Mini-symposium review: put cyber security higher on the agenda
DDoS attacks, ransomware, espionage: criminal hackers have many means and reasons to attack a target. That is why members of the Building Automation sector cannot avoid putting cyber security high on the agenda. And there is a lot to do, as became clear during the recently held mini-symposium on this theme.
By: Dimitri Reijerman
During the afternoon session at FHI in Leusden, Peter Dijkstra, treasurer of the Building Automation sector, gave a brief introduction.
Rik Boelee of Tucana gave the first lecture on DDoS attacks. He explained that a distributed denial-of-service attack focuses on paralyzing websites and servers. DDoS attacks have been carried out for years, but according to Boelee, a trend has recently become visible: criminals work closely together and opt for a combination of data theft, encryption (ransomware) and DDoS attacks. The goal is to make money.
Much of that money is used to develop new attack techniques. There are also different types of DDoS attacks: volumetric attacks, TCP state-exhaustion attacks (on load balancers, for example) and application-layer attacks that cause a high load on applications. Nowadays, they are often combined. Boelee emphasized the importance of regular mitigation testing, both in the lab and in a production environment. He also indicated that end users need to become more mature on this issue, because tenders still pay little attention to it.
IT and OT
Johan de Wit of Siemens, whom FHI had already spoken to in the run-up to this meeting, talked about the security of OT systems. Operational technology (OT) is now inextricably linked to the IT systems of companies. Security is an additional component compared to IT. Think of a refinery, for example: all installations and software must be tested 100 percent there. The main difference with OT systems lies in their lifespan, which is a potential risk for cyber security. Many security standards are also still in full development, as is awareness among (end) users. De Wit also indicated that Siemens actively communicates security problems in its products, precisely to reduce security risks as much as possible.
Tom van Boheemen (Applied Risk) was the closing speaker, on human behavior in relation to cyber security. In his talk he set out the 'security in depth' principle and stated that many risks can be traced back to unclear processes within the organization. Management within companies should also think more actively about this subject. Van Boheemen also indicated that training is important. He gave the example of having employees actively hack PLCs themselves so that they gain insight into the weak points of these controllers.
At the end of the session, there was further discussion of the theme. Many attendees indicated that they wanted to put cyber security higher on the agenda. Therefore, this topic will probably be discussed several more times during meetings of the Building Automation sector.