German industry survey: cyber security in production has room for improvement
Fewer than half of manufacturing companies in Germany have clear organizational structures for IT security with a dedicated security officer. SMEs in our northern neighboring country are increasingly relying on external cyber security partners.

Production plants and their control systems are among the most sensitive areas in the manufacturing industry. To increase efficiency and profitability, these systems are increasingly networked and are therefore automatically a target for cyber criminals. In many cases, a cyberattack does not start directly with the OT systems but with gaps in traditional IT. From there, the attackers gradually gain access to other IT and control systems in order to attack the most sensitive areas of production. Their goal: maximum disruption to operations, theft and encryption of production and operationally relevant data, and blackmail.
Companies have recognized risks
IT security company Sophos conducted a targeted survey of industrial companies in Germany to find out the status of attack risks and defenses. The results show a positive development: many companies have recognized this danger and are setting up their organization accordingly. Responsibilities are being more clearly defined and cooperation between IT and production is developing well for the most part. SMEs in particular are increasingly relying on support from external security partners.
Almost every second company has its own security officer
The days when cyber security was a sideline are clearly over in many companies. 47.9 percent of the companies surveyed have now appointed a permanent person responsible for IT security. A further 33.6 percent combine this task with other areas - a model that is mainly practiced by smaller companies where resources are scarcer.
SMEs strengthen themselves with external security partners
The way smaller companies deal with cyber security is particularly interesting. One in four companies with fewer than 250 employees (25 percent) now works with specialized external IT security partners. In large companies with over 1,000 employees, however, this figure is only 11.1 percent; most of these companies have set up their own specialist departments.
This development shows that medium-sized companies are countering the lower availability of resources (compared to large companies) with pragmatic solutions to a complex problem: Instead of looking for and building up security experts themselves, they are turning to specialized service providers who already have the necessary experience and infrastructure.
IT has the leading role in production security
A clear picture emerges regarding the distribution of responsibilities in the companies: In seven out of ten companies (70.1 percent), the IT department is responsible for the IT security of production facilities. Production itself only bears the main responsibility in 19 percent of cases. This distribution clearly reflects the fact that production systems are now part of networked IT structures that need to be protected holistically.
Exchange, coordination, joint task
Coordination between departments also appears to be common practice in many companies. In 68.7 percent of companies, IT and production regularly talk to each other about security issues. Only 4.3 percent do not coordinate between the two departments at all. This very low percentage makes it clear that most companies have apparently internalized the fact that robust cyber security can only be achieved as a joint task.
Suppliers are also increasingly part of the security strategy
A look at the supply chain reveals another dynamic relevant to cyber security: more than half of companies (57.3 percent) now impose contractual requirements on the cyber security of their partners. Almost two thirds also check their partners' IT security regularly, and a further 19.4 percent at least occasionally. These are all crucial measures, as vulnerabilities at suppliers are among the riskiest points of attack in cyberattacks.
"A clear assignment of responsibilities is the foundation for effective protection in production," says Michael Veit, security expert at Sophos. "Where IT and production work hand in hand, companies can react much faster in the event of disruptions or attacks. Medium-sized companies in particular benefit from clear structures - whether with their own specialists or with the help of external partners. Anyone who also keeps an eye on their supply chain closes one of the most dangerous gaps."
A solid basis has been created
The survey clearly shows that German production companies have made significant organizational progress in terms of cyber security. Clear responsibilities, well-functioning cooperation and the involvement of suppliers create a solid basis for more protection in production. SMEs in particular show that this is possible even without large internal teams - if the network of partners is right.
Or: not everyone has to reinvent the wheel. If you get the right support, you can build effective protection even with limited resources.
Source: www.sophos.de
This article originally appeared on m-q.ch - https://www.m-q.ch/de/deutsche-branchen-umfrage-cybersicherheit-in-der-produktion-hat-luft-nach-oben/