How HUBTEX makes its special vehicles safe for KRITIS use

Nowadays, the maintenance of important boards, controllers and other components of transport and forklift vehicles is usually carried out digitally. But that makes them vulnerable to cyber attacks. A scenario that must be avoided! So FB Pro helped with customized system hardening.

About HUBTEX

HUBTEX develops and produces sideloaders, industrial trucks and special vehicles. The company from Fulda (Germany) stands for low-maintenance technology, durability and high quality standards.

The starting position

HUBTEX vehicles are used all over the world. The customers also include companies that are active in the field of KRITIS (= “kritische Infrastruktur”, German for “critical infrastructure”). For an important and time-critical project, HUBTEX delivered adapted vehicles for use in a special environment.

The service device relevant for these vehicles, a notebook with Windows 10, was also part of the order. This service device had to be secured accordingly.

Securing the service and maintenance infrastructure is important because the forklift and special-purpose vehicles can be serviced by technicians via network connection and USB stick, for example. In these situations, the aspects of information security and data protection must always be guaranteed.

HUBTEX's goal was to minimize the attack vectors as far as possible, both initially and during operation, on the premise that simple, digital maintenance of the vehicles remains possible.

The solution

What is the ideal solution for HUBTEX’s requirements? System hardening! To carry this out to the highest standard and in a fully automated way, the Enforce TAP is used.

In several discussions with HUBTEX and the end customer, it was agreed to implement the hardening according to generally accepted hardening recommendations.

In addition, various technical solutions had to be worked out on the basis of known use cases, coordinated with the contacts involved and technically tested.

Implementation and challenges

It soon became apparent that the hardening standards had to be adapted for the intended use. Among other things, the SiSyPHuS recommendations of the German Federal Office for Information Security (BSI) for Windows 10 were used for this.

In addition, the end customer required strict enforcement of the “clean source principle”. This means that the service and maintenance infrastructure was installed in a sealed-off environment without Internet access. Only verified installation files (for example, via malware scans and hash value checks) were permitted. This required meticulous preparation, as a software download from the Internet “just quickly” is not possible in such a critical environment.
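The hash value check mentioned above can be scripted on the Windows side before files are carried into the sealed-off environment. The following is an added example, not FB Pro's or HUBTEX's tooling; the manifest format (`<sha256>  <file name>` per line), the function name `Test-StagedInstallers` and the file names are assumptions, and the demo files are constructed.

```powershell
# Added example: check staged installers against an approved SHA-256 manifest.
# Assumed manifest format: "<sha256-hex>  <file name>", one entry per line.
function Test-StagedInstallers {
    param(
        [Parameter(Mandatory)] [string] $StagingDir,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # Approved hashes keyed by file name (hashtable keys are case-insensitive).
    $approved = @{}
    foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        if ($line -match '^\s*([0-9A-Fa-f]{64})\s+\*?(.+?)\s*$') {
            $approved[$Matches[2]] = $Matches[1].ToUpperInvariant()
        }
    }
    $report = @()
    $seen = @()
    foreach ($file in Get-ChildItem -LiteralPath $StagingDir -File) {
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if (-not $approved.ContainsKey($file.Name)) {
            $status = 'NotInManifest'   # unknown file: must not be installed
        } elseif ($approved[$file.Name] -eq $actual) {
            $status = 'Verified'
        } else {
            $status = 'HashMismatch'    # altered or corrupted in transit
        }
        $seen += $file.Name
        $report += [pscustomobject]@{ File = $file.Name; Status = $status; SHA256 = $actual }
    }
    # Entries the manifest expects but the staging directory lacks.
    foreach ($name in $approved.Keys) {
        if ($seen -notcontains $name) {
            $report += [pscustomobject]@{ File = $name; Status = 'MissingFile'; SHA256 = $null }
        }
    }
    $report
}

# Constructed demo: two staged files, the manifest approves only the first.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'staging-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'tool-a.msi') -Value 'constructed A'
Set-Content -LiteralPath (Join-Path $dir 'tool-b.msi') -Value 'constructed B'
$hash = (Get-FileHash -LiteralPath (Join-Path $dir 'tool-a.msi') -Algorithm SHA256).Hash
$manifest = Join-Path ([IO.Path]::GetTempPath()) 'approved.sha256'
Set-Content -LiteralPath $manifest -Value "$hash  tool-a.msi"
Test-StagedInstallers -StagingDir $dir -ManifestPath $manifest | Format-Table
```

In the demo, `tool-a.msi` is reported as `Verified` and `tool-b.msi` as `NotInManifest`; only files with status `Verified` would be released for installation.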

In addition, we provided the evidence that was important for an external auditor via the AuditTAP. In this way, we were able to transparently show where the BSI recommendations were complied with. For the deviations, the Enforce Administrator helped us. It generated the exception documentation quickly and automatically.

Audit TAP SQL (Image: FB Pro / Mockdrop.io)

In addition to the special requirements of the end customer, the tight time frame of the project also played an important role. Only about two weeks passed from contacting the customer, through initial arrangements, design and testing, to preparation and implementation of the installation, including final system hardening.

The result

The Enforce TAP now provides continuous hardening of the service infrastructure. This means it can be used on the HUBTEX customer’s critical infrastructure. And the technicians continue to be able to service the vehicles as usual.

Information security at the highest level, “just in time” and with the best practicability: This is how the result of the project can be summarized.

About the Enforce Suite

Enforce TAP and Enforce Administrator are components of the Enforce Suite. The suite enables companies to secure their IT systems through the technical measure of “system hardening”, based on legal requirements.

FB Pro has been successfully using Enforce TAP and Enforce Administrator for years to harden complex system landscapes. Both implementation and permanent support can be provided as part of a managed service.

What does the Enforce Administrator Managed Service offer?

With the Managed Service, the experts at FB Pro GmbH look after the operation of the Enforce Administrator and the compliance of the IT systems in your company. This also includes the activation of your IT system when defined events occur.

Our service for you in detail looks like this:

  • Updating of the Enforce Administrator

  • Back-up / restore service

  • Processing of change requests for hardening requests

  • Testing of new configurations

  • Inclusion of new systems in the hardening process

  • Rollback of incorrect configurations

  • Consulting for desired changes to configurations

Your Managed Service benefits:

  • Installation and setup

  • Performance of compliance checks and audits

  • Analysis of reporting

  • Triggering of incidents

  • Operation of the system

  • Scalable costs with transparent billing

  • Collaboration according to clearly defined SLA

  • Alleviation of the shortage of skilled workers.

What is the contract model?

When you order Enforce Administrator from us, you get the desired number of licenses for the agreed period. After that, the contract expires and you can renew it if you wish.

Once you have purchased the licenses, your IT staff will have to install, set up and maintain the Enforce Administrator. You can reduce the effort by adding our Managed Service.

What does the Enforce Administrator cost?

The recommended retail prices for licenses are:

  • 6€ per system/month or 72€ per system/year.

  • From 1,000 hardened systems, our discount scales take effect.

  • We are happy to assist with installation, setup, hardening definitions, etc.

What are the benefits of using the Enforce Administrator?

These are the biggest plus points:

  • Reduction of testing effort through successfully tested configuration packages - including for GDPR compliance, workstation hardening, and Windows server configurations.

  • Enterprise-wide distribution of hardening and data protection settings as well as other configurations

  • Time-controlled processing of jobs including transparent management view

  • Easy integration and automation via REST APIs

  • Automatic preparation of new IT systems for integration, for example firewall and authorization checks, certificate creation, technical configuration, and more

  • Integration in system environments by using various standards (including OAuth2.0, Kerberos)

  • Secure identity management, encrypted storage of credentials, fully encrypted based on current algorithms.

Is there an audit and reporting function for legal compliance?

Yes, the Enforce Administrator offers an integrated audit function. Changes and improvements can also be logged in order to fulfill the legal obligations to provide evidence - for example, within the framework of the General Data Protection Regulation (GDPR).

Need support?

Do you need professional advice or support for system hardening measures? No problem: Our experts are here for you! Get in touch for a no-obligation discussion.

Contact us!
