Are large corporations better positioned here than SMEs, for example, due to their larger pool of expertise?
Just because a company is large does not make the challenges any easier. The hurdles also scale accordingly. Bayer, for example, certainly has more resources to tackle security holistically than an SME, but the size of the company naturally makes it more difficult for us to actually change processes and make them more secure. This is much quicker and easier in smaller companies. In contrast, SMEs tend to find it difficult to maintain enough specialist knowledge to be able to tackle security in a structured way. External security companies can close these knowledge gaps very well and accelerate development. Nevertheless, you can't simply buy security, you need an established culture in the company on how to deal with the topic.
The notorious human factor as the biggest security risk.
It sounds trite now, but it still applies. It simply takes time for a culture and processes that have been developed over the years to change in the long term. In other words, until doors are really always locked or passwords are no longer hanging around on sticky notes, to name just a few banal examples.
How is Bayer working to raise employee awareness of this issue?
Following comprehensive global analyses, we decided in 2016 to roll out a uniform global security program that is independent of the individual divisions. In addition to technical aspects such as network segmentation and firewall implementation, change management is defined as a central pillar of this program. This also includes traditional online training and courses that offer structured access to security topics. However, something else is much more important for raising awareness.
What exactly?
Security depends on employees exchanging information. At Bayer, we attach great importance to our global community. We security officers use the associated communication channels to announce changes or explain certain procedures, but also to offer training courses if there are a particularly large number of queries on a particular topic. In these training sessions, our experts are then available to plant personnel and can provide answers in a direct exchange.
How are these formats being received by the workforce?
In our view, very well. We have noticed a very lively exchange in the communities, where employees not only ask questions, but also exchange ideas with each other, share best practices and also feed back suggestions to us. In addition to these global chat rooms, we have also set up local chat rooms in order to be able to react to regional differences, e.g. in legislation, where people can also communicate in their native language. Many of these smaller communities have actually emerged from the respective locations themselves.
Who meets in these chats?
In fact, I would estimate that around 80% belong to the automation technology sector. There are also other colleagues, for example from logistics or other areas, who already have a lot to do with digitalization and now also want to build up security expertise. And this is precisely where we need to impart much more know-how. As a rule, no IT security professional has the necessary OT knowledge to understand why they can't simply patch the system and restart it. On the other hand, OT specialists lack the necessary IT domain knowledge. Here, IT and OT need to merge even better, not only on the shop floor, but also in the training of junior staff and the existing workforce. As a cross-divisional function in a global company, we are dependent on local security experts because they enable us to have an open exchange about the state of security and can tell us exactly where we are not making progress or where improvements need to be made.
In the end, security also needs someone to implement it on site.
Yes, also because nobody in the respective locations wants someone to simply apply a patch remotely and without knowing the system status. We absolutely need contact persons who are on site and help us to drive security forward locally. As a global unit, we offer training courses and organize further training and technical solutions in order to achieve synergies. With regard to this training, it is also not advisable to offer standardized training for everyone. That is not expedient. An employee in the control room needs training that shows her where to report if she notices something. An administrator, on the other hand, needs to know that “1234” is not a really good password, to put it bluntly. Security must always be user-driven!
How does this approach fit in with the status quo of systems? In the process industry in particular, we have to deal with a lot of brownfield and the associated problems.
Yes, although we also have to differentiate here. Not all assets in the chemical and pharmaceutical industry have been in use for 40 years or more. This may apply to containers and reactors, but not to electrical components and parts.
But even a 15-year-old PLC is a big risk, isn't it?
Absolutely, even such an old control system will not have the safety functions required today or offer the option of simply patching it accordingly. We won't be able to solve this problem in the foreseeable future either and will have to rely on other measures such as network segmentation. However, these are not projects that can simply be implemented overnight. Depending on the scale, something like this can take a year, including planning and implementation.
Time that you don't necessarily have today, do you?
No, but the only other alternative is to replace the outdated components. And even then, a sophisticated security concept is necessary. Ultimately, components always harbor a certain risk. The older these devices are, the higher the risk score. Nevertheless, they are ideally protected by several risk-reducing measures, such as firewalls, segmented networks and intrusion detection systems. In addition, in the process industry in particular, many components are physically inaccessible because they are enclosed, for example, meaning that this risk can be virtually eliminated. However, it is also important in this context that we not only consider the systems directly involved in production, but also, for example, elevator or building technology.
Why?
Because both elevators and ventilation systems are now equipped with control systems that, in case of doubt, are not patched. And if a freight elevator or a ventilation system that ensures air exchange does not work, it becomes very difficult to maintain production. This is because safety requirements from functional safety, such as explosion protection, may also have to be taken into account, or it may simply be impossible to transport the required products to the intended locations. At the end of the day, these boundary conditions are just as important as the direct production facilities, but are unfortunately often forgotten. They are simply too far removed from the day-to-day work.
For a long time, security regulations such as the NIS 2 Directive, which is now due to be implemented nationally in October 2024, and the Cyber Resilience Act, which is due to be passed this year, were also a long way off. What is in store for the process industry?
In addition to the directives mentioned, there are also other regulations, such as KAS51 or the IT Security Act 2.0 (KRITIS), which must be complied with. For globally active companies, there are also requirements from other countries. In my view, the biggest challenge at the moment is therefore to maintain an overview of this flood of regulations and to develop strategies with a cool head as to how the necessary requirements can best be met. There won't be one universal plan that can simply be rolled out across all locations. That would waste an enormous amount of resources. Security has to be user-friendly and help the business. So we actually look at each individual location and try to find out where it stands and how we can most efficiently bring it up to the right security level so that we are compliant with the new legal requirements, but also secure the business.
Let's take another closer look at the NIS 2 Directive, as its implementation will be laid down in law from mid-October. Where do you see the most pressing issues here?
In my view, this is not a technical aspect, but rather the exchange with the authorities. This is because we are dealing with laws that can be interpreted in different ways. If the requirements state that attack detection measures must be in place, this could mean a complex and expensive intrusion detection system or a simple anti-virus program. This scope for interpretation must be defined in close cooperation with the authorities, harmonized with the necessary business risk and anchored in an individual plan. It is just as important that the responsible authorities, manufacturers and users exchange information and share experiences. Otherwise, every implementation strategy of the NIS 2 Directive risks becoming a case-by-case approach. We need a harmonized approach on both sides of the table and must not reinvent the wheel every time.
Isn't this kind of duplication also a threat simply because of all the different regulations that now need to be implemented?
To a certain extent, yes, but the crucial question is whether this duplication of work is always negative. In recent years, for example, we have been heavily involved with the IT Security Act 2.0, which only applies in Germany. Now, with NIS2, an EU-wide regulation is being added and we need to check whether some of the requirements have already been met. For me, this reworking and perhaps partial adjustment is positive duplication of work, because the threat situation is also constantly changing. It would be worse if, for example, the German regulations were to go much further than those of the EU, creating new scope for interpretation. This could also lead to such a high level of security being legally required that economic production would become impossible.
But you don't see any technical challenges in relation to NIS2?
At least not any new ones. Of course, due to the relatively old assets in the process industry, it can be problematic if regular patching or life cycle management is required and this is either not technically possible or updates are simply no longer offered for this generation of devices. But even if there are new challenges, we have learned from the past and will find new solutions here too.
Which will also increasingly incorporate AI?
AI will certainly also be used in security, because it can naturally process much more information and recognize patterns in our domain than we humans can. I see particular advantages here in network analysis and malware detection. But AI also offers these advantages for attackers, who may be able to find weak points in the system more easily in future with the help of artificial intelligence. AI is therefore a double-edged sword for us.