Arla

"What was especially interesting for Arla Foods was that the Norman Network Protection system could be implemented without requiring major changes to the existing equipment."

Jens Roed Andersen, Chief Information Security Officer at Arla

Arla protects its production from network threats

"Børsen", by NIELS BARFOD
PHOTO: STEVENACHIAM
 

New challenges in security work - especially in SMEs - as hackers stake out new territory and are able to impact the very core of business activities.

IT security

As major manufacturing companies' ERP systems are increasingly integrated into production networks, there is more risk of companies suffering from production stoppages, simply because production, which previously took place completely beyond the reach of the Internet and was totally isolated from the outside world, is now in direct physical contact with the network, which is far from a safe place to be. In addition to this, it has become technologically possible to replace proprietary fieldbus technologies with standardised and hence much cheaper IP technology in production networks, and this also increases vulnerability.

This poses completely new challenges for enterprises, especially the SMEs, in terms of protecting production against viruses and the numerous other difficulties and vulnerabilities that the Internet brings with it.

Inviting target

For a hacker, it may be especially inviting to abandon the relatively petty harassments of denial of service attacks and the operation of phishing sites, in favour of threatening a production site directly or trying to blackmail a company by threatening to sabotage production digitally. Such attacks are typically directed at pure Internet companies, such as poker and other gambling websites, but IT security experts fully expect that in time they will also be aimed at manufacturing companies. This is just what Arla is currently attempting to nip in the bud.

Arla Foods, with IT-security expenditure this year in the hundreds of thousands of Euros, is in the process of implementing a brand new system, called Norman Network Protection, which is specially designed for protecting production networks.

The problem arose in connection with Microsoft terminating support for Windows NT, making the operating system a risk factor for Arla Foods. Norman Network Protection uses a different paradigm than conventional anti-virus systems, while performing the same fundamental task of identifying and blocking malicious code. Of particular interest to Arla Foods was that the system can be implemented without requiring major changes to existing equipment, some of which dates back a number of years.

The system ensures that traffic at each individual dairy is scanned and "filtered" between the independent production networks and the administration network where the ERP system is in control.

Combined with other new security measures, the system makes it possible to isolate the individual production systems should anything go wrong. Arla is also now working to protect itself against another source of infection, namely external IT consultants servicing the production equipment on site. Experience shows that their PCs are infected with viruses and worms which simply physically bypass the current IT security systems. This will reduce the risk of loss.

Arla Foods has also requested that Norman Network Protection should be supplied as a service, instead of as a traditional solution with own investment in hardware and software, and this will be undertaken by the system integrator Nworks.

They therefore monitor the system 24 hours a day and are able to implement necessary measures if anything should slip past the external security systems.

Arla Foods uses the SAP ERP system which increasingly interacts with the Internet; this is desirable from a business point of view, but, in IT-security terms, poses certain risks to production, which Arla is now seeking to protect itself against.

Arla Foods’ Chief Information Security Officer, Jens Roed Andersen, is nonetheless seeking to ensure that the company can remain in production if the network connection is completely broken, even if this entails greater use of manual routines and consequently increased costs. This is being done by having the business units carry out risk and consequence analyses for downtime, loss of data integrity and loss of confidentiality. The security provisions will be set up in the critical systems on the basis of these analyses.

Major losses

Food production in particular is highly sensitive to operational stoppages, where even the slightest interruptions may cause substantial material losses. At the same time, highly automated production requires control data from the production network on a second-by-second basis. There is accordingly no point in using ordinary anti-virus software, which just creates a bottleneck, simply because these applications run too slowly.

Arla Foods is also now starting to work on its IT security culture, since there is a recognition that, in the last resort, the best and cheapest solution is staff training. The increasing dependence on IT systems and the fact that nearly everything now happens in real-time means that staff at all levels in the business must be prepared to deal with the threats that IT systems will always be subject to.

Major undertaking

This is a major undertaking since the "security culture" in the business has always been based on trust between people who know each other - a situation familiar from the countryside, where people feel safe and so do not feel obliged to lock up when they leave their homes.

"You can't depend exclusively on this trust when you are connected to the Internet, given how massive it is. We are therefore starting up a campaign to train staff over the intranet and spotlight the problem, since, in the last analysis, it's about training staff to use their judgement," explains Jens Roed Andersen. 

