![\"Dr.](\"https:\/\/update.phoenixcontact.com\/media\/2020\/02\/Jaenicke05.jpg\")
<\/a>UPDATE: Dr. J\u00e4nicke, are we safe and secure here?<\/em><\/p>\n\n\n\n (chuckles) Well, maybe 1,000 years ago. But how were castles attacked in the past? They fired, stormed, laid siege, and eventually dug tunnels to bring down the walls. In other words, they looked for weak points. This is no different today than it was 1,000 years ago. UPDATE: Once you set up security once, you\u2019re secure for good?<\/em><\/p>\n\n\n\n No, it\u2019s an ongoing process. You have to consider beforehand how to organize your defense in such a way that you are prepared for as many eventualities as possible. And then the defense needs to be as many steps ahead of the attacker as possible. In the Middle Ages you had years to do this, today it has to be done more quickly. UPDATE: Is the overall threat situation increasing?<\/em><\/p>\n\n\n\n Definitely. Statistics from our industry are difficult to obtain, but the damage reported to the FBI from cybersecurity incidents in the US has increased tenfold over the last ten years, from 2008 to 2018, from 200 million to 2 billion dollars. These are absolutely realistic figures. <\/p>\n\n\n\n UPDATE: Who are the bad guys? And what are their motives?<\/em><\/p>\n\n\n\n There are all kinds of different attackers. There\u2019s the individual who acts, but the damage usually isn\u2019t that enormous. This can be for anarchic motives, but also for very tangible economic reasons. Malware that can actually be purchased is often used, which is also common in apps. UPDATE: How do you train your cyber defenses when you\u2019re one of the \u201cgood guys\u201d yourself? How can you get the tools you need if you yourself aren\u2019t an attacker?<\/em><\/p>\n\n\n\n You don\u2019t have to go the Darknet or anything. Even the NSA publishes tools from time to time, you can just download them. Or buy it on eBay for 10 dollars. You\u2019re also allowed to use them in Germany for laboratory purposes in your own environment, but not for attack purposes in the open field. UPDATE: We live in an increasingly networked world. But we only think about safety after something has already happened. Is that an accurate perception?<\/em><\/p>\n\n\n\n Many smaller companies actually act in this way, which is very critical. Larger companies are usually much more cautious. The IT at Phoenix Contact, for example, is always alert. For example, production is completely decoupled from the normal office network. <\/p>\n\n\n\n UPDATE: What made Phoenix Contact start to think about things like this?<\/em><\/p>\n\n\n\n We started in 2002 at the Berlin startup Innominate with the topic of mobile firewalls, but quickly advanced into the field of industrial automation. Phoenix Contact then took over Innominate in 2008. UPDATE: How does cybersecurity harmonize with classic industry and conventional IT?<\/em> <\/p>\n\n\n\n Quite well, actually. We are the experts for our specialized field. This is generally appreciated in IT. The situation is often quite different in production. Usually there\u2019s no one in charge of security. When a machine is set up, nobody thinks about how it will be cleanly integrated into the network. The last thing they\u2019re going to moan about is why the controller isn\u2019t connected. There\u2019s still a lot of \u201cpulling strings\u201d to be done.
Security was and is not a technical issue, but a process issue. The important thing is that there is no gap. <\/p>\n\n\n\n
Errors often occur in classical patterns. When programming, you also rely on your colleagues having done their job well. If mistakes creep into a labor division, these are the open gates for an attack. The four eyes principle helps in this respect. As with classical castle construction, the defense concept needs to be in place from the very beginning. This is what we mean by security by design.
This is labor-intensive, annoying for creative minds, and also expensive. In the end, you end up with a product that doesn\u2019t even look different from an unsafe product, just more expensive. You have to make an argument from that standpoint first. The legislature is helping with the critical infrastructure. Or look at your our own bitter experience of production downtimes. This can quickly cost several million euros, and can even lead to massive loss of customers due to inability to deliver or corporate collapse. This is referred to as \u201csaving at the wrong end.\u201d <\/p>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n
Then there are commercial organizations where you can buy high-quality attacks for money, such as service providers for organized crime in Russia. And you hear of Chinese groups acting upon behalf of the state. The result would be a limbo.
And then there are the state actors, such as the NSA, the Chinese People\u2019s Army, or our very own Bundeswehr, which is also in preparation mode. You can get an idea of the alleged people involved by reading the time stamps of the server activities. Shockingly often, you\u2019ll find matching times from a very specific time zone. Even cyber-pirates keep regular office hours. <\/p>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n
But you also need the real environment to test your tools, and with it the defense. \u2019If you let such tools haunt your house, however, things can happen in our networked environment
that we just can\u2019t control. So we are very careful. But the goal needs to be that our networks can withstand it.<\/p>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n
However, the Phoenix Contact Group can\u2019t only rely on firewalls; we also need to consider data security in all its processes. My job is to democratize the topic of security to a certain extent. We make training programs, educate people, develop tools. Everyone who writes software has to face the issue of security and follow certain guidelines. <\/p>\n\n\n\n
But in financial controlling, we are usually looked at as just a cost factor. That\u2019s not half bad. You can do without. We often suffer very large damages, but these are quite rare. Therefore, everyone believes that it won\u2019t affect their company. <\/p>\n\n\n\n