Keeping IT Systems Safe in the Modern Era

 

Dr. Thorsten Henkel is the head of Secure Engineering, Industry 4.0 and the Security Test Lab at the Fraunhofer Institute for Secure Information Technology (SIT). Fraunhofer SIT is a leading expert in the realm of IT security, and the institute offers a range of services and solutions for companies, such as assistance with crafting an effective IT security management strategy and auditing assistance to vet products and systems for potential vulnerabilities. We spoke with Dr. Henkel to learn more about the realities of IT security today and how Fraunhofer SIT can help businesses make sure they are protected against cyber crimes.

GSC: A main component of the Industry 4.0 concept is a vision of machines and systems communicating with one another seamlessly, driving each other's processes without necessarily needing a person to guide and control everything. On the surface, this seems like it could be a risky move with regard to IT security, since systems would have a great degree of interconnectedness, in theory making it easier for cyber criminals to compromise entire networks by gaining access to only a portion of them. Are such fears legitimate? How difficult would it actually be to protect a system that operates on Industry 4.0 principles?

Dr. Thorsten Henkel: Connecting machines in the way described above means that a wide scope of spatially distributed systems will start working in a very independent way. Such systems of systems – so-called cyber physical systems – become a critical infrastructure. In the past only nuclear power plants etc. had been listed as critical systems. With regard to I 4.0 the interaction between systems becomes more and more interesting, especially from an IT-security perspective. Even today the world of those systems is extremely heterogeneous, and so it is already demanding to protect current systems in a proper way. The attack surface increases enormously with interaction between different producing participants. There is an emerging threat of cascading problems if one of the systems is compromised or starts to cause problems. On the other hand it becomes more and more difficult to enforce regulations concerning issues like data protection and to prevent product piracy while everything starts working with its next neighbor.

So the answer is yes, there is an increasing security problem that emerges along with I 4.0 paradigms.

Today no system exists that operates on I 4.0 principles. But there is a lot of methodology and technology available that could be adopted and deployed to such future systems.

GSC: Fraunhofer SIT has worked to develop new and improved standards for secure engineering with regard to IT systems. On your website, you specifically mention that you focus on offering "support for stakeholders who are not experts in IT security" but who need this knowledge to make critical IT design decisions. What are some basic tenets of secure engineering that such stakeholders (e.g., executives of innovative companies) should be aware of when overseeing the designing of their systems? What do non-IT experts who still have an interest in creating secure IT networks need to know about IT security in this day and age?

Dr. Thorsten Henkel: Most of our customers already have a budget for security measures but they lack methodologies to identify indicators for the performance of their security activities. We can help them to analyze and evaluate their product and component portfolio. After that we can make recommendations on where to invest money and help to benchmark the impact of such decisions. The basic tenet is to organize the engineering process in a way that enables average computer engineers to avoid 80% of the main faults during an early design and implementation phase. This helps save money and avoids most of the known security problems.

GSC: More companies are also struggling with whether or not to allow employees to use their personal electronic devices (e.g. smartphones and tablets) to access information from their workplace. What recommendations does Fraunhofer SIT have regarding how companies should approach this issue?

Dr. Thorsten Henkel: Bring your own device – BYOD – is a hot topic. Our institute has built its own technology that helps to separate business information from private information while using the same smartphone. It is called BizzTrust and you can buy it as a product. There are competitive technologies available from other vendors like Good Technology or BlackBerry as well.

We recommend analyzing the actual demand for information protection and identifying the threats according to business continuity aspects.

There is another product from Fraunhofer SIT available called Appicaptor. With this test service you can scan and evaluate a big number of apps for mobile systems with regard to their security aspects in a short time. Companies can use that for whitelisting, blacklisting or impact assessment.

GSC: With both the rise of big data and social networking, people are sharing more information online than ever before, and this information is being collected and analyzed in greater volumes than previously. In this context, what risks does this combination pose for companies trying to develop more robust security standards?

Dr. Thorsten Henkel: The collection of data from social networks and the enrichment of those databases with data from the cyber physical world opens more advantages than risks for producing companies. The problem emerges on the customer side. The collected information might be used to create detailed customer profiles and that may violate personal data protection rights. On the other hand sharing such data across companies might do some harm to their assets as well. The joint usage of producing environments as production service infrastructure will cause a need for data separation and knowledge protection. Thus, the risk of loss of confidential data might increase and companies have to take that into account.

GSC: Given all of the new technologies and possibilities available in the modern era, from cloud computing to mobile devices, it's understandable that some companies find themselves overwhelmed at how best to proceed in ensuring their data and systems are fully protected. How can services like Fraunhofer SIT Test Lab help prepare and educate businesses on how to survive and thrive in the realm of IT security and data protection?

Dr. Thorsten Henkel: We try to help customers to make the right decisions for their security needs. Our test lab provides a dedicated methodology to analyze and evaluate soft- and hardware products against IT security issues. We can test nearly every system from a web-based direct banking software product to a producing environment from the industrial domain. During the last 10 years we have gained a good understanding of our customers' needs and we have tested a wide scope of systems. Today we provide services like Appicaptor, which helps companies to keep up with the exploding number of mobile apps and helps them to scan a big number of apps in a short time.

For bigger projects we can create an expert report e.g. for companies thinking about the usage of cloud-based human resource software. Within such projects we analyze and evaluate the technology and business processes with regard to company compliance. Together with strategic partners we can even offer legal and economical consultancy.

GSC: Thank you very much for the interview, Dr. Henkel.