KORAMIS GMBH

Industrial Security: Detecting and closing IT security gaps in industrial plants

More than most companies realize, hackers are setting their sights on industrial plants. This article explains why information and telecommunications security is on the industrial agenda. It tells where to look for the risks and hazards facing IT systems, and it explains the benefits of cloud technology.

1 Introduction

The economy is heading for Industry 4.0, where machines, people and information are interconnected via IT systems. In the factory of the future, all components are networked in a cyber-physical system. In other words, workpieces carrying chips for identification automatically wind their way through production, all the while communicating independently with the production machines. All available resources (i.e., production facilities, operating media, etc.) can be centrally managed: complete production landscapes are controlled in real time via the cloud. Not only is the data processed in ERP, PLM or MES systems, but it also serves as a basis for independent decisions arrived at by the production plant via business intelligence applications. The result is a self-organizing system that reacts to changes in real time, largely without intervention.

So-called “smart factories” produce faster, more efficiently and more economically. The German IT industry association BITKOM has calculated the economic potential of Industry 4.0 for Germany. By the year 2025, productivity there is expected to have increased by around € 78 billion [1].

 

2 IT risks facing industrial plants

For industrial plants to be digitally managed and networked, previously employed analog components such as relays are replaced with processors, sensors and actuators. Additionally, each device in a factory gets its own IP address for communication purposes. This results in intelligent manufacturing networks that can be used to digitally optimize value creation.

The advent of IT, though, also entails risks. When machines and systems that used to be self-contained and isolated become networked and have their own IP addresses, they are suddenly much easier for hackers to attack. In other words, if Gartner’s prognostication of 30 billion interconnected machines and objects of all kinds by the year 2020 comes true, it will mean not only 30 billion opportunities for better value creation, but also 30 billion potential loopholes for hackers. As early as 2014, in a press release on mandatory prerequisites for the success of Industry 4.0 [2], the Association of German Engineers, VDI, wrote that, “If IT infrastructures such as the cloud for Industry 4.0 are to find their way into the manufacturing industry, IT security is the main prerequisite.” In that context, the Association of German Engineers was referring to the results of a survey conducted by the VDI/VDE Society for Measurement and Automation Technology (GMA), which was published at the VDI Automation Conference in Baden-Baden in 2014.

The German Mechanical Engineering Industry Association VDMA also surveyed its members in 2014. In that still-unique study [3], the association took an especially close look at “Industrial Security Incidents”, i.e., at IT threats to the workshop – as opposed to threats to office IT systems. According to the findings, 63 % of all plant & equipment manufacturers and contractors expect the number of such incidents to continue rising. At 29 % of all companies, at least one industrial security incident has already brought production to a standstill. According to the VDMA study, the top five threats to industrial plant safety are:

human misconduct and sabotage

smuggling of malicious code into machines and plants

technical errors and force majeure

online attacks via office/enterprise networks

unauthorized access to resources

 

According to a study published in 2016 by the Centre for Economics and Business Research (Cebr) [4] in London, the German economy suffered losses of around € 65.2 billion within a span of five years. On average, then, the study attests to overall annual losses totaling some € 13 billion. Companies in the manufacturing and production sectors are those hit hardest by cyber attacks.

 

3 Industrial Security

Saarbrücken-based Koramis makes industrial plants safer. As a specialist in industrial security, the company knows from its own history what the manufacturing industry requires: Established in 1999, Koramis was initially an engineering firm for automation technology. As a service provider, Koramis developed hardware and software solutions for its customers, one goal being to replace relays with digital circuits. Today, Koramis’ roughly 40 employees provide solutions for automation and process control technology, as well as for network and information security.

Koramis’ clients include, for example, German energy utilities and car makers wishing to protect their supervisory control and data acquisition (SCADA) systems against cyber hazards. The service provider puts the customer’s production environments through stress tests, identifies IT weak points and derives protective measures from the findings. Much of Koramis’ work relies on cloud-based simulations. What this means is that the company simulates, inter alia, real production landscapes at high-performance data centers to uncover IT weak points in the manufacturing network.

 

3.1 Honey Train Project

At CeBIT 2015, Koramis launched an experiment that experts around the world considered sensational: The so-called “Honey Train Project” [5], which illustrates how the industrial security specialist goes about its work.

For that experiment, Koramis brought a fictitious public transport company on line. The artifice included not only a realistic website with timetables, information about delays and a ticket shop containing simulated transactions, but also virtual firewalls, surveillance cameras with fictitious live images, servers and an entire rail network with real-time sensor-value simulation. Rail switches, crossing signals, pneumatic pumps, … the cloud-based simulation comprised 19000 different parameters. A perfect illusion – one that attracted hackers to the network from the very word go.

Over a period of six weeks, Koramis monitored the IT invaders’ activities and analyzed their behavior. The results revealed what the intruders were aiming for: 27 % of the hackers attacked the media server of the local public transport company, while 34 % of them attacked the firewall. The majority, however, tried to hijack the company’s control systems. 39 % of all cyber attacks targeted those systems.

The Honey Train Project also exposed the hackers’ modus operandi: First, the attackers run an automatic scan of the internet for IP addresses and open ports. Once a number of promising targets have been identified, the attacker goes after them by hand. In the course of the experiment, Koramis observed some 2.5 million automatic scans over a 6-week period. A whole 0.0002 % of those human-intelligence attacks were successful. That may not sound like much, but considering the enormous overall number of attacks, it gains real economic relevance.

 

4 Using cloud technology

Koramis finds the requisite IT infrastructure for its high-powered simulations at Telekom’s cloud services data center. The service provider can obtain any required virtual resources from the Open Telekom Cloud – a public cloud offering characterized by flexibility. Depending on the project in question, the customer’s order and its duration, Koramis obtains just the resources it needs at the moment from the data center. Telekom supplies those IT capacities in so-called flavors, i.e., virtual computing and storage configurations that can be combined in different ways. In addition to a permanent 4 terabytes of data storage, Koramis can access up to 250 processors during peak periods and a mere 16 CPUs during normal operation. If the industrial security specialist needs even more computing power, it can book it directly in self-service mode with just a click of the mouse and then use it either directly or scale it via application programming interfaces (APIs). The service provider pays for, and only for, its actual computing needs according to Telekom’s pay-as-you-go model. Telekom also offers optional fixed-price, fixed-term contracts.

Cloud operation puts an extreme amount of computing power at Koramis’ disposal. In a test scenario, the company calculated back 32.6 million encrypted passwords within a two-week span. That process would have taken much longer with conventional IT resources from the server room. At the cloud data center, operations can be performed in parallel on numerous virtual computers to save time and money. That way, Koramis does not have to buy, maintain, service and operate its own hardware, instead always procuring resources according to actual requirements. Koramis’ benefits also extend to on-site operations, travel time and training. A fast, stable internet connection is all it takes for the experts to start work.

Koramis customers also inquire specifically about data privacy. The Open Telekom Cloud operates out of Telekom’s own twin data center located in Magdeburg and Biere, thus guaranteeing data privacy in compliance with local law.

 

5 Summary and outlook

As demonstrated by studies and experiments such as Koramis’ Honey Train Project, hackers like to target industrial plants. And clearly, unlike office IT, the shop floor tends to lack obligatory protective measures corresponding to, say, virus scanners for the office. Moreover, patches for industrial plants’ control software cannot be installed just in passing. Instead of being installed immediately after the engineering contractor publishes them, updates are restricted to defined maintenance cycles, most of which are subject to long-term planning. While office computers have a service life of only a few years, production systems need to operate reliably for 20 to 25 years, so the industry must see to it that they can do so.

www.koramis.de
