Moving from knowledge and will to action
Sure – cybersecurity is a good thing. We know that. And we want it, because who wants to open the door to malicious code? But it’s crucial to finally do something about it, says our columnist Siegfried Müller.
A useful idea, if you don’t know what to do, is to type the term “take action” into your favorite search engine. There you will find a lot of people offering good tips – in the majority there are five of each – to motivate the searcher, to finally get moving (in a figurative sense, of course) with respect to his goal. Although in the first recommendation contrary to it first once one advises “to keep calm”. Basically a good idea, because hectic acting without goal brings just as little as doing nothing. Who has not experienced this himself?
But even after that, things still can’t really get started, because in the second step, the majority of advisors point out the need to assess all the “risks” in advance – in other words, to consider what could happen in the worst case and whether there is any willingness to take a risk at all. Only if this analysis turns out accordingly, it is then finally possible to begin with the start: the phases of the “planning” as well as “conversion” follow. Those who have persevered up to this point will learn at the end that a critical questioning of whether the envisaged “goal has been reached” should not be missing. Good – that should actually go without saying, shouldn’t it? I also liked a tip from an otherwise rather esoteric author – apparently there is more than just one true way to move from wanting to acting – who advises to “start in small steps”.
In principle, thought-provoking impulses that encourage people to take action are probably not all that wrong, or perhaps even necessary at the moment – because waiting around in the hope that a problem will solve itself makes no sense, nor is the probability of this happening very high. Admittedly, some of the suggestions I have read could well provide the impetus to finally deal with cybersecurity and perhaps even provide beneficial pointers. Because even if there are tried and tested procedures with regard to the security strategy – among other things with regard to the necessary steps – it nevertheless does not seem to be at all easy to take action.
What are the bottlenecks?
Specifically related to securing production and manufacturing, I believe this is due to the fact that it is often unclear into whose area of responsibility IT and cyber security falls. As a result, responsibilities are often not clearly assigned at companies – either internally or, for example in the case of machine and plant manufacturers, in relation to the customer. In practice, this leads to a wide variety of manifestations – in some cases, the IT department even has sole responsibility here, meaning that the IT specialists act without communicating with those responsible for the OT networks. In fact, I believe that the lack of coordination between IT and OT is one of the reasons why the initialization and execution of processes to secure production networks does not run smoothly. This is because, among other things, this leads to differing views on the prioritization of necessary projects. In addition, this results in divergent concepts that are by no means comprehensive enough to ensure the required level of protection.
In the relationship between machine and plant manufacturers and their customers, it is also essential that responsibilities are clearly defined. If only to avoid responsibility being shifted back and forth at will. Theoretically, it should even be in the interest of both parties to ensure that the functionality of the machines is optimally guaranteed. In practice, this requires not only dedicated IT solutions but also a holistic approach, since the prevention of production downtimes is not based solely on defense against cyber attacks. but also on process-secure networking, where it is important to prevent external interference by delimiting functionalities and thus to ensure the proper forwarding of network protocols.
First steps to take action
An essential point here is to put responsibilities with regard to IT/cyber security to the test and possibly redefine them. For example, from the point of view that IT departments may not have the appropriate know-how regarding products, such as those for securing production networks, nor whether their respective use is actually suitable for the requested application purpose.
Furthermore, account should be taken of the fact that network segmentation – the classic measure with an immediate major impact on IT and cyber security – can in principle also be carried out by an experienced OT specialist. This makes sense solely from the point of view that the specialist can immediately initiate the implementation of the products that are required to secure the machines.
With regard to the use of IT security solutions, I recommend the following: Even or especially if these are modern, secure products that are easy to implement, employees should still be instructed in their use. After all, no matter how secure a product is designed, negligent use will lower the level of protection in a defined way – just think of technical regulations for high password security, which are of no use if a Post-it with the password is stuck to the computer.
As mentioned at the beginning, I am of the opinion that the – admittedly very generally valid – advice “start with small steps” should unquestionably be given more attention. Because exactly this maxim makes it possible to get into action. Of course, small steps help at most to create a solid basis and not to achieve a final result. This should not be the intention behind it. But for the simple reason that IT is not static and new requirements are constantly arising through the use of innovative technologies, constant adjustments must be made here.
In order to master these requirements, IT and OT absolutely have to pull together, both know and recognize the strengths of the other department and, above all, remain in constant exchange.
The column was published in its original German version on produktion.de.
Find your sales partner
Find your personal contact person in your area.
Start your remote services
Are you looking for an all-in-one solution? Try our web-based remote access portal today.
We are here to help you
Questions? We can help you. For direct support, you can also call us.
Subscribe here to get updates on IoT and remote access solutions, products and features and get the latest cybersecurity updates.