OTRS : Five-step Plan for IT Security in Manufacturing

Because the majority of machines will be connected to the Internet in the future, all parties involved - machine manufacturers, component suppliers, machine operators and, where applicable, service providers - face entirely new challenges in ensuring IT security in the industry. As production equipment and machines that are connected to internal production control systems and processes are increasingly outsourced to the cloud, the risk of malware and cyberattacks increases.

Five-step plan to protect CRITICAL infrastructure (CRITIS)

To a large extent, the manufacturing sector is one of the so-called 'critical infrastructures' (CRITIS). Critical infrastructures are organizations or facilities of vital importance to the governmental community, the failure of which would result in supply shortages, significant disruptions to public safety, or other dramatic consequences. Tighter security measures apply to these areas.

To ensure maximum IT security and adequately evaluate cyber attacks after the fact, I recommend the following five-phase plan for protecting CRITICAL infrastructure.

Phase 1: Preparation for setting up crisis management

In the run-up to setting up or expanding a crisis management system, a number of principles should be agreed upon. These include, for example, defining responsibilities, providing resources, and formulating protection goals for the facility.

When planning crisis management, an ISMS (Information Security Management System) such as CONTROL can be very helpful. This provides continuous, transparent and audit-proof documentation of structured processes in accordance with ISO/IEC 27001. The time savings of a good, well-structured ISMS are 30-40 percent.

Phase 2: Risk analysis

The second phase, risk analysis, is about evaluating potential risks in facilities. You should be able to answer the following questions:

• What types of hazards can occur?
• What is the likelihood of these hazards occurring at facility locations?
• What vulnerabilities exist that make the facility susceptible to hazard exposure?
• What damage can be expected if different hazards occur?
• What is the impact on the facility's ability to function if processes fail due to exposure to the hazards?

Phase 3: Description of preventive measures

In the third phase, protective measures should be identified and weighed. This can be, for example, the installation of a firewall, security training for employees or a solution such as STORM, which provides security processes for an effective response to attacks. A cost-benefit analysis is useful at this point.

Phase 4: Establish crisis management

Crises that cannot be prevented despite prevention should be handled by a professional crisis management team.

The most important tasks of a crisis management team are:

• to create the best conceptual, organizational and procedural conditions to manage the crisis in the best possible way
• to establish special structures for responding in the event of a crisis

Phase 5: Regular evaluation

Situations and conditions can always change, so an evaluation of processes should be carried out regularly - preferably annually.

One of our surveys of 280 IT managers showed that the majority of respondents (61 percent) record a security incident weekly or more often. On the one hand, this is a high frequency; on the other, hackers' methods are also becoming increasingly sophisticated. Therefore, continuous expansion of the security architecture is important.

In the manufacturing sector, the consequences may be even more serious than in other sectors. That is why I would like to draw particular attention once again to comprehensive prevention and preparation with regard to possible security attacks. In this way, we also strengthen public confidence in the topic of digitization, because since the outbreak of the pandemic and increased mobile work, there is no way around digital transformation.

If you have any further questions or advice on the subject of security, I would be happy to answer them personally.