Cyber security in the age of digital transformation

An interview with Merle Maigre

Cyberspace security strategies

We are in the midst of the digital age and Industry 4.0. In the course of this digital transformation, markets and opportunities are changing, and many new prospects are arising for government, the economy and society. It allows new thinking that makes processes more efficient, predictable, secure and flexible. Production can be made more flexible and more resilient while at the same time improving documentation. However, many quality standards have to be further enhanced as well.

Digitalization and the Internet of Things are advancing in all areas of life and industry at a rapid pace, as these current trends show: while there were about 8 billion devices connected to the Internet in 2017, 20 billion are predicted by 2020. The intelligence and networking of devices and systems today provide the opportunity to unleash the full potential of data and transform it into real (added) value for enterprises, people and the environment.

 

But the potential of digital transformation can only be unlocked if it succeeds in achieving high security standards for the valuable data and networked systems. Cyber security is one of the major challenges being faced today. In 2016 alone, the damage caused by attacks from the Internet amounted to more than €500 billion worldwide. Cyber attacks are an international issue and have different objectives, from purely criminal activities, large-scale industrial espionage and sabotage, to military operations.   

We interviewed Merle Maigre on this topic. At the time of the interview, she was serving as the Director of the NATO Cooperative Cyber Defense Centre of Excellence.

Mrs. Maigre, everyone appreciates the advantages of digitalization, but also fears the risks. How high are these risks really?

Merle Maigre: We have learned to appreciate digital for the new normal. A part of that new normality that people find harder to accept is the fact that technology, basically, is not perfect. Some things are broken, some things are exploited, some things are patched. Technologies and threats in cyberspace are in constant change; our dependence on a digital lifestyle recognizes no geographical borders nor makes a difference between civilian and military, private and public domains – any technology or system is a potential target for a cyber attack.

 

While enterprises and industries might be more concerned with cyber crime and espionage for economic gains, nations and international organizations such as NATO are defending against growing threats from state actors in cyberspace. Incidents like WannaCry and NotPetya demonstrated how the paralyzing and damaging effect of a cyber attack can impact individuals and organizations across the globe in a matter of hours or even minutes. There’s the near-weekly news of extensive data breaches from around the world. News of software flaws and vulnerabilities enabling such incidents is commonplace; hardly a day goes by without new discoveries and subsequent patches.

 

Cyber operations have become a standard part of the toolbox of political and military intelligence-gathering and information. A growing concern for nations are potential targeted attacks aimed at our critical infrastructure.

Investments into digital innovation must go hand in hand with serious commitment to cyber security.
Merle Maigre

Considering the interdependencies in the cyber realm, nations have to take measures to protect their vital services, critical information infrastructures and military systems too.

 

Otherwise, the risks of digitalization are not necessarily higher compared to reverting (our societies) to low-tech. They are different, and we are still in the learning and adjusting phase of digital societies – a challenge that the rapid development of digital technology no doubt aggravates. But as actors are growing in skill, cyber defense capabilities are improving as well.

Companies have been exposed to potential cyber-attacks already since the advent of automation. Today industrial production systems are not only largely digitalized, but also increasingly interconnected. Will they become even easier to attack as a result of the industrial Internet of Things?

Merle Maigre: Cyber attack methods and means evolve as technology continues to advance. This does not necessarily mean that performing attacks is becoming easier – as the industrial systems have become more complex, the attacks are also more sophisticated.

 

This has led cyber security experts to promote security by design, especially in the case of managing the risks related to the provision of vital services. In case of some critical services a more conservative approach serves to be more reasonable – not every system and device has to be connected. In addition, both nations and private institutions are leaning towards making technology issues also management decisions, in order to avoid delegating everything as “technical details” to the IT department or support. In the long run this approach hopefully also generates demand for more secure products on the market. Currently the market offering tends to focus rather on the comfort and convenience of the end-user.

 

None of these solutions is a silver bullet against disruption, but their combination does contribute to increased resilience.

Can specific precautions be taken in critical areas like the military, government and industry? How are individual players like companies contributing to the new security measures?

Merle Maigre: Militaries, governments and industry need to recognise the interdependencies in cyberspace and develop reliable ways for information sharing, joint training efforts and other practical cooperation initiatives to build a more resilient defense strategy and system. In that sense everything starts with basic cyber hygiene – every company, institution and private individual needs to be aware of and uphold the basic measures – and ends with the national cyber defense strategy.

 

One of the unique examples of an interdisciplinary approach and practical cooperation of like-minded nations, which CCDCOE has been very proud to host since 2010, is Locked Shields, the largest and most complex international live-fire cyber defense exercise in the world. The annual real-time network defense exercise is a unique opportunity for national cyber defenders to practice protection of national IT systems and critical infrastructure under the intense pressure of a severe cyber attack.

 

This year the exercise involved critical infrastructure that our entire modern lifestyle depends upon – power supply, clean water and emergency communications. The exercise trains the teams in how to protect unfamiliar environments and to make the right decisions with incomplete information, as computer emergency specialists often have to in real-life situations. The systems running our critical infrastructure are in constant development; we have to test and drill our resilience and defense on a regular basis – our cyber defenders need to keep learning and practicing cooperation with Allies on a regular basis. It would not be possible to arrange this exercise with this level of complexity without the valuable contribution of industry partners. We cooperate with industry partners that bring to the exercise specialized capabilities and technologies, which are widely used all over the world and represent the best market expertise in their respective industries. For example, software solutions by Siemens, 4G Public Safety Systems by Ericsson and drones by Threod Systems enable the participants of the exercise to familiarize themselves with these vital devices and software solutions.

It’s wise to assume that every digitalized and connected device and system includes vulnerabilities that need to be detected and mitigated.

A great security problem in the digital age is the large number of different and constantly emerging new threats. What can companies do to defend against the different types of cyber-attacks? How can experts always be up-to-date, even beyond international standards such as IEC 62443?

Merle Maigre: We should aim for community building, building trust and social capital between state and private sector. For example, already around 20 years ago there was a common accord among Estonian banks to compete in services but not in cyber security. In practice this meant sharing both expertise and information.

 

Facilitating – both by trust relationships and reliable info exchange mechanisms – and strengthening rapid information exchange throughout the community will be beneficial once another serious incident occurs.

And if a serious attack does occur, what fundamental measures must be taken to prevent entire factories from being shut down?

Merle Maigre: Safeguarding, patching and updating systems and developing security processes together with continuous training and regular practice are essential in dealing with potential vulnerabilities. When a serious attack occurs, the victim might be tempted to keep quiet about the extent of the damage and handle the incident on their own; however, strong partnerships and trusted allies might provide valuable support. It is important to start building these alliances, cooperation practices and coalitions already before the trouble hits.

What is the future of cyber defense? Does it mean forming centers of expertise such as the CCDCOE or a worldwide network of experts? Can technologies based on artificial intelligence also be used in this context?

Merle Maigre: It is our firm belief at the NATO Cooperative Cyber Defense Centre of Excellence that in this constantly changing and challenging environment one of the keys to stronger cyber defense is an interdisciplinary approach, trust-building measures and cooperation of like-minded nations. CCDCOE provides its member nations, NATO and the community at large access to a pool of various high-level experts, working together side-by-side conducting research, training and exercises.

New study areas emerge all the time; our researchers are already looking into the cyber aspects in the development of automated systems and AI.

Holistic protection of industrial plants

For us at Siemens, industrial security plays a major role. Together with partners and customers, we continuously work on holistic security concepts that protect and defend data, processes and systems against external attacks. “The lucrative digitalization is only successful if customers can rely on the integrity of the data,” says Natalia Oropeza, head of the new corporate department Cybersecurity at Siemens.

"Defense in depth"

For this purpose, we at Siemens use a comprehensive defense-in-depth protection concept based on the recommendations of ISA99/IEC 62443, the leading standard for security in industrial automation applications. With solutions based on defense-in-depth and an integrated product and service offering, Siemens supports its industry customers in reliably implementing appropriate protective measures.

 

There are essentially three levels or key elements. The first is basic asset security, meaning protection against physical access supplemented by organizational measures such as security policies and monitoring of equipment for anomalies that may indicate attacks. Another key element is network security, which uses firewalls and encrypted data transmission. Finally, system integrity focuses on the protection of individual devices and systems against unauthorized access and modification.

 

With this protection concept, attackers always have to overcome several hurdles. This is much more difficult and costly than simply overriding individual security measures.

Customized solutions for the process industry

The process control system Simatic PCS 7 also offers these integrated, comprehensive security solutions. They are tailor-made for the special requirements of process plants. With our security concept you can effectively increase protection, reduce risks, help prevent security incidents and thus increase plant availability.

 

Its strength lies in the way the different security measures in the plant network work together. For this purpose, systems can be set up from closed security cells, which ultimately results in a closed system in compliance with how ISA99 defines security in manufacturing and process control systems.

 

In addition, the process control system received official certification from TÜV SÜD in November 2016, which confirms compliance with the IEC 62443-4-1 and IEC 62443-3-3 security standards.

Together against common opponents

With its unique portfolio of cyber security technical expertise for factories and facilities, power grids and healthcare, Siemens is well positioned to be a thought leader in the field. For this reason, the company has launched the “Charter of Trust” together with the Munich Security Conference (MSC) and industry players such as IBM, Daimler, Dell, Cisco, Deutsche Telekom and several other well-known companies and partners.

 

The Charter contains ten principles designed to make our digital world safer and sets three important goals: to protect the data of individuals and enterprises, to prevent harm to people, industries and infrastructure, and to establish a reliable basis where confidence in a networked, digital world can take root and grow.

 

Successful solutions using Siemens security technology, such as the one protecting the research activities of Dow Chemical's Middle East R&D center, demonstrate that this can be achieved.