The dark side of digitalization

At the Paper Engineers’ Symposium in Cologne on October 12, 2018, Nicolas Christoph – the Information Security and Data Protection Officer of the Koehler Group – took on the important role of giving a talk to an audience of 450 interested people, in which he not only explained the clear benefits of an “industry 4.0” strategy, but also outlined the new risks and dangers arising in a production environment.

Interconnectivity Harbors Challenges for Production Facilities

Due to the increasing complexity, interconnectivity, and digitalization of previously stand-alone systems, manufacturing firms are faced with a new set of issues. And they need to find answers in the form of an “industry 4.0” strategy. Unlike in office IT environments, a frequent problem is that compromises have to be made in terms of security in order to maintain the availability of production systems.

As the development and replacement cycles are much longer in a production environment than in the rest of the IT world, you will very often still find old systems here (e.g. Windows XP) for which manufacturers no longer release updates to deal with current vulnerabilities. Furthermore, many standard and long-established IT security practices, such as regular patches for security vulnerabilities in programs and operating systems, the regular replacement of legacy components, and the use of virus scanners and firewalls are less straightforward in production-related IT environments due to compatibility issues.

Risk Awareness Must Be Strengthened throughout Companies

These requirements, which are already complex enough, are made even more challenging at many companies due to separate responsibilities for office and manufacturing IT systems, insufficient risk awareness, and a lack of accountability for system security.

An additional factor is that hackers and other attackers have become much more professional in recent years, continuously developing new business models that evolve rapidly to pose new and dramatic threats to areas such as networked production. Particularly notable in this regard was a spate of ransomware attacks, with manufacturing companies among those losing millions due to operational interruptions. Another important development is the sharp rise in industrial espionage, which is increasingly being supported or even carried out by state agencies.

IT Providers Also Bear a Responsibility

In his talk, Christoph not only outlined the threats, but also indicated potential solutions. Alongside a wide variety of technical measures, organizational measures also play a vital role in ensuring effective risk management in the field of information security. Of paramount importance here is a mutual understanding of the needs of office and manufacturing IT systems, as well as the development of clearly defined interfaces and responsibilities in order to tackle the challenges of information security as a team.

Koehler has already taken many important steps to safeguard its IT systems in recent years. These include ISO 27001 certification (obtained back in 2007) for the office IT landscape, as well as regular security audits conducted by external experts on the plants’ production systems. Following these audits, countless measures are identified and implemented in order to safeguard the entire system landscape at Koehler.

Nevertheless, it is still vital to keep pace with the latest developments going forward and to take into account the security aspects associated with increasing system interconnectivity in an industry 4.0 scenario, both in a technical and in an organizational sense. But leaving our own endeavors to one side for a moment, component and software manufacturers must not become so obsessed with interesting features and new possibilities that they neglect information security considerations. After all, it has to be possible to harness the many new opportunities offered by digitalization and interconnectivity in a way that is secure.