The network guardian

When data needs to be secure, it’s his finest hour. Dr. Lutz Jänicke is responsible for the security of products and solutions at Phoenix Contact. An interview about castles, slouch hats, mafia, and motivation.

Dr. Lutz Jänicke is actually an electrical engineer by nature. But while doing his doctorate and postgraduate work, he stumbled upon the topic. In the meantime, he has become an internationally renowned expert on data security, and the very first person to go to at Phoenix Contact when it comes to the systemic protection of networks. Appropriately, the interview was held in the old castle and palace complex of Bad Pyrmont.

Dr. Lutz Jänicke

UPDATE: Dr. Jänicke, are we safe and secure here?

(chuckles) Well, maybe 1,000 years ago. But how were castles attacked in the past? They fired, stormed, laid siege, and eventually dug tunnels to bring down the walls. In other words, they looked for weak points. This is no different today than it was 1,000 years ago.
Security was and is not a technical issue, but a process issue. The important thing is that there is no gap.

UPDATE: Once you set up security once, you’re secure for good?

No, it’s an ongoing process. You have to consider beforehand how to organize your defense in such a way that you are prepared for as many eventualities as possible. And then the defense needs to be as many steps ahead of the attacker as possible. In the Middle Ages you had years to do this, today it has to be done more quickly.
Errors often occur in classical patterns. When programming, you also rely on your colleagues having done their job well. If mistakes creep into a labor division, these are the open gates for an attack. The four eyes principle helps in this respect. As with classical castle construction, the defense concept needs to be in place from the very beginning. This is what we mean by security by design.
This is labor-intensive, annoying for creative minds, and also expensive. In the end, you end up with a product that doesn’t even look different from an unsafe product, just more expensive. You have to make an argument from that standpoint first. The legislature is helping with the critical infrastructure. Or look at your own bitter experience of production downtimes. This can quickly cost several million euros, and can even lead to massive loss of customers due to inability to deliver or corporate collapse. This is referred to as “saving at the wrong end.”

UPDATE: Is the overall threat situation increasing?

Definitely. Statistics from our industry are difficult to obtain, but the damage reported to the FBI from cybersecurity incidents in the US has increased tenfold over the last ten years, from 2008 to 2018, from 200 million to 2 billion dollars. These are absolutely realistic figures.

UPDATE: Who are the bad guys? And what are their motives?

There are all kinds of different attackers. There’s the individual who acts, but the damage usually isn’t that enormous. This can be for anarchic motives, but also for very tangible economic reasons. Malware that can actually be purchased is often used, which is also common in apps.
Then there are commercial organizations where you can buy high-quality attacks for money, such as service providers for organized crime in Russia. And you hear of Chinese groups acting upon behalf of the state. The result would be a limbo.
And then there are the state actors, such as the NSA, the Chinese People’s Army, or our very own Bundeswehr, which is also in preparation mode. You can get an idea of the alleged people involved by reading the time stamps of the server activities. Shockingly often, you’ll find matching times from a very specific time zone. Even cyber-pirates keep regular office hours.

UPDATE: How do you train your cyber defenses when you’re one of the “good guys” yourself? How can you get the tools you need if you yourself aren’t an attacker?

You don’t have to go to the Darknet or anything. Even the NSA publishes tools from time to time, you can just download them. Or buy it on eBay for 10 dollars. You’re also allowed to use them in Germany for laboratory purposes in your own environment, but not for attack purposes in the open field.
But you also need the real environment to test your tools, and with it the defense. If you let such tools haunt your house, however, things can happen in our networked environment that we just can’t control. So we are very careful. But the goal needs to be that our networks can withstand it.

UPDATE: We live in an increasingly networked world. But we only think about safety after something has already happened. Is that an accurate perception?

Many smaller companies actually act in this way, which is very critical. Larger companies are usually much more cautious. The IT at Phoenix Contact, for example, is always alert. For example, production is completely decoupled from the normal office network.

UPDATE: What made Phoenix Contact start to think about things like this?

We started in 2002 at the Berlin startup Innominate with the topic of mobile firewalls, but quickly advanced into the field of industrial automation. Phoenix Contact then took over Innominate in 2008.
However, the Phoenix Contact Group can’t only rely on firewalls; we also need to consider data security in all its processes. My job is to democratize the topic of security to a certain extent. We make training programs, educate people, develop tools. Everyone who writes software has to face the issue of security and follow certain guidelines.

UPDATE: How does cybersecurity harmonize with classic industry and conventional IT?

Quite well, actually. We are the experts for our specialized field. This is generally appreciated in IT. The situation is often quite different in production. Usually there’s no one in charge of security. When a machine is set up, nobody thinks about how it will be cleanly integrated into the network. The last thing they’re going to moan about is why the controller isn’t connected. There’s still a lot of “pulling strings” to be done.
But in financial controlling, we are usually looked at as just a cost factor. That’s not half bad. You can do without. We often suffer very large damages, but these are quite rare. Therefore, everyone believes that it won’t affect their company.

UPDATE: In which fields is Phoenix Contact active when it comes to cybersecurity?

We are active both in our own company and with customers. This helps in both directions, because it also increases our understanding of consulting in the production areas. And our new certifications show that we can competently map and offer all processes, including stocktaking, installation, commissioning, and training. This is TÜV-tested, quite literally.
We have just completed and successfully passed a very complex, multi-stage certification process with TÜV Süd. This shows how seriously we really take this.

UPDATE: In your opinion, what does the future hold for companies when it comes to security?

In principle, it can be assumed that the massively growing threat will put management under pressure. In the supply chain, customers are putting more pressure on since security is increasingly becoming an issue in supplier evaluation. Legislatively, new rules are also inevitable.

UPDATE: Openness and privacy – isn’t the network protection industry itself becoming too invested in exaggerating privacy when it comes to cyber attacks?

It’s a question of culture. It is true that an exchange about threats and attacks that have occurred is important for everyone. Companies that aren’t listed on the stock exchange already communicate quite openly here. Concealment is downright harmful.
But if, for example, a DAX company reports a successful attack, then share values will also fall. But even here, the way of thinking about it is slowly changing. Everyone is being attacked. It isn’t a sign of weakness. Only those who do not act are acting negligently. And those claiming they haven’t been attacked probably just didn’t notice the attack.

UPDATE: Does that also apply to Phoenix Contact?

Of course. If we, with our importance on the market, are NOT attacked by certain states from Southeast Asia for the purpose of industrial espionage, then we would have done something wrong. We also constantly educate ourselves in daily defensive combat, so we’re training for ourselves as well as for our customers.
