EDITORIAL
Cyber security requires communication
"I've always said that this Industry 4.0 would only cause damage," could have been the reaction to the cyber attack that befell injection moulding machine manufacturer KraussMaffei at the end of November (see Plasteurope.com of 11.12.2018). Instead, however, it was understanding and regret that clearly prevailed in the plastics industry – and rightly so.
In the light of the ever-present danger that threatens a device (and that means absolutely any device) connected to the internet, any gloating would be completely out of place. Instead, this serves as confirmation of the fact that as much as possible needs to be done for cyber security.
The main priority here is to keep the software on all systems up-to-date. Anything else constitutes gross negligence today. Apple's well-maintained mobile operating system, “iOS”, which was released in 2007, has had a total of 128 updates since “Version 1.0” (as of 5 December 2018), without counting the minor updates that have had no impact on the version number. All of these closed security gaps or eliminated functional errors. How often has the software for your machine controls, routers and most important programmes been updated over this same period? Less frequently, no doubt. Despite this, many of these are connected to the same internet as all our smartphones, office PCs and televisions. And it wasn't that long ago that Siemens, for instance, delivered its programmable logic controllers (PLCs) with the server switched on and secured only with a standard password – veritably inviting cyber attacks.
Software often more up-to-date on robot vacuum cleaners than machine controls
Today, software for smartphones, televisions and robot vacuum cleaners is updated on almost a monthly basis. Machine controls in industry, however, which are much more important for the functioning of our society, are hardly ever touched once they have been brought into service.
At the same time, the advantages of digitalisation and Industry 4.0, cloud computing and remote work are being praised to high heaven. Yet a company laptop left thoughtlessly lying around in a café is enough to constitute a security gap that poses an immeasurable threat to the company as a whole.
A second key aspect is the security-conscious behaviour of employees, customers and visitors. This needs to be as self-evident as putting on a seat belt when driving. It is thus important for employees to receive training on how to deal with obscure emails or with USB sticks that appear to have been left lying around at random.
Employees must be part of the security concept
This latter issue is what went wrong at FACC (see Plasteurope.com of 31.05.2016) and Leoni (see Plasteurope.com of 21.09.2016), which were victims of “CEO fraud”. In such cases, the attacker pretends in an email to be the CEO and convinces an employee to transfer considerable sums of money to him. These are not isolated cases in which an ingenious villain finds a thoughtless clerk – the FBI estimates that this type of fraud alone accounts for EUR 2.8 bn worth of damage!
We need to understand two things. Firstly, cyber security is a matter for the boss. As with fire protection or occupational safety, there can be no compromises here. Secondly, cyber attacks happen and can succeed from the attacker's point of view, in the same way that building fires or accidents at work unfortunately still happen too.
It is a matter of keeping the potential damage to a minimum and learning from mistakes – including those made by others. This is why it is important to analyse such incidents thoroughly and also to share the results with other companies. In this way, security gaps can be closed more quickly. Being attacked is, after all, not something to be ashamed of. What would be embarrassing, however, would be to stand by and let others run straight into the trap.
David Löh
KI Group Deputy Editor in Chief
17.12.2018 Plasteurope.com [241351-0]
Published on 17.12.2018