Whether IIoT platforms, marketplaces, or smart services: digital ecosystems are all about openness, adaptability, and networking. Find out which nine points companies as ecosystem partners must be aware of in order to maintain control over the security of their IT infrastructure and their data sovereignty.
Digital Ecosystems and Platform Economy: Networked, Data-Driven, Vulnerable
There are good reasons why digital ecosystems are a model for Industry 4.0: due to their potential for innovation they are considered an enabler of competitiveness and future viability. For companies they offer the opportunity to develop new business models beyond their core activities, to exploit cross-industry synergies, and to defend their market position – through to the disruption of entire industries.
But when venturing into digital ecosystems, the stakeholders inevitably have to ask themselves: What do companies have to take into account if they wish to exploit the opportunities of digital ecosystems without losing control over the security of their IT infrastructure and their data sovereignty?
Opening up the OT to other networks, such as Office IT, service providers, or the cloud, makes critical systems accessible from an externally controlled environment. Given the lack of own control, these environments must be assumed to be potentially malicious. This makes it important to reliably and restrictively secure the network and service perimeters as well as communication over unsecured networks.
Steffen Ullrich is an IT security researcher at genua GmbH
Rethinking the Importance of Security
Digital ecosystems thrive on the interaction of their stakeholders via digital platforms. This is the only way to create new value chains in marketing, design, production, logistics, and sales. In Industry 4.0, people, machines, tools, processes as well as IT, OT, IIoT, and cloud infrastructures are connected via interfaces and integrated processes. Data also plays a key role as a basis for digital business models or the central economic asset of the ecosystem.
On the flipside there are risks such as the loss of data sovereignty and increased vulnerability to cyberattacks. The latter affects the digital platforms themselves, their own IT infrastructure and the interaction of all IT systems and organizations involved. So it is without question that security is more complex than ever before, and it must be planned far beyond the limitations of the company's own IT. Digital ecosystems are also a tempting target for cybercriminals.
Considering the above, it is easy to see that the value proposition of cybersecurity for industry is radically changing. It becomes a critical success factor and an investment in the competitiveness and future viability of every industrial company.
Security Risks in Digital Ecosystems
The IT infrastructure in digital ecosystems is marked by complexity and volatility, which increases vulnerability. Here are some particularly problematic aspects:
- High complexity due to heterogeneous IT landscapes
- High speed due to market and competitive pressure
- Many actors with different threat situations, maturity levels, and security and data protection policies
- Different values, interests, and regulatory requirements of the stakeholders
- Loss of control through indirect and direct dependencies (cloud, Xaas, hardware)
- IT-OT-IIoT networking sowie and brownfield digitization
- Limited availability up to complete failure
- Industrial espionage, sabotage, and data loss
- Loss of data sovereignty
- Loss of reputation due to security incidents
How to Successfully Mitigate the Risks of Digital Ecosystems
In order to effectively counteract the risks of digital ecosystems, it is important to take a holistic approach to the planning and implementation of cybersecurity. In terms of security in your own network, the focus should be on the following aspects in particular.
Industrial Security as a Service
Increasing complexity along with a shortage of skilled workers is making reliable operation increasingly difficult, while at the same time increasing demands on availability and security. The partial outsourcing of tasks "as a service" to service providers can help, both for operation and security. But as this primarily concerns the handing over of responsibility and not the inherent risks, it is essential to select a competent and trustworthy service provider.
Defense in Depth
No security component offers complete protection due to architectural limitations as well as bugs or misconfigurations. The combination of various components in several security layers, such as firewalls, network segmentation and access control, allows weaknesses in individual parts to be compensated for by "defense in depth".
Securing of particularly exposed aspects
Opening up the OT to other networks, such as Office IT, service providers, or the cloud, makes critical systems accessible from an externally controlled environment. Given the lack of own control, these environments must be assumed to be potentially malicious. This makes it important to reliably and restrictively secure the network and service perimeters as well as communication over unsecured networks. Data diodes enable controlled unidirectional communication without return channel, for example. Restrictive remote maintenance allows monitored and restrictive access to individual services or systems. And firewalls provide separation at network or application level. Due to their critical position in the network, it is important that these security systems themselves are not vulnerable.
Integrated IT-OT-IoT security
An unsecured network with a highly complex, potentially insecure and externally managed IT can pose a serious threat to production availability, integrity, and security. This is why restrictive, effective, and robust security concepts are necessary. This is the case for current OT systems, but even more so for older systems and infrastructure (brownfield). They were not designed with the focus on connectivity and security required in today's environment. Their potential for attack is correspondingly large.
Security and robustness by design
For maximum protection, security and robustness should be considered from the outset when designing systems. Securing existing systems later often requires compromises and corresponding risks in order to continue to guarantee the required functionality. Even if these high demands cannot be met by existing OT components themselves, the security systems used must at least be designed appropriately so as not to introduce any additional danger. In-depth software design such as privilege separation or sandboxing reduces the attack surface and thus offers robust security. External evaluations and certifications check the design and implementation from an independent point of view and offer additional security.
Zero trust networking
The growing complexity of the systems, the increasing transfer of responsibility to manufacturers and service providers, and greater networking with externally managed systems mean that control over the systems and infrastructures involved in one's own business processes is decreasing. The traditional assumption that a trustworthy private network can be created through sufficient security at the network perimeter is no longer feasible for today's issues. With the control of each individual access, zero trust networking therefore relies on robust protection of individual business processes – which is appropriate for a world with limited trust in users, end devices, networks, and services.
Machine learning-based network security
Preventive IT protection through proactive measures such as the static segmentation and micro-segmentation of networks makes it more difficult for an attacker to get in. But this approach cannot guarantee 100% security. Such proactive measures must therefore be supported with reactive measures for monitoring, analysis, and detection of anomalies as part of a defense-in-depth strategy. Modern artificial intelligence methods help to analyze, systematize, filter, and prioritize the variety of information. This is how they facilitate an understanding of network behavior and react to problems in good time.
Security policy and governance
Security cannot be enforced solely with technical measures such as access controls and communication restrictions. It must be effectively integrated into the organization through structures, processes, and awareness. This forms the basis for solid management of identities, trust, and access rights. Every company should also be secured by professional compliance management that enables objective and independent audits and defines relevant certificates and approvals.
Approvals and certifications
Independent reviews in the form of audits or penetration tests create more certainty about realistic trust in products, manufacturers and service providers, apart from the promised functionality, performance, and quality. This makes them an important foundation for selecting the right service, not only based on the promised scope of services but also taking into account the risks associated with the use. This is why suitable certifications or approvals are often required for compliance reasons or recommended in the context of risk management.
While it is true that the IT Security Act and the General Data Protection Regulation require IT operators to develop IT security and data protection concepts, these cannot be compared to traditional IT landscapes due to the high complexity and volatility of digital ecosystems. So it makes no sense to rely purely on the technical and organizational measures and guidelines of digital ecosystems. IT security concepts must also be interpreted differently depending on the domain, and different regulations may need to be taken into account (for example, web platform providers vs. industry vs. critical infrastructure).
In the end, it is usually the ecosystem participant who is stuck with the risks, since the liability risk of the initiator or service provider is often not in reasonable proportion to the own business risk (e.g., cloud provider vs. system operator) – reputational harm included.
Trust in our many years of expertise in the development of highly secure IT solutions for network security. They enable you to take advantage of the opportunities offered by digital ecosystems for your business success while at the same time protecting your business assets long-term. Our recommendation:
- Highly secure virtual private networks
- Defense in depth and network segmentation solutions
- Machine learning-based internal network security
- Highly secure data dump