CyberCompare

Digitization won’t work without security | Expert interview with Michael Krammel, CEO and founder of K4 DIGITAL GmbH

Our interview partner:

Michael Krammel

Michael Krammel is the CEO and founder of K4 DIGITAL GmbH. He has worked intensively in OT security since the early 2000s.

Hello Michael, what’s your background and how did you get involved in the crazy field of OT security?

It’s kind of a long story: I started my career in process control and automation technology at the end of the 1980s. My colleagues and I were very successful in digitally integrating business processes to realize projects in a highly automated, efficient way.  

At the end of the 1990s I joined a limited partnership (small company). Our goal was to develop digital factory solutions. We worked very closely with the large automation manufacturers. It was a front-row seat for the transformation of proprietary OT technology into increasingly standardized IT and connected infrastructure technology in the automation industry.

What happened after that?

Around 2005 I encountered Industrial Defender. This US company took a comprehensive and highly competent approach to OT consulting and OT security solutions. Even then, the importance of OT security was already clear: from the role it plays in the resilience of critical production facilities to secure digitization strategies. The topic of OT security has fascinated me from that point on.

As one of the acknowledged first movers in the field, we began building new business areas in the OT/industrial security context. And at K4 DIGITAL GmbH, which I founded in 2020, we continuously develop these topics with holistic approaches and solution concepts that take the big picture, the human element, and the organization, processes, and technology into account.

So you see, Jannis, OT security isn’t such a crazy topic after all.

When it comes to security, many companies are just getting started. Can you describe a situation in which attackers took advantage of OT or IoT weaknesses?

The question is always: where’s the interface with the weak point? Many companies have been attacked via their IT systems, but there must have been an unprotected interface with the OT – otherwise production areas wouldn’t have been affected. And look at the incidents involving Havex/Dragonfly malware – they represented a much more concrete effort to penetrate into the OT. Those cases involved watering hole attacks that compromised the system patches. Remote access solutions installed at the customer enabled backdoor access. But in general many of these OT attacks aimed to obtain information and know-how rather than intentionally cause ongoing outages.

Attacks still frequently take place through IT systems, and then the OT – which often lacks adequate protection – is usually affected as well. Critical OT areas I typically see involve remote access solutions and the use of USB data storage devices to reuse data inside or outside the systems. The threat of a virus or Trojan horse is very high in those situations because companies far too rarely implement endpoint protection measures.

So direct attacks on OT systems never take place?

Of course attackers also target OT systems directly – and sometimes successfully. The question is whether these incidents are even identified as attacks, or if the OT is simply restored quickly so that production can continue. Or put another way: what information reaches the media or the public in the first place?

Today OT security may still benefit from the obscurity of these systems. But I believe this will change significantly as digitization and connections between systems increase, and as more know-how about OT accumulates.

And not to forget: most organizations have far fewer ways to detect attacks on their OT than on their IT. As a result, only a small number of companies even realize that their OT has been breached – especially when their know-how is being siphoned off – because they have no detection systems or operating concepts for OT security in place.

When customers contact you, what kinds of problems do they typically have?

The issues can be very different. But customers’ awareness of the topic is growing. They have neglected their OT issues for years, but now digitization and links to the cloud are making the need for action more concrete. Large end customers increasingly demand secure supply chains, and consumers want more secure products.

Typical questions are: What is the right approach to add-on IT solutions? What OT security products should I use? Which security functions do we need in our equipment, who should install them, and how should they do it? How can I continue using old systems so that I can avoid or delay the need to replace them? How can I implement a defense-in-depth approach for active production? How can I ensure that remote access is secure?

What is the process usually like?

Most customers start by taking stock of their current situation – where do I stand today? To find the answer, we often conduct analyses of risks, gaps, or weak points.

One example is a gap analysis based on regulatory standards (ISO 27001 and IEC 62443) – often covering both OT and IT.

Then in many cases we act as coaches to build security know-how at the company. The form of this coaching, along with any needed implementation and integration work, is co-created with the affected stakeholders. We work with customers in a holistic approach that takes people, the organization, processes, and technology into account and supports implementation. More and more, these activities cover all domains: OT, IT, and new infrastructure like IIoT.

What’s the biggest technical challenge your team has faced?

Ensuring the secure operation of legacy systems like XP or NT – which are still common in OT – in infrastructure that’s increasingly connected. We’ve been pioneers in this area since 2010, finding ways to design applications of whitelisting and sandboxing technologies for the OT environment. When it comes to OT, the principle of “never change a running system” still holds whenever possible. But classical patching, antivirus, and blacklisting approaches rarely provide a long-term OT fix. In the last few years, whitelisting concepts for OT caught on. But few people are aware that technologies like sandboxing also offer very secure ways to freeze legacy or current systems. Today interesting best-practice solutions are emerging from manufacturers using virtual patching and domain segmentation concepts in OT. It’s important to remember that there’s no single right approach that should always be used as the blueprint. Instead, you should assess your assets and the related processes from a risk perspective based on your security objectives. Often the findings show that a mix of technical and organizational changes makes sense. Employee awareness is a key element, too. In the end, there needs to be a reasonable balance between the costs and the benefits.

What are your thoughts on cloud connections and cloud services for industrial environments?

There’s a lot of momentum there. But I worry about a lack of coordination among the stakeholders involved, like management, IT, OT, and those responsible for digitization. Cases like this are more and more common. And here in Germany we are lagging behind the international market when it comes to digitization, in areas from industrial process optimization to new business models. Companies often pursue digitization for its own sake. As a result, some stakeholders set up infrastructure approaches quickly in a “just do it” approach that, in some cases, is driven by the solutions available on the market. There’s no overall perspective on the secure infrastructure and what makes business sense among all the stakeholders. And the topic of data privacy matters too. Of course good, secure concepts exist, with encryption and options for use in the cloud. There’s no end to the certifications for some providers’ solutions, but you should still ask questions and get everything important in writing. The cloud solutions themselves are usually secure – the biggest security challenge is often the infrastructure for connecting to them.

I believe that we still don’t have the right concepts and terminology to describe this comprehensive view of security across IT, OT, and cloud infrastructure. The questions are just arising now: How can we build security across different domains? What’s needed at the security management level? At the same time, each domain requires different kinds of actions, and the interfaces and overlapping areas of authority vary widely. It’s going to be exciting …

When would you recommend an OT monitoring solution (anomaly detection, SIEM) to your customers?

In general, there’s lots of room for improvement in terms of detection in OT. As we saw with Havex, malware can go unnoticed for years. Most companies definitely need to get better at this. In fact, IT-SIG 2.0 (Germany’s latest federal law on IT security) makes it a must-have for operators of critical infrastructure.

Detection is also related to prevention and response. When talking with companies about security in general, I always ask the question: At the end of the day, how resilient do you want to be in terms of cybersecurity? In other words, how quickly can you restart your production operations after an incident? And how soon do you realize that someone is tapping into your knowledge or manipulating your products – and what can you do about it? Detection plays an important role in this context.

What do you do with the information from your detection system? Should you buy an SOC (Security Operations Center) managed service, or would you rather run your SOC internally? Doing so requires a team with the right resources and authority. Many SOC operators still lack OT experience, no matter what their public image may suggest.

Do you have any final advice?

The point is not simply to buy a solution. Thinking about the concept for operating the solution is essential, along with the costs and benefits. If a solution is capable of a lot, the entire operating concept probably requires a lot more knowledge, too.

What do you consider to be interesting developments in OT/IoT security?

Two areas that I find very exciting are new OT domain segmentation concepts and virtual patching as further endpoint protection beyond sandboxing or whitelisting. We are working right now with selected customers on best practices in these areas. Edge computing (for example, to extract data in the cloud) is another: it opens up possibilities for implementing security functionalities like firewalls or monitoring systems on Docker systems in a hybrid approach instead of simply always installing “metal barriers”.

Are there any common claims or half-truths in the security business that you would question?

It’s often said that the three security objectives in OT are 1) availability, 2) availability, and 3) availability. But integrity and ensuring that data and information can’t be altered will continue to gain significance as digitization and I4.0 progress and the amount of software involved keeps growing. In the end, security objectives will always depend on the customer’s needs and processes.  

If you could send an e-mail to every IT manager on earth, what would your message be?

Dear IT managers, please get on board the transformation process with your employees as supporters and enablers of digitization. And remember: digitization won’t work without security.

Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.