IT Security – a new priority: From consulting to operation
Information security services from Bosch
Today’s companies and their buildings need to be protected, and not only from age-old hazards such as fire and intrusion, but also from cybercriminals. As the digitalization of business activities progresses, the need for information security continues to grow with it. In order to operate and produce more efficiently and flexibly, companies are increasingly networking their machines and processes ― the keyword here is “Industry 4.0”.
Their buildings are also getting smarter: components like heating, ventilation, lighting, doors and gates, windows and elevators are now often integrated in a networked overall system to allow central monitoring and management of energy consumption and security. The number of Internet-capable devices is growing exponentially as a result. What’s more, installed sensors and building systems are generating massive volumes of data that need to be protected ― especially from hackers.
Security also for small and medium-sized enterprises
“Although enterprises with critical infrastructure have to pay particularly great attention to information security, this matters for all companies, including small and medium-sized ones,” stresses André Heuer, responsible for information security at Bosch Energy and Building Solutions.
VdS, Europe’s largest damage prevention and certification institute, has developed the “VdS-certified cybersecurity” guideline (VdS 3473) specifically for the latter. Certified cybersecurity instills trust in customers and suppliers and grants a competitive edge to companies that have it. However, Bosch is convinced that smaller companies also require tailored advice and services.
Cyberattacks on the rise
A study by Bitkom, Germany’s national association for the information economy, telecommunications and new media, found that a whopping 84% of manufacturing companies have experienced more frequent cyberattacks in the last two years, with 37% of them reporting a major increase. The attacks are mostly perpetrated by small-scale cybercriminals, but organized crime and even hackers hired by governments play a role.
According to the German Federal Office for Information Security (BSI), one vulnerability is naive employees who are fooled into revealing confidential information, disarming security mechanisms, or installing malware. Today’s IT security must also appropriately respond to this phenomenon, which experts have dubbed “social engineering”, in addition to fixing weaknesses in computer systems and networks.
Security is a prerequisite for innovation
André Heuer, who is responsible for information security at Bosch Energy and Building Solutions, says, “For many companies, IT security is a key determinant of how far they can advance into the digital future.” This statement has been confirmed by a study that Ernst & Young commissioned Bitkom Research to carry out in 2018. Over 600 manufacturing companies in Germany and Switzerland were questioned about the use, potential and limiting factors of Industry 4.0 solutions. 98% of them stated that IT security is very important for their business models, even more so than digital trends like machine-to-machine communication and cloud computing.
Another study released by TCS and Bitkom Research in the same year, titled “Traveling to Digital Worlds – Germany Blasts Off Toward the Technological Future”, concluded that most enterprises attach greater priority to security than to innovation: 62% of the surveyed companies are investing in IT security solutions, 10% more than in data analysis tools.
New legal requirements
Legislators are also doing their part to make sure that companies pay attention to IT security. The new German Act to Strengthen the Security of Federal Information Technology (IT Security Act), which has been in force since 2015, addresses an area that no modern society can afford to neglect: so-called critical infrastructure. Enterprises in fields like energy, IT and telecommunications, transportation, healthcare, water, food, insurance, and financial services are obliged to appropriately secure their IT systems and have the implemented safeguards checked every two years.
This year a new, even stricter version of the IT Security Act will strengthen the role of the BSI as the chief watchdog, expand the list of critical infrastructure while defining “core components”, and drastically increase the penalties for violations. Also new is a holistic approach that will extend the security requirements to include companies’ IoT systems and equipment.
The goals: confidentiality, availability and integrity
Heuer is in charge of all information security activities in his division, which specializes in building security. Bosch offers companies detection and alarm systems for fires, holdups, burglaries and intrusion, including electroacoustic and video surveillance systems, and systems for time management and access control.
The Information Security Team (InfoSec) is responsible for another important aspect, as is apparent from its name. It works to make sure that data and IT systems remain confidential, available and intact, and helps customers comply with the corresponding standards and laws.
This extends to the entire range of security infrastructure: in today’s state-of-the-art buildings, all security solutions are networked with one another instead of being separate as in the past. This overall system, as well as the individual solutions it comprises, also has to be protected.
Building security and information security: hand in hand
A recent case illustrates what a typical InfoSec project involves: a critical infrastructure company that operates one of Germany’s largest long distance gas networks migrated its entire Building Integration System (BIS) to a new IT landscape. It was essential for the new system to meet all of the requirements listed in the IT security catalog of the German Federal Network Agency.
“This example shows that both competencies―for ensuring building security and information security―have to go hand in hand in this day and age,” says Heuer. “Bosch was hired for this job because we bring together both capabilities under one roof.”
“As an experienced system integrator, we’re able to protect buildings not only from physical threats such as fire and burglars, but also from modern-day intruders who take aim at IT systems and networks and aren’t stopped by locked doors.”
André Heuer, responsible for information security at Bosch Energy and Building Solutions
From consulting to go-live
In projects of this kind, the InfoSec team takes a three-step approach. The consulting phase lays the groundwork for the rest. In it, Bosch ascertains the customer’s requirements, assesses the risks, and draws up an information security concept. In the second phase, the solution is implemented on-site and monitored. At previously defined intervals, Bosch’s experts check whether any new weaknesses have emerged (vulnerability management) and inform the customer about any IT-relevant events such as hacker attacks or computer failures (incident management).
In both cases, Bosch evaluates the risks and proposes countermeasures to get them under control. These can range from installing a firewall, through optimizing virus defenses, to “system hardening”, which involves disabling all nonessential system services and limiting access authorizations that are not relevant to operation.