08 Dec 2017

Honeypots Versus Hackers

Production processes are becoming increasingly interconnected with digital communications technologies, opening new gateways for criminals operating on the Internet. The IT Security Technology Field at Siemens Corporate Technology is developing sophisticated solutions to protect against cybercrime and is subjecting them to rigorous testing, in part using its own team of hackers.

IT managers must discover vulnerabilities quickly and then take countermeasures.

IT crime is on the rise. Once mainly limited to individual Internet users, it has become a major threat to industry and business, with damages caused by cyber attacks and industrial espionage already reaching many billions of dollars per year.

Many industrial companies are worried that as digital technologies spread and machines and installations become increasingly interconnected along the entire value chain, major additional security risks are being created. But to make their production faster and more flexible, and to keep it cost-effective, they have to convert their previously largely self-contained facilities into open production systems. It’s a dilemma for which Dr. Rolf Reinema has a ready answer: “If industry uses an overarching and consistent security concept, the risks are manageable.” Reinema, who is responsible for the IT Security technology field at Siemens Corporate Technology (CT), heads a group of IT experts focused on developing comprehensive security solutions for Siemens’ businesses.

Systematically Addressing Vulnerabilities

“In the past, gates and alarm systems protected factories. Today, on the other hand, the top priority for those responsible for security in industry is to be faster than hackers and uncover security gaps themselves,” says IT security expert Klaus Lukas.

His ProductCERT team, which is part of the Technology Field, addresses the vulnerabilities of Siemens products that are reported from inside and outside the company. “The digitization of our business units requires us to respond quickly to such threats,” says Lukas. As a result, his team immediately notifies a customer if weak points are identified and develops solutions as quickly as possible in order to rectify them.

At the same time, the team is continuously in touch with a network of security experts. “It’s essential — not only for creating a mutual basis of trust but also to expand the scope of our own knowledge,” says Lukas. That’s why the members of his team also visit important conferences and IT events in order to communicate with other people from this field. Examples include the Blackhat USA and Defcon conferences, where researchers present their latest findings.

Scanning Data for Anomalies

Another IT security component is a monitoring system that identifies cyber attacks in close to real time. “In general, attacks aren’t detected fast enough. Once malware has penetrated a system, it can take its time looking through data and accomplishing its objective, whether that be pilfering data or manipulating it,” says Dr. Heiko Patzlaff. The monitoring system is intended to improve matters. “We’re developing algorithms that scan data streams for abnormalities,” he adds. For example, movements of large quantities of data at unusual times of the day or night might indicate an attack. The same goes for commands that are executed countless times in succession for no apparent reason. Or, if users who only work during the day suddenly log in at night, this could be a sign of a cyber attack. “Since every IT system has its own typical routines and patterns of behaviour, the search for clues has to be adapted to that,” says Patzlaff. If the monitoring system detects anomalies, it automatically notifies the appropriate security centre. “There, IT security specialists analyse the attempted breach and take countermeasures,” he says.
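The three clues Patzlaff lists (bulk data movement at odd hours, a command repeated in succession for no reason, a day-shift user logging in at night) can be turned into a small detector. The Go program below is an added example written for this page, not Siemens code and not the monitoring system the article describes. It first learns each user's usual login hours from a constructed known-good log, so the night-login rule is adapted to the system's own routine rather than to a fixed clock, then runs the three rules over a second constructed log. The log format, user names, the 1 GiB threshold, the 07:00–19:00 business-hours window and the five-repeat limit are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed line of the constructed format "RFC3339 user kind value".
type Event struct {
	At    time.Time
	User  string
	Kind  string // "login", "transfer" or "cmd"
	Value string // "-" for login, byte count for transfer, command name for cmd
}

// Constructed training log (not real data): ordinary day-shift logins.
const trainingLog = `2017-12-01T08:05:00Z alice login -
2017-12-01T08:10:00Z bob login -
2017-12-04T09:00:00Z alice login -`

// Constructed log under inspection (not real data).
const liveLog = `2017-12-08T02:40:00Z alice login -
2017-12-08T02:41:00Z alice transfer 9000000000
2017-12-08T03:00:00Z bob cmd read_coils
2017-12-08T03:00:01Z bob cmd read_coils
2017-12-08T03:00:02Z bob cmd read_coils
2017-12-08T03:00:03Z bob cmd read_coils
2017-12-08T03:00:04Z bob cmd read_coils
2017-12-08T08:30:00Z bob login -`

// ParseLog rejects malformed lines rather than skipping them (a dropped line is a blind spot).
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		events = append(events, Event{At: at, User: f[1], Kind: f[2], Value: f[3]})
	}
	return events, nil
}

// LearnProfile records, per user, the login hours seen in a known-good window: the "typical routine".
func LearnProfile(events []Event) map[string]map[int]bool {
	p := map[string]map[int]bool{}
	for _, e := range events {
		if e.Kind != "login" {
			continue
		}
		if p[e.User] == nil {
			p[e.User] = map[int]bool{}
		}
		p[e.User][e.At.Hour()] = true
	}
	return p
}

// Detect applies the text's three heuristics: a login at an hour never seen for that user,
// a transfer of at least bulkBytes outside 07:00-19:00, and one command repeated
// repeatLimit times in a row (alerted once per run, not once per repeat).
func Detect(profile map[string]map[int]bool, events []Event, bulkBytes int64, repeatLimit int) []string {
	var alerts []string
	lastUser, lastCmd, run := "", "", 0
	for _, e := range events {
		hour, stamp := e.At.Hour(), e.At.Format(time.RFC3339)
		switch e.Kind {
		case "login":
			if hours, known := profile[e.User]; known && !hours[hour] {
				alerts = append(alerts, fmt.Sprintf("%s login by %s at hour %02d, never seen in baseline", stamp, e.User, hour))
			}
		case "transfer":
			if n, err := strconv.ParseInt(e.Value, 10, 64); err == nil && n >= bulkBytes && (hour < 7 || hour >= 19) {
				alerts = append(alerts, fmt.Sprintf("%s bulk transfer of %d bytes by %s outside business hours", stamp, n, e.User))
			}
		case "cmd":
			if e.User != lastUser || e.Value != lastCmd {
				run = 0
			}
			run++
			lastUser, lastCmd = e.User, e.Value
			if run == repeatLimit {
				alerts = append(alerts, fmt.Sprintf("%s command %q repeated %d times in succession by %s", stamp, e.Value, run, e.User))
			}
		}
	}
	return alerts
}

func main() {
	train, _ := ParseLog(trainingLog)
	live, _ := ParseLog(liveLog)
	fmt.Println(strings.Join(Detect(LearnProfile(train), live, 1<<30, 5), "\n"))
}
```

Run as written, the program raises three alerts for the constructed log: alice's 02:40 login, the 9 GB transfer a minute later, and the five-fold `read_coils` run; bob's 08:30 login matches his baseline and is silent. Two design choices matter for a real deployment: a user absent from the baseline is deliberately not flagged here (a first-seen account deserves its own rule rather than a false "unusual hour"), and each alert is a string destined for the security centre the text mentions, where an analyst decides whether it is a breach.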

Forecasts illustrate just how extensive this challenge will become in the future. Not hundreds or thousands but billions of machines, systems, sensors, and individual products will eventually communicate with one another as the cyber-physical technologies collectively known as “Industry 4.0” become increasingly common.

Recognising Attack Patterns in Time

Another important IT security component is the ability to monitor operating environments such as manufacturing facilities or power plants to detect attacks. The CERT Research Group, which is headed by Dr. Martin Otto, is working on new solutions that will enable security experts to detect such attacks early on and successfully counter them. For example, CERT investigates new attack patterns every day. It analyzes them and works together with other departments to develop effective countermeasures and detection methods that greatly reduce the risk of an attack. “Such cyber threat intelligence enables us to understand the current threat situation and to protect our systems and our customers in a more targeted manner,” explains Otto.

The experts at CERT and ProductCERT are also developing new technologies that can independently identify new attack patterns and generate recognition methods. In addition, the researchers are working to make operating networks immune to such attacks and to prevent breakdowns.

ID Check for Machines

This field is therefore in need of special security solutions. One idea, for example, is for machines to “identify” themselves before they can exchange data with one another or transmit it to databases. “This would make IT infrastructures more resistant to attacks,” says Hendrik Brockhaus. His team in Siemens’ IT Security Technology Field is currently demonstrating how an ID system of this kind for machines might work in a pilot system that was put together for the Siemens Mobility division. For the first time, Brockhaus is applying a public-key infrastructure (PKI) to industrial installations and using digital certificates to verify the authenticity of machines, sensors, or components. For example, in the context of the pilot system, if a control system issues a switching command to the control unit of a field device, both the control system and control unit make certain, based on the PKI certificate, that the counterpart really is what it purports to be and that no hacking attempt is involved. The PKI certificates are issued by a “Trust Center” that operates according to very high standards of security and thereby establishes trust in the PKI certificates.
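The check described for the pilot system, a control unit satisfying itself that a switching command really comes from the control system it expects, can be sketched with standard certificate machinery. The Go program below is an added example built only on Go's standard `crypto/x509` and `crypto/ecdsa` packages; it is not the Siemens pilot system's code and says nothing about that system's actual design. The Trust Center is modelled as a self-signed CA, each machine identity as a certificate the Trust Center issues, and a switching command as a message signed with the sender's key. The machine names, command text, validity period and the choice of ECDSA P-256 are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a machine (or the Trust Center itself) with its certificate and private key.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key and a certificate for it signed by parent (self-signed when nil).
func issue(tmpl *x509.Certificate, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour) // demo validity
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// NewTrustCenter creates the self-signed CA that vouches for machine identities.
func NewTrustCenter(name string) (*Identity, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil)
}

// Enroll issues a machine certificate; both extended key usages so either side can initiate.
func (ca *Identity) Enroll(machineID string, serial int64) (*Identity, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: machineID},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, ca)
}

// TrustPool is the root set a device is provisioned with: the Trust Center and nothing else.
func TrustPool(ca *Identity) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return pool
}

// SignCommand signs a switching command with the sender's private key.
func (id *Identity) SignCommand(cmd []byte) ([]byte, error) {
	digest := sha256.Sum256(cmd)
	return ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
}

// VerifyCommand is the receiver's check before acting: the sender's certificate must chain to
// the Trust Center and name the expected peer, and the command must be signed by that certificate's key.
func VerifyCommand(roots *x509.CertPool, sender *x509.Certificate, expectedID string, cmd, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := sender.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if sender.Subject.CommonName != expectedID {
		return fmt.Errorf("certificate names %q, expected %q", sender.Subject.CommonName, expectedID)
	}
	pub, ok := sender.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", sender.PublicKey)
	}
	digest := sha256.Sum256(cmd)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("command signature does not verify")
	}
	return nil
}

func main() {
	tc, _ := NewTrustCenter("Trust Center (hypothetical)")
	ctrl, _ := tc.Enroll("control-system-01", 2)
	sig, _ := ctrl.SignCommand([]byte("SWITCH breaker_7 OPEN"))
	fmt.Println("accepted:", VerifyCommand(TrustPool(tc), ctrl.Cert, "control-system-01", []byte("SWITCH breaker_7 OPEN"), sig) == nil)
}
```

The three failure modes worth noting are the ones `VerifyCommand` rejects in turn: a certificate issued by any CA other than the Trust Center fails the chain check even if it carries the right machine name, a genuine certificate for a different machine fails the name check, and a tampered command fails the signature check. In a real installation this exchange normally sits inside a mutually authenticated TLS session rather than being hand-rolled per message, the machine's private key lives in a hardware security module or secure element rather than in process memory, and the receiver also needs a revocation mechanism so a compromised device's certificate can be withdrawn before it expires.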

Hackers in the Service of Research

Another team in the IT Security Technology Field is also involved in defending against cyber attacks. “Our in-house hackers deliberately look for vulnerabilities in standard software for their attacks,” says Reinema. In order to understand the methods hackers use, his department sets up what are called “honeypots.”

These are vulnerabilities that are specifically sought out by hackers. Of course, the honeypot isn’t located in the real IT system. Instead, it simulates a piece of software, a network, or a server and merely leads the hacker to believe that he is attacking the actual system. “By carefully analyzing hacker methods in this way, we can improve our threat intelligence and our ability to defend against attacks on our solutions,” says Reinema.

At the same time, in addition to IT infrastructure and Siemens products, Reinema’s IT security specialists also thoroughly examine the department’s own solutions. Only then does it become apparent whether the walls erected by the IT Security experts are high enough, and whether the security checkpoints are rigorous enough.