Cyber security for component manufacturers

SECURE BY ANY STANDARDS

AT A GLANCE:

Cloud connection and networking via the Internet of Things (IoT) are creating new opportunities for your OT products – but also new risks.

In 2022 alone, ransomware attacks on OT in production and infrastructure increased by 87%.

Protect your products from the start using secure software – and accommodate increasing regulatory requirements, like the forthcoming EU Cyber Resilience Act.

Your motivation:

Your OT products have long done more than just their defined control, sensor, or actuator function: They also communicate in production, infrastructure, and rail networks, and that’s why they must be protected against unauthorized access. The plant operator’s security measures, such as Defense in Depth or Zero Trust, are one thing. But as the manufacturer, you also have an obligation to put specific security measures in place in accordance with Germany’s IT Security Act 2.0, the forthcoming EU Cyber Resilience Act, and the new EU Machinery Regulation 2023/1230. The IEEE 62443 and TS 50701 standards are also relevant here. But how can you identify and counter vulnerabilities and risks in your OT components and systems?

Cyber security for your OT products –
ask us!

Want to make your product cyber-secure? Get advice from our experts: Send an email with your request or call us. Protect your OT against the dangerous consequences of software errors and vulnerabilities!

What creates added value for you:

Codewerk helps you make the embedded software in your OT products cyber-secure – in two key areas:

  • First, by eliminating vulnerabilities right at the product development stage.
    That offers the best guarantee of minimizing security incidents in the field, and thus of needing fewer security updates and patches. That’s a key factor in keeping operations moving, especially in areas such as rail-based transport.
  • Equally important is the need to monitor software products for vulnerabilities throughout the product lifecycle. Continuous security vulnerability monitoring makes that possible. It comprises not only monitoring but also the evaluation of detected vulnerabilities and recommendations for action based on that evaluation.

Codewerk services for secure software:

Development phase:
Secure coding and code review

Test phase:
Penetration testing and fuzzing

Operational phase:
Vulnerability management

What we do differently:

Codewerk is a partner, for example, to major industrial and rail vehicle equipment and component manufacturers, and is also active in R&D projects in the rail transport sector. Based on our understanding of complex systems and our own roots in software engineering, we can specifically target typical risks. Here are just three of many examples:

  • Insecure default configuration: A quick and easy target for hackers, but still a widespread one. This is where our fuzzing comes in: a deliberate attempt to crash the system with randomly generated input data. Based on the insights obtained, we then apply our software expertise to harden the source code.
  • Code vulnerabilities: Most software is sourced externally – and is therefore beyond the control of the product manufacturer. Our continuous vulnerability monitoring and management reveals security loopholes – in libraries or frameworks, for example – and assesses their potential repercussions.
  • Insecure data validation and input checking: If inputs are not properly validated, hackers can inject malicious code (e.g. SQL injection or cross-site scripting) into the system and execute it. Using Security by Design, we counter this risk right at the development and testing phase.

The product is ready – how about a little security on top? Why Security by Design in accordance with IEEE 62443 pays off

In many cases, cyber security is still considered a product feature, and treated as such: Once the basic functions have been defined and programmed, security is added on top as a compulsory component.

It’s time this way of thinking was turned around: How must a function be implemented to make it secure? Errors in system design in particular – such as insecure fallback mechanisms or errors in key management – can be avoided only with Security by Design. Fixing errors right at the development stage makes this approach not only more secure but also much more cost-effective.

Which Fuzzing solution is recommended? Points in favor of security testing

We’re basically flexible. We believe there are clear practical benefits in using a fuzzer to continuously test the source code for security vulnerabilities right from the start of development. The fuzzing tests are easy to integrate into a CI/CD pipeline. Apart from that, fuzzing improves code quality substantially. We’ve had very good experience with libFuzzer, and also AFL++.
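A worked example of the fuzzing and input-validation approach described in the risk list above and in this section (added here; it is not Codewerk’s code or tooling): a libFuzzer harness around a small, constructed OT-style telegram parser whose length and checksum checks are exactly the bounds checks a fuzzer tends to find missing. The frame layout, the 0xA5 start byte and the LIBFUZZER_BUILD macro are assumptions of this example; build with `clang -fsanitize=fuzzer,address -DLIBFUZZER_BUILD` to fuzz, or with a plain C compiler to run the regression cases in main().

```c
/* Added example (not Codewerk's code): libFuzzer harness for a small,
 * constructed OT-style telegram parser. Assumed frame layout:
 * [0]=0xA5 start byte, [1]=payload length, [2..]=payload, last byte=XOR checksum. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 32

typedef struct { uint8_t len; uint8_t payload[MAX_PAYLOAD]; } telegram_t;

/* Returns 0 on success, a negative code for a rejected frame. Each check is
 * the kind of missing bounds check that fuzzing typically exposes. */
int parse_telegram(const uint8_t *buf, size_t n, telegram_t *out)
{
    if (n < 3 || buf[0] != 0xA5) return -1;        /* too short or bad start byte */
    uint8_t len = buf[1];
    if (len > MAX_PAYLOAD) return -2;               /* length field exceeds buffer */
    if (n != (size_t)len + 3) return -3;            /* length must match frame size */
    uint8_t x = 0;
    for (size_t i = 0; i < n - 1; i++) x ^= buf[i]; /* XOR over start, len, payload */
    if (x != buf[n - 1]) return -4;                 /* checksum mismatch */
    out->len = len;
    memcpy(out->payload, buf + 2, len);             /* safe: len <= MAX_PAYLOAD */
    return 0;
}

/* libFuzzer entry point: a crash or sanitizer report here is a finding. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    telegram_t t;
    (void)parse_telegram(data, size, &t);
    return 0;
}

#ifndef LIBFUZZER_BUILD
/* Stand-alone regression run; libFuzzer supplies its own main when fuzzing. */
int main(void)
{
    const uint8_t good[] = {0xA5, 0x02, 0x10, 0x20, 0x97};   /* 0xA5^0x02^0x10^0x20 */
    const uint8_t oversized[] = {0xA5, 0xFF, 0x00};          /* len field > MAX_PAYLOAD */
    telegram_t t;
    printf("good frame: %d\n", parse_telegram(good, sizeof good, &t));
    printf("oversized length: %d\n", parse_telegram(oversized, sizeof oversized, &t));
    return 0;
}
#endif
```

In a CI/CD pipeline the same harness runs as a short libFuzzer job on every commit, with the crash inputs it produces checked in as regression cases.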

Which security monitoring solution should I use? Points in favor of efficient vulnerability management

Our vulnerability management includes:

  • Tracking third-party software and the software versions used
  • Continuous monitoring for newly published vulnerabilities affecting the software identified
  • Assessment of detected vulnerabilities and testing whether they can be exploited

We’ll also perform a comprehensive assessment of your own or proprietary software.

To sum up, we monitor your product for vulnerabilities throughout its lifecycle and provide you with recommendations for your specific application.

See also:

“Head in the sand” no longer applies

How companies should respond to the EU’s Cyber Resilience Act

Standards-compliant cyber security for your OT –
ask us!

Want to make your product cyber-secure? Get advice from our experts: Send an email with your request or call us. Your first step toward effective cyber security!

Codewerk

THE CODE TO YOUR SUCCESS

At Codewerk, we want to help improve protection for the world of OT. So cyber security is more than just another area of growth to us. We’re driving advances in this field out of a genuine passion for and identification with our customers’ world. As a long-standing software development partner to the process industry, manufacturing industry, and rail-based transport, we know how complex these systems are – and how long a journey it is to achieve the same level of security as in IT. But there’s no time to slowly build up a culture of cyber security. The time to act is now.

  • A decade of experience as an independent software developer and service provider
  • Four locations in Germany
  • Partner in national and international R&D projects and in the open Siemens Xcelerator ecosystem
  • Certification to ISO Standard 27001 since 2020
