As online security concerns behavior rather than technology, 25 engineers learned how to prevent hacking of factory systems during an ICD-organized Cyber Security Workshop. The workshop was also open to employees from companies and organizations outside ICD. After all, in a cyber emergency, it is far better to warn and help each other than to compete with each other.
The participants in the workshop had hardly managed to set up their laptops when a few Raspberry Pi mini computers started to vibrate and chirp. These mini computers were on the tables and were connected to the laptops participants had brought to the workshop to simulate real-life situations. Some participants complained that they could not connect to the local Wi-Fi network, whereas others ignored the message asking them to create a new password. “I am giving the participants a hard time today,” said Vincent Denneman, a student in ICT Technology and Cyber Security at Fontys University of Applied Sciences in Eindhoven. During this workshop, Vincent earned some extra cash as a ‘hacker’. “I just sent them a message to change their password. People who think they are changing their password are actually giving me permission to take over their systems. All the time they keep thinking that their password is safe.”
This was a great opening for a workshop aimed at making people aware of the urgency to ensure good cyber security for their systems. Vincent’s role as a hacker was to break into systems and start unintended activities. This is how he and workshop leader Egbert-Jan Sol, CTO of TNO and Director of the Smart Industry program, tried to make people aware of the risks to companies that depend on digital systems. “This is necessary because security is too often regarded as a cost item,” Sol told the all-male audience. “When you share data, you run a much bigger risk than many companies are aware of. Today you will experience what it feels like to be hacked. This will make you aware of the risks to which you are exposed. Be prepared. You will learn more in this one day than in six months at school!”
Although it may sound contradictory in the light of all the cyber risks, Sol recommends the use of open source. “I would not have said this five years ago, but nowadays open source is reliable, not only the software but also the hardware. The costs are much lower than years ago. Just look at the Pi.” Sol pointed out the trend but stated that people who had been working in IT for many years, relying on systems made by major brands, were likely to refuse to use open source. “People don’t trust its reliability, especially not in a production environment, but things are changing.” Besides the attractive cost price, Sol also pointed to the efforts made by many parties to realize solutions that further improve open source. “This ensures that open source is just as good at withstanding hacks as systems made by well-known brands and it is also much more flexible.”
“This is interesting,” said Christian van der Kooi, business analyst at CSK Food Enrichment and working on factory optimization. “I came here to find out more about data security. I am not a programmer, so practical exercises with the Pi would not work for me. What I do find interesting is learning what other people are doing to protect company systems and data. Perhaps there are openings for an interesting partnership with one of these companies. It is better to warn each other and help each other than keep smart solutions to yourself.”
Even if you have arranged proper security, it will be difficult to withstand cyber attacks and hacks if the rest of the supply chain has not done the same. After all, a chain is as strong as its weakest link. Sol: “PLCs become IoT computers and you see computers of this kind being built into finished products to collect all kinds of data on end use. The ambition of smart industry is to achieve zero-fault production. To this end, you collect data. This data is very valuable and worth protecting. The same applies to data of the total lifetime of the product. Which data is necessary to understand what a customer is doing? Which data is important for customers to function better? You obtain this data from the product, from all samples, from all users, at all times. Customers buy a service and no longer a product. This means that we are going to collect huge amounts of data. We want to protect this data against unwanted use.”
Then it was time for the assignment. This assignment concerned a large warehouse filled with pears. This warehouse has a regulated, energy-efficient climate with a constant temperature and air humidity level. Doors with a special airlock give access to the warehouse. The assignment was to find a way to use the doors in the airlock as optimally as possible, while keeping the climate inside constant and losing as little energy as possible. According to Pieter Haantjes, service engineer at YP Your Partner, this was an example from everyday practice. “This could have been my job! We manage, monitor and protect installations from Hamburg to Amsterdam. Our software is for instance used to monitor the water quality in the elephant house in Artis.” Haantjes also monitors the working of security systems. “This makes it interesting to take part in this workshop. I learn from people who look at things from different angles and I can use this in my work.”
This is the purpose of the workshop, alongside developing a sense of urgency and awareness of the increasing risks of cyber attacks in a production environment. More and more production equipment is connected to the factory network and the internet. Large amounts of data and data analysis are used to manage processes. The connection of the production environment to the office network and the internet leads to cyber risks. A hack can cause major damage. It is therefore important to understand the cyber risks so that companies can act appropriately. This was exactly the reason why information adviser Sjaak Stuiver of the municipality of Weststellingwerf took part. “I mainly listen,” said Stuiver. He explained that he was a civil servant, not an engineer, and he could not program either. “I am the odd man out, but I am aware of the urgency of the problem. As a municipal organization, we are currently facing problems due to failing Citrix security. This forced us to shut down part of our systems.” Stuiver said he had come to gain more insight into cyber risks. He found it funny and enlightening to see how easy it was to hack the laptops of IT professionals. “I did not know that it was this easy to gain access to systems and collect data. Now that I know this, I can explain more easily to colleagues and entrepreneurs in our municipality what risks they are exposed to. This is what brings a civil servant to this workshop!”