Not science fiction, just a question of safety

Market analyses have shown that between 30 and 200 billion objects and devices will be networked by 2020 - in private households as well as in industrial production. Companies are already making use of machine-to-machine communication in large parts of their value chain. The goal is always to automate or optimize processes. In a vision of widespread penetration of this approach, orders steer themselves independently through entire value chains, book their processing machines as well as their material, and organize their delivery to the customer. This is made possible by the widespread and (now) affordable availability of industrially deployable (wireless) Internet connections.

A new cyber ecosystem is emerging

Gradually, networked living spaces and ecosystems are developing that - despite all the comfort and technical progress - are not immune to security risks. Attackers can penetrate digitized processes and infrastructures in our everyday working lives at any time, either arbitrarily or deliberately. To date, it cannot be assumed that security precautions will accompany this development to the same extent and at the same pace. However, a study1 conducted by Fortinet in August 2014 shows that companies are well aware of the constantly advancing cyber threats and the need for increased security measures.

Increasing demand for computing power brings new challenges

Considering that machine-to-machine communication is also required for the operation of critical infrastructures (e.g. smart grids, intelligent traffic control and monitoring systems, etc.), it becomes clear what a significant role suitable protective measures should play in this context. A central challenge here is certainly the problem of storage space: the networking of services and devices means that there is a constantly increasing demand for computing power. However, since the devices used often have limited resources, one of the most frequently chosen approaches is to outsource data and its processing to the cloud. However, this in turn creates new challenges in the areas of security and data protection.

New threat situation due to APTs

In addition, there is a completely new generation of cyber criminals and hackers who attack networked infrastructures, mostly for economic and political reasons, in order to gain access to sensitive data and specific information or to cause targeted damage. This massive emergence of so-called "Advanced Persistent Threats" (APTs for short) presents companies with completely new challenges in terms of IT security. It is no longer "just" the protection of personal data that plays a role here, but increasingly also the security of public infrastructures and industrial systems, some of which supply entire regions. If, for example, a hacker takes control of the system of a so-called "smart meter", not only the remote control of the devices and the disconnection from the power supply, but also the manipulation of the transmitted consumption quantity are possible. In addition, the transmission of manipulated load data could lead to a destabilization of the line networks - up to and including the failure of the power supply to entire residential areas. Decision-makers must realize that these new technologies not only bring benefits, but also require new security concepts.

Organizational and strategic considerations as a first step

It may sound banal, but before companies decide on specific security solutions and measures, organizational and strategic issues should be clarified in advance. In this sense, it is important to define clear responsibilities and appoint a central Chief Security Officer (CSO) for the overall strategy. If several partners or suppliers are involved in production, any security measures and guidelines should be coordinated with them and integrated into the overall concept. In this way, it can be avoided that production is compromised via partner systems and the security measures are thus reduced to absurdity. In order to find the right solutions, companies should look for an expert who can advise them on the following questions in a second step: With what organizational measures can the company take?

New technologies not only bring advantages, but also require new security concepts.

What types of attackers can be expected and what goals do they pursue? Which points of attack and interfaces does my communication system have? What is the maximum damage that a successful attack can cause? Which technical measures can prevent an attack? What is the relationship between the investment required for defensive measures and the potential damage? Once these organizational and strategic questions have been clarified, it is time to think about concrete solutions.

Appropriate measures to protect a company

Many companies only protect their Internet connections with firewalls. In times of machine-to-machine communication and APTs, this security precaution is no longer sufficient by far. Rather, security measures must be introduced at various points: e.g. also in the networking of OfficeIT and the production network as well as at the visualization and control level. It is also advisable to carry out ongoing documentation of network components and communication participants in order to avoid security-critical errors in the event of system expansions. In addition, it should be defined which devices are allowed to communicate with each other at which times. Another important aspect is the secure authentication of all communication participants, employees and machines. Smart card-based systems have proven themselves well in the past. In this context, an increasing trend towards biometric security measures can also be observed. A sensible division into subnetworks provides additional protection, since a compromised device cannot infect or even completely paralyze other devices or other subnetworks. The firmware of communicating devices should also be able to be updated by the manufacturer if necessary.

Economic performance must not suffer as a result of protective measures

Connected devices and machines promise benefits, but at the same time offer a wide attack surface for cybercriminals. To overcome the hurdles in the area of security and data protection, it is becoming increasingly important for companies to protect their network infrastructure centrally and to connect external offices efficiently and securely. For many companies, this also means upgrading existing IT structures, as many new security aspects are not automatically taken into account. At the same time, of course, economic performance must not suffer as a result of the essential protective measures: What good are ten locked doors if each one has to be laboriously unlocked, dramatically reducing the efficiency of the company? Security systems must protect, not restrict operational performance.