- The digitalisation of manufacturing and logistics introduces unknown software vulnerabilities that hackers can exploit.
- ONEKEY’s “OT+IoT Cybersecurity Report” reveals: Smart factories are often insufficiently protected.
DUESSELDORF – German industry is increasingly exposing itself to security vulnerabilities due to the ongoing digitalisation of production and logistics. Many connected devices, machines, and systems acquired as part of Industry 4.0 rely on electronic control systems that hackers can often infiltrate with ease. The main reason is that the software embedded in these components is often outdated, as manufacturers do not consistently provide the updates needed to patch newly discovered vulnerabilities. These are the findings of the “OT+IoT Cybersecurity Report 2024” by the Duesseldorf-based cybersecurity company ONEKEY. The report is based on a survey of 300 industry executives.
“Smart Factory is a great concept,” said Jan Wendenburg, CEO of ONEKEY, “but the associated cyber risks are still too often neglected.” According to the survey, only 29 percent of industrial companies conduct a comprehensive security assessment when procuring connected devices and machines to determine how well new acquisitions are protected against hacker attacks. A further 30 percent admit to limiting their assessments to superficial tests or spot checks. Uncertainty is high, according to the report, with more than a quarter (26 percent) of respondents unable to answer the question. “The number of outdated software instances in manufacturing facilities appears to be alarmingly high,” added Jan Wendenburg.
More Policies for Industrial Control System Security
According to the survey, only 28 percent of companies have specific compliance policies for the security of industrial control systems or devices for the Industrial Internet of Things. A good third (34 percent) have no specific OT or IoT security policy, but address the topic as part of the company’s general cybersecurity guidelines. A further 19 percent say they have no policy in place at all.
Firmware, the software embedded in digital control systems, connected devices, machines, and plants, is not systematically tested for cyber resilience in the industry, according to ONEKEY’s “OT+IoT Cybersecurity Report 2024”. Less than a third (31 percent) of organisations regularly test the embedded programs in connected devices to identify and fix vulnerabilities that could serve as entry points for hackers. Nearly half (47 percent) test firmware only occasionally or not at all. In addition, more than half of the companies surveyed (52 percent) report that they have been attacked by hackers via OT or IoT devices at least once. A quarter of them are aware of three or more instances in which cybercriminals targeted the company via industrial control systems.
Industry Should Demand and Use Up-To-Date Software
“Connected devices sometimes run very outdated software,” said Jan Wendenburg. “Because it has worked perfectly for years, or even decades, no one thinks to update it. However, this can have serious consequences if hackers exploit the outdated software to attack the digital control system.” The ONEKEY CEO gave an example from the manufacturing industry: “Through unprotected firmware, cybercriminals can remotely change the internal configuration of a CNC machine, damaging both the machine and the workpieces. The damage to the machine could be irreparable, and an entire production batch could be rendered useless.” Hackers can also use the firmware to infiltrate the company’s network and launch, for example, a ransomware attack, in which critical business data is encrypted and only released after a ransom is paid.
Jan Wendenburg pointed out that the responsibility for outdated machine software lies equally with manufacturers and users. He references the EU Cyber Resilience Act (CRA), which will ban the sale of connected devices with known vulnerabilities in the European Union starting in 2026/2027. In addition, the CRA will require manufacturers to monitor all firmware after delivery and to provide updated versions immediately when new security vulnerabilities are discovered. However, this is far from the current reality, according to ONEKEY’s “OT+IoT Cybersecurity Report 2024”: only 28 percent of companies currently comply with the directive, which becomes mandatory in 2027, by systematically providing updated software for connected devices and machines delivered to customers. Thirty percent carry out occasional updates, while 17 percent do not update at all. “It’s time for manufacturers to align their software development and monitoring with the upcoming legal requirements,” advised Jan Wendenburg.
According to the “OT+IoT Cybersecurity Report 2024” by ONEKEY, only about a quarter (26 percent) of companies assess their operational maturity in product and project development as adequate in terms of cyber resilience. These companies have a defined process for a secure development cycle that is actively pursued. Another 12 percent have established such a security process, but according to their own assessment, it is poorly managed and mainly handled in a reactive manner. In nearly one in ten of the surveyed companies (9 percent), no such process for quality assurance in product and project development exists.
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Integrated Software Bill of Materials (SBOM) generation supports proactive auditing of software supply chains. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
Contact us: ONEKEY GmbH,
Kaiserswerther Str. 45, 40477 Duesseldorf, Germany,
Sara Fortmann, e-mail: sara.fortmann@onekey.com,
website: https://onekey.com