As a result of the ongoing digitalisation of production and logistics, German industry is increasingly exposing itself to security vulnerabilities. Many connected devices, machines and systems acquired as part of Industry 4.0 rely on electronic control systems that hackers can often infiltrate with ease. The main reason is that the software embedded in these components is often outdated, as manufacturers do not consistently provide the updates needed to patch newly discovered vulnerabilities. These are the findings of the "OT+IoT Cybersecurity Report 2024" from the Düsseldorf-based cybersecurity company ONEKEY. The report is based on a survey of 300 industry executives.
"The smart factory is a great concept," said Jan Wendenburg, CEO of ONEKEY, "but the associated cyber risks are still too often neglected." According to the survey, only 29 percent of industrial companies conduct a comprehensive security assessment when procuring connected devices and machines to determine how well new acquisitions are protected against hacking. A further 30 percent admit to limiting their assessments to superficial tests or spot checks. Uncertainty is high, according to the report, with more than a quarter (26 percent) of respondents unable to answer the question. "The number of outdated software instances in manufacturing facilities appears to be alarmingly high," added Jan Wendenburg.
More Policies for Industrial Control System Security
According to the survey, only 28 percent of companies have specific compliance policies for the security of industrial control systems or Industrial Internet of Things (IIoT) devices. A good third (34 percent) have no dedicated OT or IoT security policy but cover the topic within their general cybersecurity guidelines. A further 19 percent say they have no such policy in place at all.
Firmware, the software embedded in digital control systems, connected devices, machines, and plants, is not systematically tested for cyber resilience in the industry, according to ONEKEY’s “OT+IoT Cybersecurity Report 2024”. Fewer than a third (31 percent) of organisations regularly test the firmware in their connected devices to identify and fix vulnerabilities that could serve as entry points for attackers. Nearly half (47 percent) test firmware only occasionally or not at all. In addition, more than half of the companies surveyed (52 percent) report that they have been attacked via OT or IoT devices at least once, and a quarter of those are aware of three or more instances in which cybercriminals targeted the company through its industrial control systems.
Industry Should Demand and Use Up-To-Date Software
“Connected devices sometimes run very outdated software,” said Jan Wendenburg. “Because it has worked perfectly for years, or even decades, no one thinks to update it. However, this can have serious consequences if hackers exploit the outdated software to attack the digital control system.” The ONEKEY CEO gave an example from the manufacturing industry: “Through unprotected firmware, cybercriminals can remotely change the internal configuration of a CNC machine, damaging both the machine and the workpieces. The damage to the machine could be irreparable, and an entire production batch could be rendered useless.” Attackers can also use compromised firmware as a foothold to infiltrate the company’s network and, for example, launch a ransomware attack, in which critical business data is encrypted and only released after a ransom is paid.
Time for action
Jan Wendenburg pointed out that responsibility for outdated machine software lies equally with manufacturers and users. He referred to the EU Cyber Resilience Act (CRA), which from 2026/2027 will prohibit placing connected products with known exploitable vulnerabilities on the EU market. The CRA will also oblige manufacturers to monitor their firmware after delivery and to provide security updates promptly when new vulnerabilities are discovered. That is far from today’s reality, according to ONEKEY’s “OT+IoT Cybersecurity Report 2024”: only 28 percent of companies already meet this requirement, which the regulation makes mandatory from 2027, by systematically providing updated software for the connected devices and machines they have delivered to customers. Thirty percent carry out occasional updates, while 17 percent do not update at all. “It’s time for manufacturers to align their software development and monitoring with the upcoming legal requirements,” advised Jan Wendenburg.
According to the “OT+IoT Cybersecurity Report 2024” by ONEKEY, only about a quarter (26 percent) of companies assess their operational maturity in product and project development as adequate in terms of cyber resilience. These companies have a defined process for a secure development cycle that is actively pursued. Another 12 percent have established such a security process, but according to their own assessment, it is poorly managed and mainly handled in a reactive manner. In nearly one in ten of the surveyed companies (9 percent), no such process for quality assurance in product and project development exists.