Industrial Cybersecurity: The Elephant on the Factory Floor

The security status quo

Information security is already high on the agenda of managers and executives. However, one aspect in particular is currently coming into focus: the digitalisation and increasing interconnection of critical infrastructure and production facilities with a simultaneous increase in cyberattacks by professionalising hacker units and state actors is leading to an unprecedented threat situation. To make matters worse, the latest technologies often come up against outdated legacy equipment and systems that were never intended to be interconnected, especially not to untrustworthy networks like the internet.

This is because while in pioneering industries where products themselves are networked or production processes have been modernised and digitalised, security aspects have usually also been considered. This is often not the case with legacy production processes and technologies. Those are used heavily in critical infrastructures. Digitising them often means adding features like remote maintenance and monitoring functions to legacy control systems by using unsecure technology and interfaces.

The biggest challenges for industrial security

When legacy technology is interconnected and enhanced with digital capabilities, IT and OT converge. The risks of this convergence should not be underestimated for several reasons:

1. In times of new geopolitical conflicts, economic espionage and terrorism, industrial plants are becoming worthwhile targets with high blackmail potential, even beyond critical infrastructures.
2. Completely destroyed production batches, robots that go rogue, power outages in entire districts: The damage potential for OT attacks is often immensely greater than for pure IT incidents.
3. There is often a lack of mature technical and organisational protective measures. If a non-connected facility suddenly needs to be accessible via the internet, insecure workarounds are often used. Inadequately protected remote access or lax rules for physical access? Not uncommon.
4. In many places, outdated operating systems are no longer supported by the manufacturer. Replacements or updates often require fundamental changes in the production processes and associated investments in the millions.

Many companies, for example from critical infrastructures, as well as many SMEs, are economically forced to digitise quickly in order not to lose touch with customer needs and thus match their sales expectations. On the other hand, they are obliged by law to comply with stricter regulations (KRITIS, IT-SiG 2.0/3.0, NIS 2.0).

The conclusion: an overarching industrial security strategy is becoming a must for companies. How and in which phases should the OT transformation and the associated IT-OT convergence take place? How can this be secured with regard to physical security and cybersecurity? What security capabilities need to be built? How can manufacturers, suppliers and partners be integrated optimally?

Fertile ground for incidents: High speed, little strategy

In operational reality, however, OT security or the digitalisation of industrial plants in general is often still a niche topic. Beyond operational safety or operational maintenance, it is rarely strategically planned or systematically addressed. The fact that, in addition to advantages and business potentials, digital and networked OT can sometimes also bring tangible dangers into the production halls is often overlooked.

There are three main reasons for this:

1. Lack of strategic and operational differentiation between OT and IT security
In our day-to-day consulting work, we see it time and again: companies often do not see OT security as a process that has to be continually exercised and improved with its own specific requirements. Without a specific organisation and own domain knowledge, the vision of secure operating technology remains primarily one thing – a vision. Although there is often a separate department for IT security, this lacks the specific understanding of OT requirements. Conversely, the people who operate the OT are not familiar enough with IT security and the challenges of digitalisation. Here, a strict strategic alignment or even new operating models are needed in order to centrally anchor the adaptation to technological change not only in the IT infrastructure, but also in the systems and machines that are needed for "the product".

2. There is not only a lack of skilled workers, but even of roles
If already overworked employees from the plant engineering department suddenly have to be responsible for cybersecurity aspects as well, the shortage of skilled workers is doubled. Where a lack of skilled workers is already a problem today, companies will need a role structure in the future that takes into account the new requirements of the networked industry.

3. Manufacturer lock-in equals security lock-out
Even before they were networked, industrial plants were highly specialised, complex in design and so expensive that every adaptation had to be carefully considered. If an entire production hall full of machines and systems is to be digitally networked, companies are often only able to network their production processes, machines and technologies appropriately with the close support of individual manufacturers or external service providers. The result: a highly heterogeneous and fragmented manufacturer market in which companies find it difficult to define and, above all, implement their own safety standards across the board.