News + Stories: What is security for you?
Stefan Trabesinger: The framework conditions are constantly changing, so there are security gaps and corresponding attacks. That is why security is not a product, but a process. The PDCA cycle is helpful here: Plan, Do, Check, Act – carried out repeatedly, a continuous improvement process can be created.
What is the danger if security is not guaranteed or continuously monitored?
Trabesinger: The danger can be multifaceted. If someone breaks into my system and installs a Trojan, for example, all my data can be read out. If I haven’t installed any monitoring systems, valuable expertise flows away unnoticed – classic industrial espionage. Another risk is sabotage, for example, when systems and data are encrypted and the “key” is only supplied in return for a certain amount of money, preferably in Bitcoin. This is a commercial and financial danger. However, if systems on the shop floor of an interconnected factory are attacked, it can also be dangerous for humans. For example, if a robot that is in remote maintenance mode is unexpectedly set in motion by malware. Occupational safety and IT security are becoming more closely linked in times of increasing system integration.
What is your perspective on security in your professional field?
Trabesinger: My focus is on security in computer-controlled, interconnected production. At the smart factory, various machines for manufacturing and assembly are connected to form a holistic, cyber-physical production system. The processes are planned in advance using simulations, and when the work instruction is finalised, it is sent to the machines and processed. Our machines are connected to the internet so that we can check their status, for example. This is relevant on a practical level for companies with distributed locations. Machines that are currently active send a status signal to a server via the internet, and the server forwards the status to the main site. If such a server is compromised, the status information can be changed.
Another security aspect is social engineering. There are USB slots on our machine tools that are required for certain processes. If someone has bad intentions, they could use a USB stick to install malicious code on the machines and cause huge damage, for example by causing a collision with a tool spindle. This would cause a few hundred thousand euros in damage, machine downtime and possibly even personal injury.
How does this interconnected way of manufacturing change IT security? What are the key differences to traditional factories?
Trabesinger: The big difference is that interconnection very often takes place via the internet. There is this phrase that the internet is evil because you can find anything in it. Therefore it is necessary to protect production infrastructure against malicious behaviour on the internet. This is relatively complicated, but there are aids available, such as norms, standards and regulations. They come in many variations, from very rudimentary to highly complex. These can be selected and adapted as required. It is a challenging act to balance the desire to make the best possible use of the internet for one’s own purposes, while at the same time being aware of the dangers and implementing processes accordingly. As a company, I have to choose a framework that is suitable to the requirements of the company and that is financially feasible.
For example, there is a very simple standard – the so-called VDS standard, which was developed by a German insurance group. For small and medium-sized companies, it provides 10 to 15 pages of very simple and clear instructions on how to organise their security process. For example, by appointing a security officer who has to comply with certain processes. If I do that as an entrepreneur, I am already ahead of many others. Hackers don’t want to make things too complicated for themselves and try to get in where it’s easiest. The more hurdles a company puts up, the more likely attackers are put off.
Where do companies typically make mistakes that can then be exploited by attackers?
Trabesinger: A very common source of errors is passwords that are too simple. This occurs when there is no adequate password policy – where, for example, a certain combination of characters is mandatory, without which a password cannot be set. A very simple process, but it requires management at the organisational, technical and personnel level. Secondly, misconfiguration of systems. Software has gaps, and if I misconfigure certain software systems accordingly, this can be a gateway for attackers. Another point is the lack of network segmentation. Whether it’s my entire accounting department or my production department: don’t put everything in one network, but create as many individual segments as possible to make life as difficult as possible for the attacker. Once he is in a segment, there should be a hurdle to get into other segments.
Are security and usability goals contradicting each other?
Trabesinger: Yes, to some extent it is a contradiction. If I want to take zero risk as a company, then I have insanely high costs, due to a very high network segmentation, many networks, and accordingly also a lot of administration and management, because I also need regulations between networks. These regulations have to be implemented in the firewall, which has to be maintained and requires personnel – all of which incurs costs. As a company, however, I am required to implement this in the best possible way in terms of cost/risk optimisation. That’s why I scale back my investments a little – I segment less, perhaps spend less money on firewalls and provide fewer staff. If I continue down this path, the worst-case scenario arises with the highest risk at the lowest cost. The whole thing is therefore a trade-off between investment and risk assessment. This is the crux of the matter, which every company and every industry has to solve individually. In the case of critical infrastructure, however, there are minimum regulatory requirements.
What security aspects are you conducting research on at smartfactory@tugraz?
Trabesinger: We use machine tools and have run a use case where we plug a USB stick into the human-machine interface while a worker interacts with the machine tool. This involved the implementation of an intrusion detection system, i.e. an upstream security system that recognises changes to the system. The system creates a message that another system has logged in.
Can the skilled worker continue in such a case or do they have to wait for a check?
Trabesinger: This then depends on how strict the settings of the intrusion detection system are and what the measures of a downstream intrusion prevention system actually look like. There are companies with the practice of automatically formatting USB sticks that are plugged into a machine after 15 seconds.
Another field of research at the smart factory is the remote maintenance of robots. We have tested various systems on the market and found out which systems are rather insecure and what measures can be taken to make remote maintenance as secure as possible. For example, using VPNs, i.e. virtual private networks, where I really only access this one robot specifically.
And a third research topic at the smart factory is edge computing. It involves an industrial PC, a so-called edge device, which uses high-frequency data directly from the control system for subsequent data analyses, for example for material defect detection. This edge device must retrieve data from the internet during initial commissioning, as well as during installation. The device manufacturer has implemented a corresponding security concept for this purpose. But users also need to take certain safety precautions, and this was the focus of our research.
What should a small company with a smart factory bear in mind when it comes to security?
Trabesinger: Create a security policy and define responsible persons who comply with this security policy. If this is not possible internally, then get external help from specialists. Attacks should also be carried out regularly to determine the status quo of the systems. There are now very professional providers on the market who specialise in contract attacks. You then receive a detailed report and can deduce what needs to be done. If I were a company director, I would hire such a company as a first step.