Cybersecurity tools

Andreas Mühlbauer

Transfer data securely

Mobile data carriers are one of the threats to the security of production facilities. Intelligent cybersecurity tools ensure stable IT and OT systems in industry.

Intelligent hardware and software prevent infected data from entering production. © Opswat

The degree of networking and digitalization in German production still has a lot of untapped potential, especially among SMEs. In 2018, the digitization rate was only 30 percent, and only 20 percent for smaller companies. According to the management and strategy consultancy McKinsey, Germany as a business location can achieve a total of 126 billion euros in additional value creation by 2025 through consistent digitalization and thereby offset locational disadvantages. After all, 25 percent of value creation in Germany comes from the manufacturing industry.

However, cybersecurity is one of the obstacles that prevent companies from pushing ahead with digitization and networking. No wonder, as the "hidden champions" of German industry are experts in their field, but not always in the area of cybersecurity in operational technology (OT). Physically separate (air-gapped) production environments are becoming rarer, but still guarantee high availability and protection against attacks and manipulation. IT and OT are increasingly using the same standards and infrastructures. Nevertheless, OT is generally still lagging behind when it comes to IT security.

Defense-in-depth approach

A 2018 study by the SANS Institute shows that 25 percent of attacks on companies are attributable to employees and another 16 percent to service providers. In total, 41 percent of all attacks originate inside the firewall. The German Federal Office for Information Security (BSI) therefore recommends both perimeter protection (sealing off from the outside) and internal segmentation into isolated zones within production, following the American defense-in-depth approach. Internal perpetrators and service providers in particular cannot be countered with the usual cybersecurity measures; for them, the BSI recommends special technical and organizational measures (TOM).


In addition to all the available and possible vectors for cyber attacks, analog paths must not be ignored. Malware can easily bypass the firewall via infected USB sticks belonging to employees, service technicians and visitors. Isolated production environments are also not sealed off from mobile storage devices for understandable reasons. Similar to the security checks at the airport, so-called data locks, also known as removable media locks, help here.

These are kiosk systems that check the storage devices brought in by visitors for malware. All major manufacturers of data locks use so-called anti-malware multi-scanners, which bundle several anti-virus engines. A storage device is therefore scanned not with one anti-virus engine but with anywhere from two to around 30 AV solutions, depending on the manufacturer. This is necessary because, according to the BSI, over 300,000 new malware variants appear every day. To keep the waiting time for visitors short, it makes sense for the multi-scanner to run all integrated engines in parallel, i.e. simultaneously, especially when up to 30 AV engines are involved.

Log visitor data

Visitors who want to enter a sensitive IT or OT area must therefore have any data carriers they bring with them checked. Before the check, the system asks for the visitor's details and those of the host employee and logs everything. If all data on the data carrier passes the check, the probability that no malware is present on the carrier is over 99.5 percent.

The residual risks are so-called zero-day exploits: previously unknown security vulnerabilities that attackers have already exploited successfully. If the heuristics in the malware scanners do not detect executable program code or command calls, the way is clear for zero-day exploits. The file disinfection option in data locks provides effective protection against this residual risk as well. File disinfection works on the assumption that any file type that can carry malicious code is treated as if it were infected. Risky file types such as audio and video files and Office documents, which may contain embedded malware, are therefore converted into harmless files without exception, and any links that may still be contained in PDFs are rendered harmless.
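The decision logic of the data lock described in the two passages above (parallel multi-engine scanning, plus disinfection of risky file types even when no engine fires), as an added model written for this article and not the code of any data-lock vendor; the engine names, their toy signatures and the set of risky extensions are constructed assumptions:

```python
"""Model of a data-lock decision pipeline: several constructed signature
engines scan a file in parallel, any hit blocks the file, and file types the
article treats as risky are sent to disinfection even when no engine fires."""
from __future__ import annotations
from concurrent.futures import ThreadPoolExecutor

# Constructed toy signature sets. Coverage overlaps only partly, which is the
# reason the article gives for bundling several engines in a multi-scanner.
ENGINES = {
    "engine_a": [b"BAD_SIG_1"],
    "engine_b": [b"BAD_SIG_1", b"BAD_SIG_2"],
    "engine_c": [b"BAD_SIG_3"],
}
# Types treated as infected by rule and converted to a harmless form (assumption).
RISKY_TYPES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".mp3", ".mp4"}


def scan_with(engine: str, data: bytes) -> str | None:
    """Return the engine's name if one of its signatures matches, else None."""
    return engine if any(sig in data for sig in ENGINES[engine]) else None


def multiscan(data: bytes) -> list[str]:
    """Run every engine simultaneously (one worker each) and collect the hits."""
    with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
        hits = list(pool.map(lambda e: scan_with(e, data), ENGINES))
    return sorted(h for h in hits if h)


def decide(filename: str, data: bytes) -> dict:
    """Verdict for one file: block on any hit, disinfect risky types, else allow."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    hits = multiscan(data)
    if hits:
        action = "block"
    elif ext in RISKY_TYPES:
        action = "disinfect"  # converted copy is released, original is not
    else:
        action = "allow"
    return {"file": filename, "engines_flagged": hits, "action": action}


def process_device(visitor: str, host: str, files: dict[str, bytes]) -> list[dict]:
    """Log visitor and host employee next to every verdict, as the kiosk does."""
    return [{"visitor": visitor, "host": host, **decide(n, d)} for n, d in files.items()]


def device_passes(report: list[dict]) -> bool:
    """The carrier may enter only if nothing on it was blocked."""
    return all(r["action"] != "block" for r in report)
```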

Secure data transmission into the production network

Once a mobile data carrier has passed the data lock, the visitor can either take their own storage device into the sensitive IT area or copy the data to a mobile data carrier provided by the company and use only that one inside. Another option is to copy the data from the storage device to the data lock itself and have it checked for malware there; this has the advantage that visitors do not have to wait for the scan result. The scanned files are then transferred via Secure File Transfer to a kind of vault that still sits in the IT network and are stored there. Only "virus-free" data is transferred into the data vault, over a secure connection, and all files in the data vault are continuously rescanned with the latest anti-malware signatures.

Because the data vault is located outside the OT, an isolated production network remains sealed off. Files scanned via the data lock are requested from the data vault using individual codes and transferred securely. If desired, file access can be permitted only after a preset time, which makes the data vault behave like an internal sandbox that keeps testing new files over a period of time. Granular user management determines the type of authentication and the file types that can be accessed. It is important that guests and employees can only ever access their own files. When guests leave the company, their files are deleted as well.
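The data-vault behaviour described above (individual pickup codes, owner-only access, a preset hold time during which files are rescanned, and deletion when a guest leaves), as an added model for this article, not any vendor's product code; the class name, the default hold time and the injected `is_clean` check are assumptions:

```python
"""Model of the data vault between the data lock and the OT network."""
from __future__ import annotations
import secrets
from typing import Callable


class DataVault:
    def __init__(self, hold_seconds: int = 3600):  # preset delay (assumption)
        self.hold_seconds = hold_seconds
        self._entries: dict[str, dict] = {}  # individual pickup code -> entry

    def deposit(self, owner: str, name: str, data: bytes, now: float) -> str:
        """Store an already scanned file for `owner`; return its pickup code."""
        code = secrets.token_urlsafe(12)
        self._entries[code] = {"owner": owner, "name": name, "data": data,
                               "stored_at": now}
        return code

    def rescan(self, code: str, is_clean: Callable[[bytes], bool]) -> bool:
        """Re-check a held file with the latest signatures; drop it if flagged.
        Returns True if the file is still held afterwards."""
        e = self._entries.get(code)
        if e is None:
            return False
        if not is_clean(e["data"]):
            del self._entries[code]
            return False
        return True

    def fetch(self, requester: str, code: str, now: float) -> bytes | None:
        """Release only to the owner and only after the hold time has elapsed."""
        e = self._entries.get(code)
        if e is None or e["owner"] != requester:
            return None  # unknown code, or someone else's file
        if now - e["stored_at"] < self.hold_seconds:
            return None  # still inside the sandbox period
        return e["data"]

    def offboard(self, owner: str) -> int:
        """Delete everything a departing guest deposited; return the count."""
        codes = [c for c, e in self._entries.items() if e["owner"] == owner]
        for c in codes:
            del self._entries[c]
        return len(codes)
```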

Malware must stay outside

Cybersecurity must also play a greater role in production environments in the future. However, malware can also be "invited" into the company. Manufacturers and service providers come into the company for service work and product presentations and often bring mobile data carriers with them. The danger posed by internal perpetrators should not be underestimated. Data locks are a technical and organizational measure to protect sensitive IT and OT areas from cyberattacks via mobile storage devices.

Robert Korherr, Managing Director of ProSoft
