Better protected together

With growing digital networking, the cyber security risks for the manufacturing industry are also increasing. Körber supports companies in protecting themselves against disruptions caused by ransomware.

On a Friday afternoon in May 2021, the billing system of the US company Colonial Pipeline suddenly suspended the ability to issue invoices to customers – a massive malware attack initiated by the Russian hacker group DarkSide. The blackmailers also stole almost 100 gigabytes of data and threatened to publish it on the internet if no ransom was paid. Colonial Pipeline transports oil from Texas to the southeastern United States. About 45 % of all fuel consumed on the US East Coast passes through this pipeline system.

State of emergency in 17 US states

The effect was enormous: Colonial Pipeline immediately ceased operations and paid the Bitcoin ransom demanded by DarkSide of the equivalent of around US$ 4.4 million – in exchange for a software tool to bring the IT system back online. It was only six days later that pipeline operations could restart. In the meantime, there were acute petrol shortages, panic buying and price increases in the affected regions. US President Joe Biden declared a regional state of emergency for 17 states.

The cyber attack on Colonial Pipeline was the most sensational and consequential in a growing series of similar attacks. Ransomware has long since become a global threat to companies – be it through system, order and production downtimes, massive competitive disadvantages, high recovery costs or the lasting loss of trust among business partners. According to estimates by the US software manufacturer McAfee, global ransomware damage more than doubled between 2018 and 2020 alone – to a total of around 1.1 trillion US dollars.

The vulnerability of IT systems is particularly virulent in the area of operational technology (OT).

The insidious – and thus particularly dangerous – thing about the latest attacks à la Colonial Pipeline is that they are not carried out directly, but via hacked access to the network of a third-party company – often an IT provider that controls the software of Colonial Pipeline & Co. These so-called "supply chain attacks" have been booming for years, and they increase the threat potential especially in the manufacturing industry with its often highly complex supply chains. The advantage for the criminals: Hacking a software provider gives them access to various company networks in one fell swoop.

Dr Christian Schlögel, Chief Digital Officer (CDO) at the Körber Group

More networking, more attack surface

"The increasing convergence of information technology (IT) and operational technology (OT) exposes manufacturing infrastructures to a particular risk," says Dr Christian Schlögel, Chief Digital Officer (CDO) at the Körber Group. In the course of digitization the threat potential continues to grow: "The booming use of software in industry, cloud-based industrial controls, networking with partners and third-party manufacturers, as well as remote support as a result of the Covid-19 pandemic, are increasing the attack surfaces."

At the same time, according to Schlögel, transparent data sharing in particular is crucial for advanced, intelligent and efficient manufacturing. "The future of the manufacturing industry is digital and hyper-connected," Schlögel says. "Cyber security is increasingly becoming a central factor for sustainable business success for manufacturers. Our role at Körber is to help leverage the enormous digitization potential for the industry by also effectively protecting our customers from cybercrime."

Forgoing the benefits of digitization is not an option here, as it provides enormous advantages in increasing overall plant efficiency, faster transparency in the event of bottlenecks, networking with customers and suppliers, and making manufacturing more flexible. "The use of support systems in manufacturing through artificial intelligence is a great lever for efficiency control and sustainable production that we need to take advantage of," Schlögel explains. It is also important to understand that the security problem already exists today in the use of software in so-called on-premise operation, i.e. not only in cloud applications.

The range of potential security vulnerabilities has increased significantly in the course of digitization.
Andreas Gaetje, Chief Information Security Officer (CISO) at Körber

As Chief Information Security Officer (CISO), Andreas Gaetje is responsible for the digital security of Körber and its customers. Together with his team, he has been setting up a cross-business area Cyber Defence Center (CDC) in the Portuguese city of Porto since summer 2020 in order to develop integrated protection solutions for the increasingly complex cyber security challenges. In addition to Körber's internal systems, the main focus is on infrastructures provided for customers. "Developing effective protection mechanisms for industry requires first and foremost a strong understanding of machine manufacturing," says Andreas Gaetje.

Main focus on prevention

Gaetje's team is developing protection systems based on the Cyber Incident Response Cycle (CIRS) – a five-stage model that is used in a similar form in the security sector worldwide. "Our first focus is on systematic preparation and prevention, the Prepare and Prevent stage," says Andreas Gaetje. Here, it is a matter of quickly finding and repairing vulnerabilities and successively building up a consistent security design that corresponds to the changes in today's production landscapes. "The more the Industrial Internet of Things (IIoT) takes hold, the more the number and complexity of the sensors and end devices to be protected increase," says Andreas Gaetje. "In addition, long life cycles often apply in mechanical engineering and the software control must bridge a large age difference between the machines. This has to be taken into account in the safety concept."

Körber develops digital protection systems based on a five-stage model

The Detect level is used to identify anomalies and indications of possible attacks in running systems and to enable the most permanent monitoring possible using innovative tools – Körber uses an arsenal of security technologies here to monitor all servers and data flows and to detect suspicious activities at an early stage using AI-based solutions. At the Respond level, Körber directs effective measures in the event of acute cyber attacks – the most difficult task, according to Andreas Gaetje, as work has to be done under immense time pressure. An effective backup strategy for restoring data is central to this. Finally, the Learn level: "Crisis experiences usually offer us the highest learning potential to better master the next crisis," says Andreas Gaetje. "This allows us to constantly improve our processes and communication within the group and with our customers."

SIEM provides central control

These mechanisms apply not least to Körber itself. "We store and transport large amounts of data for our customers," says Andreas Gaetje, "so it is fundamental for them to know that their data is in safe hands with us." At Körber, a central control system – called SIEM – ensures that the logs of all business areas are monitored centrally. In this process, the technologies in the cyber defence area are continuously being further developed. "The threat situation is constantly changing," explains Andreas Gaetje. "What seems secure today can be a gateway tomorrow. Especially in the OT area, there is a huge need to catch up in order to master these requirements together."
