The network guardian

When data needs to be secure, it’s his finest hour. Dr. Lutz Jänicke is responsible for the security of products and solutions at Phoenix Contact. An interview about castles, slouch hats, mafia, and motivation.

Dr. Lutz Jänicke is actually an electrical engineer by nature. But while doing his doctorate and postgraduate work, he stumbled upon the topic. In the meantime, he has become an internationally renowned expert on data security, and the very first person to go to at Phoenix Contact when it comes to the systemic protection of networks. Appropriately, the interview was held in the old castle and palace complex of Bad Pyrmont.

Dr. Lutz Jänicke

UPDATE: Dr. Jänicke, are we safe and secure here?

(chuckles) Well, maybe 1,000 years ago. But how were castles attacked in the past? They fired, stormed, laid siege, and eventually dug tunnels to bring down the walls. In other words, they looked for weak points. This is no different today than it was 1,000 years ago.
Security was and is not a technical issue, but a process issue. The important thing is that there is no gap.

UPDATE: Once you set up security once, you’re secure for good?

No, it’s an ongoing process. You have to consider beforehand how to organize your defense in such a way that you are prepared for as many eventualities as possible. And then the defense needs to be as many steps ahead of the attacker as possible. In the Middle Ages you had years to do this, today it has to be done more quickly.
Errors often occur in classical patterns. When programming, you also rely on your colleagues having done their job well. If mistakes creep into a labor division, these are the open gates for an attack. The four eyes principle helps in this respect. As with classical castle construction, the defense concept needs to be in place from the very beginning. This is what we mean by security by design.
This is labor-intensive, annoying for creative minds, and also expensive. In the end, you end up with a product that doesn’t even look different from an unsafe product, just more expensive. You have to make an argument from that standpoint first. The legislature is helping with the critical infrastructure. Or look at your own bitter experience of production downtimes. This can quickly cost several million euros, and can even lead to massive loss of customers due to inability to deliver or corporate collapse. This is referred to as “saving at the wrong end.”

UPDATE: Is the overall threat situation increasing?

Definitely. Statistics from our industry are difficult to obtain, but the damage reported to the FBI from cybersecurity incidents in the US has increased tenfold over the last ten years, from 2008 to 2018, from 200 million to 2 billion dollars. These are absolutely realistic figures.

UPDATE: Who are the bad guys? And what are their motives?

There are all kinds of different attackers. There’s the individual who acts, but the damage usually isn’t that enormous. This can be for anarchic motives, but also for very tangible economic reasons. Malware that can actually be purchased is often used, which is also common in apps.
Then there are commercial organizations where you can buy high-quality attacks for money, such as service providers for organized crime in Russia. And you hear of Chinese groups acting upon behalf of the state. The result would be a limbo.
And then there are the state actors, such as the NSA, the Chinese People’s Army, or our very own Bundeswehr, which is also in preparation mode. You can get an idea of the alleged people involved by reading the time stamps of the server activities. Shockingly often, you’ll find matching times from a very specific time zone. Even cyber-pirates keep regular office hours.

UPDATE: How do you train your cyber defenses when you’re one of the “good guys” yourself? How can you get the tools you need if you yourself aren’t an attacker?

You don’t have to go to the Darknet or anything. Even the NSA publishes tools from time to time, you can just download them. Or buy it on eBay for 10 dollars. You’re also allowed to use them in Germany for laboratory purposes in your own environment, but not for attack purposes in the open field.
But you also need the real environment to test your tools, and with it the defense. If you let such tools haunt your house, however, things can happen in our networked environment that we just can’t control. So we are very careful. But the goal needs to be that our networks can withstand it.

UPDATE: We live in an increasingly networked world. But we only think about safety after something has already happened. Is that an accurate perception?

Many smaller companies actually act in this way, which is very critical. Larger companies are usually much more cautious. The IT at Phoenix Contact, for example, is always alert. For example, production is completely decoupled from the normal office network.

UPDATE: What made Phoenix Contact start to think about things like this?

We started in 2002 at the Berlin startup Innominate with the topic of mobile firewalls, but quickly advanced into the field of industrial automation. Phoenix Contact then took over Innominate in 2008.
However, the Phoenix Contact Group can’t only rely on firewalls; we also need to consider data security in all its processes. My job is to democratize the topic of security to a certain extent. We make training programs, educate people, develop tools. Everyone who writes software has to face the issue of security and follow certain guidelines.

UPDATE: How does cybersecurity harmonize with classic industry and conventional IT?

Quite well, actually. We are the experts for our specialized field. This is generally appreciated in IT. The situation is often quite different in production. Usually there’s no one in charge of security. When a machine is set up, nobody thinks about how it will be cleanly integrated into the network. The last thing they’re going to moan about is why the controller isn’t connected. There’s still a lot of “pulling strings” to be done.
But in financial controlling, we are usually looked at as just a cost factor. That’s not half bad. You can do without. We often suffer very large damages, but these are quite rare. Therefore, everyone believes that it won’t affect their company.

UPDATE: In which fields is Phoenix Contact active when it comes to cybersecurity?

We are active both in our own company and with customers. This helps in both directions, because it also increases our understanding of consulting in the production areas. And our new certifications show that we can competently map and offer all processes, including stocktaking, installation, commissioning, and training. This is TÜV-tested, quite literally.
We have just completed and successfully passed a very complex, multi-stage certification process with TÜV Süd. This shows how seriously we really take this.

UPDATE: In your opinion, what does the future hold for companies when it comes to security?

In principle, it can be assumed that the massively growing threat will put management under pressure. In the supply chain, customers are putting more pressure on since security is increasingly becoming an issue in supplier evaluation. Legislatively, new rules are also inevitable.

UPDATE: Openness and privacy – isn’t the network protection industry itself becoming too invested in exaggerating privacy when it comes to cyber attacks?

It’s a question of culture. It is true that an exchange about threats and attacks that have occurred is important for everyone. Companies that aren’t listed on the stock exchange already communicate quite openly here. Concealment is downright harmful.
But if, for example, a DAX company reports a successful attack, then share values will also fall. But even here, the way of thinking about it is slowly changing. Everyone is being attacked. It isn’t a sign of weakness. Only those who do not act are acting negligently. And those claiming they haven’t been attacked probably just didn’t notice the attack.

UPDATE: Does that also apply to Phoenix Contact?

Of course. If we, with our importance on the market, are NOT attacked by certain states from Southeast Asia for the purpose of industrial espionage, then we would have done something wrong. We also constantly educate ourselves in daily defensive combat, so we’re training for ourselves as well as for our customers.
