Strategy
An interview about future trends with Lothar Hänsler, IT Security Officer at Rolls-Royce Power Systems AG

“Disruptive technologies and IT security: How can you protect company data if you don’t know for sure where they are?”

Disruptive technologies and IT security
Bringing together broad, strategic thinking and the small technical details is the speciality of Lothar Hänsler, an impression he conveys as soon as you talk with him about IT security trends. A leading thinker with expert know-how, he is therefore a highly interesting discussion partner when considering whether we are living in a golden age for hackers. Lothar Hänsler is the IT Security Officer at Rolls-Royce Power Systems AG, the specialist for large engines, propulsion systems and decentralised energy systems. Based in Friedrichshafen, Germany, the company employs over 10,000 people worldwide and is a division of Rolls-Royce plc.

Mr Hänsler, what role does IT play today in engine construction?

At Rolls-Royce Power Systems/MTU, the level of IT penetration is very high, covering all areas of the business. Integrated ERP solutions cut through Purchasing, Production, Sales and Accounting all the way to HR, Legal and Compliance. I can’t speak for the industry as a whole, but I assume it is a similar situation for other companies.

IT solutions are reaching an even higher degree of penetration in the course of digitalisation: Industry 4.0, IoT, Cloud Computing, Mobility, Analytics, AI etc. Keywords that echo throughout the media and are well-known.

What are the major issues relating to IT security that you focus on particularly?

I focus particularly on what are known as disruptive technologies. These include Mobile Computing, Cloud Computing, IoT, IIoT (Industrial Internet of Things) and Industry 4.0. Why? Because components are used in these areas that are not based on “security by design” per se, but are used on the front line. People also speak of a fluid perimeter here. This means that it is no longer easy to see where the boundaries of a company’s network are any more. Using IoT devices, cloud solutions, etc. also means that there is a greater challenge to keep sight of the overall picture and to continue protecting the data of a networked company to an appropriate extent.

Technologies that are used in production companies today come from different manufacturers with a level of IT security that we as customers must assess. This is no easy task. On the one hand, this is because they are complex and varied solutions. On the other, it is because the lack of experts in the field of IT security becomes even more tangible when it comes to know-how regarding new technologies.

For example: Introducing agile methods can pose particular challenges to IT security. Pressure to meet deadlines and flexible approach models lead to the risk that, in its haste, a manufacturer may not be able to proceed with a sufficient degree of care. Combined with disruptive technologies, this can quickly result in a dangerous combination.

Another keyword here: cloud. Manufacturer change cycles are currently so fast that it is scarcely possible to conduct a systematic and in-depth inspection of security mechanisms. The German Federal Office for Information Security (BSI) has introduced the C5 certification concept in this area. This is definitely a step in the right direction. This gives cloud-using companies confirmation of the IT security status of a cloud provider. Nevertheless, this reduces IT security to an “audit on paper”.

In the area of mobile applications, there is a trend towards these software systems being reduced to “apps”. It is suggested that developing such applications is simple and can be acquired by virtually anyone. This means, however, that best practices such as a secure software development process, security by design, privacy by design might fall by the wayside.

We take on these and other challenges to keep our own IT security standards at a high level.

What other strategic challenges do you see being faced by companies in your industry in terms of IT security in the future?

There are many keywords here from a whole host of different areas. Here are a few important ones:

Growing standardisation efforts at a global level do not only lead to simplifications in the area of IT security. Public-sector customers are increasingly publishing their own standards and requiring their suppliers to comply with them. This poses particular challenges for internationally active companies, as it is then not enough to comply with one standard to satisfy different customers. It would be simpler if these standards, which are basically required, were compiled in a “manageable” catalogue of requirements.

On top of this come international, ever-changing regulatory frameworks regarding topics concerning IT security, such as encryption or export and import restrictions for hardware and software.

On the other hand, there is a high degree of dependency on the supply chain, i.e. supplying the company with vendor services. This means that supply chain security is becoming increasingly important from a strategic standpoint. As we know, a chain is only as strong as its weakest link. It is not enough for companies to believe they are secure because their own technology is state-of-the-art. Taking a holistic view also means assessing the IT security of service providers, remote maintenance companies, consultancies, law firms, and many more.

With this in mind – but also generally speaking – the trend towards cloud computing is causing a headache for many security officers. “Commit in haste, repent at leisure”: The risk of vendor lock-in, i.e. the inability to change cloud provider once you have stored your data in the cloud, is one of the greatest risks.

Political developments in recent times represent a very different kind of challenge: import duties and protectionist measures do not just affect the global economy. They also force companies to be flexible in the field of security and to get used to the idea that it may not be possible to obtain security technologies from known sources for an indefinite period of time. Changes in the political landscape may quickly result in individual countries being viewed as (potential) attackers.

Politically motivated cyber attacks are already commonplace today. They show what attackers are already capable of today and what companies need to be prepared for in the future. In this regard, security officers need to think outside the box and look beyond internal security technologies.

As a result of the increasingly porous perimeter caused by IoT, cloud systems, etc., mentioned at the beginning, it is important to have transparency regarding where the company’s data are stored and who has access to them. This issue was addressed under the heading “data mapping” in the course of introducing the EU GDPR. The importance of such transparency cannot be stressed enough: How can you protect company data if you don’t know for sure where they are?

Artificial intelligence is also a buzzword that we are currently seeing a lot of in the media. There is definitely a lot of potential hidden in this approach. However, security officers are deeply concerned here: When will we see the first attacks using AI that completely eclipse all known defence mechanisms because the attacking software is able to learn, during the attack, how to paralyse these defences?

In addition, progress in the area of quantum computing suggests that, in the foreseeable future, we will need alternatives to the encryption technologies currently available. This also begs the question of who will win this game of cat-and-mouse: the attackers or the defenders?

Mr Hänsler, are we currently in a “golden age” for hackers?

Absolutely. The explosive growth of the interconnectedness of rather insecure components in the IoT environment, combined with increasingly rapid development cycles and extremely fast changes of cloud infrastructure, presents an ever-growing target. The developments in the area of AI will be exploited by cyberattackers as well. Sophisticated attacking tools encounter more and more vulnerable platforms, and this happens in an internationally networked space where criminal prosecution fails due to national borders. Are these not golden times?