DeepSec 2022 Talk: Industrial-Security vs. IT-Security – What Can We Learn From Each Other? – Michael Walser
In the age of digitalisation, classic IT and industry are moving ever closer together. Devices are being networked and more and more smart devices are flooding the production hall. However, IT security is often disregarded in the process. Every device in the network can be compromised and requires an adapted strategy. Experience from 30 years of IT security gives the industry an orientation – but does not solve its problems. The challenges are often completely different, and the situation often requires completely different approaches. We try an approach and show experiences from the work with our customers and partners and give food for thought on what an IT security strategy for industry can look like and what both worlds can learn from each other.
We asked Michael Walser a few more questions about his talk.
Please tell us the top 5 facts about your talk.
Industrial Control Systems are not that different from classic IT-Systems but the ways they are handled are very different because of very different use cases. With securing those networks and devices, the industry can benefit a lot from the cyber security knowledge of the IT-departments. But for both worlds, it is important to understand each other. In this talk, we care about the basics and want to build bridges between these two converging worlds.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The industrial applications and systems are black boxes for IT, and, the other way around, the industry doesn’t understand why IT is always nagging them with their security measures, because they find them annoying and impractical.
So, I was asked so many times to talk about this topic, that I created this talk to share our experience with real-world projects over the past years. Of course, we can only scratch the surface, but this talk should become a good starting point.
Why do you think this is an important topic?
When planning an OT security strategy, it is important to understand both worlds to find the adequate security level, measurements, and tools. There are a lot of excuses used to keep things simpler and the marketing of many of the companies gives the impression of an egg-sleeper pillow – but very often you can reach a much better protection level by just addressing the low hanging fruits – as long as you can identify them.
Is there something you want everybody to know – some good advice for our readers maybe?
This talk should transport the basics. So, if you have an IT-Background and if you are responsible for securing your production plant or if you think about starting OT-Security, it is a good starting point. No background know-how is needed. We start from the beginning.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
The OT-Security journey has just started. I think the mindset of operators and vendors needs to change. It is not the question of how large the probability of being hacked is – it is important to understand that the factor of being vulnerable is enough to start the journey as soon as possible.
Michael Walser is a board member and CTO of the Munich-based security company sematicon AG. In this role, he is responsible for the company’s technical strategy and advises customers on the secure implementation of the digital transformation. After graduating in electrical engineering, he worked for many years as a consultant and advisor on successful IT security projects with a focus on cryptography and identity and access management worldwide and was responsible for implementation.