The digitalization of production processes holds enormous potential for value creation. However, at the same time, cyber attacks pose a particularly strong threat to networked companies – and very few of them are prepared. But how great is the risk really?
With the growing networking of IT in all areas of work, from the office workstation to the factory floor, the risk of cyber attacks is growing. In networked production, machines and systems as well as network and computer technology of different generations are linked together in a common IT environment. While the common operating systems in corporate IT receive regular security updates, machines often remain in use unchanged for several years. This makes them easy to attack. In addition, there is often incorrect user behaviour on the part of employees. The result: malware, exploit kits and insider attacks threaten the entire corporate network.
Hardly any company is sufficiently prepared for the threat, as a study by the Fraunhofer IPT with 28 companies of various industries and sizes shows. Not a single one of the companies studied meets all cybersecurity requirements. While just under half of the companies with more than 250 employees implement the necessary cybersecurity measures at least partially, most small and medium-sized companies do not even manage that.
The Aachen researchers present the results of their study in their white paper »Cybersecurity in networked production«. In it, they find that companies are dealing with the threat situation in very different ways. While large companies can hire dedicated IT security experts, in small companies the task falls to IT support at best.
However, it is not just their own organization that makes life difficult for companies, but also the behavior of the machine manufacturers: while PC components are subject to active patch management, the suppliers of PLC controllers generally do not provide active security updates. In addition, they do not communicate how machines and systems are to be monitored in the network. This turns the company's own machinery into a black box whose security and integrity it must blindly trust. This is further exacerbated by the lack of uniform standards and laws for the IT security of production facilities.
The Fraunhofer IPT team has developed the »Production Security Readiness Check«, or PSRC for short, for research purposes. It makes the test available to companies that did not participate in the evaluation. With the support of the intuitively usable questionnaire and an accompanying interview, small and medium-sized manufacturing companies should be able to better assess their current security level and identify and implement improvements. The test can be used by manufacturing companies of any industry, structure, and size. It consists of nine sub-areas that map the topics that need to be considered for a holistic approach to security. Here, the PSRC focuses on the implementation and management of methods to secure enterprise IT as well as operational technology and the environments in which both are used. The white paper is available for download free of charge from the Fraunhofer IPT homepage.