Industry 4.0 – Digitalization and Security. IT meets OT.
If you want change, regarding digitization or in the security environment, the most important thing is management commitment.
In our 3rd episode, consistec CEO Thomas Sinnwell talks to Michael Krammel from K4 Digital. Michael is a pioneer on the topic of industrial security and will give us exciting insights into his world. We want to know what Industrie 4.0 means for organizations, what does it mean for people and where are the challenges? Exciting questions. Have fun listening!
Thomas Sinnwell: Today I have Michael Krammel as our guest and we are talking about "Automation 4.0" or "Industry 4.0", subtitled "OT meets IT". Nice to have you here, Michael.
Michael Krammel: Hello Thomas! I was very pleased to receive the invitation and I look forward to our discussion.
Thomas Sinnwell: I've already told you roughly what it's about. We want to look at questions like: What does Automation 4.0 or Industry 4.0 really mean for organisations? What does it mean for people? And what are the challenges? And I hope that within the next half hour we will manage to work out a few answers so that we can give our listeners something on their way.
Michael Krammel: Of course.
Thomas Sinnwell: Alright. I would like to start with a short introduction. If I remember correctly, you were born in '89, in the last century...
Michael Krammel: Exactly.
Thomas Sinnwell: Oh God, that sounds weird.
Michael Krammel: Yes, but it's true. You have to stand by it.
Thomas Sinnwell: ... in the corporate environment you were active in the areas of automation and process control technology.
Michael Krammel: Exactly.
Thomas Sinnwell: Then you came to KORAMIS. There you dealt with topics like digital factory, industrial software development, industrial security, and developed new business areas. And I think you became managing director in 2008.
Michael Krammel: Exactly.
Thomas Sinnwell: And most recently you founded K4 Digital.
Michael Krammel: Yes, exactly. I left KORAMIS and now I'm taking on some new challenges.
Thomas Sinnwell: Very nice, very exciting. So I think we'll hear a bit more about that at the end. What does Industry 4.0 mean now, especially for industrial companies?
Michael Krammel: I always have a bit of a problem with buzzwords, because it's a bit difficult to put the buzzword into the right context. Industry 4.0 is usually taken into context when you talk about changing business processes or business models. That means everything from business processes to infrastructure processes have to be changed or automated. And that is actually the focus of Industry 4.0.
Thomas Sinnwell: So if you look at the big picture that means increasing efficiency in processes, improving creation value.
Michael Krammel: Exactly. And above all, of course, saving costs. You don't do it for the sake of doing it. At the end of the day it's about being competitive, in the context of international digitalisation.
Thomas Sinnwell: It's certainly the case that large companies find it much easier to get involved than small and medium-sized enterprises. What is your view on that? What are your experiences?
Michael Krammel: I wouldn't necessarily say that it's much easier for them, because the challenges posed by the organisation to set up these new processes, to change them, are sometimes much greater than when you do it in medium-sized or smaller companies. The important thing is that there are really changes throughout the entire organisation, and of course they have to be carried out with a strong commitment from management.
Thomas Sinnwell: I know from other areas, that as soon as fundamental changes are made, there is resistance.
Michael Krammel: Yes.
Thomas Sinnwell: How is that expressed in the industrial sector? You have been active there for a long time.
Michael Krammel: Yes, of course, it's clear that there are well established processes and of course people say: we've been doing it this way for many years, why should we change it? And above all, it breaks down the boundaries between things to a certain extent. It's no longer just about production, it's also about IT, it's about business processes. So we have to take a completely different approach, a more interdisciplinary and more integrated one. And as you mentioned, there is of course a lot of resistance.
Thomas Sinnwell: But we will talk about how you will position yourselves in the future. I can imagine that this is a very glaring issue if you want to take an integrated approach to counselling.
Michael Krammel: Yes, I think that the challenge is to really implement the topic together. That you no longer have individual pillars that take care of their own issues, but that you actually have to break these things down and work together and co-creatively on these development issues. And that, of course, poses many challenges at this point.
Thomas Sinnwell: Before we go into detail, I have another question: Do you notice any differences in different sectors or is it the same issue everywhere?
Michael Krammel: Yes, I think there are slight differences. I think that in the manufacturing sector it is currently a bit easier to deal with the topic of digitalisation than in, let's say, standard sectors like energy. Of course there is a kind of digitalisation there as well, but it is a bit different. I think every sector has its own specialities when it comes to digitalisation, but we also deal with other topics. If we look at the security aspect at this point ...
Thomas Sinnwell: Yes, that's what I wanted to talk about. I think this is certainly a topic that unites everyone. It's a topic that everyone is struggling with.
Michael Krammel: Exactly. And it has to be said that of course the sectors have different standards in the security environment, but if you really look at it in detail, you can see that they all have pretty much the same challenges and that general standards are somewhat similar at this point.
Thomas Sinnwell: What are the special challenges in the field of OT?
Michael Krammel: Well, the security environment or the security topic itself is probably still, how shall I say, not necessarily a topic that has been actively discussed for a very long time. I mean, there are great people working there, from engineers and technicians of all kinds to experts who do a great job. But historically, the topic of security has never necessarily been a big issue here. You also have to say that in the past you had the feeling that you were on an island and there were no bridges. Of course, a lot has happened in recent years. And today, infrastructures are connected; today there are classic IT infrastructures in the production environment as well as in the IT environment. And with that, of course, the risks in the area of security increase due to networking. And one lies...
Thomas Sinnwell: So does that mean that IT and OT are beginning to merge? Or actually, that's already the case.
Michael Krammel: Yes, exactly. IT and OT were sometimes even coupled together; sometimes there wasn't even a separation. Of course, people are much more sensitive to this now. I mean, the IT Security Act has of course done a lot of good, when you look at the attacks that happen everywhere. So these things are being confronted today, but the greater challenge is actually: what measures can I use to operate security in the OT environment? They are not identical.
Thomas Sinnwell: Exactly. One could naively come up with the idea that if things are growing together anyway, then I can simply impose the concepts that have proven themselves in IT on OT and everything will be fine, but that doesn't work. What are the reasons?
Michael Krammel: I mean, if you really look at it, IT equipment has a lifespan of three, four, maybe five years at the most, then the equipment is replaced because the operating systems are basically discontinued. Of course, that doesn't work in OT. If you imagine a production line in the automotive industry and if every computer were replaced every three years, cars would be even more expensive.
Thomas Sinnwell: And the software would have a few more bugs.
Michael Krammel: Very true. The classic measures are not as easy to implement. If one were "to patch" in the classical sense, i.e. put virus scanners on the machines, it would work less well because of the legacy systems. I can't just reboot a machine in production when I have 24x7 availability. And so there are a whole lot of things that simply have to be taken into account. That's why you need other concepts and other measures.
Thomas Sinnwell: I would like to add another point: virus protection. This is very common in IT, unproblematic to implement, but very difficult or nearly impossible in OT. There is the issue of physical security as well. In IT, there's the server room with limited access possibilities; in large industrial plants and complex sites, I already have the chance to cheat my way in before the plant security discovers me. Of course, I have completely different attack surfaces.
Michael Krammel: Yes and I believe that the possibilities you have to detect problems in OT are not used to their full potential yet. For example by monitoring, you can really detect things. This can be seen again and again in malware that has been operating in the market for four or five years before it is even discovered and no one knew that such malware existed at that point. And I believe that it is important to introduce suitable measures in the future, especially for detection in monitoring.
Thomas Sinnwell: Yes. I absolutely agree. And for us, two aspects are very important: on the one hand the topic of transparency, because I can only protect what I know. And in the case of these very complex industrial plants, documentation can be very difficult. You have to start making a record to know what your current status is. That's the first aspect, transparency. Then the second one, from my point of view, is to detect when my status is changing and why.
Michael Krammel: Exactly. When we do gap analyses or risk analyses in the OT environment, we experience again and again that the greatest challenge for companies is to have up-to-date documentation and network plans, or to know where all the devices are and whether all the devices have been recorded. Because this is an area that has grown exponentially. And in the past, documentation was simply put in archives somewhere, copies on paper, and whether it was kept up to date or not has been falling behind a bit in recent years. In terms of costs in projects as well: it is easier to save on documentation than to really save on functionality. And of course, at some point, that comes back to haunt you.
Thomas Sinnwell: We brought up the topic of monitoring. From your point of view, what is important for such systems in this industrial environment?
Michael Krammel: Yes, well, I think it's important to know a) what equipment do I have? Ideally, that should be included in a monitoring approach. The difficulty we still have today is that even in the industrial environment, with these classic systems of the past, we can do a scan through the plant and know what is there afterwards. That works in IT. It gets more difficult when it comes to OT. In recent years, however, the systems have of course developed further. And then, if a certain anomaly is detected, since even the industrial protocols today are based on Ethernet, you at least get some information. And I still remember working with topics in 2005/2006 where you had to enter all the rules yourself, that is, you had to tune them yourself. So there, too, we need an algorithm that does it automatically. In my view, we still have far too much manual work in security. In the future, security must become more and more automated so that it becomes manageable. And I believe that systems like this can also be a good help.
Thomas Sinnwell: Good. If you automate this extensively or recognise anomalies, then you quickly get to the topic of AI or machine learning. And there are also very different approaches. I can imagine, and this is also our credo, that it is crucial in this industrial sector that these systems are also controllable. That means that the employees in the control room also have a chance to get meaningful information. It should be possible as seamlessly as possible so that a cyber security expert can also look at this event in order to evaluate what is being done with it. Or ideally, you can perhaps already see what is actually happening.
Michael Krammel: Yes, I think that was also the challenge in the earlier systems, that you get an infinite amount of information or messages. What could have been difficult, especially in the system? Exactly this interpretation, to present it in such a way that people who are not only the great experts can also make use of it. And I think that will be exactly this difficult balancing act. In addition, of course, and I believe this must be pursued more strongly today, engineering, the people who work in the automation environment, must of course also be supported and assisted so that they can also develop further with these topics. This has simply not penetrated traditional education, especially with regard to IT and security. It is important to introduce these topics to these professional groups at an early stage. That's why know-how transfer and qualification is a very important topic here.
Thomas Sinnwell: Yes, absolutely. And what is your view of the topic now? What is a good introduction to the topic of cyber security for industrial companies, whether they are large or small? What could be a good entry point? How can you approach the topic?
Michael Krammel: I think a good basis is to first know where you stand in the situation. That is, to really do an analysis, if necessary with automated support from one's monitoring systems and recording systems, in order to know what assets are there. But in general, to check where I really stand in the context of security, in order to then approach the next steps honestly and authentically from this situation. Because this sticking-plaster strategy, as I always like to call it (I quickly put up a firewall here, and then I have a problem there), often leads to the overall picture not being clearly presented. And so you are always panting after the next incident or problem. I think it is very important to get an overall picture of where we stand and then, of course, to develop a strategy for taking the next steps. And there is no blueprint for this; you simply have to see: What can a company do? How can they deal with the issue? And I am also a friend of so-called quick wins, so in principle you try to implement quick solutions that don't cost much and that don't require much effort. And there is usually always a lot that the companies can do themselves.
Thomas Sinnwell: Good. In the IT sector, it is also a tried and tested approach to ask: what accounts for 80% of the potential damage? What are the classic attacks or attack vectors that exist? Because if I already take care of those, the probability that something in the remaining 20% will reach me is rather low, because attackers usually also proceed economically.
Michael Krammel: Exactly. And it's also the case that you shouldn't underestimate the fact that the biggest problems don't always come from the outside, but are often caused internally by ignorance and a lack of awareness. A USB stick, for example, is quickly plugged in somewhere. If you don't have a virus scanner, heterogeneous systems, legacy systems, especially in the OT environment, such a stick can have extreme effects if something is on it. This is discussed again and again. In the past, IT said they would protect themselves from OT, today OT says we have to protect ourselves from IT. This is a chicken-and-egg problem at this point, but it will also be exacerbated in the case where, of course, the infrastructure is now being expanded again in the course of digitalisation or Industry 4.0. And the OT and the production environment are of course also being used in cloud infrastructures, and this simply requires more and more interdisciplinary, comprehensive, holistic security concepts.
Thomas Sinnwell: What are the trend topics that are currently being tackled in order to achieve this goal?
Michael Krammel: As always, security is not necessarily the top priority, but today the mega-topic is digitalisation and, of course, that digitalisation works. That means developing new ideas, linking production data via edge computing, then bringing them to the appropriate platform in cloud infrastructures and then perhaps already having added value in many places. And the security issue, if you think about it right from the start, is of course a good story. For many, the priority is perhaps to do the other things first. I myself am active in the Industry 4.0 platform in various working groups. But I would say that the topic of security is the enabler for the topic of digitalisation. Without security, there will be no digitisation. At least no successful digitalisation for a while. And that's why it will become increasingly important to take these things into consideration from the very beginning.
Thomas Sinnwell: Michael, we talked about the lifespan of industrial plants, which is considerably longer than in the IT sector. That means that I usually have a lot of old technology in the companies.
Michael Krammel: Absolutely. Yes.
Thomas Sinnwell: And segmentation is an effective tool. To make it a bit more manageable, you can of course also couple it with edge boxes, which typically contain a small industrial firewall. If you make it a bit better, I also have a tap point for monitoring systems to dock onto, to serve the topic you raised, that I also have to recognise when something changes.
Michael Krammel: Exactly. That's because people can't see inside the cable. And I would say that they won't necessarily always read out every log from every firewall. That's why I mentioned earlier that we need to automate security more in order to make it more manageable. And that will develop in such a situation in the future. There will no longer be these rigid networks that have existed for many years; instead, due to digitalisation, access and communication connections will probably become more and more flexible. This means that we will have to think about structural concepts here as well.
Thomas Sinnwell: And how to follow up the monitoring at that point.
Michael Krammel: Exactly. How can you follow up on the monitoring? But I don't think these are the biggest challenges from a technological point of view. I think there are already good approaches to solving them. I always like to say that we don't fail technologically, but that the human factor and organisation play a very important role. Because of course you also have to deal with operational concepts. When I install solutions or products, I have to consider right from the start who will deal with them. Because even with a monitoring system, I have to have someone who supports me, and I have to be aware that either I train my people myself or I might even have to hire a service.
Thomas Sinnwell: Which is difficult enough, because there really aren't that many security experts.
Michael Krammel: They are very much in demand at the moment.
Thomas Sinnwell: Also those who are knowledgeable in the industrial sector and are familiar with the special protocols. That makes the field even thinner. That's a thick board that you have to drill through in order to build up resources.
Michael Krammel: Yes, but I am personally of the opinion that if we invest more in knowledge transfer and training, including the companies, then there will also be people in companies who would like to deal with these topics. We have great skilled personnel when it comes to automation. It might not be that far away to simply further develop and build up this knowledge. And then also, let's say, enable companies to ...
Thomas Sinnwell: and develop concepts, ...
Michael Krammel: ... to do things themselves.
Thomas Sinnwell: ... in order to then bring this into the company on a broad basis, in order to involve all the professional groups concerned and to impart the necessary knowledge.
Michael Krammel: Exactly. And I do believe that if you go down this path, there will also be what I always like to call a workforce transformation. This is also a topic that we want to focus on, that we all share and exchange knowledge more. As a result, we can better implement projects in these areas from all sides: from the service provider side as well as from the operator side and the manufacturer side. At this point, we have to pay a big compliment. Many manufacturers are now really getting into the processes, such as secure software development and secure products. If there are problems with products, they are reported proactively. In the past, people tended to put a blanket over it, because they didn't want anyone to know that I might have a vulnerability in my product. No, today there are CERTs, like VDE CERTs, where it is precisely these product manufacturers who actually report their corresponding vulnerabilities and then make patches available again. So you can see that there is a different cultural drive coming in.
Thomas Sinnwell: Which is really necessary.
Michael Krammel: Absolutely.
Thomas Sinnwell: I mean, you can approach the topic in different ways. One is the subject of fear, the book "Blackout" comes to mind. That's not to say that it's completely unrealistic.
Michael Krammel: No.
Thomas Sinnwell: And when you read it, you can get a bit scared. What is the way forward for you in the future? How are you now approaching this topic in K4 Digital?
Michael Krammel: The experience of recent years, especially in the context of OT security, is that security does not stop with IT. The topics are becoming more and more holistic and we have had very good experience in approaching the matter holistically. In principle, we have developed a tetrahedron approach: the topics of organisation, processes, technology and the human factor must be treated equally, because no matter what I do in terms of security, I must also look at the other topics. And with this holistic approach, you also get a view of the big picture and then, from our experience, you can make security very manageable. Of course, it has a certain complexity, but it is better to have the systemic knowledge of how my system works and where I have to serve the topic everywhere, in order to then set priorities. Because no one can implement the whole thing from start to finish in one year, and it is not a project: security is a process.
Thomas Sinnwell: Exactly. And in this respect it is important to know where you stand. It's important to know what you can still do and then, of course, prioritise it sensibly over time.
Michael Krammel: Exactly.
Thomas Sinnwell: Then I would like to draw a conclusion and ask you to help me. Then perhaps we can come up with the top 5 points for the OT area, for the topic of automation or 4.0 or Industry 4.0.
Michael Krammel: I think the first point is a recommendation that I have taken with me from the last few years: It is very important to have management commitment if you want to move something forward, be it in digitalisation or in the security environment. I cannot successfully steer an organisation from the middle if the management is not behind it. And that is why management is very important in any case. It is important to deal with these issues and to develop them further within the organisation.
Thomas Sinnwell: Then, as point 2, I would include the topic of awareness, the people, all the professional groups concerned and, in particular, impart the necessary know-how.
Michael Krammel: And then not be afraid of change. I think that is also the case. And the one who gives also gets something. And that's why I think it's also such a cultural process that has to evolve so that you can face the new challenges. Whether it's digitalisation or security, we'll have to break down the silos a bit, we'll have to work together more and, above all, we'll have to try to be more interdisciplinary. And then I think we'll be able to do these things well.
Thomas Sinnwell: Then the next thing that comes to mind is: hardening structures. And if I can't touch old technology, it's just about segmentation. Then finally implement the measure and then, from my point of view, very, very important: create opportunities to see what actually happens in these very complex networks. In a form that can be interpreted by the staff.
Michael Krammel: And I think what we can perhaps add is that we should really look for ways to further automate security. Don't just install ten technologies that don't harmonise with each other, but try to focus more on multidisciplinary solutions. And for that, you ultimately have to get everyone involved at the table again, because otherwise IT does this and OT does that, and digitalisation then does something else, and usually the pieces of the puzzle don't necessarily fit together.
Thomas Sinnwell: Michael, thank you very much for the interview, it was a lot of fun. And I am so looking forward to our further points of contact. We have a lot of plans for that.
Michael Krammel: Yes, exactly. And I also enjoyed it. Let's look at digitalisation and try to master it well at this point.
Thomas Sinnwell: Exactly. Thank you very much!
Michael Krammel: Thank you, you too. Ciao!
Thomas Sinnwell: Ciao!
That's it for today's topic. As always, we hope we were able to entertain you a little and that you were able to take something away with you. As always, you can find further links in the show notes. And if you enjoyed the podcast, we would be happy if you followed us. The next episode is already in the starting blocks and will be released on 3 December, as always on the first Thursday of every month. Tune in and make a note of it now. It's worth it.