It is crucial to establish a holistic approach to cyber security at an early stage that takes all relevant protection goals into account.

In today's digital world, cyber security is an essential topic for operators of systems requiring monitoring, and it matters both as a matter of economic self-interest and from a security perspective: the growing number of cyber attacks presents companies with major challenges. At the same time, the regulatory landscape is becoming more complex as numerous ordinances and regulations accumulate. From TÜV NORD's point of view, companies must address the question of how they can effectively protect their technical systems and data without losing track of the regulations. For small and medium-sized enterprises (SMEs) in particular, implementing these requirements is usually a huge hurdle.
According to the Federal Criminal Police Office's Cybercrime Report, 80 per cent of attacks are carried out using ransomware. These malicious programmes are designed to encrypt computer systems and steal data in order to extort a ransom. Networked production facilities are particularly susceptible to such attacks, because the very connectivity that makes them productive also gives attackers a way in. Phishing and deepfake calls are also common methods of cybercrime. These attacks jeopardise not only the protection of sensitive information but also continuous and secure production, which entails considerable economic and safety risks.
Regulatory challenges and practical solutions
Boris Göppert, Head of Portfolio Management Process Technology at TÜV NORD, emphasises the need for an all-encompassing approach: "A comprehensive cyber security process that integrates all relevant protection goals and regulatory requirements can create significant synergies." This means that, through thorough preparation and the inclusion of all relevant regulations in a carefully coordinated process, operators only have to go through the key steps of cyber security, from risk analysis to implementation and testing, once. The recommendation is therefore not to work through the regulatory areas individually, but to consider requirements and measures for the same and similar protection goals in a bundled manner. Depending on the plant, the most common rules and regulations include the Technical Rules for Operational Safety (TRBS) 1115 Part 1 (safety-relevant measuring and control equipment), the NIS2 Directive (cyber resilience of critical equipment), the Major Accidents Ordinance (prevention of serious accidents caused by hazardous substances) and the occupational health and safety regulations (health and safety in the plant).
Examples of systems requiring monitoring in SMEs
Systems requiring monitoring that are frequently found in SMEs include lifts, pressurised systems and networked control systems. These systems are often equipped with temporary or permanent network connections, which can represent potential avenues of attack. In direct attacks via the Internet, attackers aim to sabotage, steal or encrypt data in order to extort ransom money. Boris Göppert also warns of another route: "Indirect attack paths via maintenance computers, data carriers connected via USB interface or temporary connections are often underestimated." For example, the use of an unknowingly infected data carrier can cause major damage even in a system that is not connected to the Internet.
Practical approaches for more cyber security
To support SMEs in implementing cyber security measures, TRBS 1115 Part 1 now includes an annex that describes practical cyber security measures. An increase in IT security can be achieved through many individual measures. These include removing unnecessary services and software, adjusting security settings, regularly updating software and operating systems, segmenting networks, using VPN connections for remote access to systems, enforcing access controls and setting up monitoring and logging systems. According to Boris Göppert, even the consistent avoidance of basic security flaws would mean significant progress. This includes a comprehensive inventory of all potentially vulnerable systems, access protection and conscious decisions on networking.
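The measures listed above only help if they are checked against the inventory of potentially vulnerable systems that the paragraph calls for. The following Python script is an added example, not TÜV NORD's tooling and not part of TRBS 1115: it records each system as an inventory entry and reports which of the listed measures (no unnecessary services, current patches, network segmentation, VPN-only remote access, personal accounts, logging) are missing. The three inventory records, the list of unnecessary services and the 90-day patch threshold are constructed assumptions for this example.

```python
"""Added example: baseline gap check over a constructed plant inventory."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed policy values for this example, not values taken from TRBS 1115.
UNNECESSARY_SERVICES = frozenset({"telnet", "ftp", "smbv1", "unauthenticated-vnc"})
MAX_PATCH_AGE_DAYS = 90


@dataclass(frozen=True)
class Asset:
    """One entry in the inventory of potentially vulnerable systems."""
    name: str
    kind: str                  # lift, pressurised system, PLC, maintenance computer ...
    network_zone: str          # "flat-lan" means no segmentation from office IT
    internet_reachable: bool   # reachable from the Internet, even temporarily
    remote_access: str         # "none", "vpn" or "direct"
    services: frozenset        # network services listening on the device
    last_patch: date           # date of the last software/OS update
    logging_enabled: bool      # events forwarded to a monitoring/logging system
    shared_accounts: bool      # logins that cannot be attributed to one person


def check_asset(asset: Asset, today: date) -> list[str]:
    """Return the sorted list of gaps for one asset (empty list = baseline met)."""
    findings = []
    # Unnecessary services: anything listening that is on the removal list.
    for svc in sorted(asset.services & UNNECESSARY_SERVICES):
        findings.append(f"unnecessary-service:{svc}")
    # Regular updates: patches older than the policy threshold.
    if (today - asset.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append("stale-patches")
    # Segmentation and conscious decisions on networking.
    if asset.network_zone == "flat-lan":
        findings.append("flat-network")
    if asset.internet_reachable:
        findings.append("internet-reachable")
    # Remote access only through a VPN connection.
    if asset.remote_access == "direct":
        findings.append("remote-access-without-vpn")
    # Monitoring and logging, and access protection with personal accounts.
    if not asset.logging_enabled:
        findings.append("no-logging")
    if asset.shared_accounts:
        findings.append("shared-accounts")
    return sorted(findings)


def inventory_report(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map every asset name to its list of gaps."""
    return {a.name: check_asset(a, today) for a in assets}


def prioritise(assets: list[Asset], today: date) -> list[str]:
    """Asset names ordered by number of gaps, most gaps first (ties by name)."""
    report = inventory_report(assets, today)
    return sorted(report, key=lambda name: (-len(report[name]), name))


# Constructed inventory: a well-kept lift controller, a badly exposed PLC on a
# pressurised system, and a maintenance laptop that bridges Internet and plant.
INVENTORY = [
    Asset("lift-controller-1", "lift", "ot-segment-a", False, "vpn",
          frozenset({"https"}), date(2024, 5, 1), True, False),
    Asset("press-plc-7", "pressurised system", "flat-lan", True, "direct",
          frozenset({"telnet", "modbus"}), date(2023, 11, 1), False, True),
    Asset("maint-laptop-3", "maintenance computer", "ot-segment-a", True, "none",
          frozenset({"smbv1", "rdp"}), date(2024, 3, 15), True, False),
]
AS_OF = date(2024, 6, 1)  # fixed reference date so the report is reproducible

if __name__ == "__main__":
    report = inventory_report(INVENTORY, AS_OF)
    for name in prioritise(INVENTORY, AS_OF):
        gaps = ", ".join(report[name]) or "baseline met"
        print(f"{name}: {gaps}")
```

The ordered output is the point: the PLC on the flat network with direct remote access comes first, the maintenance laptop second because it combines Internet reachability with a legacy file-sharing service, which is exactly the indirect path via maintenance computers described earlier. Extending the check to a real plant means replacing `INVENTORY` with records exported from the actual asset list, not changing the check.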
Coordinated approach for responsibility and efficiency
A coordinated approach is the basic prerequisite for cyber security. Authorised inspection bodies (ZÜS) such as TÜV NORD play a decisive role by supporting operators with unbureaucratic documentation, mediating between state authorities and operators and pointing out country-specific requirements. Boris Göppert emphasises: "Coordinated, cross-sector cyber regulation would not only further improve security, but also minimise costs and reduce bureaucracy." This includes the harmonisation of regulations, coordination between regulatory authorities and the promotion of best practices and technologies.
Conclusion
It is crucial for SMEs to establish a holistic approach to cyber security at an early stage that takes all relevant protection goals into account. The support of approved inspection bodies (ZÜS) and the use of practical guidelines such as TRBS 1115 Part 1 can help to master the challenges of cyber security efficiently and economically, both technically and organisationally, with the aim of providing industrial plants with the best possible protection against cybercrime. Göppert: "In order to master this task in the best possible way and to meet the individual requirements of the plant types, we at TÜV NORD are on hand with help and advice."

Boris Göppert, Head of Portfolio Management Process Technology at TÜV NORD
Founded over 150 years ago, we stand for security and trust worldwide. As a knowledge company, we have our sights firmly set on the digital future. Whether engineers, IT security experts or specialists for the mobility of the future: in more than 100 countries, we ensure that our customers become even more successful in the networked world.