IT Security

Cyber Security Starts with Employees

PrintPrint page Read duration ca. 0 minutes

The food and beverage industry increasingly relies on digital systems. However, this also means that the potential targets for cyber attacks are increasing. What can producers do to protect themselves from the risks? Laurin Dörr, Managing Director at TG alpha, has the answers. His speciality: Creating IT security concepts for the process and automation industry.

Laurin Dörr, Managing Director at TG alpha Copyright: ©Photo Porst Deggendorf

Mr Dörr, how do you rate the risk of cyber attacks?

As very high. The digital association Bitkom has calculated that the German economy will suffer losses of over 266 billion euros in 2024 alone. At the same time, I see that large sums are being invested in the IT security of office networks, while production networks are barely protected at all. In most cases, there is no strategy for how to react in the event of an attack. Recognising and tracing attacks is also usually extremely difficult, as log data is often not monitored and backed up.

That means most companies are not sufficiently protected on the production side...

They are flying blind, so to speak, and the consequences can be dramatic. From simple production stoppages to serious damage to systems - anything is possible. Often, food safety cannot be guaranteed either, as an unnoticed attacker can also change recipes and settings. As a result, food producers are considered to be part of the critical infrastructure under the new EU Network and Information Security Directive, NIS 2, above a certain size. They are therefore obliged to protect their production against cyber attacks.

Where do you think the most common weak points tend to lie for food and beverage producers – in the technology, in the processes or in the behaviour of the employees?

It's a combination of everything. Many companies only see the dangers from the Internet. However, a disgruntled employee or a lack of physical protection can be used in exactly the same way to disrupt production. The German Federal Office for IT Security, for example, sees removable storage media as the greatest threat to industrial plants.

... the security risk that is often mentioned in this context is private USB sticks, which can transfer not only data but also malware when connected to a system.

That's why removable storage devices and employee misconduct usually pose the greatest threat to automation systems. In this respect, the food and beverage industry is no different from other industries. For example, I know of two beverage manufacturers where production stoppages occurred because employees were looking at holiday photos on a control panel that had been saved on a USB stick.

How do the risks differ for older, retrofitted machines compared to modern, smart systems?

Older machines in particular often have no protection against cyber threats because the issue was not as important to plant manufacturers back then as it is today. Therefore, additional protection must usually be provided upstream here. This often makes it expensive to protect older machines. New modern systems, on the other hand, already come with a variety of security functions. However, these must be configured and integrated into an overall security concept. Unfortunately, I often see that many things remain unused because there is no security concept.

Many companies only see the dangers from the Internet. However, a disgruntled employee or a lack of physical protection can be used in exactly the same way to disrupt production. Copyright:: Pixabay

Which solutions are particularly effective for protecting industrial control systems?

In principle, the same security solutions are used in control systems as in traditional IT networks. However, their planning and configuration must be adapted to the requirements of an automation environment. The specifications of IEC 62443, which has established itself as the most important standard for IT security in the industrial sector and as the international standard for demonstrating conformity in the process and automation industry, help here. The basis is always a risk assessment and a zone concept in which the various safety requirements of individual system components can be taken into account. The actual technical measures such as firewalls, network monitoring or customised user management can then be derived from this.

Another standard for IT security is ISO 27001 – how does IEC 62443 differ from this standard?

ISO 27001 helps to secure the "normal" IT infrastructure, but it doesn't address the special requirements in a production environment. IEC 62443 was created to secure production and machines. Both standards are a good guide to building and systematically organising protection against cyber threats.

How does TG alpha support companies in integrating cyber security into existing production environments – especially when older machines and heterogeneous systems are already in use?

We've already helped a number of producers and critical infrastructures to secure their production. We also support machine manufacturers in adapting their system solutions to today's cyber security requirements. Our goal is always to implement a security concept that optimally meets the needs of the systems.

What strategic measures do you recommend to companies for maintaining a high level of cyber security in the long term – beyond purely technical protective measures?

Cyber security starts with employees. The human being is the weakest link in any system. Therefore, the most important thing is to reach out to employees so that they understand the restrictions imposed by cyber security and also go along with them and don’t undermine them.

What advice would you give to companies that are just starting to address the issue systematically?

First of all, it is important to find out what criteria can be used as a basis. The next step is to gain an overview of the production network and to carry out a risk analysis. I see time and again that these steps are skipped and technical solutions are purchased straight away. However, these are associated with high investments and often don't meet the actual requirements. It makes more sense to invest in cyber security based on your needs – and this is precisely where a risk analysis helps. This helps to determine where the company stands and where action is still needed.

How can small and medium-sized food businesses with limited resources achieve a solid level of security?

Only in the rarest of cases are extensive resources required for a solid level of security. Therefore, I can only advise starting with a risk analysis and using it to create a roadmap for gradual improvement. A risk analysis also reveals organisational measures that cost little or no money. It's important to create an awareness for cyber security in the company.

Contact

Laurin Dörr
Managing Director
TG alpha GmbH
Deggendorf, Germany
E-Mail: l.doerr@tgalpha.de
https://www.tgalpha.de/

Automation & Digitalization

The grippers are used in diverse applications and apply burger patties, for instance.

Hygiene-design grippers

Robot-aided automation and gripping technology are becoming increasingly important in the food industry.

Award-winner Dr Thomas Jackson in his family’s own diary with cheese shop in the United Kingdom.

Net zero for the dairy industry – GEA and OmegaLambdaTec are adopting new approaches

GEA and OmegaLambdaTec are cooperating to develop AI-based sustainability solutions for water management in dairies.

Single Pair Ethernet Alliance

VEGA is involved in the Single Pair Ethernet Alliance (SPE) in order to offer customers the best possible networking in digital infrastructures.

Cyber Security Starts with Employees

Automation & Digitalization

Hygiene-design grippers

Net zero for the dairy industry – GEA and OmegaLambdaTec are adopting new approaches

Single Pair Ethernet Alliance

Stay up to date