By Gregory Hale
Security in the manufacturing automation environment is getting more intense as the sophistication of attacks continues to escalate, which is one reason Siemens invested in a new cyber defense center in Milford, OH.
To show how serious it is about security, Siemens brought out some security heavy hitters Monday to help launch the new center.
“We should feel a strong sense of urgency when it comes to security, especially in manufacturing,” said Lorie Wigle, vice president of security solutions at Intel Corporation. “We can’t do Patch Tuesday and Reboot Wednesday on the factory floor. High availability is very important in manufacturing. It is very important we act today. There are a lot of benefits with today’s technology, so we don’t want to back away.”
At the center, Siemens will provide continuous monitoring and analysis of security and system status based on real-time global intelligence. The center offers proactive threat notification, reduces the risk of production loss and equipment damage, and protects intellectual property, company reputation and brand image.
There are really two aspects to the center: the cyber defense center (CDC), which is more internal to Siemens, and the Cyber Security Operation Center (CSOC), which focuses externally.
The CSOC deals with managed and continuous cyber security services and advanced-level support services. Cyber security services include asset inventory management, patch management, host-based security control management, network security monitoring and platform management, perimeter protection management and incident response.
“There are billions of events every day,” said Nick Ritter, chief information security officer (CISO), global technology and cyber defense at Siemens. “We need to build threat intelligence and analytics. That allows us to address the threat levels.”
In addition, the new security center fits into the long-range security plan at Siemens.
“We have been talking about cyber for a while and we see it as a great growth opportunity,” said Eric Spiegel, president and chief executive at Siemens USA. “I was at a meeting at the White House and critical infrastructure was one of the main areas talked about that needs work. The world is changing very quickly and dramatically. Everything we do is changing dramatically, which creates more exposure.”
The idea of exposure is now coming to the forefront as more manufacturers are finally becoming aware of the issues behind not having a security program.
“A good attacker will always get through a firewall,” said Mike McConnell, senior executive advisor, Booz Allen Hamilton, former vice admiral in the United States Navy and former director of the National Security Agency from 1992 to 1996. “There are two companies out there: One company that is aware they have been penetrated and the other that is not aware they have been penetrated.”
But not to sound all gloom and doom, McConnell said there are other aspects to the security question.
“We are now at a tipping point,” he said. “IT changed our lives. It gave us great benefits, but introduced vulnerabilities. It also introduced opportunities like Big Data where you can analyze the data and get to the point of predictive behavior and predictive analytics, which will be the next great frontier in the industry.”
Brett Wahlin, vice president and global CISO at Hewlett-Packard, agrees.
“We have been looking for predictive analytics for a long time. It is the Holy Grail. We now have the capability to start understanding how Big Data can start allowing us to predict. The end goal is to learn what questions to ask and then understand where attacks could happen. How do we take the next step to help protect our companies?”
Analytics is where the future lies for security and automation, but Jagannath Rao is also living in today’s real-world environment.
“There is no shortage of security news,” said Rao, president of customer services division at Siemens Industry in the U.S. “There are three types of users. One that knows there is a problem and does something about it. Another one that knows there is a problem but doesn’t know what to do and a third set that doesn’t even think there is a problem.”
The goal is not to give a fix, Rao said, but to roll out a holistic security program.
He gave the plant manager as a case in point.
“The plant manager is having a problem. He is stuck in this dilemma in determining his priorities. If you look at his budget, there is no line item about security. He just wants to keep the plant running.”
Rao also mentioned the idea of security being a big safety issue where “if there is an incident, there could be a loss of life.”
In the end, if you have zero percent security today, it is better to have 40 percent security tomorrow, he said. “That means users have to start with an assessment to understand just what they have and what they need to protect. Once you have done an assessment, you can build a security roadmap.
“You need to implement the technology, but you also have to include the two other legs of the three-legged security stool of people and process. Technology alone cannot solve a security issue,” he said.
Once you get that done, the next step is to continue shining the light for the user to see their way through the continuous security lifecycle.
“Most of the companies are doing their business in a dark cave,” Ritter said. “We need to illuminate the cave. We need to create the threat intelligence to understand what is in the cave.”
“We can’t protect an environment 100 percent, but we can understand what is critical in our environment and our customers’ environment,” Ritter said. “We need to win every attack that matters.”