Vigilance – The best protection against hacking — METAV 2020 offering expert knowledge on data security – Cybersecurity Congress highlighting challenges facing the office and production environments

Frankfurt am Main, 27 November 2019 — Digitalisation has its price. The networking of people, machines and companies not only increases productivity and sustainability, but also raises the risk of a cyber attack. The VDMA Cybersecurity Congress at METAV 2020 on 11 March 2020 offers potential ways of resolving this dilemma. Heinz-Uwe Gernhard is head of the VDMA Security working group and in his principal occupation is responsible for IT security at Robert Bosch in Stuttgart. In an interview he reveals his recipe for success: vigilance training for cyber attacks.

Look out! Cyberattacks can be prevented by training employees in the company or online — or at least by reducing the impact. Photo: Siemens

Mr Gernhard, has cyber security awareness increased?
Heinz-Uwe Gernhard: Yes, but not to the extent that I expected when we launched the Security Working Group in 2012. There is still an urgent need for action because Germany and the EU are demanding measures for greater protection against cyber attacks, including in production, in the form of laws and regulations. Deploying additional IT is certainly one way of achieving this. But without the necessary knowledge and organisational skills, this alone will not be enough to reach the necessary security levels. Industry 4.0 developments are certainly helpful here, but unfortunately cyber security is just one of many aspects.

What do you recommend to newcomers in this field?
Heinz-Uwe Gernhard: Just start taking precautions, both technical and organisational. It’s a bit like the annual flu epidemic. You have a higher risk of getting it without a flu jab. In today’s networked world, no one is safe from cyber attacks. There needs to be a change of heart here.

Cyber attacks on the rise

What measures should companies that are currently undergoing an Industry 4.0 digital transformation process take?
Heinz-Uwe Gernhard: This is a task for management – clear and simple. The managers must identify the risks that are attached to networking and then define suitable measures. With regard to production technology availability, they must understand the risk of considerable damage being done. Interconnectivity means that nobody is immune. If you follow the trade press, there is a constant stream of news items on this – such as that of a cyber attack practically paralysing the IT of a specialist safety and control technology company. The company decided to go public with the incident. I think that’s important and it’s the right approach because we are all in the same boat.

Nevertheless, openness is still the exception when it comes to cyber attacks. To what extent can networks such as the VDMA Security Working Group, which you spearhead, help in this? By getting network members to talk openly to each other about cyber attacks?
Heinz-Uwe Gernhard: We take a proactive approach by clearly identifying the risks and providing assistance on a wide range of issues. I think it is crucial that we work together to ensure transparency across association boundaries. The Industry 4.0 platform link also offers a good starting point.

In many cases there is a lack of awareness.

Some companies are now starting to alert their employees to different fraud scenarios. What do you think of the new buzzword “cyber resilience” which is now making the rounds?
Heinz-Uwe Gernhard: This is the right approach, because awareness offers the best protection for this type of threat. Every user of cyber technologies should be cyber resilient.

Where do you think we are right now with security IT?
Heinz-Uwe Gernhard: Let me make a comparison with road vehicles. In 1920, motorists needed a completely different level of risk awareness to today’s drivers because cars now demand much less attention as a result of all the built-in systems. The vehicles themselves and the infrastructure make driving today much less risky. Our IT is currently at the level of a 1920s car in terms of the inherent risks. It requires a high level of attention from users and a wide range of knowledge. Awareness is a key topic right now.

Isn’t that scaremongering?
Heinz-Uwe Gernhard: No, it’s not scaremongering at all. Marc Elsberg’s novel Blackout plays through various scenarios. The technical aspects he includes are not fictional, but reflect the current realities. He has merely packaged them in an exciting fictional work. The Government is also getting involved in the form of the IT Security Act (Kritis), which is currently being revised.

The IT expert Peter Turczak told VDMA magazine: “I would never put critical data into a cloud.” However, companies need data in order to implement Industry 4.0 and need to store it securely. What belongs in the cloud and what doesn’t?
Heinz-Uwe Gernhard: My IT colleague here is addressing the central requirement of OT (?) for availability. As a communications engineer, I am well aware of the competition between bandwidth, local computing power and, of course, cost. With the right bandwidth, the cloud can facilitate the provision of a centralised application with a great deal of computing power to a large number of users. Users must weigh the type of cloud usage against their willingness to take risks, their availability requirements, and their technical and organisational capabilities. Another important question, of course, is how to guarantee the dependability or trustworthiness of the provider.

So it’s a question of trust?
Heinz-Uwe Gernhard: Yes, I need to ask myself whom I trust to do what. Do the technical measures, contracts and service provider certifications offer sufficient legal protection?

Most machine tools at METAV 2020 have Internet connections: What should trade fair visitors be looking out for here?
Heinz-Uwe Gernhard: Hopefully the link is not via an open Internet connection, but a trustworthy one, as I just mentioned. Don’t just ask about the technical solution itself, but also about the provider’s organisational capabilities. From a technical point of view, private VPN networks based on an appropriate contract are best here.

Standards can help

How can trade fair visitors prepare for their meetings?
Heinz-Uwe Gernhard: Help is provided by ISO/IEC 62443. Part 2–4 contains the “Security program requirements for IACS service providers” and provides a framework for the key aspects when considering offers. Otherwise, regulations and standards, even if they are often inflexible, can be helpful and effective here.

Mr Gernhard, thank you for talking to us.

VDMA — Cyber security through targeted interaction
Information technologies are a key element of almost every production plant today. “IT not only makes machines smart and interactive, but also more susceptible to cyber attacks,” observes Steffen Zimmermann, Head of the VDMA’s Industrial Security Competence Center. “In order to guarantee high machine availability and data integrity levels over the entire product life cycle, the suppliers of automation solutions and machines must also interact with the plant operator. Operators have to be aware of the constant threat of a cyber attack. This means they should take basic precautions to ensure their own cyber resilience as a means of reducing the impact of a cyber attack. The Cybersecurity Congress of VDW and VDMA at METAV 2020 on 11 March 2020, which focuses on the convergence of the office and production environments, will present the current state-of-the-art. The topics include: Regulation, remote maintenance/international networking, live hacking and basic measures for IT network restoration.

Curriculum vitae: Heinz-Uwe Gernhard
After studying Communications Engineering at TH Darmstadt, the young graduate Heinz-Uwe Gernhard (born 1957) joined the SEL electronics group as a developer in 1983. From 1987 to 2017 Gernhard worked on the development of control technology at today’s Bosch Rexroth Electric Drives and Controls GmbH in Erbach. He has been working in the central IT Security and Application (C/TED1) department at Robert Bosch GmbH in Stuttgart since 2017. Gernhard specialises in risk management and IT security for manufacturing.

Author: Nikolaus Fecht on behalf of the VDW
