Industrial Security

While connectivity can deliver valuable business insights and efficiency, massive networking using standardized data lines and protocols over the Internet makes machines and systems more vulnerable, thereby creating new challenges. “Almost 70% of companies and institutions in Germany fell victim to cyberattacks in 2016 and 2017,” writes the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) in its newest report, The State of IT Security in Germany 2018. “In nearly half of the cases, the attackers were successful and were able to gain access to IT systems, influence the functioning of IT systems or manipulate companies’ Internet sites, for example. Every second successful attack led to production or operational downtimes. In addition, there were often costs for investigating the incidents and restoring the IT systems as well as damage to reputation.” An average data breach in Germany costs € 3,390,000 as calculated by the study Cost of Data Breach from the Ponemon Institute sponsored by IBM in 2018.

The costs and damage to the reputation of a company are one thing. The long time that passes until attacks are found is another. According to the Cyber Alliance Center Bavaria (Cyber-Allianz-Zentrum, CAZ) in the Bavarian Office for the Protection of the Constitution, it takes 260 days on average for a discrete attack on IT infrastructures to be discovered.

Furthermore, when the security systems finally report a hacker attack, only four in 10 companies (43 percent) have an emergency management plan that specifies what is to be done in such a case. Even operators of critical infrastructures such as power utilities and financial services are ill equipped to handle breaches. Of the critical infrastructure companies, 53 percent have an emergency plan compared to 41 percent in industries that are not considered to have critical infrastructures.

This offering is based on more than 150 years of experience in the manufacture and reliable operation of machines for paper production and hydropower plants based on Voith technologies. These are often security-critical systems that would jeopardize human life in the event of an operational malfunction that led to power failures or flooding. Seen in this light, Voith is not just simply a machine builder but has always been a designer of safety-related systems.

Voith’s approach to integrated security is also based on many years of commitment by the company to IT and OT security, for example, in the German Mechanical Engineering Industry Association (VDMA) and the Open Group Forum, which is involved with interoperability and the security of industrially networked systems. It is also based on the experience accumulated by Voith as one of the first companies with certifications as per ISO 27001. Starting from this approach, the manufacturer has developed an entire series of products that allow for the protection of industrially networked systems for itself and its customers. In this way, Voith established a Competence Center for Data Protection and Information Security many years ago. The Voith Security Operations Team consists of qualified experts who are involved with protecting IT infrastructures. The team monitors and analyzes all security-related systems – company networks, servers, workplace computers and Internet services – and investigates them for anomalies.

The central component in the task is a sensor system that automatically analyzes, correlates and displays the large quantities of IT and OT information on its own. The automation of security processes is one of the most important measures for effective protection against attacks while providing additional advantages. Security automation meets the increasing expectations of cyber security because of the more and more complex threat scenarios and the increasing complexity of IT infrastructures. In addition, it relieves IT from some of the perpetual cost pressure through the reduction of manual activities during inspections, actions and reports. Finally, automation supports companies in better meeting their regulatory and compliance requirements, even if they are not explicitly required by law.

Every sixth employee, approximately 18 percent, would respond to a phony email from the executive suite and divulge sensitive company information, according to a survey of BSI 2018. That this is more than just a theoretical hazard is substantiated by other studies. The German Federal Criminal Police Office counted 250 cases of fraud in three years. The most well-known in 2016 were the Bavarian automotive supplier Leoni AG who suffered damages of €40 million and the Austrian-Chinese aviation industry supplier FACC who lost about €50 million. Information about responsibilities in the company, the composition of departments, internal processes and organizational structures were harvested from emails sent via purportedly trustworthy senders. The information serves cyber criminals as a valuable foundation in the preparation of targeted attacks on the company. Gaining information by trickery, known as social engineering, purposefully exploits the trust and helpfulness of people. They make contact with the employees of a company by mail, on the telephone or even using conversations in real life – at events or trade fairs, for example.

The best option for avoiding such incidents is – even here, Voith leads with its own good example – the regular training of employees regarding security issues with the purpose of raising and refreshing awareness. As far back as 12 years ago, Voith was one of the first companies to establish a worldwide awareness campaign on the topics of data protection and data security throughout its branches. With the Privacy and Security Information Portal, Voith provides its employees with all the information they need to practice proper behavior. In addition, the company has established a globally standard telephone hotline that provides help – around the clock – in the event of security-related incidents and questions.