Annual Report
PRODUCT SECURITY – UNFLUSTERED AND UNDAUNTED

Mobile phone contracts, internet connections or online banking – private internet users appreciate their service providers treating their data, and access to it, carefully. Regular security updates for mobile phone and computer software are standard, as is the consistent provision of up-to-date information on vulnerabilities and software updates on suppliers’ service websites. Cybersecurity in the Industry 4.0 environment provides a dependable system for networkable products, software and services in the cloud, ensuring the security of production plants and communication paths. 

SICK has its own Cybersecurity Department for this purpose. It only took SICK’s Cybersecurity Start-up Initiative a few months to build up a platform for developing and operating secure products.
“Corporate Department IT naturally had, and maintains, an overview of information security. But in addition to our own computer center security, we also saw a need to ensure that our products were developed with security in mind,” Andreas Teuscher, Chief Industrial Security Officer, describes the situation before the Start-Up began its work. “Each department, of course, also safeguarded the security of its own products – but individually and independently of one another.” 
PREVENTION. RECOGNITION. REACTION. 
It is necessary to take security aspects into account during product and software development to ensure cybersecurity throughout the life cycle of SICK products. This is not straightforward, and is the reason why a training program has been developed in collaboration with the SICK Academy. The Start-up Initiative also set up an Industrial Security Test Center at SICK to test the cybersecurity of products.
OPEN HANDLING OF WEAKNESSES
The SICK Product Security Incident Response Team (SICK PSIRT) is the central contact for customers and other interest groups (e.g. authorities and security researchers) regarding product security. A major task of SICK PSIRT is to coordinate the handling of weaknesses in products. Any report of a weakness – either from outside the company, by employees, or through active observation of the security situation – results in a reaction. A risk assessment is carried out if a weakness is verified in a product, after which customer communication is coordinated and corrective measures are defined. “I still remember what happened when, one year after our unit was founded, I explained that from now on product weaknesses would be published on our website – I got incredulous stares,” Mirko Böttger, Cybersecurity Specialist, describes the Start-Up’s first steps. “But this is now the case. The treatment of faults, the fault culture, has changed. We had very good feedback after the initial cases that we worked on.”

“I find the change during the last two years quite remarkable,” adds Wolfgang Stadler, Product Security Architect. “This is also because of the attitude of the people here. One approaches a new challenge openly and positively.”
Acceptance of the Cybersecurity Start-Up is also the result of a well-functioning cybersecurity community within SICK. “An important task for us last year was to bring the topic to the attention of the whole company and build up a community,” explains Benjamin Holdermann, Cybersecurity Specialist. “We organized events and found that there were not just ten of us, but lots.” The opportunities resulting from increasingly networked and merged production and IT also increase the risks. The rise in digitalization leads to greater replacement of analog bus systems by digital communication interfaces based on internet technologies. The advantage is that communication is considerably more transparent and interoperable. So it is necessary to have a dependable system to secure SICK products. This is what the Cybersecurity Start-up Initiative is committed to achieving.
INDUSTRIAL INFORMATION SECURITY