Five-step Plan for IT Security in Manufacturing

The headlines surrounding IT security incidents are increasing, and most companies need to take action with regard to IT security. The American IT service provider Kaseya, where malware was installed so that numerous customer data were affected, will not be the last example. In a representative study, the digital association Bitkom found that cyber attacks cost the German economy more than 200 billion euros a year. What could be the reasons for this?

OTRS study: More than half of companies are not ideally prepared / Lack of IT security in production as well

In a recent study of 500 security managers, OTRS Group found that only 56 percent of IT security teams are ideally prepared for a security incident. Two percent even stated that they are not sufficiently prepared.

When asked whether responsibilities and tasks are clearly defined in the event of a security incident, the vast majority (93 percent) agreed. However, six percent are of the opinion that this is not the case. Given the scale of a security incident, this is an alarming figure. In principle, 15 percent of the IT security teams surveyed would like to see more attention paid to their topic in the company – especially in view of the ongoing digitization.

Manufacturing sector: Over a third report production downtime due to IT security attacks

The manufacturing sector is not spared from IT security attacks either, with a significant increase in attacks on production equipment. In a survey, the VDMA (German Engineering Federation) found that more than a third of the members surveyed reported production downtime and more than half of the companies complained of capital losses due to hacker attacks.

Because the majority of machines will be connected to the Internet in the future, all parties involved – machine manufacturers, component suppliers, machine operators and, where applicable, service providers – face entirely new challenges in ensuring IT security in the industry. As production equipment and machines that are connected to internal production control systems and processes are increasingly outsourced to the cloud, the risk of malware and cyberattacks increases.

Five-step plan to protect CRITICAL infrastructure (CRITIS)

To a large extent, the manufacturing sector is one of the so-called “critical infrastructures” (CRITIS). Critical infrastructures are organizations or facilities of vital importance to the governmental community, the failure of which would result in supply shortages, significant disruptions to public safety, or other dramatic consequences. Tighter security measures apply to these areas.

To ensure maximum IT security and adequately evaluate cyber attacks after the fact, I recommend the following five-phase plan for protecting CRITICAL infrastructure.

Phase 1: Preparation for setting up crisis management

In the run-up to setting up or expanding a crisis management system, a number of principles should be agreed upon. These include, for example, defining responsibilities, providing resources, and formulating protection goals for the facility.

When planning crisis management, an ISMS (Information Security Management System) can be very helpful. This provides continuous, transparent and audit-proof documentation of structured processes in accordance with ISO/IEC 27001. The time savings of a good, well-structured ISMS are 30-40 percent.

Phase 2: Risk analysis

The second phase, risk analysis, is about evaluating potential risks in facilities. You should be able to answer the following questions:

• What types of hazards can occur?
• What is the likelihood of these hazards occurring at facility locations?
• What vulnerabilities exist that make the facility susceptible to hazard exposure?
• What damage can be expected if different hazards occur?
• What is the impact on the facility’s ability to function if processes fail due to exposure to the hazards?

Phase 3: Description of preventive measures

In the third phase, protective measures should be identified and weighed. This can be, for example, the installation of a firewall, security training for employees or a solution such as STORM, which provides security processes for an effective response to attacks. A cost-benefit analysis is useful at this point.

Phase 4: Establish crisis management

Crises that cannot be prevented despite prevention should be handled by a professional crisis management team.

The most important tasks of a crisis management team are:

• to create the best conceptual, organizational and procedural conditions to manage the crisis in the best possible way
• to establish special structures for responding in the event of a crisis

Phase 5: Regular evaluation

Situations and conditions can always change, so an evaluation of processes should be carried out regularly – preferably annually.

One of our surveys of 280 IT managers showed that the majority of respondents (61 percent) record a security incident weekly or more often. On the one hand, this is a high frequency; on the other, hackers’ methods are also becoming increasingly sophisticated. Therefore, continuous expansion of the security architecture is important.

In the manufacturing sector, the consequences may be even more serious than in other sectors. That is why I would like to draw particular attention once again to comprehensive prevention and preparation with regard to possible security attacks. In this way, we also strengthen public confidence in the topic of digitization, because since the outbreak of the pandemic and increased mobile work, there is no way around digital transformation.

If you have any further questions or advice on the subject of security, I would be happy to answer them personally.