Security concepts

Andrea Gillhuber

Protection begins when the contract is signed

Similar to the IoT, data security is also immensely important in the IIoT. However, hacker attacks in the industrial environment can have much more serious consequences than in the consumer environment. To prevent this, companies should also check the cyber security standards of their suppliers.

IIoT devices send sensor data to the cloud, increasing the attack surface for hackers. © Alter Solutions / iStock

The future belongs to the networking of objects - not only in refrigerators, fitness bracelets and cars, but also in the form of intelligent machines and devices. The security aspects of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) may correspond to roughly the same standards, but the consequences of a cyberattack on a production line, for example, are far more serious. It is not the intelligent machines themselves and their communication with each other that are the greatest source of danger, but the outsourcing of data to the internet. In contrast to traditional devices that are only connected to the company network, IIoT devices send sensor data or similar to the cloud, increasing the attack surface for hackers immeasurably.

Full-service suppliers of machines have a legitimate interest in the device data - for example for active monitoring or predictive maintenance. Of course, manufacturing companies also benefit from this. The devices send measurement data and other data to the cloud, which the supplier can then access from anywhere and at any time. If necessary, the supplier reacts and replaces a component on the machine, for example, without having to inspect the device on site. However, when using cloud structures, close attention must be paid to their security so that no relevant data can be lost. If a company opts for a cloud solution (voluntarily or due to supplier specifications), the whereabouts and protection of the data can no longer be controlled by the company. Whether the company data in the supplier's cloud is protected against cyberattacks is entirely in the supplier's hands. However, the company remains responsible for the data. Outsourcing responsibility is only possible with great effort and in special areas or with special designs.


Suppliers as a popular target for hacker attacks

For hackers, a supplier or manufacturer of IoT devices is much more attractive than the manufacturing industry - after all, thousands and thousands of data records from a wide range of companies are stored in their cloud. From the attacker's point of view, this makes them a much more economical target: more potential victims for the same amount of work. In the best case scenario for the hacker, the supplier, unaware of the manipulation, even takes care of installing a device that the hacker has already modified at the customer's site.

Many companies only react to cyber threats once an attack has already taken place. © Alter Solutions Germany / iStock

Large corporations are generally better protected against cyber attacks. The mostly smaller supplier companies often lack the money, time and resources to protect themselves adequately. This is also shown by Bitkom's Business Protection 2018 study: 60 percent of companies with more than 500 employees were victims of a cyberattack. For medium-sized companies, the figure was 78 percent. In order to protect all potential gateways against hacker attacks, companies should therefore take protective measures as early as the contract. It makes sense, for example, to include a clause that allows the client, i.e. the production company, to carry out an audit at the supplier's premises. Without such an addendum to the contract, the company has no legal basis to check the cyber security standards. It should also be clarified here which measures are to be initiated if the audit finds weaknesses, the time frame in which these are to be carried out and who is to bear the costs. Consequently, procurement must work closely with the IT department to cover all important factors when drafting the contract.

This option is currently given little or no consideration in the mechanical and plant engineering sector - the guidelines for security in mechanical and plant engineering published by the German Engineering Federation (VDMA) emphasize that SMEs in particular are left to their own devices when it comes to choosing methods to protect against cyber attacks and therefore find it difficult to comply with security standards. The tenor in the industry so far has been: "Our long-standing contractual partners already know what they are doing, we don't need to check." This contradicts all the principles of the quality assurance process and would be unthinkable in other stages of the production process. Particularly in sensitive industries such as the banking sector with its strict regulations, comprehensive security tests of suppliers, including tests of individual networks and computers (penetration tests and red team testing), must be an integral part of quality management. A rethink is urgently needed to prevent serious damage.

Companies only behave reactively

Many companies only react to cyber threats when it is already too late and an attack has already taken place. This is because adequate protection means a high initial investment. They also have to repeat audits regularly to keep security standards consistently high. As a result, small and medium-sized companies in particular are often threatened in the event of a cyberattack. Due to their specialized products, they are extremely dependent on their suppliers. If there is a failure in the supply chain, they have no alternative to fall back on. In addition to financial losses, this usually results in considerable damage to their image.

External service providers as digitization specialists

Carrying out the audits requires specialized employees, which, with the exception of large corporations, most smaller companies do not have in any specialist department due to a lack of capacity. In its study on the current state of IT security in SMEs, the Scientific Institute for Infrastructure and Communication Services also came to the conclusion that there are still considerable IT security deficits in small and medium-sized companies due to limited resources. It is therefore advisable to work together with external service providers. The experts have the appropriate skillset and are on hand to advise on both the contract design and the subsequent penetration test and other risk minimization measures so that the CEO can make the right risk adjustments.

Digitalization is advancing relentlessly and in the future there will hardly be any machines that are not connected to the Internet - according to a study by Gemalto, the world's leading digital security company, the number of devices connected to the Internet is set to rise to 20 billion by 2023. Companies are therefore well advised to build partnerships with cybersecurity service providers. For one thing, security is a matter of trust and should only be placed in competent hands. And secondly, only with a viable and sustainable cybersecurity strategy can companies benefit from the advantages of digitalization.

Michael Zobel, Director Cyber & Information Security and Big Data & Analytics, Alter Solutions Germany / ag
