Cyber security for component manufacturers SECURE BY ANY STANDARDS

AT A GLANCE:

Cloud connection and networking via the Internet of Things (IoT) are creating new opportunities for your OT products – but also new risks.

In 2022 alone, ransomware attacks on OT in production and infrastructure increased by 87%.

Protect your products from the start using secure software – and accommodate increasing regulatory requirements, like the forthcoming EU Cyber Resilience Act.

Your motivation:

Your OT products have long done more than just their defined control, sensor, or actuator function: they also communicate in production, infrastructure, and rail networks, and that is why they must be protected against unauthorized access. The plant operator’s own security measures, such as Defense in Depth or Zero Trust, are one side of this. As the manufacturer, you also have an obligation to build specific security measures into the product itself, in accordance with Germany’s IT Security Act 2.0, the forthcoming EU Cyber Resilience Act, and the new EU Machinery Regulation 2023/1230. The standards IEC 62443 (industrial automation and control systems) and CLC/TS 50701 (railway applications) are also relevant in this connection. But how can you identify and counter vulnerabilities and risks in your OT components and systems?

Cyber security for your OT products –
ask us!

Want to make your product cyber-secure? Get advice from our experts: Send an email with your request or call us. Protect your OT against the dangerous consequences of software errors and vulnerabilities!

What creates added value for you:

Codewerk helps you make the embedded software in your OT products cyber-secure – in two key areas:

  • First, by eliminating vulnerabilities right at the product development stage.
    That is the surest way to minimize security incidents in the field and thus the number of security updates and patches that have to be rolled out. That is a key factor in keeping operations moving, especially in areas such as rail-based transport, where a device update is never a trivial exercise.
  • Equally important is monitoring the software in your products for vulnerabilities throughout the product lifecycle. Continuous vulnerability monitoring makes that possible. It comprises not only the monitoring itself but also the evaluation of each vulnerability found and the recommendations for action that follow from it.

Codewerk services for secure software:

Development phase:
Secure coding and code review

Test phase:
Penetration testing and fuzzing

Operational phase:
Vulnerability management

What we do differently:

Codewerk is a partner, for example, to major industrial and rail vehicle equipment and component manufacturers, and is also active in R&D projects in the rail transport sector. Based on our understanding of complex systems and our own roots in software engineering, we can specifically target typical risks. Here are just three of many examples:

  • Insecure default configuration: A quick and easy target for attackers, but still a widespread one, e.g. debug services or default credentials that ship enabled on the device. Our penetration testing exposes such settings, and our fuzzing, which deliberately feeds the system automatically generated, malformed input data to provoke crashes or other unexpected behavior, uncovers the input-handling faults behind the exposed interfaces. Based on the findings, we apply our software expertise to fix the root cause in the source code.
  • Code vulnerabilities in third-party software: Most of the code in a product is sourced externally, and is therefore outside the product manufacturer’s direct control. Our continuous vulnerability monitoring and management reveals security loopholes in the libraries or frameworks you use and assesses their potential repercussions for your product.
  • Insecure data validation and input checking: If inputs are not properly validated, attackers can inject malicious data or code into the system and have it executed, e.g. via SQL injection or cross-site scripting in a device’s web interface, or via an unchecked length field in a protocol parser. With Security by Design, we counter this risk right at the development and testing phase.

The product is ready – how about a little security on top? Why Security by Design in accordance with IEC 62443 pays off

In many cases, cyber security is still considered a product feature, and treated as such: once the basic functions have been defined and programmed, security is bolted on afterwards as a mandatory add-on.

It’s time this way of thinking was turned around: how must a function be implemented so that it is secure? Errors in system design in particular, such as insecure fallback mechanisms or errors in key management, can be avoided only with Security by Design; unlike a coding bug, a design flaw cannot be patched away later without reworking the design. Correcting errors right at the development stage therefore not only makes the product more secure but is also far more cost-effective.

Which Fuzzing solution is recommended? Points in favor of security testing

We’re flexible about tooling. In our experience there are clear practical benefits in using a fuzzer to test the software continuously for security vulnerabilities from the very start of development: fuzz targets are easy to integrate into a CI/CD pipeline, and fuzzing substantially improves general code quality as well, because it surfaces crashes and undefined behavior that hand-written unit tests rarely reach. We’ve had very good experience with libFuzzer, and also with AFL++.
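The input-validation and fuzzing points above (the first and third risk examples, and the libFuzzer/AFL++ recommendation) come together in a fuzz target. The following is an added example written for this page, not Codewerk’s code: a small length-prefixed frame parser of the kind found in device firmware, once in a deliberately vulnerable form that trusts the length byte, once hardened so that every field that drives a memory access is checked against the real input length, plus the `LLVMFuzzerTestOneInput` entry point that libFuzzer (and AFL++ via its libFuzzer-compatible driver) calls with mutated inputs. The wire format, the `MAX_PAYLOAD` limit and the return codes are assumptions made for the example.

```c
/* Added example (not Codewerk's code): hypothetical frame parser plus fuzz target.
 *
 * Build with libFuzzer + AddressSanitizer:
 *   clang -g -O1 -fsanitize=fuzzer,address frame_fuzz.c -o frame_fuzz
 *   ./frame_fuzz corpus/
 * Build for AFL++ (stdin driver below, or afl-clang-fast -fsanitize=fuzzer):
 *   afl-clang-fast -g -O1 -fsanitize=address frame_fuzz.c -o frame_afl
 *   afl-fuzz -i corpus -o findings -- ./frame_afl
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format (constructed for this example):
 *   byte 0     : message type
 *   byte 1     : payload length N
 *   bytes 2..  : N payload bytes
 *   byte 2+N   : XOR checksum over type, length and payload
 */
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
} frame_t;

/* Vulnerable variant: trusts the length byte from the wire. A frame whose
 * length byte exceeds the input or MAX_PAYLOAD makes memcpy read past 'in'
 * and write past 'payload'. ASan reports this the first time the fuzzer
 * generates such an input, usually within seconds. */
int parse_frame_vulnerable(const uint8_t *in, size_t in_len, frame_t *out) {
    if (in_len < 2) return -1;
    out->type = in[0];
    out->len = in[1];
    memcpy(out->payload, in + 2, out->len);   /* no bounds check */
    return 0;
}

/* Hardened variant: the declared length is validated against both the
 * destination buffer and the actual input length before it is used, and
 * the checksum must match. Each rejection has its own code so a fuzzer
 * corpus can be triaged by cause. */
int parse_frame(const uint8_t *in, size_t in_len, frame_t *out) {
    if (in == NULL || out == NULL) return -1;
    if (in_len < 3) return -1;                   /* type + len + checksum at minimum */
    uint8_t len = in[1];
    if (len > MAX_PAYLOAD) return -2;            /* would overflow payload[] */
    if (in_len != (size_t)len + 3) return -3;    /* declared length must match frame size */
    uint8_t sum = 0;
    for (size_t i = 0; i < (size_t)len + 2; i++) sum ^= in[i];
    if (sum != in[len + 2]) return -4;           /* checksum mismatch */
    out->type = in[0];
    out->len = len;
    memcpy(out->payload, in + 2, len);
    return 0;
}

/* libFuzzer entry point: called with each mutated input. Any crash, hang
 * or sanitizer report is saved as a reproducer file for the developer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    frame_t f;
    (void)parse_frame(data, size, &f);
    return 0;
}

/* Stand-alone / AFL++ driver reading one input from stdin. Compiled out
 * under libFuzzer, which supplies its own main(). */
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
int main(void) {
    static uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, stdin);
    frame_t f;
    int rc = parse_frame(buf, n, &f);
    printf("parse_frame returned %d\n", rc);
    return rc == 0 ? 0 : 1;
}
#endif
```

Pointing the fuzzer at `parse_frame_vulnerable` instead of `parse_frame` is the quickest way to see what the page means by "a deliberate attempt to crash the system": the sanitizer stops on the first out-of-bounds access and writes the offending input to disk. In a CI/CD pipeline the same binary is typically run for a fixed time budget on every change, with the saved corpus committed alongside the code so regressions are caught immediately.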

Which security monitoring solution should I use? Points in favor of efficient vulnerability management

Our vulnerability management includes:

  • Tracking the third-party software components and the exact software versions used in your product.
  • Continuous monitoring to determine whether new vulnerabilities have been published for the components identified.
  • Assessment of detected vulnerabilities and testing whether they can actually be exploited in your product.

We’ll also perform a comprehensive assessment of your own (proprietary) software.

To sum up, we monitor your product for vulnerabilities throughout its lifecycle and provide you with recommendations for your specific application.
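The first two steps of the vulnerability management described above, an inventory of components and versions matched continuously against published advisories, are mechanical and worth automating. The following is an added example for this page, not Codewerk’s tooling: it takes a component inventory as a build system would emit it, matches it against advisories written in the OSV schema’s `introduced`/`fixed` event format, and ranks the hits for triage. All component names, advisory IDs (`EXAMPLE-*`), scores and summaries are constructed for the example; in practice the inventory would come from the product’s SBOM and the feed from a source such as OSV or the NVD. The third step on the page, testing whether a hit is actually exploitable in the product, remains analyst work and is only represented here by the "fix available" flag that decides between updating and mitigating.

```python
"""Added example (not Codewerk's tooling): match a component inventory against
an OSV-style vulnerability feed and rank the findings for triage.

All data below is constructed for this example; the advisory IDs and
scores are fictitious.
"""
from dataclasses import dataclass

# Component inventory as the build would emit it (constructed sample).
INVENTORY = [
    {"name": "examplelib-tls", "version": "1.4.2"},
    {"name": "examplelib-mqtt", "version": "2.0.0"},
    {"name": "examplelib-json", "version": "0.9.7"},
]

# Advisories in OSV event style (constructed sample). Events are sorted
# ascending: a range starts at 'introduced' and ends before 'fixed';
# 'introduced': '0' means "since the first release".
FEED = [
    {"id": "EXAMPLE-0001", "package": "examplelib-tls", "severity": 9.8,
     "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.3"}],
     "summary": "heap overflow in handshake parser"},
    {"id": "EXAMPLE-0002", "package": "examplelib-tls", "severity": 5.3,
     "events": [{"introduced": "0"}, {"fixed": "1.2.0"}],
     "summary": "weak default cipher list"},
    {"id": "EXAMPLE-0003", "package": "examplelib-mqtt", "severity": 7.5,
     "events": [{"introduced": "2.0.0"}],          # no fixed release yet
     "summary": "unauthenticated topic subscription"},
    {"id": "EXAMPLE-0004", "package": "examplelib-xml", "severity": 6.1,
     "events": [{"introduced": "0"}, {"fixed": "3.1.0"}],
     "summary": "entity expansion"},                # not in our inventory
]


def version_key(version: str) -> tuple:
    """Numeric tuple for dotted versions: '1.4.2' -> (1, 4, 2).
    Sufficient for the sample data; real feeds need the ecosystem's
    own version-ordering rules."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, events: list) -> bool:
    """Walk the sorted OSV events and decide whether 'version' falls in
    an affected range. Works for several introduced/fixed pairs."""
    v = version_key(version)
    affected = False
    for event in events:
        if "introduced" in event and v >= version_key(event["introduced"]):
            affected = True
        if "fixed" in event and v >= version_key(event["fixed"]):
            affected = False
    return affected


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    severity: float
    summary: str
    fix_available: bool


def match(inventory: list, feed: list) -> list:
    """Return every advisory that applies to a component in the inventory,
    highest severity first; among equal scores, fixable ones first."""
    findings = []
    for comp in inventory:
        for adv in feed:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["events"]):
                findings.append(Finding(
                    component=comp["name"], version=comp["version"],
                    advisory=adv["id"], severity=adv["severity"],
                    summary=adv["summary"],
                    fix_available=any("fixed" in e for e in adv["events"]),
                ))
    findings.sort(key=lambda f: (-f.severity, not f.fix_available))
    return findings


def report(findings: list) -> list:
    """One recommendation line per finding."""
    lines = []
    for f in findings:
        action = "update" if f.fix_available else "mitigate (no fix published yet)"
        lines.append(f"{f.advisory} {f.component} {f.version} "
                     f"CVSS {f.severity}: {f.summary} -> {action}")
    return lines


if __name__ == "__main__":
    for line in report(match(INVENTORY, FEED)):
        print(line)
```

Run on the sample data, the script flags the TLS library (affected by EXAMPLE-0001 because 1.4.2 is below the fixed 1.4.3, but not by EXAMPLE-0002, whose fix landed in 1.2.0) and the MQTT library (affected with no fix yet, so the recommendation is a mitigation rather than an update); the JSON library has no advisories and the XML advisory concerns a component the product does not ship. Rerunning this on every build, and whenever the feed changes, is what turns a one-off check into the continuous monitoring the page describes.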

See also:

“Head in the sand” no longer applies

How companies should respond to the EU’s Cyber Resilience Act

Standards-compliant cyber security for your OT –
ask us!

Want to make your product cyber-secure? Get advice from our experts: Send an email with your request or call us. Your first step toward effective cyber security!

THE CODE TO YOUR SUCCESS Codewerk

At Codewerk, we want to help improve protection for the world of OT. So cyber security is more than just another area of growth to us. We’re driving advances in this field out of a genuine passion for and identification with our customers’ world. As a long-standing software development partner to the process industry, manufacturing industry, and rail-based transport, we know how complex these systems are, and how long the road is to the same level of security as in IT. But there’s no time to build up a culture of cyber security slowly. The time to act is now.

  • A decade of experience as an independent software developer and service provider
  • Four locations in Germany
  • Partner in national and international R&D projects and in the open Siemens Xcelerator ecosystem
  • Certified to ISO/IEC 27001 since 2020
