Protecting machine tools from cyberattacks

Use all of the security options available to protect shop floor, office data

Data security is gaining in importance as Industry 4.0 takes shape.

With automation, cloud applications, and globally networked machines and components, shielding systems from external threats has become a key concern. As digitalization becomes more prevalent across industries, there is a growing need for companies to safeguard against cyber risks.

An example of this can be found in German industry, which has increasingly become a target for cybercriminals. More than eight in 10 industrial companies (84 per cent) have reported an increase in the number of cyberattacks in the past two years, with more than a third (37 per cent) reporting a strong increase.

This data comes from a 2018 survey conducted by the Bitkom digital association, which interviewed 503 managing directors and security officers from all sectors of industry.

“German industry is under constant digital fire from petty digital criminals, organized crime, and even state-backed hackers,” said Bitkom President Achim Berg. “The nature and scale of the cyberattacks is set to increase.”

One thing is certain, however: Cybercrime is a worldwide phenomenon that does not stop at national borders or at locked factory gates. It can happen wherever people use computers, smartphones, and other IT devices.

Security vulnerabilities

“Cybercriminals often use known vulnerabilities or bugs in outdated software to gain access to a system. Promptly installing updates and security patches considerably reduces the risk of cyberattacks,” said Philipp Echteler, IIoT strategy manager at the Balluff Group. “Using versioned software and firmware and then monitoring them helps create greater transparency. Avoidable dangers also emanate from devices that were originally only designed for communication with the controller of isolated networks, and not for connection to the internet. Many of these Ethernet-enabled automation devices have no protection features, which leaves them vulnerable to attack.”

The Balluff Group is a global player in the automation sector. With its workforce of 4,000 employees, the company offers a comprehensive portfolio of sensor, identification, network, and software technology for all areas of automation. Protecting against cybercrime is a key aspect in the development and design of customer products.

Protecting systems

But what are the best ways to protect complex networked systems against manipulation and cybercrime?

“In principle, any networked system represents a possible point of attack. A well-designed security concept is therefore indispensable for safeguarding such systems against manipulation and cybercrime,” said Juliane Schneider, junior product manager at Symmedia.

Symmedia GmbH, Bielefeld, Germany, has been developing services for the mechanical engineering sector since 1997. The company's digitalization expertise – especially in the field of mechanical and plant engineering – is strengthened by its alliance with Georg Fischer, a mechanical engineering company to which Symmedia has belonged since 2017.

“When it comes to handling sensitive data, any human negligence poses a security risk. An unnoticed cyberattack, the reckless multiple use of passwords, or the deliberate divulgence of confidential data – any human action can have major consequences and cause significant damage,” said Schneider, listing just some of the more obvious risks.

“The risks which arise from internal threats should not be underestimated. Employees unthinkingly open email attachments that can be used to smuggle in viruses unnoticed, or they send critical company information in unencrypted form by email,” added Echteler.

Poorly protected or forgotten maintenance access routines represent back doors that attackers can then use for their own purposes.

Use firewalls

Transport encryption, in practice TLS (the successor to the now-deprecated SSL), must be deployed as standard to protect complex networked systems from manipulation and cybercrime. It encrypts all data traffic between servers, computers, and applications in a network.

Another common practice is to install a firewall, which filters incoming and outgoing traffic against a defined rule set so that the computer is automatically protected from attacks and unauthorized access.

“Having separate production and office networks offers additional security. Further recommendations include minimizing the number of network accesses and routing the data stream via a central, monitored gateway. Potential threats can often be identified at an early stage if data and network traffic levels and individual nodes are also continuously analyzed,” said Echteler.

Data security in production

Balluff has established its own team of experts to offer comprehensive consulting services to customers all over the world. Some of the Balluff devices now also feature hardware encryption based on the Trusted Platform Module (TPM). In addition to minimum requirements such as firewall protection, Symmedia also uses hardware security modules (HSMs) and Trusted Platform Modules (TPMs) to ensure that only secure software is run.

“We also use a proprietary network protocol to provide very high-level protection against unwanted access. It is virtually impossible to hack into these connections,” said Schneider.

The company uses a secure, workflow-based point-to-point link for digital service support.

“The use of common encryption, authentication, and authorization procedures for client applications, servers, and programming interfaces, so-called APIs, is also a matter of course for us. In addition, we offer many other security measures, including a public key infrastructure (PKI)-based individual machine and user certificate structure, password rules, the irreversible storage of access data with up-to-date hash procedures, and multi-factor authentication,” said Schneider.

Clouds play a role

Another major point with regard to data handling is the location of the data storage. Three in 10 companies (29 per cent) use a cloud system that is outsourced to a certified data centre – either to achieve possible cost savings, to relieve the strain on their own IT staff, or to obtain greater security. Another 10 per cent plan to do so, and 28 per cent are discussing this as an option. This is shown by the Digital Office Index 2018, a representative Bitkom survey of 1,106 companies with 20 or more employees.

According to the index, fewer than three in 10 companies (28 per cent) state that cloud hosting is of no concern to them. A comparison of the different industries reveals that the mechanical engineering and plant construction sector is the frontrunner in this field. According to Bitkom, almost half of all companies in this industry (46 per cent) are already using external cloud service providers.

For Balluff, too, the public cloud is the first choice.

“Its high availability is attractive because its platforms are replicated in independent, geographically distributed data centres. Other advantages include its easy scalability, its high level of security, its use of state-of-the-art technologies and encryption, and its service continuity. These guarantee that the solutions will work even in the event of negative scenarios,” said Echteler. “From experience we know that it is not possible for a company's own IT staff also to run a cloud. This is a task for suitably qualified specialists.”

Symmedia, on the other hand, offers its customers hybrid options.

“This gives our customers flexibility combined with outstanding security. And this in turn gives them full data sovereignty,” said Schneider. “They can decide for themselves which data they want to store centrally, for example in a cloud, and which is only to be stored locally. We have found that our customers are open to central solutions, but always want to be able to store specific data locally, depending on how sensitive it is.”

Contributing writer Annedore Bose-Munde can be reached at info@bose-munde.de.

Balluff, www.balluff.com

Bitkom, www.bitkom.org

Symmedia, www.symmedia.de