By Gregory Hale
In the wake of the targeted malware attack discovered before it could cause severe damage against a Schneider Electric Triconex safety system in the Middle East, there has been a movement to get a better understanding and a joint effort to create a more cyber secure industry.
Along those lines, Siemens and eight industry partners Friday signed a joint charter for cybersecurity at the Munich Security Conference. Initiated by Siemens, the Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization.
In addition to Siemens and the Munich Security Conference (MSC), the companies Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom signed the charter.
Canadian foreign minister and G7 representative Chrystia Freeland also recognized the initiative as well as Elżbieta Bieńkowska, the EU Commissioner for Internal Market, Industry, Entrepreneurship and Small and Medium-sized Enterprises.
This move comes in the wake of a targeted attack on a Triconex safety system that occurred last August but was just revealed in December. Discovery of the attack, which took control of a specific Triconex system and also compromised a distributed control system (DCS) at the facility, has sent a shock wave throughout the industry.
System Failed Safe
In that August attack, a Middle East critical infrastructure user suffered a shutdown of its facility and the controllers of a targeted safety system failed safe.
During an initial investigation security professionals noticed there were some suspicious things going on and that is when they found the malware. The safety instrumented system (SIS) engineering workstation was compromised and had the Triton (also called Trisis and HatMan) malware deployed on it. The DCS was also compromised. It is possible to envision an attack where the bad guy had the ability to manipulate the DCS while reprogramming the SIS controllers.
“Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Siemens President and Chief Executive Joe Kaeser. “That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted – not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.”
The Charter has 10 action areas that call for cybersecurity responsibility to be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a chief information security officer at companies.
The pact also calls for companies to establish mandatory, independent third-party certification for critical infrastructure and solutions – above all, where dangerous situations can arise, such as with autonomous vehicles or the robots of tomorrow, which will interact directly with humans during production processes. In the future, the goal is for security and data protection functions to be preconfigured as a part of technologies, and cybersecurity regulations are to be incorporated into free trade agreements. The Charter’s also calls for greater efforts to foster an understanding of cybersecurity through training and continuing education as well as international initiatives.
According to the European Union Agency for Network and Information Security (ENISA) Threat Landscape Report, cybersecurity attacks caused damage totaling more than $696.5 billion (€560 billion) worldwide in 2016 alone. For some European countries, the damage was equivalent to 1.6 percent of the gross domestic product. And in a digitalized world, the threats to cybersecurity are steadily growing: 8.4 billion networked devices were in use in 2017 – a 31-percent increase over 2016, according to Gartner. By 2020, the figure is expected to reach 20.4 billion.
Schneider Electric, which is not a part of this charter group but was one of the companies affected in the assault in the Middle East, is also looking for a stronger industrywide effort toward cybersecurity.
“At Schneider Electric, we heartily encourage all collaborative efforts to strengthen cybersecurity,” said Peter Martin, vice president of business innovation and marketing, Schneider Electric. “The growing problem of cybersecurity is not specific to any single company, institution or country. Rather, it’s a threat to business and public safety that can only be addressed and resolved when suppliers, customers, integrators, developers, standards bodies and government agencies work together. This collaboration starts with common standards, agreed-upon rules, appropriate funding and active cooperation. It extends beyond national borders and transcends competitive interests.”
“We commend the signatories to the Charter of Trust,” Martin said. “It’s another important step toward ensuring that the promise of digital transformation and automation will prevail over the threat of cyberterrorism.”