Digitalisation has its price. The networking of people, machines and companies not only increases productivity and sustainability but also the risk of a cyber attack.
The VDMA Cybersecurity Congress at Metav 2020 (11 March 2020) offers potential ways of resolving this dilemma. Heinz-Uwe Gernhard is head of the VDMA Security working group and in his principal occupation he is responsible for IT security at Robert Bosch in Stuttgart. In an interview with VDW he reveals his recipe for success: vigilance training for cyber attacks.
Mr Gernhard, has cyber security awareness increased?
Yes, but not to the extent that I expected when we launched the Security Working Group in 2012. There is still urgent need for action because Germany and the EU are demanding measures for greater protection against cyber attacks, including in production, in the form of laws and regulations. Deploying additional IT is certainly one way of achieving this. But without the necessary knowledge and organisational skills, this alone will not be enough to reach the necessary security levels. Industry 4.0 developments are certainly helpful here, but unfortunately cyber security is just one of many aspects.
What do you recommend to newcomers in this field?
Just start taking precautions, both technical and organisational. It's a bit like the annual flu epidemic. You have a higher risk of getting it without a flu job. In today's networked world, no one is safe from cyber attacks. There needs to be a change of heart here.
What measures should companies that are currently undergoing an Industry 4.0 digital transformation process take?
This is a task for management — clear and simple. The managers must identify the risks that are attached to networking and then define suitable measures. With regard to production technology availability, they must understand the risk of considerable damage being done. Interconnectivity means that nobody is immune. If you follow the trade press, there is a constant stream of news items on this — such as that of a cyber attack practically paralysing the IT of a specialist safety and control technology company. The company decided to go public with the incident. I think that's important and it's the right approach because we are all in the same boat.
Nevertheless, openness is still the exception when it comes to cyber attacks. To what extent can networks such as the VDMA Security Working Group, which you spearhead, help in this? By getting network members to talk openly to each other about cyber attacks?
We take a proactive approach by clearly identifying the risks and providing assistance on a wide range of issues. I think it is crucial that we work together to ensure transparency across association boundaries. The Industry 4.0 platform link also offers a good starting point www.plattform-i40.de.
Some companies are now starting to alert their employees to different fraud scenarios. What do you think of the new buzzword “cyber resilience”?
This is the right approach, because awareness offers the best protection for this type of threat. Every user of cyber technologies should be cyber resilient.
Where do you think we are right now with security IT?
Let me make a comparison with road vehicles. In 1920, motorists needed a completely different level of risk awareness to today's drivers because cars now demand much less attention as a result of all the built-in systems. The vehicles themselves and the infrastructure make driving today much less risky. Our IT is currently at the level of a 1920s car in terms of the inherent risks. It requires a high level of attention from users and a wide range of knowledge. Awareness is a key topic right now.
Isn't that scaremongering?
No, it's not scaremongering, at all. Marc Elsberg's novel Blackout plays out various scenarios. The technical aspects he includes are not fictional, but reflect the current realities. He has merely packaged them in an exciting fictional work. The Government is also getting involved in the form of the IT Security Act (Kritis), which is currently being revised.
The IT expert Peter Turczak told VDMA magazine: “I would never put critical data into a cloud.” However, companies need data in order to implement Industry 4.0 and need to store it securely. What belongs in the cloud and what doesn't?
My IT colleague here is addressing the central requirement of OT (Operational Technology) for availability. As a communications engineer, I am well aware of the competition between bandwidth, local computing power and, of course, cost. With the right bandwidth, the cloud can facilitate the provision of a centralised application with a great deal of computing power to a large number of users. Users must weigh the type of cloud usage against their willingness to take risks, their availability requirements, and their technical and organisational capabilities. Another important question, of course, is how to guarantee the dependability or trustworthiness of the provider.
So it's a question of trust?
Yes, I need to ask myself whom I trust to do what. Do the technical measures, contracts and service provider certifications offer sufficient legal protection?
Most machine tools at METAV 2020 have Internet connections: What should trade fair visitors be looking out for here?
Hopefully the link is not via an open Internet connection, but a trustworthy one, as I just mentioned. Don't just ask about the technical solution itself, but also about the provider's organisational capabilities. From a technical point of view, private VPN networks based on an appropriate contract are best here.
How can trade fair visitors prepare for their meetings?
Help is provided by ISO/IEC 62443. Part 2-4 contains the “Security program requirements for IACS service providers” and provides a framework for the key aspects when considering offers. Otherwise, regulations and standards, even if they are often inflexible, can be helpful and effective here.