The degree of networking and digitization in production still has considerable untapped potential in Germany, especially among small and medium-sized enterprises (SMEs). In 2018, the digitization rate was only 30%, and only 20% for smaller companies.
According to the management and strategy consultants McKinsey & Company, consistent digitization could enable Germany as a business location to achieve a total of 126 billion euros in added value by 2025 and to offset locational disadvantages. After all, 25% of the added value in Germany comes from the manufacturing industry.
However, cybersecurity is one of the obstacles that keep companies from advancing digitization and networking further. No wonder: the “hidden champions” of German industry are experts in their own field, but not always in cybersecurity for operational technology (OT). Physically separated (air-gapped) production environments are becoming rarer, but they still guarantee high availability and protection against attacks and manipulation. IT and OT increasingly use the same standards and infrastructure. Nevertheless, OT in general still lags behind IT when it comes to security.
Defense in depth approach
A 2018 study by the SANS Institute shows that 25% of attacks on companies can be traced back to employees and another 16% to service providers; in total, 41% of all attacks originate inside the firewall. In line with the American defense-in-depth approach, the German Federal Office for Information Security (BSI) recommends both perimeter protection (separation from the outside) and internal segmentation by creating separate zones in production. Insider perpetrators and service providers in particular cannot be addressed with the usual cybersecurity measures; for them, the BSI recommends specific technical and organizational measures (TOM).
Malware comes on foot
In addition to all the available and conceivable vectors for cyber attacks, analog routes must not be ignored. Malware can easily bypass the firewall on infected USB sticks belonging to employees, service technicians and visitors. Even isolated production environments are, for understandable reasons, not sealed against mobile storage devices. Similar to the security checks at an airport, so-called data locks, also known as removable media locks, help here.
These are kiosk systems that, ideally under supervision, “x-ray” the storage devices brought by visitors, i.e. check them for malware. All major manufacturers of data locks use so-called anti-malware multi-scanners, in which several anti-virus engines are bundled. A storage device brought along is thus checked not with just one anti-virus engine but with at least two and, depending on the manufacturer, up to around 30 AV solutions. This is necessary because, according to the BSI, more than 300,000 new malware variants are developed every day. To keep the visitor’s waiting time during the scan as short as possible, a parallel, i.e. simultaneous, check with all integrated scanners makes sense, especially when up to 30 AV engines are involved.
Visitors who want to enter a sensitive IT or OT area must therefore have the data carriers they have brought checked. Before the check, the system asks for the details of the visitor and of the employee hosting them in the company and logs all of this information. If none of the data on the data carrier is flagged, there is a probability of over 99.5% that no malware remains on the data carrier.
The remaining risks are so-called zero-day exploits: previously unknown security gaps that are already being successfully exploited by attackers. If the heuristics in the malware scanners do not recognize executable program code or command calls, the way is clear for zero-day exploits. The file disinfection option in data locks also protects effectively against these residual risks. File disinfection works on the assumption that every file type that can contain malicious code is treated as if it did. Risky file types such as audio and video files and Office documents, which may contain embedded malware, are therefore without exception converted into harmless files, and any links contained in PDFs are rendered harmless.
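The kiosk logic described in the last three paragraphs, as an added illustration that is not the article's or any vendor's code: the bundled engines scan in parallel, a single engine hit rejects the file, and files that pass but belong to a risky type are routed to disinfection rather than passed through unchanged. The engines, their byte signatures and the file-type list are constructed for this example.

```python
# Added example: simplified decision pipeline of a removable-media kiosk.
# Engines and signatures are constructed; real kiosks call commercial engines.
from concurrent.futures import ThreadPoolExecutor
import time

# Simulated AV engines: engine name -> the byte patterns it "knows" (constructed).
ENGINES = {
    "engine_a": [b"SAMPLE-THREAT-A"],
    "engine_b": [b"SAMPLE-THREAT-B"],
    "engine_c": [b"SAMPLE-THREAT-A", b"SAMPLE-THREAT-B"],
}

# File types the article names as able to carry embedded malicious code or
# links; the kiosk converts these instead of passing them through unchanged.
RISKY_TYPES = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
               "mp3", "wav", "mp4", "avi"}


def engine_scan(name, data):
    """One engine's verdict: the list of matched patterns (empty = clean)."""
    time.sleep(0.01)  # stand-in for real scan latency
    return [p.decode() for p in ENGINES[name] if p in data]


def multi_scan(data):
    """Run every engine at the same time and collect all verdicts."""
    with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
        futures = {n: pool.submit(engine_scan, n, data) for n in ENGINES}
        return {n: f.result() for n, f in futures.items()}


def decide(filename, data, visitor, host):
    """Kiosk decision: reject on any engine hit, otherwise send risky types to
    disinfection and pass the rest. Returns the record written to the log."""
    verdicts = multi_scan(data)
    flagged = {n: v for n, v in verdicts.items() if v}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if flagged:
        action = "reject"
    elif ext in RISKY_TYPES:
        action = "sanitize"  # convert to a harmless rendering, links removed
    else:
        action = "pass"
    return {"file": filename, "visitor": visitor, "host": host,
            "engines_flagging": sorted(flagged), "action": action}
```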
Secure data transfer to the production network
If a mobile data medium has been successfully checked with the data lock, the visitor can either take their own storage device with them or copy its contents to a mobile data medium provided by the host company and use only that medium in the sensitive IT area. Another option is to copy the data from the storage device brought along onto the data lock itself and have it checked for malware there. This option also means that visitors do not have to wait for the scan result. The scanned files are then transferred via secure file transfer to a kind of vault that still sits on the IT network and are stored there. Only “virus-free” data is transferred to the data vault, via a secure connection. All files in the data vault are checked again and again with the latest anti-malware signatures.
Since the data vault is outside the OT, an isolated production network remains closed off. The files scanned via the data lock are requested from the data vault using individual codes and transferred securely. If desired, file access can be allowed only after a preset period of time. The data vault thus behaves like a kind of internal sandbox that also tests new files over a period of time. Granular user management determines the type of authentication and the file types that can be accessed. It is important that guests and employees can only ever access their own files. When guests leave the company, their files are also deleted.
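A minimal model of the data vault described in the two paragraphs above, added here as an illustration and not the article's or any product's implementation: each deposited file gets an individual retrieval code, is released only after a preset hold period and only to its owner, is re-checked against newer signatures, and is deleted when the guest leaves. Storage is an in-memory dictionary and the rescan uses constructed byte signatures in place of real AV engines.

```python
# Added example: in-memory model of the data vault; signatures are constructed.
import secrets
from dataclasses import dataclass


@dataclass
class Entry:
    owner: str
    filename: str
    data: bytes
    release_at: float        # earliest time the file may be fetched
    quarantined: bool = False


class DataVault:
    def __init__(self):
        self._files = {}     # retrieval code -> Entry

    def deposit(self, owner, filename, data, now, hold_seconds):
        """Store a kiosk-cleared file; returns the individual retrieval code."""
        code = secrets.token_urlsafe(16)
        self._files[code] = Entry(owner, filename, data, now + hold_seconds)
        return code

    def rescan(self, signatures):
        """Re-check every stored file against newer signatures; returns the
        codes of files that are now quarantined."""
        hit = []
        for code, e in self._files.items():
            if any(sig in e.data for sig in signatures):
                e.quarantined = True
                hit.append(code)
        return hit

    def retrieve(self, code, requester, now):
        """Hand out a file only to its owner, only after the hold period, and
        only if no later rescan has quarantined it. Returns (status, data)."""
        e = self._files.get(code)
        if e is None or e.owner != requester:
            return ("denied", None)      # unknown code or someone else's file
        if e.quarantined:
            return ("quarantined", None)
        if now < e.release_at:
            return ("not_yet_released", None)
        return ("ok", e.data)

    def visitor_left(self, owner):
        """Delete a departed guest's files; returns how many were removed."""
        gone = [c for c, e in self._files.items() if e.owner == owner]
        for c in gone:
            del self._files[c]
        return len(gone)
```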
Cybersecurity must be given greater importance in production environments in the future. Malware can also be “invited” into the company: manufacturers and service providers come onto the premises for service work and product presentations and often bring mobile data carriers with them. The danger posed by insiders should not be underestimated. Data locks are a technical and organizational measure that protects sensitive IT and OT areas from cyber attacks via mobile storage devices.