By Gregory Hale
Cyber attacks are growing in sophistication, and when an end user adds an expanding digital footprint that increases connectivity, it is a wonder OT security professionals get any sleep at all.
Siemens understands the pain end users are going through and appears ready to ratchet up its cybersecurity platform to the next level to counteract the heightened sophistication and growing digital footprint.
“There are opportunities and rewards with digitalization, but there are also issues to deal with like cybersecurity where the attack surface continues to grow with more connectivity,” said Eva Schulz-Kamm, global head of government affairs and leader of the Charter of Trust initiative at Siemens, during a Monday talk at Siemens in Munich, Germany. “By 2020 there will be over 50 billion devices connected to the Internet.”
While Siemens has been talking about the digital platform for a few years, the company understands end users need a secure environment to ensure a productive manufacturing enterprise. The company says the two are sides of the same coin: one can’t operate without the other.
“Users will say, ‘I like what you are proposing, but can I trust your solution? Do I want to open up my factory? I have been running a factory and making money for years, why do I need to do all this?’ They are right to question that,” Schulz-Kamm said.
“The dark side of the coin is where solutions were attacked when Stuxnet hit in 2010. We created a new approach to cybersecurity. We had to rethink it. Everybody today talks about smart. There is no smart without cybersecurity.”
While Siemens says it has been working in security since 1986, the automation giant was pulled into the new age of cybersecurity kicking and screaming with the 2010 Stuxnet attack.
Stuxnet, discovered in August 2010, was a joint attack by the United States and Israel against a nuclear enrichment facility in Natanz, Iran. The two nation states were able to get into the network of an air-gapped nuclear facility and manipulate a Siemens system to have the centrifuges run wildly out of control, leaving the country’s nuclear program in disarray. The goal of the attack was to hurt the country’s nuclear program, and that particular facility happened to be running a Siemens system.
While the Stuxnet attack did not injure anyone at the nuclear facility, Schulz-Kamm knows safety and security are linked. She likened security to safety in that they both deal with managing risk.
“Cyber has to be more than a seatbelt or an airbag,” she said. “It is a crucial factor in the success of the digital economy.”
She then added there are three key parts of security:
1. Protect society from cyber threats and risks
2. Increase trust in digital solutions and provide competitive advantages
3. Accelerate customers’ digital transformation and boost digital business
Part of growing into the digital economy was the creation of the Charter of Trust, which is a Siemens initiative that has now grown to 16 companies that follow 10 principles to ensure a trusted and secure environment.
“The Charter of Trust is something everybody needs to follow,” Schulz-Kamm said. “We see trust as an investment into the future.”
The ten principles at the core of the Charter include:
1. Ownership of cyber and IT security
2. Responsibility through the digital supply chain where there is identity and access management, encryption, and continuous protection
3. Security by default
5. Innovation and co-creation
7. Certification for critical infrastructure and solutions
8. Transparency and response
9. Regulatory framework
10. Joint initiatives
The ten principles should be a basic way of operating for companies.
As Siemens continues its push forward, it is creating a more holistic approach to security, said Rainer Zahner, global head of cybersecurity for governance at Siemens, during the Munich meeting.
New Work Environment
More and more companies are connected where they are generating data and consuming data. How much risk can they take? How can we protect an environment?
That is where standards and working with IT security folks come into play, Zahner said.
There needs to be an understanding of how to protect the “golden nugget” and understand the internal IT/OT infrastructure.
“We are coming up with baseline requirements for our suppliers along the supply chain,” he said.
Those baseline requirements are what the Charter of Trust is all about.
“All over the globe, this is a top, top issue,” Schulz-Kamm said. “From Washington to Beijing to Berlin, we have a mess here. We are excellent in many parts, but I am thinking, wait a minute, what does that mean? We have trustworthy products, but as we come into data and digital, it is completely different. Is it sufficient if Siemens has security, but what about all the other companies? Can we solve that alone? No, we cannot.”