Magazine for the Annual Report
Mind the gap

Since 2019, SICK has had its own Product Security Incident Response Team (PSIRT) to handle the security of all its products and services. Uncovering vulnerabilities is a goal shared by a wide variety of interested parties, so that customers receive a consistently high level of security. Ulrike Gehring (Project Manager Cybersecurity) and Benjamin Holdermann (Cybersecurity Specialist) explain the roles and tasks of the PSIRT, and talk about systematization with the courage to leave gaps.
In addition to the protection of information technology (IT), why is the protection of operational technology (OT) gaining in importance?
GEHRING: More and more industrial products – such as sensors, actuators or entire control systems – offer supplementary cloud or network functions in addition to their actual product functions. The increasing integration of microcontrollers, however, has a price: the risk of security gaps. Operational technology is now just as affected by this as IT systems are. The risks facing IT have been present for some time now, and appropriate cybersecurity processes have already been established. With their integrated software, products can now also interact with IT systems and run external programs. This means that such products can now also pose major security problems which, in the worst case, could affect a company’s entire IT network and production facilities.
SICK has had its own Product Security Incident Response Team for more than three years now. What is this PSIRT and why was it founded?
HOLDERMANN: When the security of our products is involved, the PSIRT is the central contact at SICK for customers and other stakeholders (such as the authorities or security researchers). We set it up in 2019 within a few months, and it can already look back on many successfully concluded cases.

GEHRING: It was founded because, in this networked world, we saw that it was no longer enough to handle vulnerabilities locally and individually in our subsidiaries; they had to be handled for the entire company. In doing so, we rely on absolute transparency. Anyone, whether a customer or not, can report potential weaknesses to us. After we have confirmed the problem, we publish it openly on our website – entirely in the interests of our customers.
What are the PSIRT’s tasks?
HOLDERMANN: Absolute security from the moment a networked product is first used cannot be achieved by technical means alone. Ultimately, one must have the courage to leave gaps. Security can only be improved gradually, by learning from incidents and reacting as quickly as possible. The PSIRT plays a central role here with its systematization: it coordinates the handling of vulnerabilities in our products, steers the development of countermeasures by our local experts, and provides feedback for implementation in guidelines as well as in practice. What matters is that we gain control over the situation using this systematic approach.

GEHRING: Our team is thus not just the key driver for continuously increasing product security, but also the central contact and coordinator for vulnerabilities and security reports.
What are the typical incidents that it becomes involved in?
HOLDERMANN: The appearance of the so-called Log4Shell vulnerability in December 2021 was a typical incident and, at the same time, a major operation for our PSIRT. This was because it involved a security gap in a library used in the Java programming language. Java is used worldwide, and practically every company laptop was affected. And, of course, such libraries are also active in networked SICK products. Log4Shell was just the kind of vulnerability that would enable a hacker to access an entire corporate network and hijack the IT system. Our customers were naturally nervous, and we received a lot of queries about it. But thanks to our standardized processes and systematics, we were quickly able to dispel their anxieties. Here, too, we rapidly gained control by determining the vulnerability and making it measurable. In collaboration with our developers, we inspected all 40,000 SICK products, and there is now a patch available to close the security gap for each affected device.

GEHRING: Our systematization approach also enables us to be brave regarding cybersecurity. We know that we can get every situation under control according to the motto ‘recognize the risk, avert the risk’. So our customers can exploit the benefits of digitalization with a good feeling.
How should SICK’s PSIRT develop in future?
HOLDERMANN: Locating and fixing security gaps in all products is no easy task. The organizational competencies and the knowledge of a PSIRT can increase the maturity of product security in the company and ultimately reduce costs. The difference a PSIRT makes lies in how well an organization is prepared for vulnerability reports. Good preparation is decisive for how the company is perceived by customers, security researchers and the media. So we continuously work on improving our unit so that we can close future, and even more complex, security gaps efficiently.