In early 2020, ANDRITZ began seeing a rise in cybersecurity incidents on its IT environment. At the time, the environment was monitored by a managed security services provider (MSSP). But the increase in breaches signaled time for a change. In less than six months after engaging with IBM Security® and deploying an integrated set of IBM® Managed Security Services (MSS)—all done virtually—the company had a new, comprehensive security services solution.
For ANDRITZ, a leading provider of industrial plants, equipment and solutions, keeping up with cyberthreats had become increasingly difficult. One reason was that its IT environment included a variety of systems and security policies that complicated security efforts. But a bigger issue was the vastness of the company’s security perimeter and attack surface area: ANDRITZ boasts over 280 production sites and service/sales organizations worldwide. Roughly 50% of its 27,000 employees travel and use the company’s network and remote connectivity options to automatically access IT resources. A host of third-party contractors and engineers also have access to key IT systems.
Klaus Glatz, ANDRITZ’s Chief Digital Officer, recognized the risks. “We have all these remote connections to our equipment. It’s not just ANDRITZ employees, it’s many outside companies too. That’s why it’s all about transparency, visibility and getting a holistic understanding of what’s going on. You can’t risk a customer’s operation.”
ANDRITZ’ customers operate hydropower stations, pulp and paper mills, chemical plants and metalworking factories that rely on the company’s plants, equipment and systems to function. Potentially, a security breach or vulnerability in IT could provide an avenue to something far more reaching or catastrophic, especially if a threat actor’s intentions go beyond stealing data.
Enhanced visibility
Gained 100% visibility across the network
Huge volumes
The platform processes millions of events per day
Thomas Strieder, VP Group IT Security and Operation Services at ANDRITZ, elaborates: “IT provides basic infrastructure and services and applications to all of our employees, globally. At the same time, our teams are providing OT [operational technology] services to our customers. These two areas are connected and getting much more connected in the future.”
With these risks in mind and recognizing the convergence of IT and OT, ANDRITZ founded its own OT cybersecurity company, OTORIO, in 2018. Today, OTORIO is a crucial pillar in the company’s cyber security strategy. But at the start of 2020, with its OT security measures in place, the company turned its attention to IT.
From the start, ANDRITZ had a clear, well-defined goal that went beyond simply implementing a collection of cybersecurity tools operated by a third party. The company needed a service organization that understood its requirements and could complement the existing team and setup.
In July 2020, after investigating several providers, ANDRITZ replaced its former MSSP with MSS. IBM designed and deployed a comprehensive solution in a less than six months, including integrating the software, implementing the security services and completing a worldwide rollout to demonstrate the benefits of the software as a service (SaaS) model. Because the COVID-19 pandemic didn’t allow the global teams to meet in person, all of the work was done remotely and through virtual meetings. This required even more professionalism and trust of both parties.
“Our first thought was IBM was too huge a company, too bureaucratic and probably not a good fit for us,” admits Strieder. “But after working together, we had to readjust our thoughts. IBM did exactly what we were expecting. They were super flexible. They listened to our demands. And they came up with the right solutions.”
For security information and event management (SIEM), ANDRITZ chose IBM Security QRadar® on Cloud technology deployed as SaaS. The platform helps ANDRITZ’s Poland-based security operations center (SOC) focus on detecting and remediating threats while IBM Security professionals provide around-the-clock management of the infrastructure. The SIEM ingests data and log events from multiple sources across the network. By applying advanced analytics and correlations across data types—network, endpoint, asset, vulnerability, threat data and more—the SOC gains a holistic view of security.
When the system detects suspicious activity or patterns, such as multiple failed login attempts, it triggers an automated alert. Depending on the level of severity, the IBM Security team creates a ticket or works directly with the SOC to provide response recommendations. ANDRITZ can also call on the IBM Incident Response Services team to carry out a direct investigation.
“The solution makes sure we are properly protected,” says Glatz. “We have a lot more information and transparency. Typically, we have millions of events a day, so it’s important that our people understand and select the 25 or 30 most critical events that could be of high risk to the environment.”
The SIEM service is complemented by two additional services: IBM X-Force® Red Vulnerability Management Services plus ranking and remediation support, and IBM Managed Detection and Response Services, which is integrated with CrowdStrike Falcon Prevent antivirus technology to speed threat detection and remediation.
X-Force Red Vulnerability Management Services scans ANDRITZ’s systems and assesses security vulnerabilities. Each scan produces a report that that rates the vulnerabilities by severity using the common vulnerability scoring system (CVSS). This helps ANDRITZ prioritize incident response.
“For us, the proactive component here is the vulnerability management,” explains Strieder. “With vulnerability management you can do a lot of things wrong. We needed someone who would work with us through these vulnerabilities and prioritize what we need to take care of first. It’s a joint effort.”
Managed Detection and Response Services calls out alerts that are picked up by the SIEM service. It uses machine learning and AI to assess activities happening on employee’s laptops, mobile phones and other interfaces. If it detects anomalous behavior, it can lock down systems, giving ANDRITZ time to investigate.
To augment the capabilities of its SIEM and security program, ANDRITZ takes advantage of IBM Security X-Force Threat Management Services, a comprehensive offering that integrates threat insight, protection, detection, response and recovery capabilities.
With IBM Security services and technology, ANDRITZ can proactively detect and understand the severity, scope and root cause of threats before they impact the business. A single, centralized dashboard provides unprecedented visibility and insights from across the network.
“We’ve been able to minimize the impact of attacks because we created a lot of locked sources,” says Glatz. “We analyze our network on a continuous basis. IBM Security offers a solid base where we have 100% visibility and transparency, which helps us solve threats in a very short timeframe.”
With Managed Detection and Response Services, ANDRITZ can more easily detect behaviors that could potentially infect end user systems. For Strieder, this was especially important during the pandemic. “The biggest payoff is we are better secured and we are much better prepared in case something happens,” he says. “Our 27,000 users were able to work from home and we were able to secure them—while we were working with the implementation with IBM.”
To help ANDRITZ understand and combat emerging threats, IBM conducts a two-hour continuous improvement and innovation session with the company each quarter. For Glatz, getting glimpses into the future threat landscape is key. “In security, you need to understand what might happen next month or next year,” he says. “With IBM we’ve partnered with a company that has the power and potential to anticipate what might happen six months from now.”
Moving forward, ANDRITZ is looking to integrate its OT information and OTORIO’s cyber threat intelligence with its SOC to gain an even broader view of the security environment. “ANDRITZ is transforming into a digital service provider,” concludes Strieder.
“With everything we provide today—our paper mills, hydropower installations, metals and so on—we need to pay even more attention to IT and OT cybersecurity. It’s an ongoing journey that will never stop.”
Headquartered in Graz, Austria, ANDRITZ (link resides outside of ibm.com) is an international supplier of plants, equipment and services for hydropower stations and for the pulp and paper and metalworking industries. It also offers solutions for solid/liquid separation in the municipal and industrial sectors. ANDRITZ was founded 1852 and today employs over 27,000 people in more than 40 countries.
OTORIO (link resides outside of ibm.com) designs and markets the next generation of OT security and digital risk management solutions. Headquartered in Tel Aviv, Israel, with offices in Austria and the US, OTORIO is an integrated part of ANDRITZ’s holistic cybersecurity strategy. Its core management team consists of former Israel Defense Forces (IDF) personnel who built and maintained its cyber defense unit.
Legal
© Copyright IBM Corporation 2022. IBM Corporation, IBM Security, New Orchard Road, Armonk, NY 10504
Produced in the United States of America, March 2022.
IBM, the IBM logo, ibm.com, IBM Security, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copyright-trademark.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.