Hacker attacks are on the rise, and even mechanical engineering companies are not safe from them. Where are the potential vulnerabilities, and how can you fix them?
According to the results of a Deutsche Telekom survey, nearly two thirds of German companies have fallen victim to hacking at least once. The mechanical engineering industry, too, is experiencing a significant increase in attacks on its production facilities. Steffen Zimmermann, Head of the VDMA Industrial Security Competence Center, explains how, in a recent VDMA survey, more than a third of the members who responded reported suffering production losses due to hacker attacks, and more than half the companies complained of capital losses. Better prevention is called for — as is a list of experts who can quickly be called in to provide support in the event of an attack.
Natalia Oropeza, Chief Cyber Security Officer of Siemens AG, says: “You have to be aware of the risks associated with infrastructure products — and also be prepared to respond to them. Ignoring them can destroy your business.” Oropeza is set to give the keynote speech at the VDMA and VDW Cyber Security Congress on 11 March 2020 at Metav in Düsseldorf. She will talk about security in the age of Industry 4.0 and the importance of Security by Design. This must include the entire supply chain if trustworthiness is to be ensured. Industry, manufacturers and users need technological transparency and homogeneous requirements across different markets.
Who carries responsibility for data security?
The majority of machines will be linked to the Internet in the future. This will confront all the relevant parties — machine manufacturers, component suppliers, machine operators and possibly also service providers — with completely new challenges. Productivity, robustness, longevity and reliability were once the main priorities, whereas IT security is now gaining in significance. Practical experience shows that there are many different potential security vulnerabilities. “In many cases it isn’t major hacker attacks that pose the greatest threat in everyday production,” says Dr Alexander Broos, Head of Research and Technology at the VDW. “Rather it’s the regular and unavoidable exchange of data via the USB interface of the controller, for instance, which provides the gateway into the system.” It is relatively easy for IT experts to offer instant solutions, such as simply closing the USB interface. “However, this prevents efficient use of the machine,” Broos continues. Service technicians, for example, need to be able to read out error logs and install updates. This is because automatic updating of the control software, as happens in the operating system of the office PC, is relatively unusual in production equipment. Life cycles of ten years and more are by no means a rarity in machines and control systems. In addition, the control software for complex products like machine tools is highly customised and is specially adapted to particular applications. The question therefore arises as to who is responsible for closing security gaps. “The responsibility is shared to varying degrees between the machine manufacturers, control suppliers and operators,” Broos continues. “Ultimately, however, the responsibility can only be met by all these together.”
Bernd Gehring, in charge of Industrial Security at Voith AG in Heidenheim, adds: “There is a risk of the software in older machines being completely outdated, and of the manufacturers providing no further updates. Accordingly, companies are well advised to prepare for digital maintenance of their machines at an early stage.” The operators, whose safety requirements machine manufacturers have to meet, are increasing the pressure, he believes, as are the standards that stipulate secure IT systems. These are indispensable in areas such as remote maintenance. He also points out that major investment is sometimes necessary in order to ensure machine security. However, there is often no initial return on such investment.
Raising transparency levels and sensitivity to security gaps
At the VDMA and VDW Cyber Security Congress to be held during Metav 2020, high-calibre speakers — e.g. from Siemens, the ZF Group, the German Federal Office for Information Security, Voith, Trumpf and Deutsche Telekom — will be talking about particular cyber security challenges in the automotive industry, the potential opportunities of security systems, and risk management solutions.
“We are particularly targeting managing directors and product managers from industrial companies with a strong culture of innovation. They are especially at risk, and security needs to be tackled at the highest level,” summarises Steffen Zimmermann. Nevertheless, there is no such thing as 100 % security, given that the target is constantly moving and that hackers are constantly adapting their methods. Machine manufacturers need to collaborate with component suppliers and operators to make production processes more secure. The Industry 4.0 business model can only work if digital services are made absolutely secure. All the contributing partners share a strong and common interest in this.