Digitalization, sure – but secure

Small and medium-sized businesses are hesitant to embrace digital business models. They often cite the fear of a cyber-attack as a reason. Here, cybersecurity can give companies a competitive edge, as this fourth part of our series shows.

Is there any good aspect to the coronavirus? It seems so. “Corona has boosted digitalization,” says a pleased Dorothee Bär, the German government's Minister of State for Digital Affairs. The fact that it takes a pandemic to drive digitalization forward may be less flattering for politicians and businesses. But better late than never. The hope is that, once the virus is defeated, businesses and administrative authorities will be able to reap the fruits of accelerated digitalization.

 

While this is good news to some, it makes others nervous. Take the experts at the Federal Office for Information Security (BSI), for example. They also deal with viruses. These viruses, however, don’t endanger our health – instead, they haunt the Internet and infect PCs, IT networks and industrial plants in order to steal information, extort ransom money or damage the reputation of businesses. Digitalization cannot succeed without IT security, warns the BSI. And what’s more: “Ignoring cyber risks can destroy your own business,” says Natalia Oropeza, Chief Cybersecurity Officer at Siemens. “Without cybersecurity, Siemens, for example, would barely survive the next few years.”

Adequate cybersecurity is not only a must, it also represents enormous added value: Protection against attacks makes products and services more reliable, secures customer trust and improves competitiveness. According to BSI, investments in cybersecurity are therefore investments in economic success, especially for small and medium-sized companies.

Skeptical at first

One good example is Kallfass in Nürtingen, in southern Germany. The manufacturer of foil packaging machines has recently begun upgrading its machines for predictive maintenance. To put it simply, the machine reports a “0” when the sealing die is on the bottom and “1” when it is at the top. “An attacker cannot tell what the many zeros and ones throughout the factory mean,” says Michael Rempfer, technical director at Kallfass. It isn’t apparent until the software in the main computer assigns a meaning to the signals, such as the number of welding cycles and thus the soiling and time for cleaning. In addition, data traffic is a one-way street – the machine only sends information. Kallfass can thereby win over even skeptical customers who want to capture operating data but don’t want external access to their network. “This prevents downtime and saves costs,” says Rempfer.

A blessing in disguise

Pilz has learned what can happen when things suddenly come to a standstill. The automation company, which manufactures safe automation solutions (safety), was the victim of a cyberattack in October 2019 that targeted the company’s IT security. Hackers used ransomware to encrypt part of the data, then blackmailed the company for ransom. However, Pilz did not respond to the demands and contacted the police. A blessing in disguise: “No customer or supplier data was stolen,” reports Thomas Pilz. Most companies that experience such an attack keep it secret. But not Pilz. Ultimately, the managing partner believes that the incident has made his company better positioned in terms of cybersecurity than before. Nevertheless, this is one experience Pilz would gladly have done without. The company has therefore shared this information in the hope it can raise awareness and help other companies avoid the same experience.

In 2019 Siemens published more advisories than all of the company’s competitors combined.

Transparency as a competitive factor

Siemens is a pioneer when it comes to product vulnerabilities. In 2019, the company published 163 advisories, recommended actions for handling security gaps, for its products – more than all of the company’s competitors combined. But that doesn’t mean that the software used in Siemens products is deficient. “Weaknesses are just as common among competitors, but we at Siemens are particularly meticulous in uncovering vulnerabilities, finding solutions for them and communicating transparently with our customers,” emphasizes Klaus Lukas, the Head of Innovations in the Siemens ProductCERT (Product Computer Emergency Response Team).

Birth certificate for machines  

Trust is also essential when it comes to connecting machines and objects via the Internet of Things. Is the machine what it claims to be? Or is it actually a hacker who has tapped into the communication and wants to steal or manipulate data? Together with Siemens, PrimeKey has developed a solution for this. The Identity Authority Manager makes it possible to issue a type of birth certificate – a digital certificate – for such attempts. These certificates are issued by a certification authority (CA) highly trusted by all communication partners. Only in combination with the right private key can the component be identified as a true Siemens device and securely communicate with other components within the network. “Users can therefore utilize a digital birth certificate for creating inventories, automatic configuration and incorporation into their infrastructure or performing remote maintenance,” says Hendrik Brockhaus from the Security Architecture Team at Siemens. Brockhaus adds: “Just as is the case with the Data Capture Unit from Siemens, the Identity Authority Manager represents a cybersecurity component, which small and medium-sized enterprises can use to make their facilities and devices even more secure, reduce the risk of cyberattacks and thus reap the benefits of digitalization.”

Know-how transfer from Siemens

In addition to secure technology, know-how is essential. Siemens’ expertise can help here. With its holistic cybersecurity approach, Siemens protects not only its own infrastructure, but also its products, solutions and services. In doing so, the company supports businesses with a full range of information – from security checks and web-based training for employees to service packages for securing Siemens control systems. “With just a few concrete measures, you can take critical steps and significantly improve your own cybersecurity,” emphasizes Natalia Oropeza.

Click here if you would like to know more about the cyber risks that small and medium-sized enterprises face and learn what you can do to tackle them — including with assistance from Siemens.

Our series of five articles explains what small and medium-sized companies can do to protect themselves against cyber risks. This is the fourth article in the series. The series examines why smaller companies are more frequently impacted by attacks and what role employees play. The articles also provide tips on how companies can protect themselves against attacks at reasonable expense and leverage this as part of their business strategy — for example with concrete assistance from Siemens. As soon as a new article appears in a two-week interval, it, too, will be linked in this article.

 

Part 1: Room for improvement

Part 2: Far too low-hanging fruit

Part 3: Human beings: the chink in the armor

Bernd Müller

Subscribe to our Newsletter

Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.