Exchange of words with Raphael Vallazza, Endian
The ABCs of security
What are the specific requirements in industrial and cyber security? Raphael Vallazza, CEO of Endian, answered these and other questions in an interview with editor-in-chief Andrea Gillhuber. By explaining the differences, he also lays the foundations for a successful security strategy.
What is the difference between industrial security and cyber security?
In cyber or IT security, people are used to updating systems quickly, i.e. having smaller releases; this is different in industry. In the world of automation, protocols such as Modbus or OPC UA are used that were only created for this environment. The heterogeneous environment is also a very big challenge that you don't usually have in the IT world: in the IT world, you expect to replace hardware such as servers or computers every three to five years, whereas in production, you don't just buy a new machine and replace it again after a few years. Different generations of machines with different technologies and systems are used in production, so the requirements are completely different.
You once said that the question is not whether a company will be attacked, but when. How do cyber criminals usually get into a company's own system?
Cyber criminals usually take the easy route. In other words, they look for the weak point in the system through which they can get in the quickest and easiest in order to cause the most damage or - in the case of blackmail - to make the most profit. In most cases, this vulnerability is the human factor: attackers gain access to the network via an email or a hastily opened file attachment.
Systems that are directly accessible via the Internet are also a weak point. There is even a search engine, Shodan, which scans the Internet for IP addresses and shows exactly which services can be accessed via which IP address. Here in particular you can see that the protection mechanisms for critical infrastructure are often very poor. For example, I can enter a control type directly and the search engine then lists systems and IP addresses that cyber criminals can very easily use for attacks.
But regardless of whether an attacker enters via the office IT or the IP address of a controller, office IT and production must be separated in the system, i.e. have their own independent networks.
Especially in times of increasing networking, how can separation succeed here?
People and machines must be networked in a modern industry. But it is important to segment and regulate access to networks, machines and devices. If this is not done, an attacker could gain direct access to the production network via the management PC. Users should therefore only have access to the areas and data that are really necessary for their work and not to the entire system.
How do you train employees properly?
If a company does not handle the topic of cyber and industrial security properly, it is automatically at risk. As security experts, we have already seen a lot: from simple passwords such as "123456" or "admin" to password lists that are printed out and stuck to the screen. Training is therefore important in order to create awareness among employees that each individual can contribute to the security of their company.
But it is not down to the employee alone; technical prerequisites must also be created, for example with the right tools and instruments. A security system should also be easy to use, because if something becomes too complex to use, people will find ways around it. We therefore focus on segmentation, authentication, authorization and accounting. I can then use a tool to manage rights centrally and also access systems centrally or seal them off in the event of an attack.
What dangers do legacy systems pose?
Legacy systems are usually older. In most cases, the software in these systems is susceptible to vulnerabilities that can be used to compromise the system. Cybercriminals use bugs and vulnerabilities to attack systems. There are various methods of attack: I can paralyze a machine or use a bug to gain higher authorization to manipulate processes. Cyber or industrial security is also about maintaining the life cycle of a machine through updates. A firewall or security product must be constantly supplied with updates and this is often not possible with legacy systems, as the software is already end-of-life. Windows 7 has just gone end-of-life, which means there are no more updates. However, some systems in the industry are still running Windows XP or even older. And this problem is serious: these systems no longer have any security updates. This means that the systems are automatically insecure! Added to this is the comparatively low computing power: a brute-force attack can overload the systems. To do this, you simply send a PLC so much traffic that it can no longer respond and a denial of service occurs. Such an attack is always possible.
Can a production plant be secured via IT security?
Production and office environments are sealed off, usually using standard IT security. However, production facilities ultimately have different requirements. It is therefore necessary to use tools that are created for office and production environments and are compatible with each other.
In production, for example, I need secure remote access. Using standard IT tools for this is simply convenient, but they cannot be used to manage authorizations or resolve IT conflicts in production to the same extent. In industry, the same IP address was used for different production lines or machines because it was practical. In IT, this is a no-go because IP addresses were not configured to be used multiple times.
Another issue is access directly via the Ethernet level. Why is this necessary?
Tools such as the suite from Siemens or Beckhoff send queries to the controller on an Ethernet basis, for example to understand how many controllers and which controllers are in a network. Many IT tools do not support this automation technology.
What does a good safety concept for production facilities look like?
As already mentioned, segmentation, authentication and authorization are essential. A production plant itself should also be segmented. Segmentation can be explained well using the example of a ship: A ship is divided into several segments. If it hits a reef or an iceberg and water gets in, the bulkheads of the affected segment are sealed to prevent the ship from sinking. The same applies in production: if a machine is infected, I use segmentation to seal the bulkheads to other segments, i.e. other machines and production facilities. Ideally, each machine corresponds to a segment and access and authorizations can be switched via an upstream gateway.
It is important that the access authorizations of people and machines can be managed centrally. Many production plants are distributed and have several lines with different machines from different manufacturers. If, for example, I only want to give a manufacturer access to one machine for maintenance, this is very easy with central authorization management. With manual approval, there is a greater risk of making mistakes or simply forgetting to revoke the authorization. The latter in particular poses a major security risk.
However, I can only find out whether my system is really secure by monitoring it. At Endian, we have been taking this approach in recent years and using cyber security or security for production systems and machines as a basic building block that also builds a bridge to system monitoring. This is because the gateways can not only ensure security, but also pass on production-relevant data that the user can ultimately use for condition monitoring or production optimization, such as for predictive maintenance. Our aim is to increasingly integrate security into the infrastructure and thus make digitalization simpler rather than more complex.
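The segmentation and central authorization described in this answer, as an added example that is not Endian's code or product: each machine is its own segment behind a gateway, grants are issued centrally with an expiry so a maintenance access cannot simply be forgotten, and a segment can be sealed like a ship's bulkhead. All segment and subject names are constructed.

```python
# Added example (not Endian's code or product): a central authorization model for
# a segmented plant. Each machine is its own segment behind a gateway, grants are
# issued centrally with an expiry, and a segment can be sealed like a ship's bulkhead.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set

@dataclass(frozen=True)
class Grant:
    subject: str        # person or machine identity
    segment: str        # the machine segment the grant covers
    expires: datetime   # hard end of the grant, so revocation cannot be forgotten

@dataclass
class Gateway:
    """Central policy point. Segment and subject names are constructed."""
    grants: List[Grant] = field(default_factory=list)
    sealed: Set[str] = field(default_factory=set)   # segments closed after an incident

    def grant(self, subject: str, segment: str, hours: int, now: datetime) -> Grant:
        g = Grant(subject, segment, now + timedelta(hours=hours))
        self.grants.append(g)
        return g

    def seal(self, segment: str) -> None:
        """Close the bulkhead: no access to this segment until it is reopened."""
        self.sealed.add(segment)

    def is_allowed(self, subject: str, segment: str, now: datetime) -> bool:
        if segment in self.sealed:
            return False
        return any(g.subject == subject and g.segment == segment and g.expires > now
                   for g in self.grants)

def demo() -> dict:
    now = datetime(2020, 3, 1, 8, 0)            # constructed timestamp
    gw = Gateway()
    gw.grant("vendor-A", "line1-press", hours=4, now=now)       # maintenance window only
    gw.grant("operator-bob", "line1-press", hours=8, now=now)
    h = lambda n: now + timedelta(hours=n)
    result = {
        "vendor_during": gw.is_allowed("vendor-A", "line1-press", h(1)),        # True
        "vendor_other_segment": gw.is_allowed("vendor-A", "line2-robot", h(1)),  # False
        "vendor_after": gw.is_allowed("vendor-A", "line1-press", h(5)),         # False
    }
    gw.seal("line1-press")                       # incident on the press: close bulkhead
    result["operator_after_seal"] = gw.is_allowed("operator-bob", "line1-press", h(1))  # False
    return result
```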
Cyber security as added value?
Exactly, security as a basic building block and part of the infrastructure strategy. Industry 4.0 means networking and anyone who networks must secure. However, the added value comes neither from networking nor from security, it comes from the data. The combination of these aspects results in added value and ultimately a tool that can be used to design processes.
We have been hearing more and more about anomaly detection recently. What role does it play in a security concept?
During anomaly detection, the actual state is compared with a previously recorded reference state. If an error occurs, it recognizes it, but cannot actively protect against it. But for anomaly detection to work, I first have to create a basis, and I create this basis by segmenting a network, authenticating users and authorizing their tasks. This is the ABC: if a resource is not publicly accessible, I cannot attack it.
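Anomaly detection as described in this answer, as an added example that is not Endian's code: the observed state of a production network is compared with a previously recorded reference state. Both captures are constructed flow records (source, destination, port, Modbus function code); the detector only reports deviations and does not block anything.

```python
# Added example (not Endian's code): compare an observed network state against a
# recorded reference state. Flows are constructed; addresses and function codes
# are illustrative only.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, int]  # (src, dst, dst_port, modbus_function_code)

# Constructed reference capture: the HMI reads holding registers from two PLCs,
# the engineering workstation writes to PLC1 (fc 16) during commissioning.
REFERENCE: List[Flow] = [
    ("10.0.1.10", "10.0.1.20", 502, 3),   # HMI -> PLC1, read holding registers
    ("10.0.1.10", "10.0.1.21", 502, 3),   # HMI -> PLC2, read holding registers
    ("10.0.1.50", "10.0.1.20", 502, 16),  # engineering WS -> PLC1, write registers
]

# Constructed live capture containing two deviations from the reference.
OBSERVED: List[Flow] = [
    ("10.0.1.10", "10.0.1.20", 502, 3),
    ("10.0.1.10", "10.0.1.21", 502, 6),   # HMI now writes to PLC2: new function code
    ("10.0.1.77", "10.0.1.20", 502, 3),   # unknown host talking to PLC1: new peer
]

def build_baseline(flows: List[Flow]) -> Dict[Tuple[str, str, int], Set[int]]:
    """Reference state: for each (src, dst, port) the set of function codes seen."""
    base: Dict[Tuple[str, str, int], Set[int]] = defaultdict(set)
    for src, dst, port, fc in flows:
        base[(src, dst, port)].add(fc)
    return dict(base)

def detect(baseline: Dict[Tuple[str, str, int], Set[int]],
           flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Compare the actual state with the reference and return (reason, flow)
    findings. The detector only recognises deviations; it does not protect."""
    findings: List[Tuple[str, Flow]] = []
    for flow in flows:
        src, dst, port, fc = flow
        key = (src, dst, port)
        if key not in baseline:
            findings.append(("new-peer", flow))
        elif fc not in baseline[key]:
            findings.append(("new-function-code", flow))
    return findings

def run() -> List[Tuple[str, Flow]]:
    return detect(build_baseline(REFERENCE), OBSERVED)
```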