
Securing and Efficiently Managing IoT Devices – Avoid Costly Errors and Security Risks

Listen to the IoT Use Case Podcast on Spotify.
Listen to the IoT Use Case Podcast on other platforms.

IoT Use Case Podcast #147 - ECOS Technology + conplement

In this episode, you’ll learn how companies can protect their IIoT devices from cyberattacks and avoid costly manual processes through efficient device management and security certificates. Gerald Richter (ECOS Technology) and Sebastian Fischer (conplement AG) share practical solutions to minimize security risks and increase the efficiency of connected industrial devices.

Podcast episode summary

In this episode, the challenges and solutions for device management and security in IIoT devices are discussed. Gerald Richter, CEO of ECOS Technology, and Sebastian Fischer, Device Management Product Manager at conplement AG, explain how companies can efficiently manage and secure their IoT devices. The experts share insights from various projects, demonstrating how security certificates, automated updates, and secure device management help mitigate risks such as cyberattacks and tampering.

The episode presents use cases that illustrate how companies save time and costs by avoiding manual processes while ensuring the security of their connected devices. A central theme is the challenge of updating devices throughout their entire lifecycle and meeting compliance requirements, which is especially critical for regulated industries like medical technology.

Finally, the guests discuss specific technologies used in these contexts and provide insights into successful projects as well as upcoming developments in IIoT and security solutions.

Podcast interview

Did you know that manipulated data can enter your production workflows and lead to wrong decisions? Or how much time and resources you lose through manual updates of your devices, such as via USB sticks? In this episode, you’ll learn how to avoid these issues by managing your IoT devices and machines efficiently and securely. The use case here: device management, focusing on security and certificates.

For this, I’ve invited two experts: Gerald Richter, CEO of ECOS Technology, a German software manufacturer specializing in IT security products, and Sebastian Fischer, Product Manager at conplement AG, an IT service provider offering, among other things, device management solutions. You can find all the details, as always, in the show notes or at www.iotusecase.com. Enjoy the episode!

Welcome to the IoT Use Case Podcast. Gerald and Sebastian, great to have you here today.
Gerald, how are you, and where are you right now?

Gerald

I’m doing well, I’m in the office.

Nice. Where exactly is your office located?

Gerald

Our company is in Oppenheim, on the Rhine, right in the middle of a wine-growing region. When I look out the window, I see a lot of vineyards. Even though the sun isn’t shining right now, it’s beautiful here when it does.

Fantastic, greetings to Rhineland-Palatinate! And Sebastian, where are you? Also in the region?

Sebastian

I’m a bit further south and today I’m working from my cozy home office in the Nuremberg metropolitan area. conplement AG is based in Nuremberg.

Great, I’ll wave over to you!
I live in Erlangen, near Nuremberg, so we’re not too far apart. Gerald, you’re the CEO – tell us a bit more about your background and your role at ECOS.

Gerald

My background is in technology. I started programming very early, about 45 years ago now. Over that time, I’ve seen many programming languages come and go and have written a lot of code myself. About 20 years ago, I had the idea to start a company with a friend – that’s ECOS, where I’m still the CEO today. Back when we were smaller, I was very hands-on with the technical side, but now as CEO, I cover all areas – from sales to marketing to business management. However, I’m still deeply involved in the technical side because that’s my roots.

Fascinating background and obviously very successful. We’ll hear more about it today. Sebastian, what do you do, and what’s your background?

Sebastian

I also started as a software developer, but in the medical technology field – a completely different world. At some point, I transitioned from Product Owner to Product Manager, most recently focusing heavily on the industrial sector. I am currently working at conplement AG as a Product Manager in the Device Management field.

Great, you’re familiar with many of your customers’ use cases. We’ll get to that in a moment. But first, how did you both come to be here today? How do your companies know each other, and how did this discussion come about? Gerald, would you like to start from ECOS’ perspective?

Gerald

We actually met at an event organized by the Open Industry 4.0 Alliance. It’s a consortium of companies, mostly from German-speaking countries, but increasingly international as well. The alliance brings together companies from the industrial sector to work on joint solutions for the challenges of Industry 4.0. It’s not about theoretical concepts that ultimately don’t work but practical solutions. Practitioners collaborate here to develop interoperable solutions before entering competitive situations, which is the core of Industry 4.0. At one of these events, Sebastian and I realized that our solutions complement each other very well.

Awesome. For those unfamiliar with the Open Industry 4.0 Alliance, check out the show notes where I’ve included a link. Also, greetings to the board! Hans-Jürgen Huber has been on this podcast before, as has Christian Liedtke. So, a big hello to everyone! Since today we’re not focusing on the Alliance but rather on your joint projects, let’s take a look at the use cases and what you’re accomplishing together.

Perhaps a question to start: Which of you is closer to the customers’ business use cases?

Do you have an example? Sebastian, you mentioned that you’re pretty close to your customers’ projects, right?

Sebastian

Exactly, at conplement, we see ourselves as Digital Enablers. That means that close collaboration with our customers is central to us. We always look at the issues our customers face and place great importance on building everything securely. Security is becoming increasingly important in software development, especially with embedded devices. One key topic is certificate management, which ensures secure solutions on devices, encrypted connections, and more. That’s why the connection with ECOS is so important – it’s always good to have a local partner. There are, of course, global companies, but in German industry, there is often a need for specialized solutions. It’s helpful to have a direct contact who can quickly respond to specific requirements. With ECOS, we have a partner just a phone call away, and together we can develop tailored solutions for our customers.

When you say for the customer – can you narrow that down a bit? What’s your target group or customer base? Are you mainly working with SMEs? And who are you usually talking to in order to better understand their needs?

Sebastian

Exactly, we see ourselves as Digital Enablers for SMEs, as this is where we see the greatest need for catching up. The omnect Secure OS can be adapted to almost any device, allowing us to support both small, smart IoT devices and edge gateways on machines.

Sometimes these are industrial devices that only become digitally enabled through such gateways.

Gerald

Regarding SMEs: Traditionally, SMEs are defined as relatively small companies, but I think – and I believe this also applies to conplement – that our target group isn’t limited to companies with up to 500 employees. Our audience also includes larger companies with 1,000 to 10,000 or more employees, often internationally active but with headquarters in Germany. The key point is that these companies often value having a local contact person, as Sebastian already mentioned. They appreciate short communication lines and a level playing field in discussions, and I think this is a major advantage for both of our companies.

Today’s focus is on the general use case of device management.

There’s much more to it. Can you give us an overview of which companies are involved and which devices play a role? The term “embedded software” on the devices was just mentioned. Are these existing or new devices? What are the specific device management concerns of your customers?

Sebastian

There’s a wide variety of devices in the market. One example would be power distribution stations or wind turbines in energy management that need to be equipped with smart sensors. At the same time, we have large production halls in the manufacturing industry where companies want to digitize their operations without replacing their existing machinery. This is where gateways often come into play, and they can come from various manufacturers, including many excellent German providers we collaborate with. The goal is to find the right solution to achieve desired outcomes, such as data collection or AI use cases. There are virtually no limits.

Your companies have been in the market for a long time, but IoT and connectivity are now playing an increasingly important role. Could you share with me and the listeners your vision for digitalization with IoT and live data for your customers?

Where are you headed, and what’s your vision for the future of your customers?

Gerald

In the industrial sector, particularly in manufacturing, we’ve often had isolated stand-alone solutions. A factory hall might have its own bus system, completely isolated. But with digitalization, this is changing. We’re familiar with the classic automation pyramid: the shop floor at the bottom, with various systems above it up to SAP, with each level only communicating with the one directly above it. This structure is now dissolving, especially with Industry 4.0, where the vision is: everything communicates with everything – suppliers, customers. The first steps towards this began about ten years ago, but in practice, it has only been implemented in a few places so far. There are now new initiatives, including those from the federal government and the Ministry of Economic Affairs, such as Factory-X, to further advance this vision.
At the same time, digital twins and artificial intelligence are gaining importance. However, these technologies require the collection and analysis of large amounts of data – and traditional methods are no longer sufficient. Everything is becoming increasingly connected, which offers many advantages. However, it also introduces new risks because, where everything communicates, attack vectors are created. In the past, IT security was hardly a concern in production environments because the demands simply weren’t there.

Today, that’s no longer the case. This applies not only to production but also to the products themselves – nowadays, even household devices like vacuum cleaners, dishwashers, and toothbrushes are connected. My toothbrush could also communicate with the internet if I allowed it. Why it should do that, I still don’t quite understand – but that’s another topic. In any case, with this increasing connectivity comes a whole new attack vector, and we need to get a handle on it. This requires appropriate security measures.

[12:12] Challenges, potentials and status quo – This is what the use case looks like in practice

Let’s talk about the business case and the “why” behind it. You already mentioned security, but it’s also about breaking down the automation pyramid. Devices may need to be kept up to date across multiple locations and throughout their entire lifecycle. What is the business case behind it? Why should companies engage with this? What do they lose in time and money if they don’t?

Gerald

I’ve been in the security business for 25 years, and it’s always a challenge to sell security because many CEOs initially think it’s just a cost with no direct benefit. However, we now know that security is extremely important – even on a societal level. Particularly in view of the current political situation, the EU has passed several laws and regulations, such as NIS2, which requires production to be secured, and the Cyber Resilience Act, which is intended to secure digital products. These regulations force companies to deal with IT security because the economic motivation alone is often not enough. While this can be unpleasant for individual companies as it incurs costs, I see it as a very sensible measure. Ultimately, security is like insurance.
Of course, I could say I’ll skip the insurance because no one is going to break into my place, but we know that break-ins can happen anywhere. That’s why we have insurance, and it’s similar with IT security. You invest money to avoid huge costs later on due to an IT security incident. Ransomware and similar attacks cost a lot of money, and awareness of this is growing.

You just mentioned the Cyber Resilience Act and the NIS2 directive. For those interested in diving deeper into these topics, I’ll link the sources in the show notes. Also, in episode 137 of the IoT Use Case Podcast, we discussed Factory X – make sure to check that out.

But maybe we can get a bit more practical: Security risks like cyberattacks or data manipulation can have very tangible consequences. Can we talk about what the worst-case scenario might look like in practice? I’m thinking about unauthorized devices infiltrating a network and potentially bringing down entire production lines, or devices providing incorrect data, leading to faulty decisions. What are some real-life examples from your customers where incidents like this have led to losses in time and money because unauthorized devices suddenly appeared on the network or disrupted production?

Sebastian

Exactly, all the points you mentioned are critical when it comes to security. A good example is when an unauthorized device logs onto the network or when a device is compromised and needs to be quickly removed from the network. A centralized solution is especially advantageous in this case. If implemented with the highest security standards, such as certificate-based security, not only can you remove the device from the network, but you can also ensure it cannot register elsewhere. If an attacker tries to reconnect the compromised device, this can be prevented by revoking the certificate.
From a device management perspective, it’s becoming increasingly important as we have more and more locations and devices that need to be managed.

At the same time, we’re facing a skills shortage and don’t have enough personnel to handle all these tasks. This is where a centralized, cloud-based solution offers a significant advantage. It allows us to monitor and manage devices across multiple locations through a single dashboard.

You’re right, the intrusion of unauthorized devices into the network poses a huge security risk and can disrupt production or provide incorrect data. What you’ve just mentioned is also part of the device management use case.

Many of your customers have thousands of devices that need to be maintained and updated. Can you tell us more about what it means to handle these processes manually? In the past, updates might have been done via USB sticks. What does this time loss mean for companies?

Sebastian

Yes, exactly. In device management, security is only one side of the coin.

For example, if you have a Linux operating system, you want to make sure that it is regularly updated, possibly with vulnerability tracking and the Software Bill of Materials, SBOM, so that you can react quickly in the event of problems. On the other side, there are devices in the field that may require a bug fix or new features. Just like our iPhones, which regularly receive new iOS versions and features, this can also happen in the industrial environment – although it’s not as common there yet, it’s becoming more important.
It’s also worth considering the added value you can offer customers afterward, such as additional services that provide new features or updates. This is easy to implement when you can update thousands of devices with a click or allow customers to decide when to update their devices. A good example is AVM’s FRITZ!Box, where the user can choose when to install the update, but it’s available immediately – and that’s precisely what’s important in industry as well.

Gerald

I’d like to elaborate on the threat scenarios and give a few examples. If we look at digital twins, which enable predictive maintenance – this means trying to predict when a machine might fail. One example: if a sensor provides incorrect data, you might replace a machine that’s actually still in good condition. Even worse, if you don’t replace it when you should have, it could lead to production downtime.
In energy supply, there’s also a good example described in a novel; unfortunately, I can’t recall the title at the moment. In this case, the turbine speed in a hydroelectric plant’s SCADA system is manipulated to show a higher speed than it actually has. This leads to the plant being automatically shut down to prevent damage to the turbine. If this happens in multiple plants simultaneously, you suddenly have no electricity, which could have catastrophic consequences. Small manipulations can have huge impacts. The same could happen in a private heating system: if all smart homes fail at the same time and people are left in the cold, it would be bad not only for the manufacturers but also for the public. This could even trigger political unrest. These are just a few examples, but there are many other similar scenarios.

Yes, it’s great that you’ve emphasized that again. If you remember the title of the book, I’ll gladly add it to the show notes afterward. I always find it fascinating when technology is featured in novels.
So, we’ve discussed several aspects: classic security risks like cyberattacks, regulatory and compliance requirements from the EU, reduced operational time, and costly manual processes due to the need to keep thousands of devices up to date. On top of that, there’s the risk of manipulation, meaning incorrect data could lead to inefficient or even wrong decisions.

One topic we haven’t touched on much yet is the shortage of skilled workers. What’s your take on that? Many companies have centralized IT departments, but not all. How relevant is this issue, and what are the biggest challenges related to it?

Gerald

Yes, there is usually a central IT department, but it’s often distinctly separate from OT.

These are two completely different worlds. In IT, things like certificates and IT security have been established for a long time because they were necessary. In manufacturing, however, as mentioned earlier, such security wasn’t needed due to the isolated systems. OT usually manages its own systems, as they function very differently from traditional office systems. The IT departments often don’t want to deal with OT because they know that a mistake there could shut down production, causing massive costs – unlike in IT, where the worst-case scenario might just be that someone can’t send emails for half an hour.
The requirements for availability and security are very different in OT. That’s why these systems are typically separated in most companies. This has led to the fact that the IT experience, which has been common in office IT for a long time, isn’t as widespread in OT. Here, you have more traditional engineers who build fantastic machines and have a deep understanding of safety. They know exactly how to design a machine so that it can be safely stopped in an emergency, ensuring no one gets hurt. That’s safety. But there hasn’t been much need for IT security, and that’s only now beginning to develop. However, with the new regulations, it’s increasingly being demanded as it’s recognized that without IT security, we could face major problems.

Yes, before we get into avoidance strategies and your solutions, I have one more question. You’ve already mentioned the topic of digital certificates. This requires technical know-how, right? Can we briefly break that down and explain it? I’m familiar with the buzzwords, of course, but technically, it may not be immediately clear to everyone. Can we start with the concept of a certificate? As I understand it, you need a digital certificate to authenticate and secure devices and machines. This certificate essentially gives the device an identity, correct? It’s basically like a document or a stamp that tells the device: This is you. Is that technically correct?

Gerald

Yes, that’s basically correct.

Maybe we can fine-tune it a bit. In classical IT security, there are three fundamental security objectives: integrity, authenticity, and confidentiality. Integrity means that the data hasn’t been tampered with, so that sensor data arrives exactly as it was sent. Authenticity means you know where the data comes from – in this case, from a trusted sensor and not an attacker. Confidentiality means that the data is transmitted in an encrypted form so that no one intercepting it can read it, which could give them valuable information for an attack.
To achieve these three security objectives, cryptography is used, based on digital keys. There are symmetric and asymmetric keys. Symmetric keys mean that both sides must have the same key to securely communicate or ensure integrity. The challenge is securely exchanging that key. Asymmetric keys solve this problem because there is a public and a private key. The public key can be shared easily. Certificates add extra information to these asymmetric key pairs and are signed by a certificate authority, or CA, to confirm their authenticity. This allows certificates to be distributed over insecure channels, and the central authority, which is trusted, confirms their validity. This builds a trust foundation necessary to achieve the three security objectives.

I see. Now we’re getting into the topic of PKI – Public Key Infrastructure – which is the technical infrastructure to manage and administer these certificates. That’s the other part, right?

Gerald

Exactly, PKI is the infrastructure that ensures there’s a central authority you trust, which issues certificates that can then be verified.

For example, a control device might have a certificate from a specific production system, and this certificate can then be passed along. That would be an example of a certificate bound to a device.

Gerald

The PKI issues the certificate, and all devices trust the CA, the certification authority, which is part of the PKI. Every certificate issued by this PKI can then be checked to verify whether it’s genuine or not. If two devices check each other’s certificates, they can communicate securely, encrypt data, authenticate each other, and ensure data integrity.

So, as you described earlier with the example of the hydroelectric plant, a digital certificate could authenticate the control system of a facility. The certificate confirms the facility’s identity, and it is then used for further communication, correct?

Gerald

In the case of the hydroelectric plant in the novel, it’s a bit different. There, the software on the SCADA controllers is manipulated to provide false readings. This can be addressed by signing the software with a certificate. The device receiving the update must be able to verify if it’s the correct software. The trust anchor here is the CA’s public key. With this key, the device can verify the software’s signature. If the software is properly signed, an attacker cannot install fake software because they can’t sign it. Additionally, the device receives a certificate that allows it to sign the data it sends to the next controller. This way, the recipient can check that the data hasn’t been tampered with and that it came from the correct device. The data can also be encrypted.

Okay, perfect, that helps clarify things. If I understood correctly, the PKI is the technical infrastructure that enables the secure use of certificates. A certificate ensures integrity, authenticity, and confidentiality to guarantee the security of devices and machines in IoT use cases, correct?

Gerald

We also have various white papers and blog posts on our website about this. I can send you some links if you’d like.

Great, I’ll gladly include those in the show notes. I didn’t want to dive too deeply into the technical side, but it’s important to make it understandable with an example.

Especially in the IoT context, it’s about securing data, whether it’s environmental data, sensor data, or protocols like OPC-UA or MQTT, right?

Gerald

Exactly, that’s the use case where ECOS and conplement work together. At ECOS, we specialize in equipping IoT and OT devices with certificates. This means we handle the secure provisioning of certificates onto devices. Here, conplement provides the solution: we supply the certificates, and conplement ensures they are securely deployed to the devices and regularly renewed. This way, the devices can communicate securely, transfer data safely, and verify updates – all the things we discussed earlier.

[30:29] Solutions, offerings and services – A look at the technologies used

Sebastian, could you elaborate on that a bit more from your perspective?
How does conplement ensure that the certificates are deployed to the devices and managed there? What does your solution look like?

Sebastian

The core of our omnect Device Management is omnect Secure OS, a Yocto-based Linux system. When a customer produces a new device or creates an image for it, we obtain the appropriate certificate from ECOS or another PKI and inject it onto the device. This prepares the device for secure onboarding and enables it to be securely integrated into the network, while addressing the three key factors.

Okay, so omnect Secure OS is responsible for device management, right?

Sebastian

That’s the operating system on the device, and it includes several services that ensure connectivity, including for the update infrastructure and especially for secure updates. This means you have a certificate or a signed update, as Gerald mentioned earlier, to ensure that the update is legitimate. This prevents anyone from installing an unwanted update that could cause the system to malfunction. Additionally, certificates must be renewed regularly, and the connection to the PKI infrastructure must be maintained to check if there are any devices with certificates that can no longer be trusted. If any issues have arisen or a key has been compromised, those certificates can be placed on a revocation list for those no longer considered trustworthy. If a request comes from such a certificate or an OPC-UA server appears, the connection won’t be established to ensure security. Only trusted certificates are accepted.

Gerald, from your side, you provide the entire infrastructure behind this, allowing you to create, deploy, encrypt certificates, and manage the entire key lifecycle. You also have the issuing authority that creates the keys. TrustManagementAppliance is a certified term in this context and describes the part that you provide.

Gerald

Yes, exactly, that’s the part we provide. The TrustManagementAppliance is our specific product that handles the complete certificate and key management.

It ensures that the keys are generated securely. While it’s possible to create certificates and keys using tools like OpenSSL, that’s not secure enough for professional applications. We make sure that the key material is securely generated and managed, and that the certificates are then distributed to conplement’s device management system. Additionally, there are regular reports so that you always know when certificates are expiring and where they are being used. Our solution is tailored to industrial operations, meaning it also works offline if there’s no stable internet connection in production facilities. This ensures that production runs 24/7 and that key and certificate management functions smoothly.

Okay, so together as partners, you’ve created a comprehensive IoT security solution that directly addresses the customer’s business case. You enable automated updates, remote management, and reduce downtime while replacing error-prone processes. With your solution, secure IoT devices can be deployed, protected from cyberattacks through the integration of digital certificates. This creates secure connections, and the transmitted and received data remains authentic and unaltered – just like we discussed regarding data integrity and manipulation. So, it’s a complete solution to solve the business case for your customers.

Gerald

Yes, that sums it up well.

Sebastian

Exactly.

Perfect! I have many more questions, but for anyone who wants to dive deeper, I’ll link your contact details in the show notes. If this sounds interesting and you have a similar or even different use case you’d like to discuss, feel free to reach out to Gerald or Sebastian. Also, leave a comment about what you thought. Maybe you have other use cases and are wondering if this solution fits. Let us know, and I’ll cover it in one of the next episodes.

Gerald

We’ve only scratched the surface today. There’s a lot more that can be done with these two solutions working together. Asking questions is always a good idea.

Yes, I think so too. Thank you both! I believe that through these concrete use cases, it’s clear how much time and money can be lost if these topics aren’t addressed and why it’s so important to do so – also from a regulatory standpoint. By investing in cybersecurity and IoT management, you can not only avoid production losses and cyberattacks but also legal consequences and potential reputational damage. Everyone has their own use case, but this is definitely the right path. From my side, thank you, Gerald and Sebastian, for your time and the valuable insights. The final word is yours!

Gerald

A big thank you from my side as well for listening! Feel free to get in touch with us, visit us at the SPS where we’ll be present, or through the IoT Open Industry 4.0 Alliance. We look forward to hearing about your use cases.

Sebastian

I couldn’t agree more. I’m looking forward to exciting contacts and interesting use cases!

Thanks again, and have a great week! Take care, bye.

Sebastian

Thank you, bye.

Gerald

Bye!


Ing. Madeleine Mickeleit

Host & General Manager
IoT Use Case Podcast