DOTMAGAZINE: How has the threat situation for the security of smart production plants developed in the last few years?
WOLFGANG STRASSER: Well, I think the situation has got a lot worse in the last years because production plants all have a lot more network and web integration. So the threats coming from networking and from the web, from the Internet, are coming a lot nearer to the plants. The situation has become really, really dangerous.
DOT: How can companies minimize the security risk to their production plants?
Which threats may affect production? What is the value of loss of production? What are the possible costs of attacks or outages in production?
STRASSER: Companies need to identify where the risks are. They should be aware of the threats and the risks they may face. So first, they should do a proper risk analysis and try to identify where the threats come from. From the infrastructure? From the web? From the applications? Who may attack you? What other problems might come nearer to production, like a virus outbreak, like ransomware, for example? All these things must be considered, and a lot more, of course. Which threats may affect production? What is the value of loss of production? What are the possible costs of attacks or outages in production? You have to be aware of this.
So, first of all, risk analysis, threat modelling. Second, document your network really well: Where are the IoT components, for example? Where are the SCADA systems? How are they are linked to each other? How can you operate them?
DOT: What steps should companies take in the first place before they start digitalizing their manufacturing processes? How would they go about the digital transformation so that they are secure?
If you install IoT components, how can they be attacked? What might happen in that situation and how can you prevent it?
STRASSER: I think it's more or less the same as above. Be aware of where the threats might come from. What might happen to you if you are opening your plants to the Internet? If you install IoT components, how can they be attacked? What might happen in that situation and how can you prevent it? So, make sure you have very good documentation of the infrastructure and operation systems you already have. Also of operations itself, which steps need to be taken, what has to be done? Then, you have to make security concepts for how to protect the plants and know how to install web applications. Are those web applications secure? Check them. You should check the security of the apps on your mobile devices, because all these are gateways for malware or attackers into your plant.
A virus outbreak in their plants meant production stood still for at least seven days. In the end, they lost 2 million Euros in one week.
DOT: How do you weigh up the advantages of Industrial IoT against the risks?
STRASSER: Well, that's a difficult question. First of all, we can't avoid it anymore. IoT or digitalization will come to the plants, no matter what. But we have already had some cases where not having integrated good security solutions and concepts has had a huge financial impact. Just to give you an example; recently one of our customers was attacked. They had 24/7 production, so no time puffer for maintenance or anything unexpected. Then they had a virus outbreak in their plants and production stood still for at least seven days. This meant a loss of EUR 200,000 per day. On top of that, they couldn’t deliver on time – and had just-in-time delivery agreed in all of their contracts, with penalties for any delays. In the end, they lost 2 million Euros in one week. All because they didn’t have good IT security protection for production at the plant.
DOT: And it's not possible to insure against something like that, is it?
STRASSER: Oh, I think there are insurances in Germany already, for cyber attacks, for example, or for infrastructure breakdowns like these. But, of course, the insurance companies will want to know what measures were taken to avoid such attacks, but by then it might be too late. So you have to check the policies and insurance contracts carefully.
Most companies have emergency plans for business continuity issues, but not for such attacks
DOT: Do you also help companies that are producing digital products to make sure that those products are secure. What is important there?
STRASSER: Very often, you hear about security by design. The thing is that all components and whatever is developed should be capable of undergoing patch management. Because they all work with Windows, they all work with Linux operating systems, and they all work with web application languages and, as we all know, all these things can be attacked. In the future, it needs to be a “must” that all of these components have the possibility for patch management. I think that is one of the most important things.
DOT: What advice do you have for companies facing an attack on their systems? How should they react?
STRASSER: If they lack the skills for handling these attacks, then they should keep their hands off - they should just call in the experts. First of all, they need an emergency plan for such events. Most companies have emergency plans for business continuity issues, but not for such attacks. Most of them make big, big mistakes in handling attacks or virus outbreaks in production because they do not know how to handle these situations. They do not have a plan, they haven’t documented what they should do, and most of them do not have any experience in handling such a situation. They should just keep their hands off.
Listen to a 2016 interview with Wolfgang Strasser in the eco International Podcast Making Smart Clever.
Wolfgang Strasser is the Founder and Managing Director of the cyber security company @-yet GmbH, established in 2002. He has been active in a range of management positions in the IT sector for the last 30 years. The focus of his work with @-yet includes IT Outsourcing and Cloud Consulting, and IT Risk Management, in particular Business and Information Security, Business Continuity, Business Compliance, and Industrial + SCADA Security.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.