Obtaining a cloud security certification requires a lot of preparation time, which mainly involves manual processes that are prone to error. In other words, several employees cannot perform their usual duties during an audit preparation. Our Clouditor tool aims to improve this process by making audit preparations more systematic and automatable. This makes it possible to continuously monitor cloud services and check their compliance with a cloud security catalog such as BSI C5, EUCS, or the CCM.
Industrial systems are becoming increasingly interconnected, automated and specialized for complex tasks. In the industrial environment, many plants and their components are insufficiently protected against cyberattacks due to their long life cycles. Once an attacker managed to gain access to one part of the system, taking over, spying on or manipulating other parts of the system is almost childsplay. For plant manufacturers as well as operators, a successful attack can result in loss of reputation, financial damage and danger to life and limb of staff.
The IT security of industrial plants is one of the research areas of the scientists at Fraunhofer AISEC. The topic Industrial Security provides information about their work and concrete research results on securing industrial systems.
gallia is an extendable pentesting framework with the focus on the automotive domain, developed by Fraunhofer AISEC under the Apache 2.0 license. The scope of the toolchain is conducting penetration tests from a single ECU up to whole cars. Currently, the main focus lies on the UDS interface but is not limited to it. Acting as a generic interface, the logging functionality implements reproducible tests and enables post-processing tasks.
The following blog post introduces gallia’s architecture, its plugin interface, and its intended use case. The post covers the interaction between its components and shows how gallia can be extended for other use cases.
A digital twin is a virtual representation of a real system or device. It accompanies its physical counterpart during its entire life cycle. Tests, optimization procedures and bug hunting can be carried out on the twin first without involving the real device (that may not even exist at that moment). In this article, I want to give you some recommendations on how to harness that potential for improving upon the state of OT security (Operational Technology Security), e.g., within manufacturing or building automation.