Why TÜV SÜD Says It Is an Industrial Cybersecurity Leader
MUNICH—Some 67 percent of all companies are affected by security incidents each year, said Andy Schweiger, the managing director of cybersecurity services at TÜV SÜD, the international testing, certification and training organization. And the “era of script kiddies is gone,” Schweiger said, referring to the aspiring hackers who rely on online resources to launch cyberattacks. “[The script kiddies who] were making headlines 10 to 15 years ago are now grown up,” he added. As a result, current cyberattacks tend to be more damaging. State actors have assumed a greater role in launching attacks and developing malware, which occasionally leaks, as in the case of the EternalBlue exploit, giving underworld hackers the ability to launch exceptionally damaging attacks. And some attackers are leveraging machine learning for subterfuge and for identifying vulnerable targets.
To deal with the challenge, TÜV SÜD, like UL in the United States, is increasingly positioning itself as an authority in industrial cybersecurity. There are five reasons TÜV SÜD is up for that task, said Schweiger in a presentation as part of a Siemens cybersecurity press junket here. First, it is knowledgeable about the evolving regulatory requirements, such as GDPR, that relate to cyber. (On a related point, manufacturers mass-producing IoT-connected gadgets find themselves potentially liable for the damages caused by wide-scale cyber-exploits of their products.) Second, the organization keeps a close eye on the current threat landscape. Third, it has built up a solid team of cyber experts. Fourth, it is neutral and objective. And finally, it claims to be a proverbial “one-stop shop” for cybersecurity.
The organization’s English tagline is: “Add value. Inspire trust.”
TÜV SÜD has worked to quickly build up a team of some 30-plus cyber experts in a six-month time frame. If there is a central goal to its cyber approach, it is to enshrine cyber strategy over tactics. “There are thousands of brands,” said Schweiger, speaking of the cyber vendor landscape. “The promise is: You buy the next appliance, and you will be more secure,” he said. “But that is not necessarily true.”
In fact, an organization that buys dozens of security appliances and has a cybersecurity team of roughly a dozen could find itself less secure. Instead of having a comprehensive cybersecurity strategy, it would likely have a patchwork defense that leaves it vulnerable.
Schweiger said that TÜV SÜD’s status as a provider of cybersecurity services rather than products makes it more nimble than product providers. If a new vulnerability emerges, the company can swiftly adapt to develop strategies to address it.
Its core cybersecurity services fall under four domains: data protection (such as data protection consulting and data destruction), commercial transaction security, industrial cybersecurity (such as AI-based security testing and network anomaly detection) and expert services (such as attack service detection, risk exposure assessment and penetration testing).
In the industrial realm, the company works to help organizations’ OT and IT departments converge rather than flatly declare that each is simply different from the other. “If you attach an OT to IT system, all of the challenges of the IT system come over to the OT system,” Schweiger said. The organization also says it helps to optimize OT and IT efficiency and reuse customer internal processes with shared best practices.
Risk is an equation composed of an asset, a vulnerability and a threat, said Stefan Laudat, information security manager at TÜV SÜD Sec-IT GmbH. But unlike traditional IT security, industrial cybersecurity puts more than data, productivity and system availability at risk: it can potentially threaten human lives or cause injuries. An industrial environment that includes potentially vulnerable critical infrastructure can impact surrounding communities. And prominent aerospace companies, for instance, are testing exoskeletons to allow their workers to lift heavy objects. If one of these devices were breached or maliciously configured, it could pose a grave threat to its wearer.
The current cyberthreat level in the industrial space is moderate to high, Laudat said. While current actors are more or less dormant, they are investing substantial money in researching industrial-focused attacks while the cost of launching such exploits is steadily falling. Sites like Shodan make it simple for attackers to do reconnaissance on potential industrial targets.
The scope of vulnerabilities in industrial environments can also be considerable, given typically weak access control systems, the preponderance of proprietary protocols, a limited regulatory framework, complex supplier networks and generally low IT security awareness. In addition, the widely used IoT protocol MQTT is lightweight, resilient and insecure, Laudat said. And the long lifespan of many connected industrial devices can expose them to substantial vulnerabilities over time.
In some cases, the organization advises its industrial clients to avoid digitization and stick with analog technologies when the potential cyber threat is unacceptable.
TÜV SÜD’s cyber approach does not rely on conventional audits, where one or two experts will travel to a company and perform interviews. “The answers come out of the interviews. In the best case, they are biased. In the worst case, they just tell you what they want,” Schweiger said. Instead, the organization’s cyber approach relies on automation to gauge its clients’ cyber risk. “The system doesn’t lie to us,” he added.