Cyber security: from 'cost item' to behavioral change
News | February 3, 2020
Because online security is mainly behavior – and not so much technology – 25 technicians in the ICD Cyber Security workshop learn how to prevent a hack of factory systems. Not only employees of ICD companies also join colleagues from other companies. After all, with serious threats it is better to warn and help each other than to compete.
The trainees have barely set up their laptops when some Raspberry Pi's begin to vibrate and 'chirp'. The computers are on the tables and are connected to the laptops brought along to simulate practical situations today. A few complain that they cannot connect to the local Wi-Fi network. Others ignore a prompt to create a new password. ,,I'm making it a bit more difficult for the students today'', laughs Vincent Denneman. He is a student of ICT Technology and Cyber Security at the Fontys University of Applied Sciences in Eindhoven and earns a little extra as a 'hacker'. “I just sent a message that the password needs to be changed. Whoever follows this message thinks to change his password, but in reality gives me permission to take over his system. Meanwhile, the user thinks he is safe with a new password.”
A nice introduction, but necessary to feel the urgency of well-secured systems. Throughout the day, Vincent breaks in and sets off activities that are not intended. This is how he trains together with course leader Egbert-Jan Sol, director at TNO and program director Smart Industry, awareness of the dangers that companies run with digital systems. ,,That is necessary, because safety is all too often seen as a cost item'', Sol tells the men's audience. “Anyone who shares data runs great risks, greater than many companies are aware of. Today you will experience for yourself what it is like to be hacked, which makes you more alert to the risks to which you are exposed. Get your chest wet! If you were in school, it would take you six months to cover what we discuss today in one day."
As contradictory as it seems and aware of all the risks, Sol advocates more use of open source. “Five years ago I wouldn't dare say that, but nowadays open source is reliable. Not only the software, but also the hardware. And it now costs a fraction of what you had to pay years ago. Just look at the PI.” Sol notices a trend, but immediately notes that someone who has been working in IT for years and relies on systems from the well-known major brands does not want to work with open source. “People doubt the reliability, especially in the production environment of a factory. But that is changing.” Besides the attractive cost of open source, Sol argues that everyone is working on solutions to make open source better. This makes it at least as resistant to burglary as the established systems and also much more flexible.
,,This is interesting'', thinks Christian van der Kooi† He is a business analyst at CSK Food Enrichment and is working on factory optimization. “I came here because I want to know more about data security. I am not a programmer myself, so the practical exercises with the PI are not for me. It is interesting to hear what others are doing to protect business systems and data. And maybe there's an interesting collaboration with one of these companies. Because it is better to warn and help each other instead of keeping smart solutions only to yourself.”
No matter how well your own security is in order, if that does not apply to the entire supply chain, it is still difficult to resist cyber attacks and hacks. After all, the chain is only as strong as its weakest link. Sol: ,,PLCs are becoming IoT computers and you see more and more computers of this type built into end products to collect all kinds of data about end-use. The ambition of the smart industry is to achieve 'zero defaults'. That's why you collect data. This data is worth its weight in gold and you want to protect it. Just like data of the entire lifespan of a product. For example, what data is needed to understand what a customer is doing? So which data is really important for the customer to function better? You get this data from the product, from all copies, from all users, always. The customer therefore buys a service and no longer a product. This means that we are going to collect a huge amount of data. And we all want to protect that against unwanted use.”
Time for the assignment. Pears are stored in a large department store. The indoor climate has a constant temperature and humidity and everything works as energy-efficiently as possible. A special lock of doors gives access to the department store. The assignment: find out how these doors can be used as optimally as possible with the least energy loss, while keeping the indoor climate constant. This order comes according to Pieter Haantjes, service engineer at YP Your Partner, straight from practice. ,,It could have been my job! We manage, monitor and secure installations from Hamburg to Amsterdam. For example, the quality of the water in the elephant enclosure in Artis is monitored with our software.” Haantjes also monitors whether safety systems are working properly. That is why it is interesting to participate in this workshop. I am learning other angles that I can use in my work.”
That is exactly the aim of the workshop, in addition to developing a sense of urgency for increasing cyber risks in the production environment. More and more production equipment is connected to the factory network and to the Internet. Thanks to the larger amounts of data and its analysis, processes can be adjusted. But the link between production and the office domain and the Internet is precisely where the cyber risks arise. Therefore, production lines and equipment must be securely linked. After all, a hack can cause extensive damage. Therefore, cyber risks must be understood so that companies can take appropriate measures. That is precisely why information advisor Sjaak Stuiver van municipality of Weststellingwerf is also participating. ,,Well, mainly listen in'', Stuiver explains his participation. He's a civil servant, not a technician, and he can't program either. ,,I am the odd one out today, but I do feel the urgency of the problem. We are now dealing with the faltering Citrix security, which means that part of our systems is forced to shut down.” Stuiver mainly wants to understand exactly what cyber risks are and also finds it amusing to see how easily professionals can be hacked. ,,I am surprised by the simplicity with which you can enter a system and collect data. With this knowledge I can now better explain to colleagues and entrepreneurs in our municipality which risks they may be exposed to. (laughing) Well, that brings a civil servant to this workshop!"