EDITOR’S NOTE: Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens, sat down with ISSSource Editor/Founder Gregory Hale at the Future of Cybersecurity event sponsored by Siemens, which was a part of National Infrastructure Week hosted by Bloomberg in Washington. Simonovich talked about a wide range of cybersecurity topics, including the Charter of Trust.
Simonovich: The Charter of Trust overcomes the divide between the asset owners, the technology companies, the industrial providers like us and it creates an ecosystem chain, our CEO called it a learning community. It looks across the value chain that needs to be secured with some foundational principles. We are very proud Total, one of the largest oil and gas companies in the world, has joined us as an operator. But also Cisco, which is one of the leading technology companies, and Dell and TUV SUD, which thinks about how to bring a common set of rules or standards that we can all norm around, call it a north star. We need that north star, a set of blueprints to drive and raise the level of maturity of the industrial critical infrastructure environment.
ISSSource: Looking at the Charter of Trust, it appears to be IT-centric. Is that part of the goal to bring IT along as part of the value chain?
Simonovich: I am not sure I agree. I would say there is a convergence between the IT and OT between the physical worlds and the digital worlds. You can’t separate the two and that is why we as a community need to come together. If you look at folks like Daimler, Enel, AEC, they, at the core, are critical infrastructure providers. They either provide power, energy, or they manufacture goods that are part of our daily lives. To do so, they are increasingly using digital technology and intelligence that needs to be secured. Cyber attacks erode that trust. To overcome that erosion and to overcome that barrier to adoption of digitalization, we need to come together. In a world where digital and physical are increasingly two sides of the same coin, the way to do that it is important to have the technologists, critical infrastructure asset owners and us leading the way. It is also a complicated problem that needs to be solved. It needs to be solved at different layers of the technology stack. The only way to do that is by leveling the playing field.
ISSSource: What about some of your competitors coming in and joining the Charter of Trust?
Simonovich: We believe in inclusion. We believe it takes a village to do this. What is important for us is to look at not just one vertical, or one part of the stack, it is really to come together around this. But also to solve concrete problems. The idea is not to do a lot of talking; the idea is to get a lot of action. When you look at the Charter of Trust and its 10 principles, there are some things I think are foundational like ownership of cybersecurity, especially on the operational technology side. Responsibility for the digital value chain like creating some common set of certifications and standards. Security by default, which I think is a new concept in the U.S. We talked about security by design, but security by default says you need to aspire to the highest level of security in balancing business priorities using security priorities, so the mouse doesn’t lead the elephant.
ISSSource: Someone at the event was saying you want to keep security quiet and continue to work with customers, but the Charter of Trust is not quiet. Is the Charter of Trust putting a big target on your backs or is it a thing where you are just trying to move security forward?
Simonovich: I think it is the latter. It is a call to action to do something. It is a pledge and a commitment that says we are going to invest and we are going to do this collaboratively. We are going to solve problems around threat intelligence, incident response, dedicated operational technology, that is why we built an OT cyber portfolio from the ground up. The secret sauce, the tools of the trade, is we need to do it in a way that creates those layers of defense and we need to do it in a distributed environment. The probability of an attack happening for most of our customers is 100 percent. We live in this new reality of mega attacks. To say cybersecurity is something we can’t talk about leads to a lack of cooperation. We should talk about it. We should be collaborating around it. But the how (we do it) should be in a community — and a trusted community, and that is the whole intent of the Charter.
ISSSource: Putting the Charter aside for a moment, what is Siemens focusing on right now for security?
Simonovich: First and foremost, we have recognized that OT security is very different than the IT side. You need dedicated solutions and the center of this is visibility. Visibility gives you the power to act. We also recognize the industry is not very mature. We talked about the Ponemon study that says 72 percent of respondents are at low to medium maturity – they are not ready. There are two tracks. One is to address fundamentals and the other one is to detect. On the fundamental side, we are leveraging the power of our control systems experts, the engineers, to harden our customers’ environments. Really work with them in a trusted way to do so. On the detection side, we are partnering with Darktrace, PAS, and Tenable, to give that true visibility. That visibility comes with not just looking at the network layer or the control layer, but also the asset layer and all three of those together. Applying machine learning and analytics to detect and providing some context around it. We have built security operations centers globally to do this. Now we are delivering it as a service to our customers, recognizing oftentimes they don’t have the capacity to do this. We need to work with them either in a fashion where they let us run it for them or we just provide a data feed. Wherever they are in the maturity spectrum, whatever capacity they have, the important thing is to deal with it and tackle the challenge.
ISSSource: Are your customers seeing security as a cost center?
Simonovich: I don’t think so. I think the biggest challenge is they know they have a problem, but they don’t know how to get started. If you talk to our customers they say this is such a complicated problem. We have analog assets, there is serial with digital bolt on, we have open architecture, there is a shortage of skilled personnel to help address this problem, we don’t have dedicated OT technology, and at the same time we have all this exponential risk. That is like the perfect storm — and that is a problem. For them, they don’t know how to get started and it is now increasing at the board level with a note that this is a safety issue. That is why you saw the CEOs of major infrastructure providers like Enel, AES, Total, and Daimler saying we have got to deal with this. The how (to do it) is going to take some collaboration. There are some things we can do right away that are really important and there are some things that will take time.
ISSSource: We all know security is a long evolution, but in this environment, users look at here is what we need to get fixed, let’s put a project in and get it fixed and then move on to the next thing. The problem is security is not that way.
Simonovich: I agree, it is not that way at all. I think step one in all of this is knowing what you have. I think the utility space was forced to do that because of NERC CIP. The rest of the energy industry was not. With renewables, distributed energy, with unconventional oil and gas, suddenly you have a much more complicated problem that needs to be solved because your assets are everywhere, because you don’t have a central place where this stuff gets extracted or power gets produced, so how do you deal with that? How do you have points of control in the network looking at the system point of view? That is why asset inventory is so key as the first step. And then matching it up with vulnerabilities, running it as a program and having the confidence to know when to invest. PAS and Tenable solve a discrete problem, but when you bring them together you can suddenly build resilience, which is the way we approach it. Cyber asset management as a program. Not just for hard assets, but also for data and also for people.
ISSSource: Take your crystal ball out for a moment and let us know what trends you are seeing today and down the road for security?
Simonovich: Today, there is a wake-up call, there is awareness. There is increasingly more ownership of the problem. There is increasingly more focus and dedicated budget to address this. There is not today a holistic program to address it. For instance, there are no dedicated controls for OT in any of the frameworks that exist, that is why we built this framework for our customers. Where the industry is going to go is increasingly applying the analytics to the challenge. Today, it shocked me, 20 percent of respondents were not using any analytics at all. I am not talking about AI and supervised learning and Bayesian belief – any of that good stuff. Really what we are talking about is any analytics, any business intelligence. Increasingly, visibility will be driven by analytics. We believe AI, when there is context behind this, is going to help short circuit this. It is not going to be a silver bullet, but it will help. That is why I said two tracks, the fundamental or the hygiene track and the visibility and the detection track, and you have got to do both.
ISSSource: One of the other panelists talked about not getting caught up in the hype of AI or the latest and greatest thing, and if you do the basics and get good cyber hygiene and know what you have, that takes care of 95 percent of issues. Then you can add AI on top of that, which can help improve things. Is AI at a point right now where it is strong enough to get something out of it?
Simonovich: AI has to be done in context. I really believe detecting the anomaly only gives you so much. From there, you have to contextualize it. What does this anomaly mean in my production process? What does it mean for the asset? How do we map the topology? (You need) that kind of context which empowers customers to take action. Without that, AI is just a black box.
ISSSource: How do you see security in a few years? Security is changing and evolving, do you eventually see IT and OT coming together?
Simonovich: I don’t think of it as IT and OT convergence. I think of it as the digital and physical world coming together. In that world, the intelligence is going to sit at the edge. It is also going to sit in the control room. The box layer is going to get thinned out. That is why it is important for us to understand how security is going to scale with the way connectivity scales and the way intelligence, or the critical points, in that convergence, where those control points sit. That is happening. However, if you look at the brownfield, where digital has been bolted on top, that is the stuff that needs to be secured first.
ISSSource: Brownfield to me is 99 percent of the industry, how do you eliminate the bolt on approach? How do you rectify a brownfield environment to create security by design or by default?
Simonovich: To make it simple, there are three ways. One is detection, that is really key. Step one, provide visibility. Step two, if it is too risky, you have to rip it out and secure it. Step three, you have to provide an approach that creates layers of defense so it is very hard to get to the thing that is most important. So, you have got to do all three of those things so there is not one approach. The rip and replace approach sometimes is not going to work because it is too hard and too costly, but sometimes it makes a lot of sense. Defense in depth is just so important.
ISSSource: How do you win at security because you are constantly getting hit? I am a believer if you live purely in a defensive mode you lose, but if you have a holistic security program you can win the battle.
Simonovich: The only way that works is you don’t just secure the box. That is why you have to secure the supply chain all the way to the component level, but also the device level, the asset level — with the concept of the substation and the secure power plant – that is the only way that will work. And to swap out the intelligence from the hardware. We know the attackers are going to get more sophisticated. Well, the code has to be built in blocks in an agile way for things that matter so they can be swapped out, secured, and then brought back in and do it in a way that does not interrupt operations. That is greenfield stuff. Secure by design is important, but only when it is flexible, and only when it covers the value chain. Then there is the brownfield stuff which is the elephant that needs to be tackled.