When data needs to be secure, it’s his finest hour. Dr. Lutz Jänicke is responsible for the security of products and solutions at Phoenix Contact. An interview about castles, slouch hats, mafia, and motivation.
Dr. Lutz Jänicke is actually an electrical engineer by nature. But while doing his doctorate and postgraduate work, he stumbled upon the topic. In the meantime, he has become an internationally renowned expert on data security, and the very first person to go to at Phoenix Contact when it comes to the systemic protection of networks. Appropriately, the interview was held in the old castle and palace complex of Bad Pyrmont.
UPDATE: Dr. Jänicke, are we safe and secure here?
(chuckles) Well, maybe 1,000 years ago. But how were castles attacked in the past? They fired, stormed, laid siege, and eventually dug tunnels to bring down the walls. In other words, they looked for weak points. This is no different today than it was 1,000 years ago.
Security was and is not a technical issue, but a process issue. The important thing is that there is no gap.
UPDATE: Once you set up security once, you’re secure for good?
No, it’s an ongoing process. You have to consider beforehand how to organize your defense in such a way that you are prepared for as many eventualities as possible. And then the defense needs to be as many steps ahead of the attacker as possible. In the Middle Ages you had years to do this, today it has to be done more quickly.
Errors often occur in classical patterns. When programming, you also rely on your colleagues having done their job well. If mistakes creep into a labor division, these are the open gates for an attack. The four eyes principle helps in this respect. As with classical castle construction, the defense concept needs to be in place from the very beginning. This is what we mean by security by design.
This is labor-intensive, annoying for creative minds, and also expensive. In the end, you end up with a product that doesn’t even look different from an unsafe product, just more expensive. You have to make an argument from that standpoint first. The legislature is helping with the critical infrastructure. Or look at your our own bitter experience of production downtimes. This can quickly cost several million euros, and can even lead to massive loss of customers due to inability to deliver or corporate collapse. This is referred to as “saving at the wrong end.”
UPDATE: Is the overall threat situation increasing?
Definitely. Statistics from our industry are difficult to obtain, but the damage reported to the FBI from cybersecurity incidents in the US has increased tenfold over the last ten years, from 2008 to 2018, from 200 million to 2 billion dollars. These are absolutely realistic figures.
UPDATE: Who are the bad guys? And what are their motives?
There are all kinds of different attackers. There’s the individual who acts, but the damage usually isn’t that enormous. This can be for anarchic motives, but also for very tangible economic reasons. Malware that can actually be purchased is often used, which is also common in apps.
Then there are commercial organizations where you can buy high-quality attacks for money, such as service providers for organized crime in Russia. And you hear of Chinese groups acting upon behalf of the state. The result would be a limbo.
And then there are the state actors, such as the NSA, the Chinese People’s Army, or our very own Bundeswehr, which is also in preparation mode. You can get an idea of the alleged people involved by reading the time stamps of the server activities. Shockingly often, you’ll find matching times from a very specific time zone. Even cyber-pirates keep regular office hours.
UPDATE: How do you train your cyber defenses when you’re one of the “good guys” yourself? How can you get the tools you need if you yourself aren’t an attacker?
You don’t have to go the Darknet or anything. Even the NSA publishes tools from time to time, you can just download them. Or buy it on eBay for 10 dollars. You’re also allowed to use them in Germany for laboratory purposes in your own environment, but not for attack purposes in the open field.
But you also need the real environment to test your tools, and with it the defense. ’If you let such tools haunt your house, however, things can happen in our networked environment
that we just can’t control. So we are very careful. But the goal needs to be that our networks can withstand it.
UPDATE: We live in an increasingly networked world. But we only think about safety after something has already happened. Is that an accurate perception?
Many smaller companies actually act in this way, which is very critical. Larger companies are usually much more cautious. The IT at Phoenix Contact, for example, is always alert. For example, production is completely decoupled from the normal office network.
UPDATE: What made Phoenix Contact start to think about things like this?
We started in 2002 at the Berlin startup Innominate with the topic of mobile firewalls, but quickly advanced into the field of industrial automation. Phoenix Contact then took over Innominate in 2008.
However, the Phoenix Contact Group can’t only rely on firewalls; we also need to consider data security in all its processes. My job is to democratize the topic of security to a certain extent. We make training programs, educate people, develop tools. Everyone who writes software has to face the issue of security and follow certain guidelines.
UPDATE: How does cybersecurity harmonize with classic industry and conventional IT?
Quite well, actually. We are the experts for our specialized field. This is generally appreciated in IT. The situation is often quite different in production. Usually there’s no one in charge of security. When a machine is set up, nobody thinks about how it will be cleanly integrated into the network. The last thing they’re going to moan about is why the controller isn’t connected. There’s still a lot of “pulling strings” to be done.
But in financial controlling, we are usually looked at as just a cost factor. That’s not half bad. You can do without. We often suffer very large damages, but these are quite rare. Therefore, everyone believes that it won’t affect their company.
UPDATE: In which fields is Phoenix Contact active when it comes to cybersecurity?
We are active both in our own company and with customers. This helps in both directions, because it also increases our understanding of consulting in the production areas. And our new certifications show that we can competently map and offer all processes, including stocktaking, installation, commissioning, and training. This is TÜV-tested, quite literally.
We have just completed and successfully passed a very complex, multi-stage certification process with TÜV Süd. This shows how seriously we really take this.
UPDATE: In your opinion, what does the future hold for companies when it comes to security?
In principle, it can be assumed that the massively growing threat will put management under pressure. In the supply chain, customers are putting more pressure on since security is increasingly becoming an issue in supplier evaluation. Legislatively, new rules are also inevitable.
UPDATE: Openness and privacy – isn’t the network protection industry itself becoming too invested in exaggerating privacy when it comes to cyber attacks?
It’s a question of culture. It is true that an exchange about threats and attacks that have occurred is important for everyone. Companies that aren’t listed on the stock exchange already communicate quite openly here. Concealment is downright harmful.
But if, for example, a DAX company reports a successful attack, then share values will also fall. But even here, the way of thinking about it is slowly changing. Everyone is being attacked. It isn’t a sign of weakness. Only those who do not act are acting negligently. And those claiming they haven’t been attacked probably just didn’t notice the attack.
UPDATE: Does that also apply to Phoenix Contact?
Of course. If we, with our importance on the market, are NOT attacked by certain states from Southeast Asia for the purpose of industrial espionage, then we would have done something wrong. We also constantly educate ourselves in daily defensive combat, so we’re training for ourselves as well as for our customers.
This post is also available in: Deutsch