Thinking about security from the beginning

Six out of ten companies fell victim to a cyber attack last year, according to a study by KPMG. The recent examples of Salzburg Milch and Palfinger, which were victims of a hacking attack, also show that this is not an abstract but a real threat.

Three IT experts, Reinhard Mayr from the software company COPA-DATA, and Simon Kranzer and Dominik Engel from the Salzburg University of Applied Sciences, explain why security is becoming increasingly important for production facilities, how companies can approach the topic, and what is behind most hacker attacks.

Interconnected production facilities as a risk

Production facilities are becoming more interconnected due to digitalization. This also makes them more vulnerable to cyber attacks. For this reason, interconnected production facilities must be protected just like the rest of the IT in the company, which is referred to as Operational Technology (OT) security.

According to IT experts Simon Kranzer and Dominik Engel, IT security has already arrived in most companies, but there is still catching up to do in OT security. Therefore, the alarming numbers from the KPMG study are understandable, says Reinhard Mayr from COPA-DATA. “The Corona crisis has also caused cyber attacks on production facilities to skyrocket. Many employees were given access to central structures from home offices, sometimes even from their private PCs, without considering security.” This made them vulnerable to cyber attacks, and the lack of awareness and know-how regarding OT security is not helpful.

Security is not an add-on

When companies become aware of the importance of OT security, measures are often taken afterwards. However, adding security measures retroactively is not optimal. “Security and privacy should be integrated from the beginning and not added as an add-on afterwards. This concept is called ‘Security and Privacy by Design'”, says Dominik Engel. In fact, this already happens often, but not always. “Security costs something, it is an investment that only pays off when an attack occurs.”

Often, at the beginning, the functionality of the plant is more important than security. Machines perform even more and consume even less – these are the selling points. “IT security is incidental,” the three experts agree. Such a machine must run and function for many years. This is also a weakness for OT security. “System updates to ensure higher security or maintenance work are unpopular. Because such a machine must run 24/7, maintenance that may cause the machine to stop is expensive,” says Simon Kranzer from the FH Salzburg.

The human factor

A hacker attack can happen to any company. COPA-DATA also regularly observes attacks on the company. CEO frauds are relatively common, where the sender pretends to be the company’s CEO and asks an employee for sensitive information, such as bank details. Here, the experts advise to double-check whether the email actually comes from the supposed sender.

COPA-DATA has also experienced a classic Denial of Service (DoS) attack. The website was so heavily attacked by hackers that the server was overloaded. COPA-DATA, or rather the server provider, has learned a lot from this experience.

In general, Reinhard Mayr sees the human factor as the biggest weakness in IT and OT security. Many people are not aware of this issue, which leads to attacks targeting employees’ ignorance.

Simple security measures are effective

Security measures such as document encryption can help. For production facilities, Security by Design protects against a wide range of attacks. However, the three experts agree that there is never 100% security. They advise companies without a security strategy to assess which areas need protection. Simple countermeasures help to fend off standard attacks, which in most cases are indiscriminate attacks that target as many companies as possible.

It’s all about the money

The motivation behind hacking attacks is quite simple. “In most cases, it’s about money,” the experts agree. The hackers are primarily professional criminal organizations. Using methods such as phishing emails, CEO fraud, data theft, or other criminal tactics, they attempt to extort money. This can even go so far as to halt entire production lines until the money reaches the fraudsters’ account. In very few cases, the hacking attacks are carried out by state actors who operate highly professionally. However, they usually attack critical infrastructure such as energy providers rather than producing SMEs.

Collaboration in digitalization

How can SMEs tackle the issue of IT and OT security? They often lack expertise in security matters, and IT personnel are practically non-existent. Simon Kranzer recommends collaboration and emphasizes the role of Innovation Salzburg as an intermediary: “Innovation Salzburg can connect SMEs in need of security support with the right providers. It requires cooperation between security providers, digitalization providers, and manufacturing companies.”

Dominik Engel believes that digitalization and, therefore, security are inevitable. Without digital processes, a company will eventually become uncompetitive. The experts advocate for seizing this opportunity and considering security from the outset – this way, defending against hacker attacks will work as well.