SME Support: Help with the transformation

Industrial companies are in the midst of the digital transformation. It’s a major transition that presents many opportunities for both large companies and small and medium-sized enterprises (SMEs) if they deploy technology such as artificial intelligence (AI). For example, machine learning (ML) can teach a system to detect an impending failure before it brings an entire array of production machines to a halt. AI systems can also help identify defects during quality control and thereby reduce production waste.

The digital transformation also has its drawbacks, however. After all, everything that is digitalized and networked is also a potential target for cybercriminals. This is making the issue of security even more important – especially when production facilities in a smart factory are connected to the company network.

Organizations of all sizes are at risk. According to a study on security in medium-sized companies by the consulting firm Deloitte, however, SMEs tend to feel quite safe overall because very few cyberattacks on such firms have been publicized so far. That feeling is deceptive, though. The report finds that cyberattacks on medium-sized and family-owned companies have increased considerably, especially since 2019. The most recent example involves the machine manufacturer Mahr, whose operational processes were disrupted at the end of last year after the company’s IT infrastructure suffered an online attack.

Service providers handling security tasks for SMEs

When it comes to security, awareness often isn’t the only thing lacking; there’s also the matter of corresponding expertise. Online attacks are becoming increasingly sophisticated and complex. According to Max Weidele, founder of the knowledge platform Sichere Industrie, a variety of security measures are required to protect the new, more flexible network architectures of a digitalized industrial sector. “It starts with safeguarding terminal devices and extends all the way to network access solutions and tools that regularly check the firmware of controllers,” Weidele explains. The first solutions are already available, with a number of providers offering services designed specifically to handle security tasks for small and medium-sized enterprises.

SMEs can rely on managed services to monitor network security or back up data, for example. Providers of such services also offer their own failsafe networks to which Internet traffic can be redirected after an attack on a company’s website. Managed services are available from major players such as Cisco or IBM, as well as from small regional system vendors. The main advantage of the latter is that they can meet with their medium-sized customers on more of an equal footing. Meanwhile, IT isn’t the only point of view from which security demands present a challenge for SMEs. They can also cause headaches for those responsible for safety – that is, safeguarding automation technology on a production line. Risk analysis and corresponding certification must be carried out for each application where a robot is used. The aim is to ensure that the robot does not endanger human employees during its work. And with every new application, the security concept also needs to be adapted. This can be a big hurdle for smaller companies.

Luckily, there are already approaches that make it a bit easier to clear. Providers seeking to bring automation to SMEs are taking safety requirements into account. Epson has developed low-cost robots to serve as an entry point into the technology. When combined with a special safety package, such entry-level models can also work without a protective fence. By carrying out risk assessments in advance, Epson aims to make integrating the robots into a plant as simple as possible. Safety specialist Pilz has put together an all-inclusive package for introducing automated transport systems – mobile robots, in other words. Among other things, companies receive support in validating their specific application, including in testing the automated system and defining protection fields. When requested, Pilz can guide companies all the way to an international conformity assessment. Startups like Wandelbots or ArtiMinds facilitate the process of getting robots up and running by greatly simplifying their programming. This also helps when it comes to safety aspects by making it easier to integrate the sensors required for safe operation, for instance. The same applies to special peripheral devices such as rounded grippers.

The European project COVR also aims to reduce the challenges at hand, especially for smaller companies. It focuses on robot safety in collaborative applications – that is, when they work almost hand-in-hand with humans. Among other things, the project provides specific application examples, as well as relevant standards and guidelines on its website. There are also step-by-step instructions that enable companies to conduct their own validation measurements of their applications. In addition, anyone who needs support in the field of robot safety can contact the German Robotics Association, which aims to promote robotics among small and medium-sized companies in particular. This overlaps with another area in which some SMEs exhibit a lack of knowledge and skilled workers. “The lack of expertise in AI and digitalization is a major obstacle for SMEs right now,” says Martin Lundborg, who heads the accompanying research of Mittelstand-Digital – a funding priority of the German Federal Ministry for Economic Affairs and Climate Action. He reports that medium-sized companies most often face the problem that their digital maturity level is not sufficient to implement AI applications.

Providers such as Google, Microsoft or Amazon Web Services offer ways to get started in using artificial intelligence. Their pre-configured and trained AI services require little specialized knowledge on the part of end users and thus simplify the use of features such as voice or image recognition. Low-code approaches like AutoML also play a role here by making it significantly easier to program applications. Lundborg considers these tools well-suited to enabling people to use such technologies even if they have little expertise in the field of AI. “For SMEs, low-code ML solutions are a catalyst for digital innovation thanks to their simplicity,” he says. Medium-sized enterprises can also obtain the expertise they lack through training courses or qualification measures. The Mittelstand-Digital initiative, for example, provides instructors on the topic of AI. “They inform people about AI through workshops, company visits, lectures, roadshows and numerous other offerings,” explains Lundborg’s colleague Christian Märkel. The instructors also help companies implement specific application scenarios.

One example of this is the geothermal plant in Traunreut, which supplies the region northeast of Lake Chiemsee (Bavaria) with district heating and electricity. All the pumps and heat exchangers are equipped with sensors to ensure efficient operation. However, the multitude of recorded values makes for an amount of data that is too large for a human to effectively analyze. Enter the AI instructors, who supported the plant with a crash course in machine learning. They also demonstrated new ways to make intelligent use of all that information, reports managing director Sebastian Schultz. As a result, the geothermal plant can now detect imminent disruptions and failures at an early stage with the help of AI.

CERT@VDE helps search through the haystack

To keep up with the latest cyberthreats, a CERT (Computer Emergency Response Team) is particularly suitable for medium-sized companies. This is a group of IT experts who help companies with security incidents. One example is CERT@VDE. Through this platform, machine engineers, technicians, service providers and plant operators can share information about cybersecurity issues and potential vulnerabilities. Security flaws in the products of cooperating partners are published according to strict quality rules in professional vulnerability reports (“advisories”), which also describe corresponding solutions. “As a user and operator of industrial automation, you have to know and evaluate the risks in your environment on a daily basis. Here, it’s essential to know whether a product that a given operator uses is vulnerable. The reliable information CERT@VDE provides to its target group makes it possible to find this out,” says Andreas Harner, head of CERT@VDE. Among other assistance, CERT experts also help develop joint solutions to deal with vulnerabilities in supplier components made by the platform’s partners. “When attackers are increasingly working together and the potential victims are practically on their own, it’s a fundamental problem,” Harner continues. “With the CERT, we’re playing defense together and establishing something like a level playing field.” Since SMEs in particular often lack the relevant knowledge and specialist staff, it’s important to “have a trusting community in which companies can also learn from one another.” Weidele considers a CERT like the one offered by VDE to be a good point of contact for small and medium-sized companies. Among other things, communicating with other CERT member companies helps them establish a certain routine in their own security measures. “It’s often a matter of very basic questions like ‘who do I turn to when an attack happens?‘ or ‘which reaction chains need to be established?’”

Even the best AI won’t work without sufficient data

SMEs need to lay the foundations for progress themselves. For the use of AI, this means examining internal processes and the information they contain – as recommended in a white paper from Mittelstand-Digital. Companies then need to merge data from their different areas. After all, even the best AI will not work without sufficient foundational data. According to Weidele, the basic prerequisite for a security concept in industrial companies is to have the same overview of the OT (operational technology) as of the IT in use. In a smart factory, both areas are ultimately linked. Organizations that want to protect themselves first need to know what hardware and software is available to monitor and control their production facilities. Many SMEs have not yet met this requirement, Weidele says. “That means companies have some homework to do first.”

CERT@VDE provides help on cybersecurity issues:

https://cert.vde.com/en/