Interview: Eve Hunter on hacker attacks
IoT harbors risks for security
Eve Hunter, Senior Consultant Cybersecurity at Detecon International, spoke to Andreas Mühlbauer about the risks of hacker attacks in the Industrial IoT environment. What do they look like today and what can we expect in the future?
We are hearing more and more about hacker attacks on industrial companies. How great is the damage and are companies inadequately protected?
The damage caused by hacker attacks can range from minor to major outages. These can have different effects on companies:
- Reputational damage: reduces expected revenue
- Production outages: lead to direct disruption to the supply chain and associated potential contractual penalties and, in the case of longer-term outages, potentially sustained loss of revenue (e.g. customers looking for alternative suppliers)
- Ransom for ransomware: although this is generally not recommended, many companies pay considerable sums to supposedly regain access to their data
- Theft of trade secrets: enables competitors to improve production processes, for example, and thus possibly gain market share
- Reconstruction and repair: Depending on the severity of the attack, a large number of systems may have to be cleaned up and restored or even completely reinstalled.
The money organizations spend on security after being attacked is proof that they have failed to take important protective measures. Attackers will usually find a way into the organization - the question is whether you are prepared to detect them promptly and limit further access.
Larger companies are usually well prepared, especially in highly regulated industries such as finance. Smaller companies, for the most part, are increasingly investing in overall cybersecurity strategies and implementations, which is a positive and ongoing change. Nevertheless, I believe that it is probably lucky if these smaller companies have not yet suffered a significant attack, as according to the latest Bitkom study, nine out of ten companies have fallen victim to such attacks in the past year. The rise in Covid-19-related phishing attacks and ransomware attacks in the healthcare sector also shows that attackers are becoming increasingly context-specific in their approach. However, this also offers opportunities in the prevention of such attacks.
Are attacks more likely to compromise sensitive data or are we already seeing attacks on hardware - in other words, on ongoing production?
Currently, most attacks are financially motivated, so personal data and intellectual property are most at risk, as they can be resold for a large profit.
However, over the last ten years, we have seen an increase in attacks that focus on operational technology - usually the control of industrial equipment. The simultaneous development of the Internet of Things with all its networked devices is putting companies in increasingly risky situations. This is because, compared to traditional IT security, most companies are not well prepared for securing cyber-physical systems - both in terms of organizational culture and actual expertise.
In 2014, for example, attackers targeted ICS operators in a German steelworks with phishing emails. They infiltrated the network and moved laterally within the production environment. As a result, a blast furnace could not be shut down properly, resulting in physical damage to company equipment. The attackers demonstrated considerable knowledge of ICS systems, and this was seven years ago.
What measures should manufacturing companies definitely take and how effective can protection against cyber attacks really be?
The most important step is to have an up-to-date, accurate and dynamic list of all technical assets. This gives organizations the ability to respond to vulnerabilities in their devices or programs, set up monitoring systems, and make processes such as patch management and remediation more efficient. This visibility into the organization's technology also has the added benefit of detecting when an unknown, unauthorized device is on the network.
Once this is clear, the risks to assets can be determined so that companies can better prioritize the controls required for their specific situation. Attacks typically follow the cyber kill chain (Lockheed Martin) - organizations need to take action for each step of the kill chain. To understand and defend against attackers' methods at each point in the kill chain, one of the best resources is the MITRE ATT&CK framework.
In addition, processes and procedures for dealing with security incidents need to be well established and tested long before an attack takes place. Even if there is a policy somewhere that prescribes what to do in the event of an incident, it will only be effective if the key players know exactly what their responsibilities and accountabilities are in the event of an attack.
Defenses will never be 100 percent effective, but they have a chance of either slowing down the attackers or improving internal incident response capabilities. Considering the massive investments companies make in security after incidents, it seems that preventative measures allow for a methodical and gradual build-up of security measures and can even save money in the long run.
How do you think this "battle" will develop in the future?
We cannot expect a decrease in attacks. I hope that the increased attention that is now being paid to this issue will lead organizations to adapt their knowledge and resources to better deal with attacks when (not if!) they come. Cyber security must be seen as an issue that is critical to every business and relevant to most, if not all, areas within an organization. Without adequate cyber security policies, procedures and controls, it is unlikely that a business will be able to function in the future.









