Making diagnostics easy for valuable assets

IoT Use Case - ITK Engineering + SEW-EURODRIVE

SEW-EURODRIVE is the market leader in drive and automation technology. In the podcast, we ask the question: How do you protect your products, for example “electrified monorail systems”, from external manipulation? What are the potential risks and damage to such devices and systems? And how can one conduct effective risk analyses for products based on data – and for which use cases? Find out in podcast episode number 123 with ITK Engineering and SEW-EURODRIVE.

Episode 123 at a glance (and click):

  • [07:57] Challenges, potentials and status quo – This is what the use case looks like in practice
  • [17:02] Solutions, offerings and services – A look at the technologies used

Podcast episode summary

Increasing digitalization and networking in industry pose new challenges for cyber security, particularly in the form of ransomware and industrial espionage. In this podcast episode, ITK Engineering and SEW-EURODRIVE talk about their joint project in the field of cyber security and their roles in it. The project covers the entire spectrum of the security engineering process – from risk analysis to penetration testing.

The guests are the two experts Alexander Görbing (Cyber Security Engineer, Tech Lead, ITK Engineering) and Stefan Schmitt (Chief Product Owner, SEW-EURODRIVE).

The two experts discuss how they work together within the MAXOLUTION® software framework to overcome the challenges of digitalization and protect industrial processes against industrial espionage and manipulation. They emphasize the importance of risk analysis, compliance with current standards and the benefits of improved diagnostics in order to offer customers real added value.

This episode is about:

  • the importance of preventive measures against industrial espionage and sabotage
  • the diagnosability of systems and the benefits of comprehensive data analysis for customers
  • the analysis and protective measures for different types of data and the classification of valuable assets
  • the use of attack trees and specialized tools such as CycurRISK for a structured risk analysis
  • the importance of standards and regulations, including the EU’s Cyber Resilience Act, for product and process security
  • continuously reviewing and adapting the cyber security strategy in light of new requirements and developments

Podcast interview

Hello, Alexander, hello Stefan. Great to have you with us today. Welcome to the IoT Use Case Podcast. Alexander, how are you? Where are you right now?

Alexander

First of all, thank you for the invitation and for the opportunity to talk about our project here. I’m doing well at the moment. I’m in our Berlin office today and have just moved into a small meeting box so that we can talk to each other here undisturbed.

Perfect for the podcast, very nice. Stefan, do you also have a meeting box or where are you right now?

Stefan

Hey Madeleine, thanks for the invitation from me too. I don’t have a meeting box. Today I decided to stay in mobile working so that we can record our podcast here undisturbed and I am at home near Bruchsal, where our main location is.

SEW, you are in Bruchsal. Aren’t there also John Deere and Sulzer? There are still quite a few companies from the region, aren’t there?

Stefan

That’s right, Sulzer is right across the street from our head office.

Sulzer has also been a guest on the podcast before, sending greetings at this point. Of course, I’m particularly pleased that you’re here today representing SEW-EURODRIVE. I think a colleague of yours was in episode 22 and that’s almost a historic first episode. Glad to have you with us today.

About you, ITK Engineering: You are active in the IT services and consulting sector, have around 1,300 employees and offer cross-industry and customer-specific solutions, particularly in the area of system and software development, and are active in various areas. You also have your own product – I would like to refer to episode 111, which is about your Transparency Toolkit. Today we are focusing on your joint project and above all on the services in the area of cyber security. Is what I said correct? Could you describe in more detail which customers you work with?

Alexander

Exactly, I don’t really have much more to add, because that was already very accurate. We are an engineering service provider and offer services that we develop individually in cooperation with the customer, resulting in tailored solutions. The sectors in which we are primarily, but not exclusively, active include Mobility – i.e. Automotive, Agriculture, Railway – as well as Industry and Healthcare. The white box development approach is particularly important to us. Everything we develop is a product for our customers. The customer receives all development artifacts and these constitute their intellectual property. We also offer security services for all these sectors and have a security team of around 50 people.

How did it actually come about? How did both of you meet and also the companies? There’s probably a history behind it, right? How did it happen?

Alexander

Exactly, there were already projects between ITK and SEW, but Stefan and I personally met during a project. As far as I can tell, everything was pretty typical. This was preceded by a consulting project in which the system was tested. As a result of this review, it turned out that it is also security-relevant. We then carried out a lightweight gap analysis to determine the needs and then customized a project to meet SEW’s requirements. We are now supporting the security process accordingly.

You have already mentioned the system, and today we would like to find out more about what kind of system it is and how you, as security experts, carry out the analysis. To categorize the project: In the podcast, we talk about various practical use cases. Now I understand that it’s all about security. Could you give us a brief introduction to what your project is about?

Alexander

We support our customers throughout the entire security engineering process. This includes risk analysis, the development of security concepts, implementation support and testing, including penetration testing. We also provide consultation on new standards or regulations. In this case, it was about industry standards that must be complied with, as well as regulations such as the Cyber Resilience Act, which is becoming increasingly important. We also evaluate what this means for our customers’ products and processes.

Perhaps we should start by introducing SEW-EURODRIVE. When you think of SEW-EURODRIVE, you think primarily of electric motors, but Stefan, you offer much more. You also have various software solutions, for example in the area of IoT with DriveRadar®, as well as various services. Could you tell us a bit about what is included in your portfolio today?

Stefan

I’m glad you mentioned it. In fact, our core business lies in drives and automation technology. We are known here as one of the global market leaders and are present in almost all sectors. I am currently part of the MAXOLUTION – system solutions brand. In this area, we focus primarily on applications in the automotive industry and logistics and naturally also use modules from our core business modular system to offer our customers innovative complete solutions for factory automation.

I did some research online in advance and compiled the latest key figures from you. You are an enormously large company with 21,000 employees, over 17 production plants and various, I think you call them Drive Technology Centers, of which you have around 80 to 90 in 54 countries with corresponding growth. It is therefore a very large organization. MAXOLUTION® is now such a system area. Could you perhaps take a step back and explain something about your vision for IoT and data-driven analysis for your customers? What’s going on in your market?

Stefan

I always describe MAXOLUTION® with a few topics that are of particular relevance to me personally. On the one hand, we offer complete solutions in the field of mobile systems, including mobile transportation and assistance systems as well as electric monorail and push skid systems. We are a partner to 60 car manufacturers in 160 plants. If you like, MAXOLUTION® is not only an innovative part of SEW-EURODRIVE, but we are also one of the customers, because we naturally cover this entire system business with our standard portfolio and can therefore always fall back on our decades of expertise in service electronics.

Many people are probably familiar with mobile transport systems. Electric monorail systems come to mind, from which body parts are usually suspended – to stay with the example of the automotive industry. These systems probably consist of frequency converters and, how shall I put it, aluminum beams? How would you describe an electrified monorail system?

Stefan

Yes, I would describe them all as rail-guided systems. We have these overhead conveyor belts that follow a rail, usually via positioning using a QR code or a QR band. Depending on the application, we even integrate hoists. And, of course, each system has its own functional safety concept.

[07:57] Challenges, potentials and status quo – This is what the use case looks like in practice

Many companies may use your hardware or systems, but now they also use the corresponding software. Can we perhaps talk about your clients’ business case or your own? What exactly is it about? You manufacture these high-quality systems. To put it bluntly, what does the customer lose in terms of time and money without you?

Stefan

However, we have noticed with our customers that there are many different solutions for localized systems within a production line or final assembly in the automotive sector due to the large number of suppliers and different service providers, which leads to many different standards and interfaces. Often, it’s classic PLCs that are connected to the fieldbuses and sometimes also intervene in a controlling manner in the production process. This means that the logic of a complete system is usually very decentralized and in the event of a fault it is very difficult to diagnose. Our aim is to start here with our system and improve diagnostics, collect, transfer and correlate data from production and create a comprehensive factory overview and a history of the factory’s condition.

At the end, we want to analyze the collected data. Today, it’s all about security and, as Alexander mentioned, risk analysis. Why is this important? We are talking about different risk scenarios. Alexander, could you elaborate on this? What risk scenarios are there?

Alexander

Basically, as Stefan already mentioned, the increasing digitalization and networking in the industry brings with it new challenges for cyber security. We continue to see a high prevalence of ransomware, which is mainly used for blackmail. But not only that. One motivation is extortion for financial gain, while another is the potential for attacks to occur via factory networks to carry out manipulations for sabotage purposes. Ultimately, the aim is to carry out denial-of-service attacks that lead to production being shut down or to production simply running inefficiently. Another important aspect is industrial espionage, which involves the theft of data or intellectual property. In the project with SEW, we discovered that SEW’s IP itself is also exposed to risks.

Stefan, what does that look like for you in practice? Could you perhaps explain this point a little more? I now understand that it is about preventive measures against industrial espionage and sabotage, among other things. Are there any additions from your point of view?

Stefan

Yes, of course, Alexander has already explained it well. These are the kind of overlapping things, use cases or questions that you have to ask yourself. From the point where we decide to leave the shop floor area with its closed and self-consistent systems, often secured by special keys for control cabinets, we enter a new level. We want to transfer data to IT. This means that we have many software products and communicate in different networks using different protocols. The risk and the attack surface where data is exposed to uncertainties increases enormously. A potential scenario involves an attack on systems used for plant display, diagnosis, or monitoring, which could result in a plant shutdown. In the automotive sector in particular, this can result in high losses within a very short time.

Are there also use cases for your customers when it comes to topics such as diagnosability, for example in the event of damage or documentation? I mean, having this data also offers an enormous advantage for your customers in various areas, doesn’t it? Do you see any other possible applications?

Stefan

When a plant shutdown occurs, the plant operator is naturally concerned with identifying the cause and the responsible party. For us, it is also a safeguard against competitors or other suppliers and service providers who are involved in the plant. And the same applies to our OEMs. The people who buy our system and install it at the customer’s premises – mostly our own EURODRIVEs worldwide – also have a degree of security.

One more question about the data: You mentioned the PLC, i.e. data is recorded both at field level and in various IT systems. Could you give a few examples of the type of data or data types? Perhaps also an example of the overhead monorail system, so that you can imagine it better.

Stefan

In the case of the monorail, we collect data on speed, positioning or even emergency stops – how often and at what point they were pressed. Then there is also data from peripheral devices, and by that I mean all devices that do not come directly from us. In an assembly line, for example, these would be torque wrenches or pull cords. All of this data is collected using edge devices, i.e. edge computing. In other cases, we have to connect to a system PLC.

Alexander, you are analyzing the data in particular. Could you explain in more detail how you look at this data, especially the examples Stefan gave? Can you elaborate on that a bit?

Alexander

Yes, of course, with pleasure. We look at what kind of data is involved and what data types are available. That’s where you have to differentiate. We also look at the data flow, that is, the communication pathways through which this data is distributed, and where data is persisted, meaning where it is stored and saved. We also have to look, we have to differentiate, we have to determine these data as valuable assets. We differentiate between non-sensitive or less sensitive data, which only needs to be protected against manipulation, and sensitive data, which needs to be protected against unauthorized access by third parties.

In other words, you cluster this data into different types and perhaps also use cases?

Alexander

Yes, definitely. We also make this distinction not only in terms of data. We also define other valuable assets such as hardware, software, source code or configurations. In doing so, we focus on what is really worth protecting. Does integrity need to be protected? Does availability need to be ensured for systems or hardware to function? Or is it about confidentiality, i.e. does data have to be stored in encrypted form to prevent third parties from viewing it?

Assuming there was external manipulation, how would you notice it? Stefan, could you go into this again? You mentioned peripheral devices, such as a torque wrench. How would one recognize such manipulation in the data?

Stefan

A quality alarm would normally be triggered first. Assuming someone had changed the specified torque for a wrench, this would not be noticeable at first, as the associated alarm would not be activated. However, our system would track which torques were actually applied and whether an error occurred. We could determine this retrospectively with our system, as we also carry out data collection. The recorded data is not lost. With our system, we are able to view a replay of the recorded data from the past. This is done with our digital twin, a detailed 3D factory in which we can analyze the recorded data in replay and understand how the system has behaved.

We had talked about root cause analyses, i.e. about proving resilience and investigating cases of damage. These analyses can of course be carried out excellently on the basis of the data in the data recording.

[17:02] Solutions, offerings and services – A look at the technologies used

Many of our listeners are familiar with similar scenarios. Maybe it’s not a torque wrench, but a different device. Alexander, could you explain exactly what your solution can do?

Alexander

In principle, we work independently of tools and methods. We can therefore also use the methods and tools specified by the customer for risk analysis. This was not the case in this project, so we were able to apply our own methodology. In the methodology, we use attack trees that replicate the path of the attacker in the system. We like to use the CycurRISK tool from ETAS, partly because we helped develop it. We have incorporated a lot of features that exactly replicate our methodology. This tool enables us to take a simple, methodical and systematic approach and creates a structure. The result is a guideline that makes it clear not only to us but also to the customer how we carried out the analysis.

You talked about the attack tree, which means that in the case discussed, we would look at the data recording or the persistent data and recognize exactly whether, for example, a quality use case has occurred, as Stefan explained, where the target and actual values of a particular wrench differ. You could then retrace this using the data and could open it up as a use case and also analyze it at that point?

Alexander

Exactly, first we would have to determine what the valuable asset is. In this case, it would be the persistent data, as this is used to configure the screwdriver, for example. Then we identify a potential hazard – for example, manipulation of the torque. We are investigating where this data is located and how an attacker could trigger this risk. This could be done remotely via the Internet if the system is connected to the network, or via the factory network, i.e. WLAN, or by an attacker on site. We look at these different paths, identify vulnerabilities that an attacker could exploit and assess them to map the risk. Using this tree, which displays different paths, we can then understand which path an attacker would likely choose, as we assume that an attacker always chooses the path of least resistance. We do not leave any path out of consideration and present all options comprehensively.

You really look at the individual assets worth protecting. Can you explain a little about how exactly this data processing works, especially the analysis of the data and also the prioritization to a certain extent?

Alexander

Yes, very much so. I have already talked about identifying the assets that are worth protecting. We do this together with the customer. The customer of course knows best about their system. If we have these goods worth protecting, also known as assets, then we identify damage scenarios. These are concrete damage scenarios that can occur for their system. What we also always do together with the customer is an individual assessment of the type and amount of damage. We differentiate between operational damage, for example if production stops or equipment breaks down. But we also look at financial damage. The customer must then tell us what they consider to be a minor financial loss and what constitutes a major financial loss. Personal injury is also included in the analysis.

Do you look at scenarios like the one with the torque and then write down this risk scenario specifically for such cases, for example?

Alexander

Exactly. At the same time, we develop an expert assessment of these attacks, as already mentioned, using the attack trees and also evaluate the probability of occurrence. This results in a risk for every hazard. This results from the combination of the probability of occurrence and the amount of loss incurred by the customer. In simple terms, this means that if an attack is very easy to carry out and the probability is very high, but the potential damage remains very low, this may still represent a low risk because the level of damage is not very high. However, if the probability of occurrence is medium and the damage is high, this would also mean that the risk is high. Such possibilities or such a visualization indeed enable the customer to explore attack potentials that may have been unforeseen before.

Depending on the case, you carry out comprehensive damage scenario analyses together with your customers and partners. Stefan, you use the assessments from Alexander and his team as a result to process them further.

Stefan

Exactly, we receive a report from ITK, especially from Alexander and his team, about the complete attack trees and the assets we have, as well as the assets worth protecting. With this information, we can understand which parts of our product are particularly at risk, where interfaces may need to be better protected and where we should strengthen authentication. Such reports make gaps visible to us and are the result of the first step in our cooperation.

Why is it so important for you to know these valuable assets, especially with regard to their classification as sensitive or non-sensitive?

Stefan

Of course, the first priority is to minimize damage. As I said, we are working in running production facilities. What we also do with our system is to enable the visualization of the plants directly on display panels in production. This means that if, for example, we would not report defects in terms of quality and the like because someone has made corresponding adjustments in the system and error reporting is missing, the plants would not even recognize that a quality problem exists. Production would continue as usual, propagating the error across many vehicles, which would inevitably result in significant damage. On the other hand, we are of course also obliged to comply with the relevant security standards when publishing a software product.

Exactly, you are now obliged to regularly comply with certain standards for your products, for example through the TISAX® regulation. This includes a review of information and cyber security, which I believe is specified by the German Association of the Automotive Industry (VDA). At the same time, the EU’s Cyber Resilience Act, which aims to strengthen products that contain digital elements, is also a driving factor. This framework should really encourage companies to build appropriate security features into their products and ensure that they are secure…

Alexander

Exactly – I can add to the Cyber Resilience Act that it will be particularly relevant in future for all manufacturers who offer products on the European market. There will be mandatory cybersecurity regulations that will have to be implemented soon, as there is not much time left. It is important to deal with this at an early stage and, if necessary, to take protective measures in good time.

Yes, that is also a driver that is mandated by law. It therefore makes sense to involve experts like you at an early stage in order to identify risks in good time and prevent damage. Do you also have requirements to continue using and expanding this system yourself in the future? I think you also have a great interest in continuing to use a wide variety of things and rolling them out in your teams. What are the requirements there, also looking towards the future?

Stefan

Yes, of course, after we have tested the software in the first release and identified and addressed all gaps and relevant attack trees, we will certainly continue to work on the product and expand its range of functions. Future architectural or hardware changes to our overall system will require a new cyber security review. This means that it is a continuous process in which every modification has to be reviewed for security risks. We must therefore continue to have these reviews carried out in the future or even use the tooling ourselves.

Yes, and Alexander, this is exactly where the circle closes, as you mentioned at the beginning. Many partners and customers work with the system, use it internally and then expand it with your help. They start with your support and then develop it further with their own skills, processes and experts.

Alexander

Exactly, so the tool is available under license, it can be purchased and used for your own purposes. Customers can process the results of the risk analysis directly themselves. We not only create a report, as Stefan already mentioned, but also provide the data that the customer can then further process with the tool. We also support our customers in acquiring the knowledge they need to use the tool. We offer training and are happy to help.

Given the time and the many other questions that are now arising, I would like to point out that interested parties who have similar issues and would like to discuss them have the opportunity to contact you. I would simply link your LinkedIn contacts in the show notes. There, you can also feel free to connect with them directly. Where are your visions heading and what can we expect in the future? Alexander, can you say something about the functions, features and services you offer?

Alexander

I mentioned at the beginning that we support the security engineering process. This means that once a risk analysis has been carried out, the process is not yet complete; we do not yet have a secure system. This is currently being addressed in a follow-up project with SEW, in which we are developing the security concept. This is then used to define specific measures that result in requirements for the system that need to be implemented. In addition, a residual risk analysis is required after defining measures to safeguard the system. This can be easily carried out using the attack tree approach of our methodology. We integrate these measures into the existing attack trees, which results in a reassessment of all risks with active measures. The result shows the effects of the measures and whether they reduce the risk sufficiently. The residual risk analysis then serves as a good basis for our customers to repeat the analysis in the event of system changes. When new elements or functions are added, the impact on the risk of the system can be identified immediately.

Stefan, how is it for you? How do you want to use the system? What might be added in the future?

Stefan

Alexander has already mentioned that we, specifically myself together with our lead architect and security champion, are actively working with ITK on a security concept to close gaps that have already been identified. We will continue to follow this approach in the future. This will be particularly important if we actually expand this support for digital transformation in factories even further with our product. Among other things, this also means offering retrofits for our customers and thus having to further expand our portfolio in the direction of edge devices/edge computing and, as part of many projects, constantly questioning our architecture and expanding it where necessary. It is therefore important for us to utilize the results that we have already achieved thanks to ITK and to start new analyses based on them in order to meet all cyber security requirements with the further development of our product.

Very nice, maybe even worth an update in a year to see the developments and how you are driving and expanding the analytics to cover the security risks for your customers and partners. Thank you very much for this episode. It was very easy to understand, not only from a technological point of view, how it works, especially with the reports and data recording. We talked about various vulnerabilities and your joint project, as well as the benefits of risk analysis and prevention. Diagnostic capability offers major advantages for addressing issues such as industrial espionage, sabotage and proof of damage. Many thanks for being here. The last word goes to you. Thank you very much and have a nice rest of the week.

Alexander

Thank you for this opportunity here in the podcast. I would also like to thank our customer, Stefan. We had a lot of fun working together on the project. Also in terms of the product, a very nice variation. Thank you again for your professional cooperation.

Stefan

Yes, I agree with you. Thank you, Madeleine, for letting us be part of this. A special thank you to Alexander, who invited us as a partner. The cooperation with ITK was not only very cooperative and constructive, but also opened up new perspectives for us. As a traditional company that is very much involved in plant automation and mechanical engineering and has less experience with pure software products, we are constantly learning. This partnership is extremely valuable and I hope that it will continue in the future.

That was a nice closing word for today. So thank you very much and have a great week. Take care.

Ing. Madeleine Mickeleit

Host & General Manager
IoT Use Case Podcast