Challenges in safeguarding global production plants

Dr. Thorsten Widmer

Dr. Thorsten Widmer is responsible for the digitization of Bosch plants worldwide. He spoke with Simeon Mussler, COO of Bosch CyberCompare, about the weak points and challenges he faces in protecting more than 250 Bosch plants and a wide range of development sites.

One major challenge is ensuring that protective measures can be applied at scale yet still be segmented. In this way, a consistent, standard approach can be rolled out to all plants and locations around the world, while an attack that does occur affects only the specific site in question.

It is critical to always take a comprehensive risk-based view of OT security. In many cases, uncomplicated, low-cost actions like simple segmentation, employee training, and virus scanners can help to avert most attacks. In addition to technological solutions, the on-site organization makes a difference. For example, Bosch hires an OT security specialist for every one of its plants.

SMEs should focus on working with relevant initiatives, standards bodies, committees, and platforms. They can benefit greatly from close collaboration with everyone in the OT environment and from sharing information and ideas with their own partner networks.

Below you can find the official interview in English translation:

Expert interview with Dr. Thorsten Widmer of Bosch

Welcome. We are very much looking forward to the interview for Bosch CyberCompare.

Today with Thorsten Widmer from Bosch. We would like to have an open exchange, particularly about what today's challenges, problems and developments are, especially in the area of OT/IoT, i.e. industrial cybersecurity. To start the conversation, Mr. Widmer, perhaps you would like to briefly describe your role and where you are currently working in the Bosch Group.

Yes, gladly. My name is Thorsten Widmer. At headquarters, I am responsible for the digitization of our plants on the one hand and the engineering area on the other, i.e. the global network, but of course also for the safeguarding of the plants and the development department.

Maybe we’ll just start with challenges that are currently happening in the market and in the field. Mr. Widmer, from your point of view at Bosch, on the Bosch side, but also perhaps on your suppliers’ side, what are the greatest weaknesses, problems?

The major problems that we are currently seeing are, very simply summarized, not the IT solutions themselves, but for us very much the issue of the scalability of IT solutions. At Bosch, we have more than 250 plants and a large number of development locations with 70,000 developers. Securing them worldwide and bringing them to a uniform level is a major challenge. Accordingly, that means we have to design our systems in such a way that, on the one hand, they provide this protection worldwide, but on the other hand, when an attack has occurred, we can implement a segmentation in such a way that we remain in the segment with the attack and do not jump across the segments. That would be fatal, and there are measures that can be implemented. In a word: scaling, scaling, scaling of IT security solutions worldwide is one of our really big issues.

In the OT environment there is still considerable need to improve IT security. We need appropriate field organizations there, i.e. we need IT security and IT security knowledge in every plant. Accordingly, at Bosch, for example, we also have a so-called "Local ITM" in each plant, who is then responsible for IT security in that plant, and the IT solutions there do not always have to be, as I said, very modern or very advanced. A great deal can already be intercepted through segmentation, employee training and simple virus scanners. Although of course it is also the case that at the end of the day we always have to check that we have modern virus scanners, i.e. virus scanner updates, and that we have patched the systems in such a way that we can record them. That's also an issue which we see today as a vulnerability in one place or another, where we still have unpatched systems which are then not subject to any actual monitoring and where attacks then become possible as a result.

Mr. Widmer, building on that: how do you see the difference between technology and organization, from the Bosch point of view, but also considering the supplier network you have throughout the plants? Where do you think the focus is when you look at the vulnerabilities today, especially in the OT/IoT area?

From my point of view, IT security as a whole can only be created holistically. I.e. starting with the people, I have to take the holistic view via my process architecture, via the data architecture, the application architecture, so basically according to the TOGAF approach (editor's note: a globally recognized and applied framework for enterprise architecture), the holistic view of the IT and of the organizational ecosystem. We need risk-based application; if you look at all these issues from a risk-based perspective, then you will create an IT security system that also suits the individual companies.

Are there also, perhaps from your point of view, exciting developments, especially in the OT/IoT area, which on the one hand offer opportunities, and also offer opportunities for cybersecurity, to briefly stack the two, so to speak?

Of course. In this area, for example […], we have our own system approach and partners with whom we work, appreciate it very much and demand it. We also bring our suppliers exactly onto this system. It is also important for me to say that we always do this together with the corresponding partners and that we give ourselves overarching guidelines. We work closely with the industry, i.e. with the entire OT environment, with the corresponding standards, standardization bodies, but also with partners and industry, because we cannot and do not want to develop everything ourselves, we do not want to develop everything two, three, four or five times, but of course we also want to take advantage of the fact that our partner companies are active in certain areas in fields where we can then learn from and benefit from it, and partner companies also benefit from us if they can rely on what we have already worked out. Not every mistake needs to be repeated dozens of times.

A very important, simple example is the topic of segmentation, micro-segmentation of IT systems, which makes it relatively easy, even without a great deal of financial effort, to separate the systems from one another. Then I don't need a highly equipped IT security system. Rather, everyone can help to significantly increase IT security by using the appropriate segmentation in their plants, simply because, if an outbreak does occur, this outbreak then stays in the segment and doesn't just skip to the next segment. That's a priceless advantage, and that's also a piece of advice that I always give to our partners, our partner companies: that one can, I would say, with fairly simple methods realize great benefits and a great deal of security.

And perhaps a brief outlook towards the market. Well, Mr. Widmer, as I already said, you have to deal with many suppliers. The big ones have always been in focus. How are you currently observing the market? What's happening right now, what's going on right now, apart from MS Exchange, which of course currently goes up and down? What other issues are currently in focus, maybe also from smaller machine suppliers?

Working together with companies, but also with the corresponding standardization bodies, going into committee work jointly or similar activities, which you are currently doing, having appropriate platforms where the knowledge is then collected at a central point so that one can then progress more easily and quickly on the basis of this collected knowledge.

I would like to point out what I consider to be an important element. It’s not just that the number of cyber-attacks is increasing, especially in the OT sector. We are also making great strides in the overall networking system, and through this networking approach, I say, risks and opportunities arise.

Risks in the sense that we open up corresponding paths through stronger networking, so that in the event of a successful attack, new paths are opened via networking. We have to take appropriate measures to ensure security there.

However, there are also considerable opportunities through networking and platform architectures. I.e. if I now look at the heterogeneity of our Bosch plants, then I still have a relatively heterogeneous environment today, even in the MES systems, and we are currently harmonizing this system landscape significantly via a platform approach. Then, of course, it is much easier for me to implement the appropriate IT security in such a harmonized system. And I believe we urgently need to do this, since we want to move forward in networking, since we want to do cross-networking.

We are not only talking about networking within Bosch, but also with partners and ultimately with customers, and ultimately we want to be able to access all this data. We want to be able to use it. And we can only do that if we can also implement the appropriate IT security on site. And that requires strong standards. If we had to deal with a confusing number of systems and environments there, then I believe, and I am absolutely convinced of that, that we would no longer be able to really provide this IT security guarantee. Therefore, in my view, the reduction to essential standards is a very, very important point.

Exactly, then thank you for the interview. It was a very interesting exchange, also for us, and we wish you a successful day and stay healthy!

Please remember: this article is based on our knowledge at the time it was written, but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company's other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.