Three questions for... Fraunhofer AISEC
"Security as a continuously evolving process"
As networking increases, new attack surfaces for cybercrime inevitably appear. In our series "3 questions for ..." on the topic of industrial security, security experts explain whether German companies are sufficiently protected and where action is needed.
Meeting the security requirements of industrial plants and automotive systems is part of the expertise of Michael Heinl and Alexander Giehl from the Fraunhofer Institute for Applied and Integrated Security AISEC. In a brief interview, they explain how they assess the status quo in industry and which measures, both internal and external, they recommend as a result.
Are German companies adequately prepared for potential cyber attacks and are their protective measures sufficient?
Heinl/Giehl: Due to the great diversity of German companies, a differentiated view is generally very important here. However, trends can certainly be observed. For example, we often notice that larger companies are already aware of security and are willing to make the necessary technical and organizational changes. Small and medium-sized enterprises (SMEs), however, often lack the awareness and the necessary resources to implement security measures, especially in production.
One of the reasons for this is that SMEs often do not see themselves as the primary target of attacks. However, experience from our projects shows that the threats to SMEs are real. In addition to the increasing number of attacks using various types of ransomware, which occasionally even make it into the media and thus into the public consciousness, the often unnoticed outflow of intellectual property also plays a role. It should not be forgotten that the number of "hidden champions", i.e. market leaders in a particular segment, is very high, especially among SMEs in Germany.
In addition to operational measures to defend against traditional industrial espionage, which is often supported by digital infiltration and targets internal company information, digitalization in the course of Industry 4.0 means that manufacturers are increasingly having to protect the product itself, especially in the automation sector. Over the years, we at Fraunhofer AISEC have increasingly observed this development in a wide variety of projects.
Regardless of the budget, which three security measures should companies implement to protect themselves against cyber attacks?
Heinl/Giehl: Regular employee training on information security should be high on the list of priorities. Social engineering, i.e. exploiting human weaknesses, is still one of the most common initial attack vectors. Especially in times when personal contact is avoided and electronic means of communication are used instead, the risk of falling victim to classic phishing emails or so-called "voice phishing" is particularly high. Criminals pretend to be IT administrators on the phone and trick their victims into entering their access data on fake websites or directly on the phone. Regular training courses, such as those offered by Fraunhofer AISEC as part of the Cybersecurity Learning Lab, help to raise awareness of such risks and thus ensure that they are dealt with more attentively and openly in everyday life.
"Attackers never tire"
However, even the best training courses cannot completely rule out security incidents. Attackers regularly prove that they never tire of finding new ways to compromise company networks. Technical protective measures are therefore just as necessary to proactively contain the effects of a potential security incident. For example, networks should be segmented, access should be protected by multi-factor authentication, business-critical systems should be hardened and data should be backed up regularly and preferably offline.
However, even these measures are only of limited help if they are viewed in isolation. In order to identify critical systems and data and to ensure that technical and organizational measures are regularly checked for their effectiveness through penetration tests or risk analyses and coordinated with each other, it is therefore advisable to set up a holistic information security management system (ISMS) including corresponding business continuity/disaster recovery plans. The instructions for action described in these plans should be practiced regularly under realistic conditions in order to identify deficits in good time and ensure that all stakeholders can interact as smoothly as possible across departmental and even company boundaries in the event of an emergency.
On the subject of security as a service: should the manufacturing and process industry consider managed security services?
Heinl/Giehl: If companies lack the appropriate resources, Managed Security Services (MSS) can certainly be a building block of a comprehensive security strategy. However, it is important that companies are not lulled into a false sense of security by using MSS.
There should therefore be at least one appropriately trained person firmly anchored in the company who primarily deals with security issues and is familiar with the specific requirements of the manufacturing and process industry.
"Continuously evaluate changes"
On the one hand, this helps to mediate between specialist departments and external service providers in order to correctly identify protection requirements and corresponding measures. On the other hand, these measures must not only be implemented technically or on paper, but must also be put into practice for the reasons already mentioned. In terms of acceptance, it is helpful if changes are initiated within the company, supported by a central contact person and continuously (re-)evaluated.
As part of the collaboration, companies sometimes have to provide MSS providers with very sensitive data or even access, which in turn makes these providers themselves a lucrative target for attackers. It is therefore important to pay attention not only to the price and the range of services offered, but also to other criteria such as security-relevant certifications, the physical storage location of the data or any disclaimers.
In general, security should not be seen as a product that you buy in order to "be secure" afterwards, but rather as a continuously evolving process. Regardless of how mature their security concept already is, companies of all sizes can therefore benefit from independent advice from security experts, including when it comes to the objective selection of appropriate service providers.