A few real-life examples of the potential danger posed by vulnerabilities in new machines
Machines and devices are often supplied to companies with weak points or limited protective measures by the manufacturer. In this article, you will learn about typical scenarios where machines and devices are delivered with vulnerabilities, as well as about specific components for integration in order to mitigate those vulnerabilities directly in your purchasing department.
Real examples based on our experience:
The built-in camera in a new machine pings non-EU IP addresses from the OT network
- New but infected machines are unintentionally delivered to end customers by the manufacturer
- IT services not required from the OS are not switched off (e.g., printer service), and this results in unwanted communications traffic in the operator’s network
- Applications run with administration rights, and user access to the machine cannot be regulated.
Core components for the integration of security requirements for IOT and OT in the purchase of devices, software, and services
Definition of a scope for guidelines (mandatory IT security requirements for machinery, equipment, and manufacturing facilities).
Use of best-practice norms for creating requirements (e.g., ISO/IEC 62443, VDI/VDE 2182)
Established system security requirements and level(s):
- Authentication measures for new systems
- WLAN (e.g., definition of a frequency and channel for point-to-point connection, WPA2-PSK)
- Export control (e.g., compliance with export control for the foreign transactions of IT software and technologies)
The use and documentation of an IT security survey for systems and facilities for the evaluation of:
- Operating system information and its protection (e.g., version; security patch guarantee; firewall on the controller; and disabling of USB, Smartcard, or FireWire ports).
- Network information (e.g., use of critical ports, WLAN components, and authorization and encryption procedures)
- Application information (e.g., a list of software components, emergency access, storage space monitoring, and deactivation of unnecessary services)
- Authorization information
- Service components (e.g., infrastructure required for on-site and remote maintenance)
Pre-certification and certification inspection (e.g., technical safety inspection and comparison with a questionnaire)
How we can provide support together with our partners:
➢ A needs analysis (by telephone or on-site) for efficient and effective risk-based safeguarding, and for the establishment of transparency concerning security status
➢ Purchasing guidelines and checklists (particularly for medium-sized companies and the manufacturing industry)
➢ Establishment of a supply chain risk program (e.g., for requirements from VDA TISAX and UNECE WP.29)
➢ Training of employees for implementation of a process in their organizations
Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.