
Cyber risks

Dr. Volker Baier | Günter Herkommer

Management underestimates the dangers

It has never been easier for criminal attackers to gain access to company networks and obtain valuable data. And yet: in industry - and especially in C-level management - the danger of cyber attacks is sometimes massively underestimated.

© TÜV Süd

According to a recent Bitkom study, more than eight out of ten industrial companies have seen the number of cyberattacks rise over the past two years; spectacular incidents such as 'Stuxnet' are no longer isolated cases. An attack usually unfolds in several stages and can be broken down into phases according to the cyber kill chain model developed by Lockheed Martin, which resembles a classic break-in: the target of the attack - the company and its IT network - is observed over a longer period and examined for vulnerabilities until a targeted attack is finally launched. In almost all cases, the network is infiltrated via inadequately secured interfaces, social engineering or compromised removable media. Attacks have also become markedly more professional: they are often planned well in advance and state-funded.

In the recent past, it was precisely such scenarios that allowed unauthorized persons to move through a corporate network unnoticed for a long time. In one recent case, attackers worked their way into the production control network and gained access to the control elements. Because they were only after the company's intellectual property, there was no direct impact on the functional safety of the plant; manipulating the control systems, with serious consequences, would however have been easy. The attack was noticed by chance and handled by an external incident response team. Although production was not directly affected, the incident ultimately caused economic damage running into millions, through the external services required and the internal effort to clean up the affected systems. Added to this is the unquantifiable damage from the outflow of information that represents a competitive advantage.

Examples such as these show why consistent protection of industrial plant systems is essential. Although implementing effective defense in depth - the coordinated use of various interlocking security measures - may initially seem laborious and costly, the economic setback and loss of reputation in the event of damage are disproportionately greater.


Security - a resource problem?

In SMEs in particular, security is primarily a cost issue - often only limited financial and human resources with the necessary expertise are available. External consultants can provide valuable support and accompany companies from risk analysis and assessment through to the implementation of suitable protective measures. The aim is to implement effective protection in accordance with the defense-in-depth principle (DHS2016b) within an economically justifiable framework. All security-relevant aspects - technical vulnerabilities, organizational deficiencies and human error - must be given equal consideration.

Every protective measure starts with the realization that one's own company could be a target for attackers. Managing directors and senior managers in particular need to understand that an attack is no longer a theoretical scenario, but becomes more likely with every step towards networking. A careless click on a malicious email in a sensitive production environment can be enough to open the door to unauthorized access. This illustrates how important it is to address security at all levels, covering technological, human and process-based vulnerabilities.

Analysis and risk assessment

The first step is to obtain a precise overview of the company's own assets that are worth protecting, their network connection and the associated vulnerabilities and risks. In principle, a risk analysis in the area of IT security is carried out using the IEC 62443 or VDI 2182 series of standards.

The next step is to assess the potential risks - both in terms of the functional safety of systems and interfaces and in terms of organizational and social factors. At the end of the analysis and evaluation process, there is a complete list of all assets, relevant protection goals and threats. The results can then be used to derive sensible protective measures and prioritize them according to cost and effectiveness. All information must be carefully logged and regularly updated. An information security management system (ISMS) that stores the information securely is recommended for the collection and documentation.

Creating awareness: First Line of Defense

The majority of all cyberattacks now specifically use the human vulnerability to gain access to the company network. The possibilities of digital communication have taken social engineering to a new dimension. Phishing emails are one of the most tried and tested methods: Time and again, attackers succeed in persuading unsuspecting people to disclose confidential information in this way.

First line of defense: Raising employee awareness of cyber risks is a top priority.

© TÜV Süd

Strengthening risk awareness in the first line of defense is therefore a high priority. Employees must be able to recognize a cyber attack as such and classify potential risks. Binding guidelines and awareness training help to raise awareness of threats. These include guidelines on the use of personal devices at the workplace as well as guidelines on handling systems and components, installing software and dealing with security systems. The aim is to create a general awareness of the issue and thus minimize the risk of misconduct. Awareness measures are comparatively inexpensive to implement and are one of the most important foundations for an effective security concept.

Technical protective measures

On a technical level, a number of additional protective measures can be taken. These include, for example, the use of industry-specific firewalls and powerful anti-virus programs as well as sensible network segmentation and isolation of sub-areas. The separation of office IT and downstream production systems is a minimum requirement. Company-wide components with similar protection requirements should be grouped together in zones and separated from neighboring segments - in the event of an attack, the damage can be limited to sub-areas.

Communication between the individual areas should only pass through dedicated, controlled zone transitions. Firewalls and data diodes that filter this communication, together with intrusion detection components, further increase security. Access and network monitoring, multi-factor authentication and encryption - especially for remote access - are further examples. In addition, software and component updates must be installed regularly. Outdated legacy systems that are not, or only partially, compatible with modern security updates are a major problem here. In such cases, it is important to evaluate whether an IoT connection is really necessary and justifies the associated risks.
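One way to operationalize the zone model described above, as an added example that is not from the article or from TÜV Süd: a small Python checker that classifies observed connection records against a defined set of zones and permitted zone transitions (IEC 62443 calls these conduits) and flags any flow that bypasses them, such as office IT talking directly to a PLC. The zone addresses, ports and sample flows are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Hypothetical zones (constructed addresses): office IT, a DMZ as the controlled
# zone transition, and the production control network.
ZONES = {
    "office": [ip_network("10.10.0.0/16")],
    "dmz": [ip_network("10.20.0.0/24")],
    "production": [ip_network("192.168.100.0/24")],
}

# Permitted conduits in connection-initiation direction, (src zone, dst zone) ->
# allowed TCP ports. Office reaches only the DMZ, only the DMZ reaches production.
CONDUITS = {
    ("office", "dmz"): {443},
    ("dmz", "production"): {502, 4840},  # Modbus/TCP, OPC UA
}

def zone_of(addr):
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"

def check_flow(src, dst, port):
    """Return (verdict, reason) for one observed flow."""
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d):
        return "violation", f"{src}->{dst}: address outside every defined zone"
    if s == d:
        return "ok", f"intra-zone traffic within {s}"
    allowed = CONDUITS.get((s, d))
    if allowed is None:
        return "violation", f"{s}->{d}: no conduit defined between these zones"
    if port not in allowed:
        return "violation", f"{s}->{d}: port {port} not permitted on conduit"
    return "ok", f"{s}->{d} via permitted conduit, port {port}"

def audit(flows):
    # Keep only the (flow, reason) pairs that violate the zone policy.
    return [(f, r) for f in flows for v, r in [check_flow(*f)] if v == "violation"]

# Constructed sample flows (src, dst, dst_port), e.g. exported from a firewall log.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.0.10", 443),        # office -> DMZ https: ok
    ("10.20.0.10", "192.168.100.7", 502),     # DMZ -> PLC Modbus: ok
    ("10.10.5.23", "192.168.100.7", 502),     # office -> PLC directly: violation
    ("192.168.100.7", "192.168.100.9", 102),  # PLC -> PLC, intra-zone: ok
    ("10.10.5.23", "10.20.0.10", 22),         # office -> DMZ ssh: port not allowed
    ("203.0.113.4", "192.168.100.7", 4840),   # source in no zone -> PLC: violation
]
```

Calling `audit(SAMPLE_FLOWS)` returns the three offending flows with their reasons; in practice the flow list would come from firewall or NetFlow exports and the result feeds the attack detection and monitoring mentioned above.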

Supply chain security: access restriction and binding standards

In Germany, SMEs in particular are heavily integrated into the supply chains of large corporations and have access to parts of the corporate network. At the same time, they are less protected on average and therefore offer favorable attack surfaces.

To prevent cyberattacks via the supply chain, the principle of least privilege is recommended: access is limited to what is necessary for the required functions. ISO 27001 provides companies with a binding framework for supply chain security. Among other things, clearly defined access rights and standardized procedures for connecting suppliers and sub-suppliers to the company network are important. TÜV Süd, for example, is a member of the Charter of Trust, an alliance of international companies for greater cyber security. So far, 17 'Baseline Requirements' on security have been adopted for suppliers, to which they are expected to commit.

Risk management: defining responsibilities and processes

In view of the increasing threat situation, IT security is taking on a new significance, which must be reflected in a company's organizational structure and processes. As a general rule, companies should define an IT security team with a person who holds primary responsibility. The team coordinates the implementation of, and compliance with, the IT security strategy and is responsible for handling disruptions and security incidents. Setting up such a team is time-consuming and resource-intensive, so bringing in external experts can be considered as an alternative.

Incident response management: equipped for emergencies

Cyber security incidents can never be completely ruled out. Responsibilities and procedures for a crisis must be defined in the form of an Incident Response Plan (IRP). In any case, an internal reporting system for recording and handling IT security incidents should be set up. In addition, rules as well as backup and recovery measures must be prepared for a serious attack in which data is not merely stolen but completely destroyed.

Networked production: The Internet of Things increases vulnerability to cyber attacks.

© TÜV Süd

Incident response takes place in several steps. When there is concrete suspicion, the response team first monitors activity on the network, preserves log files and performs analysis. Suitable measures are then taken to contain and remediate the damage. Common methods range from network isolation and deactivation to the creation of IT forensic images, the removal of backdoors and the installation of security patches. As a rule, all affected systems are completely re-imaged before the cleaned systems are returned to production in a controlled manner. Finally, the lessons learned from the incident and preventive measures for the future are recorded.

IT and OT security: pooling expertise

IT and OT security have traditionally been clearly separated areas. OT was long limited to self-contained systems in production and industrial plants without a connection to the internet, and points of contact with IT were rare. With increasing networking, these boundaries are becoming blurred, and new interfaces between IT and OT create new security requirements.

Consequently, both areas should work together more closely on security issues and pool their expertise in a joint Cyber Defense Center to ensure complementary protection for all areas of the company. In reality, however, the majority of cases are still handled separately, which means that synergies are not fully exploited and attackers who enter via the IT network go undetected once they move into the OT world.

In general, it can be said that attacks are often orchestrated via phishing and that one of the best investments for greater security is awareness training for employees. It is important to create awareness of the major influence that each employee has on the overall security of the company. Securing the supply chain is also increasingly important. A weakness in a supplier network that is directly linked to the target company is an easy hurdle to overcome and will be exploited sooner or later.

In short, there will be no such thing as absolute security in the future - but a dynamic, intelligent security strategy that sensibly combines technical, organizational and human components will significantly minimize the risk of cyberattacks. The aim is to combine all measures in a meaningful way and thus achieve the greatest possible protection within an economic framework.

Author:
Dr. Volker Baier is CISO Industrial Security at TÜV Süd Sec-IT.
