My name is Michael Vogel. I'm a partner in the KPMG cybersecurity practice. So you might think: oh, KPMG, an audit company, he's going to talk about boring financial statement stuff. No, I'm not. I studied electrical engineering many, many years ago, and I started working for IT security consulting companies more than 15 years ago, and I have been working with KPMG for more than 10 years. I skipped the advertising slide for you. So just one sentence on KPMG in Germany: we have a cybersecurity practice of about 200 people, fully dedicated to cybersecurity. And part of my team is a group that is dedicated to industrial control system security, because what we learned a couple of years ago, when we realized that this topic is coming up, is that we need a different set of people to address it. We have good penetration testers. We have good people on IT security. But what we also learned with our first projects:

We need a different set of people with a different skill set to address these topics, but we still need the other people as well. Because typically, and that's what you also see on my slides, we have the connection between what is called OT, or industrial security, and the IT part. That's typically part of the challenge that we see in a lot of organizations. On the one side, you have those people who develop apps and web applications in an agile method, with sprints of weeks and daily stand-ups. On the other side, you have those engineers thinking in terms of a 10-, 15-, 20-year life cycle of products. And if you look into today's digitalization projects, those two have to work together.

And in addition, the security people are coming in and talking to them and telling them, well, we have to address security as well. And basically, in most of the projects, my job is to help these three groups of people to understand each other and to make a project successful. Okay. Today I want to talk to you about cybersecurity, but not cybersecurity as such. A lot of times we see the missing link to the business objectives of the companies. What is really relevant for the company? What are they trying to achieve? What are their use cases, and how does security fit into exactly those use cases? And from our point of view, cybersecurity should be, or must be, an integral part of the focus here on Industry 4.0. I think we all have seen examples in the press of incidents happening to energy companies, to industrial manufacturers, to a lot of companies where basically a plant has been hacked, a water treatment plant, for example, or another plant. We see it more and more coming up in the press. But what we don't see a lot of times is what's happening below the surface.
Just to give you one example: we are currently helping a client who is a supplier in the automotive industry, a global supplier. Their plants in Mexico and the US have been hacked. At least that's what they know. They have more than a hundred plants across the globe. And because of the shutdown of these plants, the production of one of the global OEMs has been impacted. So as you can imagine, and nothing of this was in the press, by the way, and it will never be in the press, the discussion that's currently going on is that the OEM is talking to our client, the supplier, and telling them, well, that's not our understanding of business continuity. That's not our understanding of a trustful relationship between our two companies. And if you don't fix this, we will look for another supplier. I think there are a lot of discussions like this going on that are not in the press and that a lot of people are not aware of, but that's most times the reality for people who have an industrial control system incident. Typically it's shutting down their business for a while. The good side, from our point of view, is that it's way easier to calculate what it means if you shut down a plant for a week.

You can typically calculate it in money very easily. It's way easier compared to a lot of security incidents that we see. You know, you are losing the data of 500,000 customers. What does it mean in money? It's hard to calculate. A shutdown of your site for a week is way easier to calculate, and it's easier to have the discussion with the business as well. Just taking this from the Federal Office for Information Security here in Germany: what are the typical top 10 threats in the ICS environment? I think what is most important: it's not only technology. Yes, part of the threats are related to technology, but if you look into the first one, social engineering and phishing, it's still a major issue also for these kinds of incidents. So do not only concentrate on the technology side. A lot of times in the first discussion that we have with management it's also, well, it's not about buying a box or a firewall from one of the vendors, plugging it in, and then you are secure. It's maybe one part of the story, but there are many, many other parts that need to be addressed. And I think from our point of view, the most challenging part is:
What do I focus on? What do I have to concentrate on? Where do I get the most bang for the buck? I cannot secure everything, but what is most critical for my organization from a business point of view? Again, and now back to what I mentioned before, this discussion about what is relevant for my business should be the starting point of a cybersecurity story. And a lot of times it's not the starting point. And as you can see, a lot of times we see a lot of presentations on advanced persistent threats. The reality that we see is that for most attacks there is no need to be advanced; they are very simple.

I had a client who asked us to do an assessment across their European entities. So we have been in 12 countries to assess the cybersecurity state of their operational entities in those countries. And I asked one of my team members, give me an overview of their external-facing websites, portals, whatever you can find externally, so I better understand what they're doing. He came back 30 minutes later and told me, well, I found an SAP server in Norway, patched last time eight years ago. I've just put in, you know, this tiny little statement that you know as a penetration tester, and I've seen that it's a Windows system. I had the Windows admin account, and it looks like it's still the default password.

I said, okay, stop doing anything, because we are not engaged for that one, but it's good information for me. So it took him half an hour to basically be in the core of their internal systems, because what they found out later on: no network segregation at all in that environment. So basically it took us half an hour, and we would have been 50, 60% done on the way into that business, into that environment. So on the first day we had the first call with the CSO, telling him, well, we found serious weaknesses within your environment. That's a lot of times the reality that we see in a lot of organizations: there is no need to be advanced on the attack side. But as you can see, there are still lots of topics that need to be addressed, because sometimes it's just one small spot that the attacker needs to get into that environment. Just forgetting this one tiny little entrance, and he might be in, and they are very, very good at finding those ones. A couple of my team members have been at Black Hat in Las Vegas this year, and someone presented a very interesting attack vector via faxes. So people are still using this old stuff. And if you send a big picture, you can basically hack the fax machine and get into that environment if it's connected. Well, nowadays they typically are, you know, the printer, scanner, fax combination. So you can even use sometimes these ways to get into an environment.
What you have to have in mind when we are talking about industrial control system security is that there are some significant differences compared to classic IT. I don't want to go through all of them, I just want to highlight a few. Typically you see a different set of life cycles: for classic IT, three to five years; for industrial control systems, 10 to 20 years or even longer. Typically you see issues in terms of patch management. I mean, if you look into your Windows environment from an end-user point of view, you basically don't see it anymore, it's just happening. But if you look into control systems, it might be a very complex, very complicated case, and typically you also need a manufacturer approval before you can do any updates and patches. What's typically completely different, for example, is also the criticality, for example real-time processing. Typically delays are tolerable in your IT environment, but a lot of times not in your industrial control system environment; even milliseconds can be important here. And in general, you have to understand that if you talk about an industrial plant, it's mainly about the functionality of that plant and the production side. Basically, if we talk about CIA, it's about availability, of the data and of the service of the production.

And I want to highlight this one. If you look into security testing in IT today, it's widely spread, whether it is penetration testing or other forms of security testing. I don't want to say it's a commodity, there are still a lot of companies not doing it regularly, but a lot of organizations are already doing it on a regular basis. That's good. But if you look into the industrial control system side, it's highly critical on the one side, and you really need excellent ICS skills. I'm always telling my clients: a good IT penetration tester is likely not a good ICS penetration tester, and a good ICS person is not per se a good ICS security person. And we all have that issue of a lack of good people knowing security and knowing ICS. So again, a good reason: even if you get the money from your board, you still have the issue of finding the people with the right knowledge and capabilities to help you run your project and program. Okay. Now back. If you look into the future coming from today: today we already have certain connections into the IT side, certain parties having access to your production IT, whether it is directly by USB stick when they're on site or whether it is remote access. If we look into tomorrow, we are looking into a fully interconnected system.
The client is configuring the product, which is immediately produced on the production side, which is impacting the supply chain. So everything is connected with each other. And we have to keep that in mind when we think about how we can address industrial control system security; we are far away from being mature or at the end of the journey. And what I said before: the starting point from our point of view must be to understand the full chain, but also the different use cases that are relevant for you. This is just an overview, I would not say that it's complete, but we see different use cases. So what we typically see: certain data analytics capabilities that you need, whether it is connecting IoT or smart devices, doing certain data analytics, trying to serve your customer better, putting that into a cloud environment; but also the use case of predictive maintenance that we see at a lot of organizations, or intelligent maintenance supported by predictive algorithms, or even remote maintenance systems, autonomous maintenance, self-driving vehicles, connected products, usage of robotics, additive production, 3D printing, for example, just to mention some of them. We see a lot of organizations working on some, likely not all, but some of those use cases, and even some additional ones. And what's important to understand, when you look into it from a cybersecurity point of view, is what your use cases are, because it has an impact on your security strategy and on your security roadmap and on what is relevant. And if you have not talked to your business people to understand their Industry 4.0 journey, you can't set up the right security strategy.

Unfortunately, a lot of times we see clients even spending millions on security, and if we ask them the question, what are the business issues you're addressing, there is no answer or only a very high-level answer. And you have to understand those specifics. You need to talk to your business people, and you have to look into it end to end, from a customer point of view through your manufacturing, and also likely into your supply chain. I mentioned that example with the OEM before.
Okay. So I talked a lot about the problems. Now let's have a look at our experience and the projects that we have seen, and what has worked and what has not worked. I'll give you some highlights on this one. I think it's a no-brainer: we talk about the protection of information or services within an organization. That's what we have been doing for 20 years or even longer. Was it good? Was it perfect? Likely not. Was it enough? Likely not. So we are doing more. I think you see a lot of basic stuff that you should have addressed: governance, the risk piece to understand what your risks are, so what do you have to address, what controls and countermeasures do you need to have a sound security program in place. As I've mentioned before, it's not only about technology. User awareness is an important piece of that one. Think about the top risk that I've shown you at the beginning, phishing: it's hard to address just by technology. Still, all the users are clicking on all the emails that they're getting. Identity and access management, data security, technical protection. So still the old stuff that we all know for 20 years. It doesn't mean get rid of it because we need new security; it's still the basics that we need to have in place. And in a lot of organizations, the basics are still not in place.

Knowing all devices, just that simple question: do you know your environment? In a lot of organizations, even this simple question can't be answered completely. And I'm not talking about securing this environment, just knowing your environment and what it's for. A couple of weeks ago we had a client where we got into their environment via a web server they had in Singapore. When we showed them, we had complete domain access in the whole environment, including the production. When we came back to them to present our report, the CIO and the CTO asked, okay, what is this server for? We said, well, we don't know. We've just found it and used it as a way to get into your environment. And basically he talked to his people. And even after that meeting, a week later, when we talked to him about what needs to be done, he basically told us, well, we still haven't figured out what this web server is for. We've just shut it down. We don't know why it's still there. And in global organizations, it could also be that you find hundreds or thousands of servers, IoT components, industrial control system components, where they don't know what they are for, or even don't know that they exist. But we also see, and I've changed it a little bit here with A and B, new aspects that need to be addressed, and that typically comes on top of your internal stuff that you have to do. So I've just highlighted two of them. I think it fits well into the presentation: security by design. So how do you ensure that the right security mechanisms are in your products or IoT devices that you are producing? And also, if you look into the extended ecosystem, how do you address security within your ecosystem, whether it's your suppliers or your partners? How do you ensure that not only your environment is secure, but also the environment of the people you are working with, that you are providing data to, that are part of your supply chain, that are maintaining your environment? How do you ensure that they also have the right level of security? But I think what we've learned is that it's not only about protecting. Even if you spend a lot of money on that one and do a good job on that one, there's still the risk that something is happening. You still have to address the sides that we have basically forgotten for a long time:
to detect, to respond, to recover from an incident or an attack, whether it's intentional or unintentional, to have a resilient organization that is able to fix it. And as we've heard this morning, again, it's not only about technology. It's also about how you communicate to your customers, whether it's done by the press or other ways. How do you inform certain customers if needed? If you're producing a medical device and there's a severe vulnerability in it, and you have the need to inform your customers, how do you do that in the right way? If you're in a regulated industry, you are not only looking into the outside view of the consumer; it's a hard call when you're getting the call from the regulator: we see that there is an impact on the critical infrastructure, we get calls from customers, please explain to us what's going on in your organization. And it's another form of being prepared to have that call, whether it's the financial industry, the electrical industry, or whatever it is, a power plant shut down; you should be prepared for that discussion as well. But you should also be prepared for this discussion with your internal people.

When we do these kinds of exercises with our clients, a lot of times what we see is that the internal communication is also not well prepared. What you always have to have in mind is that it's not like a bank robbery, where someone is coming in with a pistol or a machine gun or whatever, and everyone in the room knows, okay, something really serious is going on. It's typically starting with, well, I don't have access to this file anymore. You know, dumb user, server problem, whatever. And to understand at a certain point in time, and to have the right processes in place so that someone knows, I have to make the decision to shut down our complete plant now, knowing that it will take two days to go back to normal business: who is doing this on a Friday evening? It will not be the guy sitting at the computer in the help desk who's getting this first call. So you need these internal communication lines and response capabilities, but you also need the external communication. You need the right people from a technology point of view involved, and you may need the business people involved to understand the impact that it has. And you have to train these kinds of activities, because one thing that you typically don't have in such a case is time.

You don't have it. You're getting more information than you want, and you have to make tough decisions immediately. And it's better to be prepared for that one. But as I've mentioned before, before we set up all this, and I think we all know we've spent a lot of money on the protection side, and now we should even spend more to detect, respond and recover from an incident and to manage all this, you have to understand what is critical. How can you focus? What are your crown jewels, gold nuggets, however you want to call it? What is your unique selling point from a business point of view? What makes you different from your competitors? What is critical for your organization? What are the risks that are really threatening the existence of your organization? Concentrate on those ones first, and really ensure that you have the capabilities on all sides to cover those risks. And unfortunately, a lot of organizations haven't had this discussion in a sound way, to really understand: what are my crown jewels, where are my crown jewels, which system components, which third parties have access to them or are we providing those crown jewels to, and what are the risks associated with those crown jewels? Just to mention the three or four most critical questions from our point of view.
And if we've done all this, it's still not a project; in the end, it's a process. So we still have to continuously improve our security. The threat situation is changing, we see new vulnerabilities, we have lots of changes in our organization affecting cyber risk, whether it's on the business side or the IT side, we see new technologies, and we have to constantly understand the big picture to improve our security measures. Still, a lot of times when we talk to C-level people about what their status is, they're telling us, well, we have a good understanding of our security status. And when we ask, okay, what is it based on, a lot of times it still is, well, our internal audit has done an audit nine months ago on that topic. I think that's not the maturity that we need today.
To give you one example of the change that we need. That's what we typically see in an IT and production setup: on the network level, we see the office network connected to the production network with nothing in between, and we see remote maintenance directly connected to your plant. That's typically the starting point that we see in a lot of organizations. And it's not that we are alone; there are standards that can help us. What can we do on that control? How can we change that one? Just one simple example: there are models and standards that can help us create the right zone model from a network point of view. And as I've mentioned before, I'm just talking about one of all those controls that we need. But we believe that network segmentation is an important and critical point to control the impact of an attacker. Whether it's a multi-level, dual-vendor firewall is up to you to decide, whether you need it or not. But at least you should have a certain segmentation between office IT and production IT, but also between your different production networks.

And by the way, if you just take the standard IEC 62443, it's helping you to define the model to make that happen. It's not that you have to start from scratch. The devil, like always, lies in the details: you know, there are a lot of constraints from a technology point of view, from a business point of view, from an operational point of view that you have to address. So, as we all know, taking a standard or taking a theory and implementing it in a new environment, that's typically the challenge.
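The segmentation picture just described (office network wired straight into production, remote maintenance straight into the plant, versus a zone model in the spirit of IEC 62443 zones and conduits), as an added example that is not from the talk or from KPMG: a small Python check that maps observed traffic to zones and flags every cross-zone flow that has no defined conduit. The zone names, the address ranges, the production DMZ/jump-host zone, the allowed ports and the observed flows are all constructed assumptions.

```python
"""Zone/conduit check for a plant network (added example, not from the talk).

Models the talk's starting point, an office network connected straight to the
production network and a remote-maintenance link straight into the plant, and
checks observed traffic against a target zone model with explicit conduits.
All zones, addresses, ports and flows below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Zones: name -> CIDR ranges (constructed sample addressing).
ZONES: Dict[str, List[str]] = {
    "office_it": ["10.1.0.0/16"],
    "remote_maintenance": ["203.0.113.0/24"],   # external vendor range (TEST-NET-3)
    "production_dmz": ["10.2.0.0/24"],          # assumed jump-host zone between IT and OT
    "production_cell_a": ["10.10.1.0/24"],
    "production_cell_b": ["10.10.2.0/24"],
}

# Conduits: (from_zone, to_zone) -> destination ports allowed across the boundary.
# A cross-zone flow not listed here has no conduit, i.e. a segmentation gap.
CONDUITS: Dict[Tuple[str, str], Set[int]] = {
    ("office_it", "production_dmz"): {443},                 # office reaches OT data via DMZ only
    ("remote_maintenance", "production_dmz"): {443},        # vendor lands on a jump host first
    ("production_dmz", "production_cell_a"): {502, 3389},   # Modbus/TCP and RDP from jump host
    ("production_dmz", "production_cell_b"): {502, 3389},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; 'unknown' means an asset nobody has inventoried."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in ip_network(n) for n in nets):
            return zone
    return "unknown"


def check_flow(flow: Flow, conduits: Dict[Tuple[str, str], Set[int]] = CONDUITS) -> str:
    """Classify one flow as 'intra-zone', 'conduit', 'unmapped' or 'violation'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "unmapped"          # the "do you know your environment?" case
    if src_zone == dst_zone:
        return "intra-zone"        # segmentation does not apply inside a zone
    if flow.dport in conduits.get((src_zone, dst_zone), set()):
        return "conduit"           # crosses a boundary through a defined conduit
    return "violation"             # crosses a boundary with nothing in between


def segmentation_gaps(flows: List[Flow],
                      conduits: Dict[Tuple[str, str], Set[int]] = CONDUITS
                      ) -> List[Tuple[Flow, str, str]]:
    """Return every flow that crosses a zone boundary without a conduit."""
    return [(f, zone_of(f.src), zone_of(f.dst))
            for f in flows if check_flow(f, conduits) == "violation"]


# Constructed observations mirroring the talk's flat starting point.
OBSERVED: List[Flow] = [
    Flow("10.1.5.23", "10.10.1.10", 502),       # office workstation straight to a PLC
    Flow("203.0.113.7", "10.10.2.10", 3389),    # vendor RDP straight into production cell B
    Flow("10.10.1.10", "10.10.2.10", 502),      # cell A talking to cell B with no boundary
    Flow("10.1.5.23", "10.2.0.5", 443),         # office to DMZ: the allowed conduit
    Flow("10.2.0.5", "10.10.1.10", 502),        # DMZ jump host to PLC: the allowed conduit
    Flow("192.168.77.1", "10.10.1.10", 502),    # asset that is in no zone inventory at all
]

if __name__ == "__main__":
    for flow, s, d in segmentation_gaps(OBSERVED):
        print(f"no conduit {s} -> {d}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Feeding it real flow records (firewall or NetFlow exports) would turn the same check into a recurring measure of how far the target zone model has actually been implemented.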
But if we look into the future, what we can also see, what we need is a discussion on how we can leverage synergies, for example between IT and OT. What we've seen in the past, for example, in a lot of organizations is setting up certain cybersecurity shared services within an organization, whether it is a SIEM solution, whether it's patch management, whether it is multi-factor authentication for third parties, for example. It's not a new topic; it's the same topic for IT as well. And it's worth having that joint discussion with the OT people: how can we leverage the services in the right way to also create synergies within our environment? This is just one example where you can extend your model from the enterprise level and the production side to certain cybersecurity support levels. If you already have that maturity within your IT, talk to those people, talk about your specific requirements and whether they can add the tools to their service, and try to use it jointly. Again, I think we are all lacking resources to set up two different security organizations. That's a tough challenge. Even if you get the budget, it's hard to get the people.

Try to use as many synergies as you can. But as I've mentioned at the beginning, there are differences, and you must be aware of those ones, and you must integrate those into those central services as well. So to summarize my presentation: attacks on industrial plants are a real threat. The question for everyone is: is it existence-threatening for your organization? And when this is the case, you should think about what the risks are, what the scenarios are that are relevant for you. The increasing connectivity across company boundaries and the individual Industry 4.0 scenarios require a company-specific security strategy. One size fits all, that's not working here, or you are spending way too much money. That's typically one of those things that you have to keep in mind. So focus your protection, but not only on the protection side against attacks; you should also keep in mind that you have to detect, respond and recover your systems from those attacks, to have a holistic view and to be a resilient organization, and to be able to talk to your customers and to your partners in a professional way once it's happening. What we see a lot of times is that the major issue is not that you have a security incident; the major issue is if you have to communicate to your key customers, for example, or to your suppliers, and it's really not done in a professional way. That's typically what makes it even worse. And as I've mentioned at the beginning: ICS security is not plug and play.

I wish it would be. I think everyone would wish that we could just buy the box, security in, plug it in, and then we are done. But unfortunately, I think all of us, and maybe that's the good side, will have a lot of work in the next 10 years, 20 years. I don't see when we won't need security anymore. So lots of work to do still for every one of us, on the operator side, on the producer side, on the integrator side, on the consulting side, on the vendor side. We are still in the middle of the road, but it's not that we have to start at the beginning. There are lots of existing standards, help and guidance that can help us to address that topic. We don't have to start with a blank piece of paper. That's typically what you have to keep in mind. Thank you very much.