Three questions for... Stormshield

Tiffany Dinges

"Industry 4.0 only via IT and OT security"

While IT is usually protected by security measures, the OT area is often neglected in many industrial companies. Uwe Gries knows that unsecured, intelligently networked machines and processes are open gateways for cyber attacks.

© Stormshield

When companies decide on a security system to protect their data, the focus is often on IT, although all levels of the company should be taken into consideration. In the age of IoT, this means that there are demonstrably glaring security gaps in networked systems. Uwe Gries, Country Manager DACH at Stormshield, explains in an interview why it is essential to secure the entire OT (operational technology) in order to defend against cyberattacks.

Are German companies adequately prepared for potential cyber attacks and are their protective measures sufficient?

Gries: In Germany and internationally, it is still largely unclear in the industrial environment that the convergence between IT and OT environments requires a holistic approach to securing the entire infrastructure. We therefore believe that protection against cyber threats in this sector is generally inadequate - with the given exceptions. After detailed studies in 2017 showed that every second industrial company had suffered at least one security incident, many devoted themselves to securing IT networks, but barely considered the control rooms, which now have increasing points of contact with the rest of the infrastructure. The pretext for this was - and still is - the supposed isolation of command-issuing systems (usually computers with obsolete operating systems that are no longer maintained by the manufacturer), which would "automatically" shield them from external threats. However, this pretext is unjustified from the moment the maintenance technician feeds data or other information into the machine using a USB stick or connects his computer directly to the machine to be maintained. As long as there is no interdisciplinary competence between IT and OT teams, no holistic security concepts can be developed and security incidents will occur again and again.

Regardless of the budget, which three security measures should companies implement to protect themselves from cyber attacks?

Gries: As a cybersecurity manufacturer focused on critical infrastructures and a subsidiary of Airbus, an industrial group that places the highest priority on its own security, we recommend the use of network security solutions (IPS) that master both IT and OT protocols and protect both components of an Industry 4.0 infrastructure simultaneously and in real time. The key features of these solutions for us include reliability (with an MTBF equal to or higher than that of the OT infrastructure), the resilience of connections despite a possible hardware failure (HW bypass) and the transparency and speed of analysis of information exchanged via OT network protocols, even with customized implementations of command chains, to stop any attempt to manipulate production in real time. Last but not least, these devices should also be able to operate under extreme conditions, such as in industrial environments (temperature, humidity, power supply, dust, etc.). With these solutions, adequate network segmentation should be implemented to prevent the spread of malware from one area of production to another, as well as defining which employee is allowed to log on to which machine and when.

For the control room, on the other hand, we recommend solutions that, based on continuous behavioral analysis of the systems, fend off deviating queries (such as encryption or access attempts) in real time, without the need for signatures or an Internet connection. This makes it possible to define selective security policies so that these machines only do the work for which they are used. These solutions must also be able to secure operating systems that are no longer maintained by manufacturers, such as Windows XP and 7.

Keyword "security as a service": Should the manufacturing and process industry consider managed security services?

Gries: In our opinion, this is the only option if there is no chance of accessing in-house personnel with sufficient interdisciplinary expertise in the field of industrial cybersecurity. A managed security service provider is the best choice if the service provider can provide expert technicians who are otherwise not available internally, who can master the balancing act between OT and IT technologies, view both sides of Industry 4.0 as a whole and recommend/implement suitable protective measures. In this case, we would even advocate this.
