Wibu-Systems on IT/OT security
An ongoing process
Dr. Carmen Kempka from Wibu-Systems explains what needs to be considered when implementing OT security measures and whether IT security solutions are also suitable for OT environments.
Cybersecurity is becoming mandatory due to many EU regulations. What do you advise companies to bear in mind when implementing OT security measures?
The regulations that affect cybersecurity are diverse, including EU NIS-2, the IT Security Act 2.0 and the EU Cyber Resilience Act (CRA), as well as the EU AI Act, which also addresses the issue of security when using artificial intelligence.
First of all, the regulatory requirements and the company's own protection goals must be identified in order to design a security architecture with suitable protective measures. The use of standardized, well-researched procedures is always preferable to proprietary solutions. Implementing the measures remains an ongoing process. As the possibilities for attack are constantly evolving alongside the protection technologies and new vulnerabilities are constantly being found, recovery strategies are just as important as updating systems and replacing discontinued software libraries. Due to the development of quantum computers, cryptoagility and quantum-resistant protective measures also play a role here.
How can companies secure their OT environment and to what extent can existing IT security measures be used for this?
Access protection and authentication are the key issues here. The more strictly access (physical and digital) is restricted, the more difficult it is for attackers to attack the machines. A good PKI as the basis for the cryptographic implementation of authentication and authorization is helpful. Logging is very important for tracing possible attacks. In the wider context of information security, awareness and organizational measures are also very important here, because the human factor is often the major weak point.
How are data protection and security connected? Is it possible to "kill both birds with one stone"?
In general, data protection focuses on the user, while security looks at the system with which the user interacts or which stores and processes the user's data. This means that many security problems are also relevant to data protection and vice versa.
By law, data protection introduces security objectives and requirements for the security architecture that require IT security mechanisms. Accordingly, certifications on the subject of information security (ISO 27001, BSI basic protection) always include data protection issues. One specific measure is data economy: data that is not collected cannot be corrupted.
In addition to technical measures, users and administrators of a system must also be sensitized to the topic of data protection and the secure handling of this data, as the responsible handling of data (including access data) by individuals cannot always be enforced technically.
What opportunities does SPS offer companies that want to find out more about OT/IT security?
Wibu-Systems will be presenting various protection technologies at SPS, including AxProtector Python for protecting AI applications and models, solutions for secure licensing for Docker containers and our CodeMeter Ready solution for securely storing licenses on memory cards.
Wibu-Systems at the SPS 2023: Hall 6, Booth 428










