Cybersecurity in production: From a nice-to-have to a must have

Factories are increasingly adding digital features – and becoming more tempting targets for hackers in the process. Any company that invests in cybersecurity can protect itself and even come up with new business models at the same time. This article is the first of a four-part series that will explore the issue of industrial cybersecurity.

Posting a vacation photo on Instagram, checking your bank account or booking a flight: We lead digital lives. Some of us would be more than willing to spend a few days alone without our partners but certainly not without our smartphones. At work, we no longer think twice about the information technology that surrounds us – a company would soon find itself in hot water if it failed to use software for personnel management or video conferencing with colleagues. So far, so good. But what about factories? The mere thought of the word “factories” conjures up visions of ear-splitting machinery and grimy grease, not bits and bytes. We need to think again: IT is rapidly taking hold of production operations, too – experts simply call it the convergence of IT and OT (operational technology). The conversion is already paying off in many ways: A virtual model of a product – a digital twin – helps plan and monitor the life cycle of a product. The transformation also facilitates the creation of new business models, things like operation models in which customers no longer buy a piece of equipment and simply pay only for the time that they use it. The entire process requires data, lots of data.

 

There is just one problem: As IT and OT are being converged, the OT increasingly has to deal with a problem that IT experts are all too familiar with – the threat of cyberattacks. The chinks in the armor arise from the bond that links the machines to one another and the Internet. Hackers can sneak through these unguarded fissures and cause devastating damage, damage that can even disrupt our daily lives if things go really bad. Colonial Pipeline, the operator of the largest fuel pipeline in the United States, suffered such a withering attack in May 2021. The company ultimately had to pay millions of dollars in ransom to resume deliveries of gasoline to filling stations. Reports about successful attacks and cyberrisks appear in the media every few weeks. Another major attack occurred in 2021 when hackers set their sights on SolarWinds and Log4j, a small piece of software that is employed in Java applications that are used to run servers.

 

Such media reports are only the tip of the iceberg. Companies around the world are being attacked day in and day out by hackers whose weapon of choice is ransomware. Many of these companies pay the ransom to the blackmailers simply so that the can resume operations.

When OT lost its innocence

Franz Köbinger, a cybersecurity expert at Siemens Digital Industries, remembers exactly when OT lost its innocence: It was 2010, and the attack became known around the world as the “Stuxnet incident.” “This was the first time that hackers intentionally set their sights on the OT. Cyberattacks on industrial facilities and automation systems have taken off ever since.”

 

Nonetheless, Siemens is fighting back, conscious of its role as a manufacturer of industrial automation systems. The company has made the issue a central element of its operations. It is an effort that includes a Siemens-wide Product & Solution Security Initiative and the central cybersecurity unit CYS. “There will be no return to the analog world, that time when production plants were shut off from the outside world,” Köbinger says. The efficiency gains created by digitalization in production are simply too great to give up. But work performed with such things as digital twins and artificial intelligence requires the real-time transmission of huge amounts of data and, thus, a comprehensive network. Automation systems and control units have been a part of IoT for years now.

Two-thirds of costs for software

An example from the rail industry illustrates just how quickly things have changed: Ten years ago, software made up just 10 percent of the costs of an interlocking. Today, it is more than 30 percent – and it will rise to 65 percent in a few more years. This digitalization process will pay off tremendously for the rail industry. One example of this is the digitalization of the entire Norwegian rail network, which Siemens will complete by 2034. The company is installing digital signaling technology on around 4,200 kilometers of track and 375 stations, which enhances safety, punctuality and capacity on the rail system.

Because this digital transformation is so critical, cybersecurity must be able to ensure the availability and integrity of systems at all times. We would rather not think about what could occur if an interlocking was improperly set during a hacker attack and caused two trains to collide.

 

In spite of the seriousness of the threat, many companies continue to take a carefree attitude about their OT. In the study “State of Operational Technology and Cybersecurity” conducted by Fortinet, a provider of information-security software in the United States, half of respondents acknowledged that their machinery was not protected from cyberattacks. A total of 91% of respondents demand that IT and OT should be jointly responsible for machinery security. But only half of the companies take such an approach.

 

Fortinet cited several different reasons for the lackadaisical approach to OT security. One is the long life cycles of machinery, something that may extend for decades. Such life cycles complicate protection efforts when an interface to the Internet has to be added to the machinery. Another reason is the complexity and heterogeneity of companies’ plants. These two factors make it difficult to erect an integrated line of defense. But the biggest factor of all is the high priority that companies place on availability. A production operation should never go offline, even when security updates are installed. As a result, companies tend to put off such installations for a long time. In the process, though, companies expose themselves to the risk of hacker attacks and the shutdown scenarios that they dread so much. Nonetheless, the scheduling of a patch window that includes a brief, orderly shutdown (if it turns out to be really necessary) is certainly better than a weeks-long, ransomware-triggered stoppage.

Standalone solutions are frequently used

“Major companies like those listed on Germany’s blue-chip index, the DAX, have a good grasp of the problem and have become role models,” says Saman Farsian, the Head of Cybersecurity OT Protection and Consulting at Siemens. “But the situation is pretty bad once you look beyond the DAX companies and their suppliers.” Small companies frequently understand what is at stake, but lack the know-how needed to reinforce their lines of defense from hackers, Farsian says. Such companies generally rely on standalone solutions and lack an integrated security strategy for the entire company, he adds.

If at all. Most frequently, colleagues call Franz Köbinger and Saman Farsian only after hackers have launched their attack – or they notice that the artillery shells are landing closer and closer to them. This was the case at one dairy, an operation that was not interested in cybersecurity solutions at all – because it believed that it was simply too unattractive to hackers. Times quickly changed after a competitor was hit by a massive attack that forced it to pay a high ransom. Suddenly, the dairy rolled out the red carpet to Siemens experts and a budget to pay for protection was available. A European automaker had to pay a ransom, too. Siemens initially submitted an offer to automate a production facility and enhance its cybersecurity in the process. The automaker initially turned down the offer. Things changed a few months later – after a cyberattack knocked the production facility out of operation. Farsian compares cybersecurity to an insurance policy: It costs money and provides no benefits at first – but you urgently need it when damage occurs.

 

But the comparison does not fit completely. This is because investments in cybersecurity pay off today even if no attack happens to be under way at that particular moment. In industries like the automotive sector or critical infrastructure, suppliers can forget about winning contracts if they cannot demonstrate that they meet certain standards or have particular certifications. Cybersecurity also enhances a company’s competitiveness and even clears the way for brand new digital business models.

 

Franz Köbinger says his mission and that of his colleagues is really just beginning: “Hackers continue to get better and better. They are also using new technologies to launch their cyberattacks. Concepts and security mechanisms in the OT must be continuously improved and kept up to date.”Hubertus Breuer.

Bernd Müller

Click here for more articles of our series, that will explore the issue of industrial cybersecurity.

 

Part 1: Cybersecurity in production: From a nice-to-have to a must have

Part 2: OT cybersecurity: no longer a niche field 

Subscribe to our Newsletter

Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.