Industrial Security: IoT? Yes, if it’s secure!
The number of devices, systems and assets (i.e., "things") networked over the Internet is increasing tremendously. At the same time, these devices are often less protected than an average IT infrastructure. In addition, increasing standardization and the growing complexity of the devices offer open flanks to attackers. For this reason, protecting the Internet of Things (IoT) with a dedicated, comprehensive security strategy, Industrial Security, is urgently needed.
Market research from Gartner estimates that, by the year 2020, 4.3 billion cross-industry assets will be networked worldwide in industry alone. Added to this are another 3.1 billion machines, systems and assets in the Internet of Things (IoT) in the individual industry branches – for a total of nearly 8 billion connected assets. In 2018, not quite one year ago, there were only half as many networked things.
Networking is taking gigantic strides, providing companies with new insights into the response and operation of their machines and producing huge quantities of data that can be used for proactive maintenance as well as in the search of new products, business ideas and business cases.
Industrial Security by the numbers
While connectivity can deliver valuable business insights and efficiency, massive networking using standardized data lines and protocols over the Internet makes machines and systems more vulnerable, thereby creating new challenges. “Almost 70% of companies and institutions in Germany fell victim to cyberattacks in 2016 and 2017,” writes the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) in its newest report, The State of IT Security in Germany 2018. “In nearly half of the cases, the attackers were successful and were able to gain access to IT systems, influence the functioning of IT systems or manipulate companies’ Internet sites, for example. Every second successful attack led to production or operational downtimes. In addition, there were often costs for investigating the incidents and restoring the IT systems as well as damage to reputation.” An average data breach in Germany costs €3,390,000 as calculated by the study Cost of Data Breach from the Ponemon Institute sponsored by IBM in 2018.
The costs and damage to the reputation of a company are one thing. The long time that passes until attacks are found is another. According to the Cyber Alliance Center Bavaria (Cyber-Allianz-Zentrum, CAZ) in the Bavarian Office for the Protection of the Constitution, it takes 260 days on average for a discrete attack on IT infrastructures to be discovered.
Furthermore, when the security systems finally report a hacker attack, only four in 10 companies (43 percent) have an emergency management plan that specifies what is to be done in such a case. Even operators of critical infrastructures such as power utilities and financial services are ill-equipped to handle breaches. Of the critical infrastructure companies, 53 percent have an emergency plan compared to 41 percent in industries that are not considered to have critical infrastructures.
Networked production is less protected than the IT infrastructure
IT business infrastructures – servers, desktop computers and mobile PCs, smart phones and tablets as well as the data lines they use to communicate – can be protected to some degree. This task is the responsibility of IT departments, usually led by the CIO and supported by teams of different sizes with varying degrees of specialization.
As yet, industrially networked systems do not enjoy this protection. As stated in the previously mentioned BSI status report from 2018: “Unlike traditional Internet-connected devices such as PCs, laptops and servers, IoT devices often lack their own attack prevention systems. To reduce costs and increase battery life, they generally have significantly fewer resources available for security mechanisms than PCs.” The conclusion reached by the German Federal Office does not just sound alarming, it is alarming: “Operational technology (OT) systems are not only easier to compromise; it is also more difficult to recognize that they have been compromised.”
Integrated protection for IT and OT in demand
In a modern, networked industrial company, both systems must be protected, that is, the IT business infrastructure and the OT systems. In this respect, the Voith technology group follows an integrated approach for Industrial Security to protect its own infrastructures, its machines and systems and to make this protection available to its customers, as well. This offering is based on more than 150 years of experience in the manufacture and reliable operation of machines for paper production and hydropower plants based on Voith technologies. These are often security-critical systems that would jeopardize human life in the event of an operational malfunction that led to power failures or flooding. Seen in this light, Voith is not just simply a machine builder but has always been a designer of safety-related systems.
Voith’s approach to integrated security is also based on many years of commitment by the company to IT and OT security, for example, in the German Mechanical Engineering Industry Association (VDMA) and the Open Group Forum, which is involved with interoperability and the security of industrially networked systems. It is also based on the experience accumulated by Voith as one of the first companies with certifications as per ISO 27001. Starting from this approach, the manufacturer has developed an entire series of products that allow for the protection of industrially networked systems for itself and its customers. In this way, Voith established a Competence Center for Data Protection and Information Security many years ago. The Voith Security Operations Team consists of qualified experts who are involved with protecting IT infrastructures. The team monitors and analyzes all security-related systems – company networks, servers, workplace computers and Internet services – and investigates them for anomalies.
The central component in the task is a sensor system that automatically analyzes, correlates and displays the large quantities of IT and OT information on its own. The automation of security processes is one of the most important measures for effective protection against attacks while providing additional advantages. Security automation meets the increasing expectations of cyber security because of the more and more complex threat scenarios and the increasing complexity of IT infrastructures. In addition, it relieves IT from some of the perpetual cost pressure through the reduction of manual activities during inspections, actions and reports. Finally, automation supports companies in better meeting their regulatory and compliance requirements, even if they are not explicitly required by law.
WannaCry attack repelled at Voith
Voith has directly benefited from a thwarted cyberattack thanks to automated processes in IT security. On 12 September 2018, security experts at Voith determined within a very short time that individual computers within the company were infected with WannaCry. This particular malware attacks Windows systems on which a certain patch has not been installed. As ransomware, WannaCry encrypts the infected computers and extorts the owners to have the data decrypted again. Ransomware is not new. In the second quarter of 2012 alone, there were about 123,000 new versions, according to Kindsight Security. However, WannaCry represented a whole new level of threat at that time. In May 2017 alone, the malware had attacked several large multi-national companies in a very short time – a total of more than 230,000 computers in 150 countries. The European Police Office of the European Union designated the outbreak as a “never before seen event.”
At Voith, the ransomware was able to penetrate about 140 systems worldwide. However, no production systems, only monitoring systems, were affected, so there was no production outage. The Anomaly Detection System at Voith was primarily responsible for the successful defense against the attack. This system sounds the alarm when malware attempts to contact external servers in order to encrypt systems inside the company. The first report appeared a few minutes after the infection on 12 September 2018. As a result, the Security Operations Team was able to initiate the necessary measures, to isolate the affected systems and to install the patches to prevent propagation of the malware. In the end, only about 140 systems were affected because of this quick reaction. These systems were part of the more than 20,000 computers in use worldwide at Voith.
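The detection principle described above, as an added illustration that is not Voith's own system: a toy anomaly detector that raises an alert when an internal host contacts an external destination absent from a learned baseline, and when a host fans out to many internal peers on SMB port 445, the propagation pattern of worm-style ransomware. The log format, IP addresses and baseline are constructed for the example.

```python
"""Toy anomaly detector over constructed firewall log lines.
Two signals: (1) contact with an external destination that was never seen
during a baseline period; (2) one host opening SMB (445) connections to many
distinct internal peers within a short window (worm-style fan-out)."""
from collections import defaultdict
import ipaddress

# Constructed log lines: "<epoch> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
1536739200 10.1.2.10 52.96.0.1 443
1536739201 10.1.2.11 52.96.0.1 443
1536739205 10.1.2.11 10.1.2.20 445
1536739206 10.1.2.11 10.1.2.21 445
1536739206 10.1.2.11 10.1.2.22 445
1536739207 10.1.2.11 10.1.2.23 445
1536739210 10.1.2.11 203.0.113.77 80
1536739220 10.1.2.10 52.96.0.2 443
"""

# Constructed baseline: external destinations observed during a learning phase.
BASELINE = {"52.96.0.1", "52.96.0.2"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse(log):
    """Yield (timestamp, src, dst, port) tuples from the constructed format."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield int(ts), src, dst, int(port)


def detect(log, baseline=BASELINE, fanout_threshold=3, window=10):
    """Return a sorted list of (source_ip, reason) alerts."""
    alerts = set()
    smb = defaultdict(list)  # src -> [(ts, dst)] for port-445 connections
    for ts, src, dst, port in parse(log):
        if ipaddress.ip_address(dst) not in INTERNAL:
            if dst not in baseline:  # never-seen external server: beaconing?
                alerts.add((src, f"unknown external destination {dst}"))
            continue
        if port == 445:
            smb[src].append((ts, dst))
            recent = {d for t, d in smb[src] if ts - t <= window}
            if len(recent) >= fanout_threshold:
                alerts.add((src, "smb fan-out"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

In the sample, host 10.1.2.11 is flagged twice: for the SMB fan-out to four peers and for contacting an external address outside the baseline, while 10.1.2.10 stays quiet because both of its destinations are known.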
Cybercrime and the human factor
IT and OT systems can now be protected quite effectively against external attacks using various measures. This assumes that the attack attempts, like the one from WannaCry, are discovered quickly. Everyone who installs current updates and security patches on his or her system also provides appropriate protection of the IT infrastructures that can be further improved with regular security checks. The weakest link in this chain is still not protected with these measures. We are referring to the people who, often enough, open the door into the company for attackers through negligent or careless behavior.
Every sixth employee, approximately 18 percent, would respond to a phony email from the executive suite and divulge sensitive company information, according to a BSI survey from 2018. That this is more than just a theoretical hazard is substantiated by other studies. The German Federal Criminal Police Office counted 250 cases of fraud in three years. The most well-known in 2016 were the Bavarian automotive supplier Leoni AG, which suffered damages of €40 million, and the Austrian-Chinese aviation industry supplier FACC, which lost about €50 million. Information about responsibilities in the company, the composition of departments, internal processes and organizational structures was harvested from emails sent from purportedly trustworthy senders. This information serves cyber criminals as a valuable foundation in the preparation of targeted attacks on the company. Gaining information by trickery, known as social engineering, purposefully exploits the trust and helpfulness of people. Attackers make contact with the employees of a company by mail, on the telephone or even in face-to-face conversations – at events or trade fairs, for example.
The best option for avoiding such incidents is – even here, Voith leads with its own good example – the regular training of employees regarding security issues with the purpose of raising and refreshing awareness. As far back as 12 years ago, Voith was one of the first companies to establish a worldwide awareness campaign on the topics of data protection and data security throughout its branches. With the Privacy and Security Information Portal, Voith provides its employees with all the information they need to practice proper behavior. In addition, the company has established a globally standard telephone hotline that provides help – around the clock – in the event of security-related incidents and questions.
Voith is familiar with the tricks of the hackers
Under contract to its customers, Voith performs penetration tests. In these stress tests, qualified expert teams attack IT and OT infrastructures in a targeted manner to uncover and eliminate vulnerabilities. The tests follow the strategy for penetration tests provided by the German Federal Office for Information Security and the basic principles of the international ISO Standard 27001 (ISO27001 Assessment).
In addition, Voith offers security assessments based on a number of different certifications and programs. These include ISO 27001 (IT security), IEC 62443 for the security of industrial communications networks and NERC CIP, an American collection of different standards for protecting critical infrastructures. The objective of the assessment is to find and eliminate vulnerabilities.
Security by default/by design
Voith plays an integral role in developing adequate security strategies and dynamic actions for its products and solutions. This role is not limited to delivery but rather extends over the entire life cycle – as an effective security strategy is never static. It is dynamic as required by the threat situations that are always changing.