What the Industry Can Learn from Germany’s Data Leak

“Massive hack of German politicians’ data”, “German police investigating data theft”: At the beginning of the year, one story took the headlines of top news giants in Germany. An amateur had stolen and leaked personal data of politicians and celebrities. A mere stunt in comparison to the potential impact of a professional cyberattack in the industry.

It was the kind of news that journalists love: A 20-year-old student had leaked personal data of politicians and celebrities online, including phone numbers, chat histories, and photos. He was motivated by his frustration with politicians and a desire for recognition. While the data leaked was not particularly sensitive, nor posed immediate concern, the victims reacted hysterically. However, they may be partly to blame as media investigators have since revealed. In many cases, their accounts were barely protected, with some information even freely accessible.

Cybersecurity Is Still Totally Underestimated

The incident highlights what could be possible if state-sponsored hackers or professional criminals were to enter a system and gather data, says Michael Waidner. The leader of the Fraunhofer Institute for Secure Information Technology emphasizes that hackers could compile much more compromising data sets and attack critical infrastructures.

Industry Is a Number One Target

And these infrastructures are no longer in the control of governments. As factories become increasingly networked, industrial companies worldwide find themselves in the firing line. To enable networked plants to communicate with each other, they are connected by the Internet of Things. And with this, they are more vulnerable to outside threats.

“Here, we’re not just talking about data theft,” says Dr. Alexander Horch, Head of Development at HIMA – the world’s leading supplier of industrial safety technology. “Criminals are interested in stealing construction drawings for machines or formulas for medicines and selling them on, for example. On a much more dangerous scale, they could gain access to a process control system.” If the company that comes under attack has neglected cybersecurity, the attacker could gain complete control of a factory.

“Here, we’re not just talking about data theft. On a much more dangerous scale, a criminal could gain access to a process control system.”
Dr. Alexander Horch,
Head of Development, HIMA

Threats to the Economy, the Environment, and People

In 2010, the computer worm Stuxnet showed the world what well-funded, precisely targeted cyberattacks are capable of. Unknown persons used the malware to sabotage a uranium enrichment plant in Iran. In an interview with German newspaper Die Zeit two years ago, renowned cyberwarfare expert Sandro Gaycken stated that Stuxnet would be a “test for future sabotage on industrial plants” – including infrastructures such as electricity, water, and gas.

In fact, just a few months ago, an American water supply system became a victim of cybercrime. In another case attackers took control of a process control system and altered, among other things, the amount of chemical additives in water treatment.

Most Technology Is Not Up to Speed

Just one case in many, but nearly always the same problem: outdated technology. Unlike office computers which are replaced by new ones every few years, industrial plants and robots stay in use for much longer, as summarized by Gordon Mühl, Vice President of Industrie 4.0 at global IT provider Infosys. He suggests that the system buses used by machines to transmit data are just as outdated. The internet had not even been taken into consideration during the development of these systems, nor had the need for data security measures.

Does this mean that plant managers need to implement completely new technologies? Can they even use the Internet of Things without introducing incalculable risks? The questions are plenty, but answers are few. That’s why experts like Sandro Gaycken are in even higher demand today than in the times of Stuxnet. In an interview with FAZ, Germany’s newspaper with the widest circulation abroad, Gaycken stated that if you want to protect critical infrastructures against cyberattacks, you need to decouple as many systems as possible from the internet and separate them from each other.

Is it Negligent to Use Integrated Systems?

The engineers at HIMA have been following this approach for years. The company develops safety instrumented systems (SIS) for industrial plants in the digital age. For this, HIMA insists on a strict, physical separation of SIS from process control systems. The international standards for functional safety and cybersecurity – IEC 61511 and IEC 62443 – have long since demanded this separation. “Many companies are still using integrated systems. They think that by using these systems they can save on costs, and see making modifications as unnecessary,” says HIMA expert Horch. The risk with this is that once hackers have infiltrated a process control system, they are also in control of security systems. The potential for damage is not to be underestimated. “Integrated systems can therefore no longer be seen as a responsible option,” states Horch.

“The potential for damage [from a successful cyberattack] is not to be underestimated.”
Dr. Alexander Horch,
Head of Development, HIMA

The Industry Is Waking Up

Of course, professionally orchestrated, well-funded hacks on industrial companies are in a completely different league to the recent German data leak. But personal information on celebrities is certainly more likely to get the public’s attention. Still, the incident means that cybersecurity will be a number one topic of discussion for some time in Germany and worldwide. One can only hope that the call for increased security in industry will be heard.

Or else, as Gaycken predicts, “all kinds of threats could emerge.”