A single prepared e-mail is all that is required. Easily opened by employees, such a spear-phishing message releases Trojans and viruses onto company computers. They spread across office and production networks, causing substantial damage through production outages or know-how theft. Or look at virtual threats like the ransomware WannaCry at the beginning of May or Petya at the end of June 2017, which target vulnerabilities in the IT system. They gained access to third-party systems via an unsecured Windows interface, implanted themselves onto hard disks, encrypted files and demanded ransoms. There were problems in the office and noticeable consequences for the companies affected. So far, assembly lines have stood still at Renault in Douai, France, measurement sensors have failed at the reactor ruins in Chernobyl, the shipping line Maersk has had to shut down systems around the world, and production has been interrupted at several companies throughout Europe.
The reason is that corporate networks and IT structures now exist where there once was a so-called air gap between offices and factory buildings. The result is that although a connected factory manufactures goods faster, more efficiently and more economically, it is also more susceptible to cyberattacks. Production networks are often based on outdated systems or cannot easily be updated with new software.
EUR 65 billion of damage
Hackers are increasingly making use of these vulnerabilities with severe consequences for companies. According to a study published in 2016 by the Centre for Economics and Business Research (Cebr) in London, hacker attacks of this kind cost the German economy around EUR 65.2 billion in damages over a five-year period. The manufacturing industry was worst affected. On the other hand, there is the economic benefit of connected, IT-controlled production. According to an estimate by IT industry association BITKOM, Industry 4.0 will boost productivity in Germany by around EUR 78 billion by 2025.
This is, however, a paradise for hackers who target IT vulnerabilities. They use automatic scanning programs to search the dataspace for vulnerabilities. Be it an IP address or an open port, cybercriminals attack targets wherever access is likely to prove worthwhile. Older production lines and “non-patchable” systems are often doomed by simple “infections from the IT network”.
Real danger posed by virtual threats
This was demonstrated in an experiment undertaken by the industrial security specialist Koramis. The Saarbrücken-based SME put a fictional local transportation company on the Internet, complete with websites, timetables and real-time transactions, virtual firewalls, monitoring cameras, servers, and an entire network of railroad tracks with switches, signals, and crossings. This cloud simulation was so realistic that many hackers took the bait immediately and attacked the company and its virtual infrastructure. The result of security monitoring at the end of the six-week experiment was that a majority of hackers (39 percent) tried to take over the company’s sensitive control systems.
“For nearly one in three companies, production has already been brought to a halt by an industrial security incident, and 63 percent foresee an increase in incident numbers,” says Steffen Zimmermann, a security expert at Germany’s Mechanical Engineering Industry Association (VDMA), citing a 2013 VDMA study on IT threats to production facilities. “In view of dynamic corporate and business model digitization we assume that the situation has grown much more serious since then.”
Steffen Zimmermann, Director Competence Center Industrial Security at the VDMA (largest network organization for mechanical engineering in Europe)
Where exactly are the problems located? Partly in the infrastructure. Many companies use applications that run on outdated operating systems. “If you then install an update you risk no longer being able to use your specially adapted software,” Zimmermann says. And once process industry installations are up and running, they often run for five years or more without a break. Not even breaks for software updates are planned – usually on the grounds of cutting costs.
That may be a naïve miscalculation. If a plant is suddenly shut down after a hacker attack, the damage will generally be many times as high as the cost of a brief production shutdown for a software update. In order to assess the risk and protection requirements individually, the VDMA has an online do-it-yourself test and guidelines on Industry 4.0 security that include a checklist, which can be the first step on the way toward industrial security and safer production. Alternatively, T-Sec specialists can generate vulnerability reports on customers’ data traffic and define effective protection procedures.
What can be said for sure is that, unlike in office IT, protective measures that ought to be a matter of course, such as a virus scanner, are often missing on the factory floor. This is despite the fact that office computers are usually only used for a few years, whereas production lines are intended to run reliably for 20 to 25 years or more. “The industry must take precautions now,” says Zimmermann of the VDMA, “to ensure that they do so.”