By Nikolaus Fecht on behalf of the VDW - German Machine Tool Builders' Association
Digitization has its price. The networking of people, machines and companies not only increases productivity and sustainability, but also raises the risk of a cyberattack. The VDMA Cybersecurity Congress at METAV 2020 on March 11, 2020 offers potential ways of resolving this dilemma. Heinz-Uwe Gernhard is head of the VDMA Security working group and in his principal occupation is responsible for IT security at Robert Bosch in Stuttgart. In an interview he reveals his recipe for success: vigilance training for cyberattacks.
Has cyber security awareness increased?
Heinz-Uwe Gernhard: Yes, but not to the extent that I expected when we launched the Security Working Group in 2012. There is still urgent need for action because Germany and the EU are demanding measures for greater protection against cyberattacks, including in production, in the form of laws and regulations. Deploying additional IT is certainly one way of achieving this. But without the necessary knowledge and organizational skills, this alone will not be enough to reach the necessary security levels. Industry 4.0 developments are certainly helpful here, but unfortunately cybersecurity is just one of many aspects.
What do you recommend to newcomers in this field?
Heinz-Uwe Gernhard: Just start taking precautions, both technical and organizational. It's a bit like the annual flu epidemic. You have a higher risk of getting it without a flu shot. In today's networked world, no one is safe from cyberattacks. There needs to be a change of heart here.
Cyberattacks on the rise
What measures should companies that are currently undergoing an Industry 4.0 digital transformation process take?
Heinz-Uwe Gernhard: This is a task for management – clear and simple. The managers must identify the risks that are attached to networking and then define suitable measures. With regard to production technology availability, they must understand the risk of considerable damage being done. Interconnectivity means that nobody is immune. If you follow the trade press, there is a constant stream of news items on this – such as that of a cyberattack practically paralyzing the IT of a specialist safety and control technology company. The company decided to go public with the incident. I think that's important and it's the right approach because we are all in the same boat.
Nevertheless, openness is still the exception when it comes to cyberattacks. To what extent can networks such as the VDMA Security Working Group, which you spearhead, help in this? By getting network members to talk openly to each other about cyberattacks?
Heinz-Uwe Gernhard: We take a proactive approach by clearly identifying the risks and providing assistance on a wide range of issues. I think it is crucial that we work together to ensure transparency across association boundaries. The Industry 4.0 platform also offers a good starting point: www.plattform-i40.de.
In many cases there is a lack of awareness.
Some companies are now starting to alert their employees to different fraud scenarios. What do you think of the new buzzword "cyberresilience," which is now making the rounds?
Heinz-Uwe Gernhard: This is the right approach, because awareness offers the best protection for this type of threat. Every user of cybertechnologies should be cyberresilient.
Where do you think we are right now with security IT?
Heinz-Uwe Gernhard: Let me make a comparison with road vehicles. In 1920, motorists needed a completely different level of risk awareness to today's drivers because cars now demand much less attention as a result of all the built-in systems. The vehicles themselves and the infrastructure make driving today much less risky. Our IT is currently at the level of a 1920s car in terms of the inherent risks. It requires a high level of attention from users and a wide range of knowledge. Awareness is a key topic right now.
Isn't that scaremongering?
Heinz-Uwe Gernhard: No, it's not scaremongering at all. Marc Elsberg's novel "Blackout" plays through various scenarios. The technical aspects he includes are not fictional, but reflect the current realities. He has merely packaged them in an exciting fictional work. The government is also getting involved in the form of the IT Security Act (Kritis), which is currently being revised.
The IT expert Peter Turczak told VDMA magazine: "I would never put critical data into a cloud." However, companies need data in order to implement Industry 4.0 and need to store it securely. What belongs in the cloud and what doesn't?
Heinz-Uwe Gernhard: My IT colleague here is addressing the central requirement of OT for availability. As a communications engineer, I am well aware of the competition between bandwidth, local computing power and, of course, cost. With the right bandwidth, the cloud can facilitate the provision of a centralized application with a great deal of computing power to a large number of users. Users must weigh the type of cloud usage against their willingness to take risks, their availability requirements, and their technical and organizational capabilities. Another important question, of course, is how to guarantee the dependability or trustworthiness of the provider.
So it's a question of trust?
Heinz-Uwe Gernhard: Yes, I need to ask myself whom I trust to do what. Do the technical measures, contracts and service provider certifications offer sufficient legal protection?
Most machine tools at METAV 2020 have Internet connections. What should trade fair visitors be looking out for here?
Heinz-Uwe Gernhard: Hopefully the link is not via an open Internet connection, but a trustworthy one, as I just mentioned. Don't just ask about the technical solution itself, but also about the provider's organizational capabilities. From a technical point of view, private VPN networks based on an appropriate contract are best here.