SSV for Edge & Cloud Control

Meinrad Happacher

Are industrial cloud applications secure?

Can industrial applications be moved to the cloud? In addition to time-critical aspects, the issue of cyber security is still a major obstacle to such a development. Klaus-Dieter Walter from SSV explains the problem in an interview.

© SSV Software Systems

Against the backdrop of new EU regulations on cybersecurity, how do you assess the current state of affairs for industrial cloud applications?

Klaus-Dieter Walter: To answer the question, I would like to briefly describe what I mean by an industrial cloud application. In my view, we are dealing here with a front end, i.e. sensors, controllers and the like as data sources, and a back end for obtaining information on the opposite side. In between, there are more or less complex cloud services from very different service providers with external communication connections in both directions - in other words, the architecture of a typical IoT application. Now to the answer to the question: I consider the cyber security of such applications in an industrial environment to be questionable overall, and in some cases even borderline.

That doesn't sound good. What is the basis for this pessimistic assessment?

You have to look at the cyber security of such applications from one end to the other and make sure that the confidentiality, integrity and authenticity of the data are guaranteed across all media breaks, plus the permanent availability of the services. The fact that IoT data is transferred from the endpoint to the cloud with a relatively high level of security, but is then decrypted and processed by various applications, is often overlooked. For the user of the information obtained at the other end of the application, the confidentiality, integrity and authenticity of the data source can generally no longer be verified. Furthermore, a cloud service, but also a communication channel, can fail at any time for various reasons. As a service user, you have virtually no influence on the availability or the software stack of the cloud services. If mobile networks or other public networks are also used as communication infrastructure, this assessment also applies in principle to the software components of the communication connections.

Some cloud platforms are operated by leading US IT companies. They have immense resources and a great deal of expertise in secure IT operations. Surely nothing can happen to my industrial cloud application there?

I see it differently. We just had the HTTP/2 Rapid Reset attack on Amazon and Google. Even the best cloud service providers can't really protect themselves against such a massive DDoS attack that exploits a vulnerability in a standard protocol, for example. With around 400 million pointless HTTP requests per second, even the cloud platforms of these IT groups are no longer accessible. In other words: even market leaders can be successfully attacked, you just have to make the attacks more sophisticated. It should also be noted that so-called third-party software modules are also used in the cloud platforms of large service providers. The third-party providers behind these functions develop special cloud solutions for machine and system operators, for example, and then host their solutions with Amazon, Microsoft or other providers. This significantly increases the potential attack surface for cyberattacks.

What could a solution look like that would help a cloud user in an industrial environment?

First of all, industrial cloud users should take care of the security of their application themselves wherever possible and not simply rely on their partners to take care of cybersecurity. This also includes asking service providers to fulfill certain security requirements and transparency obligations as part of suitable processes, but also to ensure redundancy that allows a quick change of provider in the event of problems. Furthermore, attention should be paid to genuine end-to-end security, with which an information user can also authenticate the data source. Overall, a multi-layered security structure should be aimed for. This can be based on defense-in-depth concepts.

SSV at the SPS 2023: Hall 6 Stand 241G
