
Cybersecurity

Cybercriminals have discovered OT and IoT as lucrative attack targets. Many companies are poorly prepared for the threat. A structured approach helps to minimize risks.
Christian Koch NTT Data
22 July 2021
This text has been automatically translated from German to English.

Attacks on water supply systems, manipulated mixing ratios of drugs at pharmaceutical companies, outages of public transport display boards: hackers are increasingly discovering operational technology (OT) and the Internet of Things (IoT) as a lucrative target for attacks. While most people now realize that they should not click on dubious emails full of spelling mistakes, machines and plants are often unprotected.

For a long time, cybercriminals had no interest in OT: production plants and supply systems for electricity, water and gas were not connected to other IT systems, so attackers could hardly cause any damage, or attacks were very complex.

Networked production attracts criminals

The manufacturing industry is digitizing its business processes along the entire value chain, from virtualization in the product creation process to more flexible service and business models to new manufacturing processes such as additive manufacturing. The risk of malware and cyber attacks is increasing as a result of the connection of production plants and machines to internal systems for production control or, increasingly, to the cloud.

Cybercriminals try to disrupt a plant and extort a ransom, or to obtain trade secrets on behalf of mostly foreign competitors or states. Then, months later, copies of car spare parts turn up that not even a service technician can distinguish from the original.

OT security lags so far behind the state of IT because OT is planned by engineers who have to implement technical production requirements under cost pressure and in a short time, and for whom cybersecurity was never an issue in the past. They develop a plant purely according to functional aspects.

When new cybersecurity risks arise, the plant software would actually have to be patched. But this is not normally provided for in OT. "Never touch a running system" applies even more in OT than in IT. There is usually no time to apply patches either. Even if the update only takes a few minutes, it can bring an entire production line to a standstill and result in a lengthy restart, especially since functional tests are usually also necessary.

So you have to switch to maintenance windows that are planned anyway, but they are rare. In chemical production plants, for example, it can take several years before the opportunity arises for an update including all functional tests.

Network segmentation is often the first recommended complementary measure. This involves separating parts of a system from other systems according to risk level and criticality. For this, the detailed structure and communication of the system must be known. It is also advisable to separate legacy systems, which can sometimes be decades old and for which updates are no longer available, from new parts and to apply separate security strategies.

But it's not just the manufacturer and operator of a plant that are required to ensure a high level of security; the maintenance staff must also be on board. During remote maintenance, they usually access a jump server via a VPN connection. From time to time, hackers use such connections to plant malware and spyware that can then infect entire plants and facilities, especially if access to the jump server or VPN authentication is only weakly protected.

To mitigate such risks, a better architecture is needed. Some security service providers recommend an audit with a penetration test to uncover vulnerabilities in the IT and OT infrastructure. You will probably find plenty of vulnerabilities, but the gain in knowledge is low, especially if no security has been implemented in the OT systems.

It is much better to implement measures first and then check them with an audit. The starting point for better OT security is greater visibility in the OT networks. Often, companies do not even know exactly which components they have in their systems, which software versions they use, which data they exchange, and which connections to the outside exist with third-party companies.

But you can't protect what you don't know. Knowing the software versions in use, communication relationships, external access, zoning in the network and more is the basis of any cybersecurity strategy.
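As an added illustration (not part of the original article), the sketch below turns passively collected flow records into the visibility basics named above and in the segmentation paragraph: assets per zone, communication relationships, external access and traffic that crosses zones outside the planned conduits. The zone names, address ranges, allowed conduits and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed zone plan (assumption): one CIDR range per risk zone.
ZONES = {
    "office_it": "10.10.0.0/16",
    "ot_control": "10.20.1.0/24",
    "ot_legacy": "10.20.9.0/24",      # old systems without updates
    "remote_maint": "10.30.0.0/28",   # jump server for remote maintenance
}
# Constructed allowlist (assumption): permitted zone-to-zone conduits.
ALLOWED = {("office_it", "ot_control"), ("remote_maint", "ot_control")}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.10.4.17", "10.20.1.5", 443),
    ("10.30.0.2", "10.20.1.5", 22),
    ("10.30.0.2", "10.20.9.8", 502),     # jump server reaches legacy zone
    ("10.20.9.8", "203.0.113.40", 443),  # legacy host talks to the outside
    ("10.20.1.5", "10.20.1.6", 502),
    ("10.10.4.17", "10.20.9.8", 102),    # office host reaches legacy zone
]

def zone_of(ip):
    """Map an address to its zone; anything unplanned counts as external."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"

def analyse(flows):
    """Build inventory, communication map and findings from flow records."""
    assets = defaultdict(set)      # zone -> hosts seen
    relations = defaultdict(set)   # (src zone, dst zone) -> ports used
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        for ip, zone in ((src, sz), (dst, dz)):
            if zone != "external":
                assets[zone].add(ip)
        relations[(sz, dz)].add(port)
        if "external" in (sz, dz):
            findings.append(("external_access", src, dst, port))
        elif sz != dz and (sz, dz) not in ALLOWED:
            findings.append(("zone_violation", src, dst, port))
    return assets, relations, findings

if __name__ == "__main__":
    for finding in analyse(FLOWS)[2]:
        print(finding)
```
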

Many companies asking for OT security support have already had a security incident or know companies in their environment that have had such an incident. Awareness has increased in recent years and companies are motivated to do more for security. However, companies often feel overwhelmed and don't know where to start. What is needed here is a structured approach that provides the company with orientation.


Christian Koch, Vice President Cybersecurity and Lead for IoT/OT at NTT Data.

