DeepSec 2024 Talk: Why NIS2 Implementation often fails in Industrial Areas – Michael Walser

Sanna/ November 12, 2024/ Conference/ 0 comments

Why do most projects preparing for NIS2 fail in practice? Many affected companies complain that the requirements of EU Directive 2022/2555 are too unspecific and technically difficult to implement. Excessive demands are spreading. Unlike ISO security certification (e.g. ISO27001/ISO62443), affected companies are uncertain about how their actual implementation will be evaluated. The results are often unsatisfactory despite the sometimes massive investment in costs and personnel resources. An Excel spreadsheet or a Visio drawing does nothing by itself to change the resilience of KRITIS or industrial facilities against cyber-attacks in practice. We focus on industrial customers and their OT infrastructure, using anonymized, real-world examples to show the challenges in practice and offer examples of solutions to prevent repeating past mistakes. The first steps do not have to cost a lot of money or tie up


DeepSec 2024 Talk: Industrial plants: IP Protection in an increasingly (de)globalized economic System – Josef Rametsteiner

Sanna/ November 12, 2024/ Conference/ 0 comments

Customs duties and trade restrictions are increasingly presenting companies with logistical challenges. The trend is to move production capacities to the relevant countries in order to be close to the customer. But how can a company safely move production to an industrial plant abroad without risking the loss of its own IP (intellectual property)? Using a practical example, we show how to enable a commercially available Simatic S7 1500 PLC to keep control over the PLC program stored in the controller and its parameters. To achieve this, we implement strong cryptography within the device. The challenge here is that the device does not have the necessary functionality “out of the box”. How can we make sure that production does not take on a life of its own (secure manufacturing)? Regardless of the PLC used, industry has


DeepSec 2024 Talk: “EU Cyber Resilience Act” – Maintain control and not just liability for your products – Michael Walser

Sanna/ November 11, 2024/ Conference/ 0 comments

The new EU Directive EU 2019/1020, also known as the “Cyber Resilience Act” or “CRA” for short, defines new rules for manufacturers of hardware and software with “digital elements”. For device manufacturers in the medical, industrial and entertainment sectors, the time to act is now. Security updates, vulnerability handling and an extended duty of care over the product life cycle are now enforced by law. However, hardware production, such as IoT devices, poses new challenges. What many do not know: many vulnerabilities stem from physics and are not “bugs” in the conventional sense. As part of the “DeepSec Secure Coding” series, we put the spotlight on the challenges of developing secure hardware and show the vulnerabilities using the example implementation of a bootloader for embedded systems. How do you keep control over updates? What is “Secure
