Interview 25 September 2020
Cybersecurity: “Hackers Constantly Challenge Us”

Bernd and Marcel Steinkühler from Correct Power Institute, an IT specialist, discuss attacks from the Internet and potential defenses

Should a company simply expect that cyber criminals will attack it?

Bernd Steinkühler: When a location like a computing center goes online, then hackers attack, statistically speaking, after two minutes at the latest. If the criminals succeed in interrupting the power supply, they can incapacitate the company. However, it often happens that the hackers call using a disposable cell phone and say “You will pay X amount or you will be finished in five minutes.” As a rule, companies generally pay.

What drives hackers? Does Bank A hire them and pay them to attack Bank B?

Bernd Steinkühler: Most often, Chinese or Russian corporations hire hackers to damage their competitors. This is quite professionally organized, which is why the extorted companies generally pay without thinking too long or too hard. They know that their electricity can actually be cut off after ten minutes.

It is really that simple?

Marcel Steinkühler: It’s even easier: A head manager leaves his mobile phone in a taxi; the driver finds it and sells it to a criminal, who uses it as a gateway past the corporate firewall. This happens faster than you think: The entire company network can be crashed within a few minutes. Mobile phones are currently the main access point. This scam is currently affecting London’s banking sector.

Do companies handle their data carelessly?

Bernd Steinkühler: They don’t always know what can happen. The greatest threat is casually connecting devices to the Internet. If there is sensitive architecture behind that device, like, for example, a water treatment plant, then this carelessness can have severe consequences. If hackers shut off the pumps, then several thousand people suddenly have no water. This is why penetration tests are important in order to find the gaps in the architecture. Yet until recently, these tests have not always been consistently carried out. Reconsideration of this casual practice is gradually being established at more companies, and IT security is gaining importance. For banks, it has become the most important topic. The entire architecture being developed there is IT-secure. As service providers, we secure the transport paths for the data by rigorously applying encryption. This means there are no attack vectors in the open Internet.

If someone wanted to, could they protect themselves 100% from cyber attacks?

Bernd Steinkühler: We have to be honest here: Hackers challenge us every day, and there is no 100% level of security. Every system has a weakness, regardless of how well it is constructed. However, if a company emphasizes cybersecurity and employs one hundred people to ensure it, then hackers will only succeed with a great deal of effort. One person, on the other hand, has no chance against them at all. We have incorporated numerous obstacles into our system for monitoring server farms: We rely on encryption and intrusion detection, which means that we also watch the traffic in our protected network. If we detect suspicious patterns, then the data packets are rejected and not transported any farther. This also helps us learn whether there are security gaps and where they are. In addition, our architecture is designed so that only certain servers, not all of them, can access the infrastructure to be monitored. Employees have to log in using two-factor identification, and they only see things virtually. They are never physically in the same room as the computers. This is essential: Everything must be concealed so that it cannot be attacked.

How long does it take to establish a security concept?

Bernd Steinkühler: It took two years for Ernst & Young to certify our architecture, and the optimization process is ongoing. We had 51 findings in the first attack during an Ernst & Young penetration test. Of course, we then attempted to remedy them, but after the 13th finding, there was no solution possible, because there were simply too many gaps and they could not be closed. We had to accept that there were too many systems in use that were not secured against penetration. Therefore, we completely overhauled the architecture; the simple explanation is that we built a high wall around it with encryption and a netscaler that also functions as a firewall and checkpoint: All websites that can link outward are screened again and protected. Our security architecture resembles a fort: Only a few gates lead outward – and those are monitored very carefully.

You have companies from different sectors as customers. Is there one security solution that can be used as a blueprint for everything?

Bernd Steinkühler: It always has to be individually checked. The correct concept is ultimately based on how the data is supposed to emerge from the computing center. The various possibilities must be incorporated together with the customer’s security department. In addition, several standards and norms apply. BSI baseline protection is considered the bible of cybersecurity. When it is taken into consideration, then at least a basic protection level has been achieved. The rest has to be adapted to the individual requirements.

What roles do WAGO controllers play in your security concept?

Bernd Steinkühler: A quite decisive one. PC-based operating systems have to undergo weekly security updates, otherwise they do not offer sufficient cybersecurity. Patches aren’t required for WAGO controllers because they are based on a hardened Linux® operating system – the security is thus virtually built in. In addition, WAGO's controllers have two interfaces, so the application level and the management level can be separated from one another – which is also an important security feature.

Marcel Steinkühler: And you cannot forget that PC-based systems have USB interfaces. These are the worst, from a security point of view. If you insert one infected flash drive, then the virus will immediately propagate on your system. It is hard to believe, but this happens all the time during tours of computing centers: Someone gains access to the servers, the server rack is opened, and it’s all over. The Stuxnet computer worm got into the network via a USB flash drive and manipulated control computers at industrial facilities worldwide. These types of problems can be prevented with the right security features.

And now Industry 4.0 is knocking at the door.

Marcel Steinkühler: The dangers posed by hackers could be immense. If we combine the raw material supply, the factories and the entire manufacturing process (which, of course, is the goal) and do not simultaneously expand cybersecurity, then entire corporations could be brought down. This is the reason why our monitoring applications run in the German cloud. Security is virtually built in by the architecture.
