"Any electronic system may be attacked"
David González, responsible for the industrial cyber security team of IK4-IKERLAN, analyses for Diario Vasco the threats to which Basque companies are exposed
Companies, institutions and Internet users demand more protection. For these reasons, IK4-IKERLAN has worked over the past years on the development of technologies and products together with its clients.
What is your opinion about cyber security?
Cyber security is a wide concept and implies different things based on the scope in question. At IK4-IKERLAN, we focus on industrial cyber security, and our specialization is in the development of safe electronic product. When generally speaking about cyber security, we think of IT attacks to computers in companies or homes, but any electronic system, if not properly protected, may be subject to local or remote attacks (if connected to the network), and today electronic systems are present in all aspects of our lives.
Our vision of cyber security is helping our clients develop safer products to protect, among other things, the integrity and availability of the information managed by them and of the functions offered to their users.
What makes industrial cyber security different from other areas?
Industrial cyber security is mainly focused on protection of electronic systems embedded in different processes in an industrial plant or sectors closer to all of us, such as transport (vehicles, trains, and elevators) or energy
For example, almost all electronic systems have software, and if persons external to these products can access it, they may have confidential information about its functions (extracting value information about their design) or alter it and make the system function differently from its design, putting users at risk. Do you imagine someone outside our usual shop altering the software of our your car without knowing? Which warranty would we receive? At IK4-IKERLAN we study any possible vulnerabilities an electronic product may have and establish solutions to prevent external persons from accessing and altering it.
What does IK4-IKERLAN specialize in?
Clearly, in the industry and the risks associated to digitalization. In the TEIC (Electronic, Information and Communication Technologies) unit of IK4-IKERLAN we are 150 investigators developing products in all the value chain from the sensor to the cloud, designing for our clients embedded systems, connectivity solutions or digital platforms. And most important, we work the cyber security of all our developments from the design stage.
Our experience of more than 40 years transferring technology to Basque industry supports us as agent in digitalization of our Proof of that is our close collaboration with companies such as Orona and CAF.
Which is the alert level?
The vision we have of security at IK4-IKERLAN goes beyond cyberattacks. In fact, what many companies transmit is that some of the most worrisome risks, in addition to the remote attacks through Internet, are the attacks performed locally, when the attacker has physical access to devices. Luckily, at Euskadi there are technological centres and very competitive companies in the cyber security sector, and we try to complement with other agents. The role of IK4-IKERLAN is vital, since it has a wide experience and great specialization in the development of safe electronic systems, while other centres or companies work on complementary activities such as the detection of threats or the incidence management.
Do you think there is enough awareness among the companies?
In general, I think we still have a long way ahead. The awareness level has grown a lot over the past years, and almost all companies with which we collaborate are working to make their products and services safer. It is also true that the starting point is much different based on the sector, since in some cases cyber security had not been a requirement until recently and, therefore, there is still much to do.
Is there any type of decoy to detect hackers?
No, though it is true that there are companies dedicated to implement this type of strategies, but as mentioned above, at IK4-IKERLAN we focus on developing safe products. What we do is establishing methods that allow us to obtain as much information as possible after an incidence.
Is cyber security more an investment than an expense?
Yes, of course, but we have to successfully determine which investment level is appropriate in each case. The cost of security measures may vary widely, and at IK4-IKERLAN we try to help companies define and make the most appropriate investment to achieve the best effectiveness possible in its products.
How is training focused since it is such a changing area?
I think this is one of the greatest challenges we have. To begin with, the current demand of cyber security is recent and the training offer, although it is significantly strengthened, it is still emerging. Also, we have the difficulty that cyber security has been taught so far in computing grades, and finding engineers who combine electronic and security knowledge is not easy.
The solution we are adopting is to complete at IK4-IKERLAN the training of the students who want to specialize in the field; for example, by means of doctoral thesis with reference universities.