Cyberattacks
Significant rise in IT crime in 2021
The number of cyberattacks has risen rapidly in 2021. With the growing networking and integration of software, operational technology (OT) is also increasingly becoming the focus of attackers.
Endian, a leading security manufacturer in the field of Industry 4.0, recommends ten protective measures for OT in 2022.
"Security in OT presents completely different challenges to those in a classic IT environment," says Endian CEO Raphael Vallazza. "The service life of industrial systems in particular is very different from that of IT equipment. In IT, every system is considered obsolete after a maximum of five years and is replaced. In industry, machines and systems are in operation for much longer, which leads to very heterogeneous environments. This makes uniform updates for the operating system, firmware and anti-virus software, which is so heavily dependent on being up-to-date, much more difficult."
Networks in industrial companies that have grown over the years also pose a security risk: malware can quickly spread across entire production facilities via the numerous interconnection points. The coronavirus pandemic has further exacerbated the situation. "The pandemic has further blurred the clear distinction between internal and external access," explains Vallazza. "External maintenance personnel needed stable remote access, as did employees who had to do their work from home."
Endian recommends that companies implement the following measures to ensure the security of their OT environments:
Visualize networks
The graphical representation of networks helps to make their increasing complexity manageable. Seeing the various components, sensors and connections in front of you makes it easier to understand communication within the company and beyond its boundaries. Irregularities in the processes can thus be identified more quickly. At the same time, visualization forms the basis for network segmentation.
Segment networks
Ransomware is still the biggest threat to companies in Germany. Attackers encrypt company data using malicious code and then extort a ransom. The malicious code typically aims to spread through the networks as inconspicuously as possible in order to achieve maximum effect. Dividing the operational network into separate segments is therefore a fundamental step towards security in the OT area. IoT security gateways placed in front of the individual segments can be used to subdivide networks without requiring changes to the existing network structure.
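The segmentation principle above, as an added example that is not Endian's code or part of the original article: each production line and the office network is its own segment, a gateway in front of each segment drops every inter-segment flow that is not explicitly allowed, and traffic inside a segment is left alone. The segment names, subnets, rules and sample flows are all constructed for this illustration.

```python
"""Flow filter for a segmented OT network (constructed example):
segments are subnets, inter-segment traffic is denied unless an
explicit rule allows it, intra-segment traffic is not filtered."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segment plan: one security gateway sits in front of each segment.
SEGMENTS = {
    "office":      ipaddress.ip_network("10.10.0.0/24"),
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "line_a":      ipaddress.ip_network("10.30.1.0/24"),   # PLCs of production line A
    "line_b":      ipaddress.ip_network("10.30.2.0/24"),   # PLCs of production line B
}

# Explicit inter-segment allow rules: (source segment, destination segment, dst port).
# Anything not listed is dropped, so malware that lands in the office network
# has no network path into the production lines.
ALLOW_RULES = {
    ("engineering", "line_a", 502),    # Modbus/TCP from engineering workstations
    ("engineering", "line_b", 502),
    ("engineering", "line_a", 44818),  # EtherNet/IP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> Optional[str]:
    """Map an address to the segment that contains it, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(flow: Flow) -> str:
    """Gateway verdict for one flow; every unknown case fails closed."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return "deny"        # address outside the segment plan
    if src_seg == dst_seg:
        return "allow"       # intra-segment traffic never reaches the gateway
    if (src_seg, dst_seg, flow.dport) in ALLOW_RULES:
        return "allow"
    return "deny"


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    return [(f, decide(f)) for f in flows]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.30.1.10", 502),     # engineering -> PLC line A: allowed by rule
    Flow("10.10.0.7", "10.30.1.10", 502),     # office -> PLC: no rule, denied
    Flow("10.30.1.10", "10.30.2.10", 445),    # line A -> line B over SMB: denied
    Flow("10.30.1.10", "10.30.1.11", 445),    # inside line A: not filtered
    Flow("192.168.99.1", "10.30.1.10", 502),  # source outside the plan: denied
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{flow.src:>14} -> {flow.dst:<12} :{flow.dport:<5} {verdict}")
```

The third sample flow is the one segmentation is meant to stop: two production lines that have no business talking to each other cannot become a path for malware spreading from one to the other, while the legitimate engineering-to-PLC protocol traffic still passes.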
Introduce the zero trust concept
The further digitalization progresses, the less clearly corporate networks are bounded: suppliers and business partners need access to certain company resources for optimal planning, and the pandemic has moved many employees to the home office. The zero trust concept is based on the assumption that no access, whether internal or external, is trustworthy by default. Instead of relying on network location, it relies on the identities, authorization and secure authentication of users and machines for every single access.
Manage authorization and authentication centrally
Setting up user accounts and credentials ensures that only authorized employees have access to machines and systems. To manage this, administrators need a central tool that lets them create, change or delete roles and authorizations in real time. Access rules can increase security further. For example, it is possible to specify that employees may only access the networks from certain countries; regions in which the company has neither branches nor customers can be excluded.
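A central authorization check of the kind just described, as an added example that is not Endian's code: a single directory holds each user's role, each role lists the systems it may reach, and a company-wide country allow-list (optionally tightened per role) is applied before the system check. The users, roles, systems, countries and the key=value access log lines are all constructed for this example.

```python
"""Central role- and country-based authorization (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed company default: countries with branches or customers.
ALLOWED_COUNTRIES: Set[str] = {"DE", "AT", "IT"}


@dataclass(frozen=True)
class Role:
    systems: Set[str]                      # systems members of the role may reach
    countries: Optional[Set[str]] = None   # tighter geo rule for this role, None = company default


ROLES: Dict[str, Role] = {
    "operator":   Role(systems={"hmi-line-a"}),
    "maintainer": Role(systems={"hmi-line-a", "plc-line-a"}, countries={"DE", "AT"}),
    "admin":      Role(systems={"hmi-line-a", "plc-line-a", "gateway-1"}),
}


@dataclass
class Directory:
    """The single place where roles are granted, changed or revoked."""
    users: Dict[str, str] = field(default_factory=dict)   # user name -> role name

    def assign(self, user: str, role: str) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.users[user] = role

    def revoke(self, user: str) -> None:
        self.users.pop(user, None)


@dataclass(frozen=True)
class Request:
    user: str
    system: str
    country: str


def authorize(directory: Directory, req: Request) -> str:
    """Return 'allow' or a 'deny: <reason>' string; every check fails closed."""
    role_name = directory.users.get(req.user)
    if role_name is None:
        return "deny: unknown user"
    role = ROLES[role_name]
    permitted = ALLOWED_COUNTRIES if role.countries is None else role.countries
    if req.country not in permitted:
        return "deny: country not permitted"
    if req.system not in role.systems:
        return "deny: system not in role"
    return "allow"


def parse_log_line(line: str) -> Request:
    """Parse a constructed 'timestamp key=value ...' access log line."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])   # skip the timestamp
    return Request(fields["user"], fields["system"], fields["country"])


# Constructed access log.
SAMPLE_LOG = """\
2022-01-10T08:15:00Z user=mueller system=plc-line-a country=DE
2022-01-10T08:16:30Z user=mueller system=plc-line-a country=US
2022-01-10T08:17:05Z user=rossi system=plc-line-a country=IT
2022-01-10T08:18:40Z user=nobody system=hmi-line-a country=DE
2022-01-10T08:19:12Z user=rossi system=hmi-line-a country=IT"""


def build_directory() -> Directory:
    d = Directory()
    d.assign("mueller", "maintainer")
    d.assign("rossi", "operator")
    return d


def evaluate_log(directory: Directory, log: str) -> List[Tuple[str, str]]:
    return [(line, authorize(directory, parse_log_line(line))) for line in log.splitlines()]


if __name__ == "__main__":
    directory = build_directory()
    for line, verdict in evaluate_log(directory, SAMPLE_LOG):
        print(f"{verdict:<26} {line}")
    # Revocation takes effect immediately because there is exactly one store to change.
    directory.revoke("mueller")
    print(authorize(directory, Request("mueller", "plc-line-a", "DE")))
```

The second log line shows the country rule doing its work: the same maintainer who is allowed onto the PLC from Germany is refused from a country where the company has no presence, before the role is even consulted.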
Two-factor authentication
Insecure passwords are a major security risk in the OT environment too. Companies should rely on two-factor authentication, especially in light of the continuing trend towards working from home. In addition to a password, users then need a second factor to log in to a machine or network. A so-called "possession factor" is often used, for example a one-time password sent to the user's smartphone.
M2M communication with certificates
Machines also increasingly communicate with each other. The same principle applies here as for human-machine communication: appropriate authorization is required for access. Certificates give each device a unique identity with which it can authenticate itself to machines, systems and people.
Focus on edge computing
Before data is sent to a central cloud, it must first undergo a preliminary evaluation where it is collected, i.e. in the respective machine or system. This saves bandwidth and ensures that less data is exposed to the risk of theft or manipulation in transit.
Encrypt communication
As soon as data is exchanged between the edge and the cloud, it is exposed to particular risks. A VPN establishes an encrypted tunnel for each transmission and thus ensures that the data is unusable to anyone attempting to intercept or record the communication.
On-premises solution
Companies should retain their independence at all times and be able to decide for themselves where their sensitive data is managed. On-premises solutions offer maximum flexibility, as they can be run in the cloud, in the company's own data center or at its IT service partner (system integrator).
Raise employee awareness
Most malicious code enters a company via phishing emails. By fabricating a pretext or a false identity, attackers try to persuade an employee to open an infected attachment or link. Regular training and testing help to actively involve employees in cyber defense.