Genua on IT/OT security
Best practices for security
The field of security solutions is broad. Arnold Krille and Steffen Ullrich from Genua provide information on common attack scenarios, security-as-a-service and how SMEs should approach the new regulations.
The Industrial IoT thrives on openness and networking. In this context, IT and OT are converging more and more. Is there a secure IT/OT reference architecture?
Various organizations and standardization bodies are in the process of collecting best practices and standardizing them for specific industries and requirements. IEC 62443, for example, provides a good framework for building and operating OT infrastructures securely, i.e. safely and (cyber)securely. This also includes the approach to IT. NAMUR has made a significant contribution with the NAMUR Open Architecture. This not only describes what security should look like within OT, but also how interaction with the business area, i.e. the IT-supported side, can and should function practically and, above all, without repercussions. The BSI is also working on transferring the specifications and best practices for IT-supported processes developed in IT-Grundschutz to the requirements in OT in a meaningful way and enabling integration into an ISMS in accordance with IT-Grundschutz or ISO27001 with special OT modules or technical guidelines.
What are the most common attack scenarios on OT environments and how can a company defend itself against them?
The most common scenario is an attack on IT environments with OT as collateral damage. Time and again, this brings entire production processes to a standstill. Ransomware attacks are typical. The only thing that helps here is to secure the IT accordingly. Direct attacks on the OT primarily occur when an external attacker is given access to the OT, for example via remote maintenance access. Typically, attacks are carried out via an insecure connection to potentially compromised IT infrastructures, be it the company's own IT or that of a service provider. This can be remedied by a connection that is as restrictive as possible and keeps the attack surface to a minimum. Under no circumstances should external parties be allowed direct, unrestricted and unsupervised access to your own OT. Unfortunately, this is still often the case.
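The answer above asks for remote-maintenance access that is as restrictive as possible, never unrestricted and never unsupervised. The following Python script is an added example of what such a policy check can look like; it is not Genua's code and was not part of the interview. The vendor name, host names, port, maintenance window and the `session_rule` output format are all constructed assumptions for this illustration: every request is checked against a per-vendor allowlist of single host/port pairs, an approved time window, a session-length cap and the presence of an internal supervisor, and every failed check is reported rather than only the first one.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AccessRequest:
    """A remote-maintenance session an external party is asking for."""
    vendor: str                 # external service provider
    target_host: str            # OT asset the vendor wants to reach
    target_port: int            # single TCP port, never a whole network
    start: datetime             # requested session start
    duration: timedelta
    supervisor: Optional[str]   # internal operator watching the session, if any


@dataclass
class VendorPolicy:
    """What a vendor's maintenance contract actually permits."""
    allowed_targets: dict[str, set[int]]   # host -> permitted ports
    window_start: datetime                 # approved maintenance window
    window_end: datetime
    max_session: timedelta = timedelta(hours=2)


def evaluate(req: AccessRequest, policies: dict[str, VendorPolicy]) -> tuple[bool, list[str]]:
    """Return (approved, reasons). All failed checks are listed so the
    requester sees the whole gap between the request and the policy."""
    policy = policies.get(req.vendor)
    if policy is None:
        return False, ["vendor has no approved maintenance agreement"]

    reasons: list[str] = []
    ports = policy.allowed_targets.get(req.target_host)
    if ports is None:
        reasons.append(f"target {req.target_host} is not on the allowlist for {req.vendor}")
    elif req.target_port not in ports:
        reasons.append(f"port {req.target_port} is not permitted on {req.target_host}")

    end = req.start + req.duration
    if req.start < policy.window_start or end > policy.window_end:
        reasons.append("session lies outside the approved maintenance window")
    if req.duration > policy.max_session:
        reasons.append(f"session longer than the {policy.max_session} maximum")
    if not req.supervisor:
        reasons.append("no internal supervisor attached to the session")
    return (not reasons), reasons


def session_rule(req: AccessRequest) -> str:
    """Describe the single, time-boxed allow rule an approved session needs.
    Hypothetical rule syntax; a real deployment renders this for its gateway."""
    expires = (req.start + req.duration).isoformat(timespec="minutes")
    return (f"allow tcp vendor={req.vendor} -> {req.target_host}:{req.target_port} "
            f"until {expires} supervisor={req.supervisor}")


# Constructed sample policy: one vendor, one PLC, one port, one four-hour window.
POLICIES = {
    "pump-vendor": VendorPolicy(
        allowed_targets={"plc-pump-07.ot.example": {44818}},
        window_start=datetime(2024, 3, 12, 8, 0),
        window_end=datetime(2024, 3, 12, 12, 0),
    )
}


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate a compliant request and an over-broad one against POLICIES."""
    good = AccessRequest("pump-vendor", "plc-pump-07.ot.example", 44818,
                         datetime(2024, 3, 12, 9, 0), timedelta(hours=1), "operator.mueller")
    bad = AccessRequest("pump-vendor", "hmi-line-2.ot.example", 3389,
                        datetime(2024, 3, 12, 13, 0), timedelta(hours=8), None)
    return {"good": evaluate(good, POLICIES), "bad": evaluate(bad, POLICIES)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(name, "APPROVED" if ok else "DENIED", why)
```

The point of the design is that approval is the narrow case: a session must name one asset and one port, fit inside a window someone on the inside has agreed to, and have an operator attached, and the resulting rule expires on its own. Anything broader, longer or unattended is denied with the list of reasons, which is also the audit trail a later incident review will want.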
What added value do services such as Security-as-a-Service offer?
Many companies do not have the necessary in-house expertise and personnel to operate solutions such as secure remote access with sufficient security. In smaller environments in particular, even the initial investment in the necessary hardware and knowledge is not acceptable. This is where external, trustworthy providers can provide support and minimize the initial investment outlay. Companies can focus on their core business.
In light of the new Machinery Directive and NIS, what steps should SMEs take as quickly as possible?
Particularly with regard to NIS2.0, the most urgent activity for SMEs is to check whether they are affected by the regulation. The scope has been greatly expanded, especially with regard to the company size thresholds. Industry associations and the German government assume that a five-digit number of companies are (newly) affected. We also advise against taking a wait-and-see approach based on the motto: "It won't be implemented so badly". The scope for transposing NIS2 into national law is rather limited. The member states can set stricter requirements. However, it is not possible to relax them below the level specified by the EU. In this case, the main task for companies is to set up an ISMS in accordance with ISO27001 or IT baseline protection and to actively implement it. In many cases, such certification is only seen as a paper tiger and implemented in order to comply with the law. This is neither intended by the legislator nor does it benefit the company. Regulatory requirements are not an end in themselves. The required security measures serve to prevent damage to the company. This is exactly how they should be understood and practiced by companies.
Genua at the SPS 2023: Hall 5, Stand 419