IT security at INSYS icom
INSYS icom is a digitalisation expert for industrial data communication. With our core competences of remote maintenance, network technology and data transmission, we form the bridge between IT and OT. Our solutions are thus often the central gateway in the communication from closed and secure networks to the outside into the free internet. Especially for critical infrastructure players such as energy suppliers, heating networks, municipal utilities and power generation plants, the potential for damage is enormous. This makes them an attractive target for attackers, which is why the security of our solutions is the top priority.
INSYS icom has received the IT security certificate of the Federal Office for Information Security (BSI) according to the BSZ test procedure for the MRX3 LTE industrial router. The security assessment was carried out by a BSI-recognised test centre and thus certifies a high level of IT security from an independent and official body.
Attacks on systems can have various motives, even if they are not obvious at first glance:
Blackmail: disruption of production processes that is only lifted against payment of money, e.g. through the use of ransomware
Industrial espionage: Theft of business-critical information and know-how
Political motivation: attacks on critical infrastructure as part of a “cyber war”
Demonstration of power: inflicting maximum damage without a concrete goal
Demonstration of feasibility: attacks to improve the resilience of systems. Attackers are predominantly friendly and cooperative.
To protect our clients from such attacks, our IT security culture is characterised by the terms “security first”, “security by design” and “update it”:
IT security plays a decisive role in every phase of our activities and in every product stage. The following five points form the cornerstones of our work:
Our products are developed from the very beginning according to the principles of “Security by Design” and “Security by Default”. They are therefore characterised by the following points, among others:
Every product is only as secure as the updates it receives. Therefore, we at INSYS icom attach great importance to regular updates for our products:
Deployment of patches for critical vulnerabilities (CVSS 9.0-10.0) immediately after availability
Patching of less critical vulnerabilities in the next scheduled release
Maintenance of a list of security advisories for CVEs (Security Advisories)
Critical infrastructures (CRITIS) are organisations or facilities of major importance to the community. The requirements for the security of the products and services used there are naturally particularly high and are under constant observation. Our solutions for industrial data communication are ideally equipped to meet these requirements, which is why we are the market leader in Germany in the renewable energy and water/wastewater sectors.
In March 2023, INSYS icom launched an LTE450 industrial router series. Exclusively critical infrastructure players can access the fail-safe and nationwide mobile network.
Critical infrastructure legislation aims to increase the level of IT security of information technology systems in sectors considered particularly relevant to the maintenance of public order.
The regulation is subject to constant further development. Currently, the IT Security Act 2.0 is in force with the KRITIS Ordinance of 2023.
The BSI-KritisV defines threshold values for operators and systems from which a KRITIS obligation exists. The lists of threshold values for the respective sectors can be found here
If a KRITIS obligation exists, appropriate organisational and technical security measures are required to prevent disruptions to your information technology systems, components and processes.
When implementing the measures, reference is made to the state of the art. For various sectors, there are sector-specific security standards (B3S) that define the state of the art in the respective sector. Further information on the B3S can be found here or from your industry association.
With the IT Security Act 3.0, which is currently in preparation, the requirements of NIS2 will be transferred from EU level to national law. This will probably result in an extension of the CRITIS obligation to further companies in the affected sectors. In its current version, NIS2 defines all companies as having a CRITIS obligation if they employ >50 employees and generate >10 million euros in revenue.
It is likely that the German legislator will not follow this definition in its entirety and will propose a combination that retains the current threshold values for CRITIS systems.
INSYS icom always strives to be up to date with the latest regulations and technology. In our catalogue of measures, we also summarise all technical and organisational measures for our products that support you during auditing. We are always available to answer any questions you may have…
With the following five tips, you can ensure that your plants and machines are securely networked:
Here you will find material to support you in the KRITIS audit. You will also find an overview of penetration tests carried out as well as documentation and instructions for using INSYS icom products securely.
| Products tested | Test body | Period | Status/result |
|---|---|---|---|
| icom OS | BSI / OpenSource Security GmbH | Q4 2022 | Security certificate issued. No vulnerabilities found. |
| icom Connectivity Service | Customer test from building services engineering | Q3 2021 | Weak points corrected. |
| icom Connectivity Service | Customer test from building automation | Q2 2021 | Weak points corrected. |
| icom OS | OpenSource Security GmbH | Q2 2021 | Weak points corrected. |
| icom Connectivity Service | OpenSource Security GmbH | Q2 2021 | Weak points corrected. |
| icom Router Management | OpenSource Security GmbH | Q1 2021 | Weak points corrected. |
| icom OS | Customer test from the energy sector | Q1 2021 | Weak points corrected. |
| icom Data Suite | T-Systems on behalf of a customer | Q4 2019 | Weak points corrected. |
| icom Connectivity Service | Secunet on behalf of a customer from public transport | Q3 2019 | "In conclusion, the system examined can be confirmed as having a generally high level of safety." |
| icom OS | Customer test from plant engineering | Q2 2019 | Weak points corrected. |
IT is very fast-moving, and it would be hard to find a standard that considers the complexity of all use cases. Depending on the application, specifications would be over-secure or not secure enough. For this reason, IT security is usually defined relatively and not absolutely. Security organisations and industry associations therefore orient themselves to the state of the art, which is interpreted differently depending on the industry, the use case and also the size of the company. The industry-specific security standards (B3S) define, for example, the state of the art for certain sectors. Technical guidelines such as BSI TR-02102 outline the state of the art for the use of cryptographic procedures.
The handout on the “state of the art” from TeleTrust (Bundesverband der IT-Sicherheit e.V.) offers recommendations for action and orientation on the “state of the art”.
There are currently no regulations that prescribe or give preference to the use of certified components in critical infrastructures according to the BSI-KritisV. This may change in the future; in principle, CRITIS operators can use any components today, as long as they can prove compliance with the IT security requirements.
IT security can be proven on the one hand by independent penetration tests and on the other hand by state-recognised certificates. If tests and certifications are carried out by an officially recognised testing body, objectivity is guaranteed.