Needs analysis of IT security at the German Social Accident Insurance Institutions and insured businesses

Project No. IFA 5152

Status:

completed 12/2020

Aims:

Numerous committees and working groups are currently addressing the topic of IT security. Their aim here is to apply the necessary IT security aspects to specific components or machines. As yet, however, no standard suitable for application by manufacturers or operators has been published in full. A number of associations have published position papers setting out their views on the subject. Since the positions on the subject of IT security are numerous and conflicting, many manufacturers and operators are unsure what measures must be implemented.

This project is intended to provide an overview of the current situation among manufacturers and operators and to survey the target group to establish what problems and issues its members face.

Activities/Methods:

For the purpose of obtaining an overview of the current situation among manufacturers and operators, a brief online survey was developed which the target group was able to complete in a web application. Interpretation of the survey results was to reveal a selection of topics relating to IT security from the perspective of occupational safety and health. Attention was to be paid in this outcome to efficacy, suitability for the target group and efficient use of resources.

The survey of manufacturers and operators on the current state of the art of IT security was carried out as an online survey, which was created and publicized by means of the LimeSurvey tool. Furthermore, conventional print versions of the questionnaire – suitable for completion by the respondents in personal contact – were used.

The survey was publicized through the following media:

  1. IFA's Twitter channel
  2. IFA's website
  3. Mailing lists with a total of over 12,000 subscribers
  4. Lectures and working groups

Following completion, the paper survey forms were transferred manually to the survey tool, marked as transferred and archived. The survey consisted of nine questions relating to three generic topics. The results, which were surprising, will assist us in tailoring our work on industrial security to the current needs of manufacturers and operators.

The generic topics are:

  1. Categorization of the company
  2. Self-assessment of the present risk by means of simple questions that can also be answered by IT lay people
  3. Description of the measures already taken in the area of industrial security

Results:

The LimeSurvey tool proved effective in both approaches referred to above.

The surprising outcome was the high level of industrial networking already in place. 87 of those surveyed responded with YES to the question: "Does your operation employ machines or control systems that are networked with each other or with the Internet?"

The survey posed the question: "Could people be harmed if all functions of the networked devices were controlled remotely and maliciously in an IT attack (without taking into account any protective measures already in place)?" The responses of the 40 participants, reflecting their own assessments, clearly revealed an urgent need for action: YES: 67%, NO: 30%, NO RESPONSE: 3%.

At the majority of company sites (82%), external experts (possibly in addition to in-house personnel) are tasked with ensuring IT security. As a result, the companies themselves lack experience and expertise in this area. This is particularly evident from their assessment of the consequences of a production stoppage. In response to the question: "What loss do you anticipate in the event of a production stoppage (of 9 hours in one year) resulting from an attack?", over 50% of respondents were unable to predict whether the probable loss would be marginal or catastrophic.

Fewer than 10% of respondents have ever conducted a penetration test of their own protective measures. Many survey participants encountered the concept of a penetration test for the first time in the survey, and responded favourably to the idea of verifying the effectiveness of their own protective measures.

The results enable three areas of activity to be identified that can improve workplace safety in the short term:

  1. Raising of awareness (demonstrators, lectures, publications)
  2. Assisting with assessment of own risks (lectures, publications)
  3. Providing expert knowledge with which control systems' vulnerabilities can be reduced to a minimum (research work in the security lab, academic theses, publications, tool for demonstrating programming errors)

Last Update:

27 Sept 2021

Project

Financed by:
  • Deutsche Gesetzliche Unfallversicherung e. V. (DGUV)
Research institution(s):
  • Institut für Arbeitsschutz der Deutschen Gesetzlichen Unfallversicherung (IFA)
Sector(s):

-cross sectoral-

Type of hazard:

questions beyond hazard-related issues

Catchwords:

plant safety, industrial accident, machine safety

Description, key words:

IT security, machine safety, information technology, digitalization, industrial security, information security, survey
