With Industrie 4.0, IT and OT departments are converging more and more. Today, the two biggest problems are inefficient communication and the lack of an integrated security approach for IT/OT systems. To overcome these challenges, industrial companies have to establish a comprehensive, common security culture.
We already talked about the differences between IT and OT in a previous article in July 2018. It already became clear then that security concerns play a big role and must be addressed. The increasing interconnection of plants on the one hand and the networking of partners within the value-creating network on the other cannot be stopped. Burying one’s head in the sand is therefore not an option.
It is certain that the employees of the OT department face the bigger challenges. They are used to working in relatively isolated environments, which are now becoming increasingly open and interconnected. An attack on the OT environment can have more extensive consequences than IT employees are aware of. This is the starting point that both departments – IT and OT – can and must share. It is the only way for industrial companies to handle the progress of Industrie 4.0, to remain competitive and to face future security threats.
Establishing a common security culture
First of all, industrial companies should create a common internal culture for dealing with new security threats. For this purpose, IT and OT colleagues must be brought together. IT people are already familiar with the risks and challenges that arise from an increasingly interconnected infrastructure. They can help to raise awareness of modern security requirements. In contrast, OT people have up to now primarily focused on running operations and on the functionality of the plants. In future, faster patch management, higher network security and better access control, for example, will become more important in OT.
Even the careless handling of passwords can be an open invitation for cybercriminals, as can weak access control for third parties such as providers or partners. The biggest security loophole is thus the human-machine interface (HMI). Often this is due to badly programmed software. In the worst-case scenario, the software runs on an outdated operating system and is reachable by third parties via an unsegmented network. In short: a paradise for hackers.
OT attracts the attention of hackers
Hackers have not been significantly attracted by OT networks until now. But this situation is changing because of the increasing networking via the internet. So far, the attacks of cybercriminals have focused on the energy sector. These are attacks like Industroyer, which attacked a Ukrainian energy provider in 2016. The BSI (Federal Office for Information Security) has already warned hundreds of companies in the energy sector about potential attacks. The most recent announcement was made in June 2018. In it, the BSI assumes that German companies in the energy sector are the target of a worldwide cyber-attack campaign.
But hackers set their sights on other systems long ago, for example the Triconex Safety Integrated Systems Controller of Schneider Electric. These safety controllers for industrial machines were recently attacked by a malware called Trisis/Triton. Experts from the security companies FireEye and Dragos discovered the malware. Even though the malware only caused an interruption of operations, researchers assume that it was developed to physically damage an industrial plant.
The importance of an integrated security approach
In times of IIoT, it is just a matter of time until hackers become interested in manipulating entire production lines. For that reason, industrial companies should consider establishing an integrated security approach for their IT/OT environment. Emphasis must be put on the respective interfaces – especially the ones between IT and OT, where security breaches are most probable. In addition, purchasers should in future pay attention to the compatibility of components in terms of an integrated security approach. An analysis of the current state of security should be the first step.
Another step is to know the entire attack surface of the organization. Today, this includes not only the physical IT and OT in a company. It also means considering modern multi-cloud infrastructures as well as the access rights of third parties, such as suppliers and partners. For this reason, SMS digital made sure of maximum security for the mySMS group platform and its different applications from the very beginning. The platform-product communication between the industrial app store and the apps takes place exclusively via encrypted SSL/TLS connections. Additionally, it is protected by a restrictive access and user management system. For authentication, the user receives a signed and encrypted access token after login. Furthermore, all data is not only transmitted but also stored in encrypted form. This provides industrial enterprises with the highest level of security when accessing applications via the cloud.
Making use of experts’ know-how
The digital transformation creates a lot of new security challenges for industrial companies that are not part of their core competencies. Consequently, they are well advised to get support from external experts who specialize in security consulting. Associations such as the VDMA or the BSI can also be helpful sources. Normally, they have someone in their teams who is specialized in security within Industrie 4.0. The Association for Electrical, Electronic & Information Technologies (VDE) has even developed a special solution for SMEs: it offers small and medium-sized enterprises a CERT platform to counter cyber-attacks. Specialized teams, the Computer Emergency Response Teams (CERT), assist SMEs as cooperation partners across organization borders. There are also internationally active organizations and experts who help to keep an eye on current security gaps in OT systems. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), for example, is responsible for protecting critical infrastructures in the United States. It provides information about SCADA/ICS-related security loopholes so that they can be closed as soon as possible. The SANS Institute also publishes current research results on a regular basis. This cooperative research and training organization also offers special security training for the OT sector.