When industrial facilities are maintained and repaired remotely, companies can react more flexibly to malfunctions and thus save a lot of time and money. For this reason, remote management solutions are also becoming increasingly popular in the chemical and pharmaceutical industries. The Munich-based startup sematicon, which is part of the 5-HT network, however, warns of the dangers to IT security that come with traditional solutions. “Many companies are not aware of the risk they run when they connect their old equipment to the network via VPN,” says CTO Michael Walser. Together with co-founder and COO André Neumann, he explains in an interview with 5-HT how their solution se.MIS™ enables secure and at the same time convenient remote maintenance.
How did sematicon come to be founded?
André Neumann: Michael and I have known each other for many years working within the cyber security environment and have worked together in different areas. When we came into contact with various customers, mainly from the chemical and pharmaceutical industries, we realised that many of these companies were looking for highly secure and at the same time convenient remote management solutions that they could not find on the market at that time. This gave rise to sematicon AG. In cooperation with our development partner CyProtect, we then developed our se.MIS™ solution, a remote management solution that enables secure and fully traceable access to systems.
What is problematic about traditional remote management systems?
Michael Walser: Today, external technicians usually access the industrial facilities they are to maintain or repair remotely via classic VPN connections. However, this VPN access poses considerable security risks. The firewall blocks direct access to other systems, but if the machine in question is internally networked with other machines, access to other systems is possible unhindered via this route. In this way, ransomware can very easily be infiltrated into the network or security holes can be exploited. Another big problem is that the systems to be maintained often still use old operating systems such as Windows XP, for which there are no longer any security updates, making the systems easy to attack. In addition, the company usually has no control over the IT security of the external technician: Which operating system does he use? Does he regularly install security updates? Does he have a firewall? Is his network environment trustworthy or is he just sitting in his home office? Simply installing a virus scanner on the system is not a solution because the systems do not easily allow this or because the real-time capability of the systems is jeopardised. All in all, conventional remote management solutions are highly problematic for IT security in industry. Nevertheless, remote management is of course a great opportunity – we just have to think about how we can control the risks that come with it.
How does sematicon help to increase the security of remote management?
André Neumann: We enable secure remote maintenance by not allowing access via VPN, unlike other solutions, but by completely isolating the machine networks. In doing so, our se.MIS™ manager converts old protocols into current, secure protocols before allowing access from the outside.
Michael Walser: It is important that we do not allow the external technician direct access to the system – without restricting his ability to act. In this way, we manage to maintain complete isolation of the networks. At the same time, all changes that the technician makes to the machine are saved in the underlying digital maintenance book as an audit file. In this way, we achieve complete transparency, which is especially important in the pharmaceutical and chemical industries or in other critical facilities.
What functions does your se.MIS™ solution offer?
Michael Walser: First of all, it is important to understand that se.MIS™ is not a pure remote maintenance software. Besides this functionality, se.MIS™ brings much more to the table. The core of our solution is the digital maintenance log. In many companies, maintenance logs are still kept manually, so that in retrospect it is not always possible to trace what happened on a machine beyond doubt. With se.MIS™, on the other hand, all changes to the machine are automatically logged. In addition, with PLC systems such as SIMATIC S7, for example, the company retains the option of having the changes checked by an internal employee before final programming of the PLC system.
It is important to note that for any conceivable access to a machine, there must always be a maintenance order first, which can either be created by an employee, by the machine itself or by a predictive maintenance system. Furthermore, once a maintenance order exists, the external technician cannot make a direct change to the machine. Instead, all change requests are first stored in the se.MIS™ manager. The responsible employee in the company can then see which change was requested by whom and can decide whether to allow this change or not. In this way, we increase security in remote management by isolating incoming data from outgoing data and give our customers full control over changes to their machines. By automatically logging all changes in the digital maintenance log, we also provide our customers with extensive audit and forensic capabilities. Due to our expertise in cryptography, we can also integrate encrypted connections into se.MIS™.
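The approval flow described above, as an added illustration that is not se.MIS™ code: a small Python model (class, method and event names are my own assumptions) in which a technician's change request is refused unless a maintenance order exists for that machine, is queued until an internal reviewer decides, and every step is written to a hash-chained audit log so that later tampering with the log is detectable.

```python
import hashlib
import json
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised when a change is attempted without a maintenance order (hypothetical name)."""

@dataclass
class MaintenanceGateway:
    """Model of the gating described in the interview; not the vendor's implementation."""
    orders: set = field(default_factory=set)    # (order_id, machine) pairs currently open
    pending: dict = field(default_factory=dict) # request_id -> queued change request
    audit: list = field(default_factory=list)   # hash-chained maintenance log entries
    next_id: int = 1

    def open_order(self, order_id, machine, opened_by):
        # An order may come from an employee, the machine, or a predictive-maintenance system.
        self.orders.add((order_id, machine))
        self._log("order_opened", order_id=order_id, machine=machine, by=opened_by)

    def submit_change(self, order_id, machine, technician, payload):
        # Incoming data is only queued, never applied directly to the machine.
        if (order_id, machine) not in self.orders:
            self._log("rejected_no_order", machine=machine, by=technician)
            raise AccessDenied("no maintenance order for this machine")
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = {"order": order_id, "machine": machine, "by": technician, "payload": payload}
        self._log("change_requested", request_id=rid, machine=machine, by=technician, payload=payload)
        return rid

    def decide(self, request_id, reviewer, approve):
        # The responsible internal employee sees who requested what and allows or refuses it.
        req = self.pending.pop(request_id)
        self._log("change_approved" if approve else "change_rejected",
                  request_id=request_id, machine=req["machine"], by=reviewer)
        return req["payload"] if approve else None  # only approved payloads reach the PLC

    def _log(self, event, **fields):
        # Each entry commits to the previous hash, giving a tamper-evident chain.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "event": event, "prev": prev, **fields}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def verify_audit(self):
        # Forensic check: recompute every hash and confirm the chain is unbroken.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```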
What are the next goals for sematicon?
André Neumann: Now that the second version of our solution is ready and further installations are pending after the pilot customers, we are on course for growth. On the one hand, we want to expand our team, which currently consists of seven employees at sematicon and at our development partner CyProtect, in the areas of technology, sales and marketing. In addition, we are looking for further sales partners in order to gain new customers. Of course, we are also focusing on the further development and expansion of the se.MIS™ platform. Currently, we are starting several proofs of concept with companies from the manufacturing industry: with an eyewear manufacturer, a power plant operator and a globally active company in the metal processing industry.
Michael Walser: So far, many of our customers are medium-sized businesses. However, due to our architecture, we are also prepared to scale from one to several hundred thousand endpoints and thus roll out our solution globally in large corporations.
How can 5-HT support you in your further development?
Michael Walser: In discussions with companies, we repeatedly find that many are not even aware of the risk they run when they connect their old plants to the grid. That’s why it’s important for us first and foremost to raise awareness and increase our reach. We do our best to make our know-how in the IT security field available to the industry.
André Neumann: In addition, we welcome support on how to tell our story so that it is also heard by decision-makers who are not tech-savvy. We are also happy to participate in events or give presentations to introduce our solution to the chemical and pharmaceutical companies in the 5-HT network.