Industrial security: The cyber guards

“More potential targets for cyberattacks” is the most frequently cited reason for being very cautious about digitalizing production. Is this a legitimate concern? No, say the security experts at Siemens.

A current statistic published by ICS-CERT, the U.S. authority for protection from cyberattacks, shows that the number of attacks to critical infrastructures is increasing. According to a study of the consulting firm KPMG in Switzerland, 54 % of the organizations have experienced a cyber attack in 2016. Nevertheless, “The growing number of cyber-attacks is a fact we cannot ignore. This, however, must not be a reason to avoid digitalization in industrial production.

We should consider cybersecurity a competitive advantage rather than a cost factor,” emphasizes Helmuth Ludwig, chief information officer at Siemens. That is why Industrial Security, the comprehensive security concept, is an essential component of the Digital Enterprise, Siemens’ Industrie 4.0 solution. Ensuring industrial security requires continual monitoring and adaptation of new security measures.

Among others, the Computer Emergency Response Team for Products (ProductCERT) is responsible for cybersecurity at Siemens. “Users only trust providers that deal transparently with discovered vulnerabilities in their products,” says ProductCERT leader Klaus Lukas. To safeguard its customers’ digital world, his team has a threestep approach: prevention, early identification, and professional treatment of security vulnerabilities in Siemens products.

Everything for IT security

Siemens products and solutions also contain some third-party components. “Attack technologies and methods evolve and improve, meaning the status of a component that had been safe yesterday may change overnight,” explains Oliver Hambörger, security expert at ProductCERT.

That is why he and his colleagues are always on the lookout for new information on security vulnerabilities. They closely check every piece of information: Is the software used in Siemens products, and if so, in which ones? How critical is the security vulnerability? If necessary, updates to the thirdparty component are immediately implemented in the product or solution.

This is only one of many factors, because the Siemens software portfolio is also growing steadily due to digitalization.

A watchful eye

At the same time, the digital plant must be protected. Updates, patches, and permanent monitoring are indispensable elements of Siemens’ repertoire for its products, and they are more important than ever because the Internet of Things is growing rapidly. “We are always prepared to work on any product security vulnerabilities detected. These are found and reported to us by security researchers, meaning IT experts at universities or IT security providers, but also by customers, national CERT organizations, or internal Siemens sources,” explains ProductCERT security expert Rupert Wimmer.

Wherever the report comes from, the process is routine: Wimmer and his colleagues communicate intensively with the person reporting the issue in order to understand the observations correctly and completely.

If it becomes evident that a new security gap has been found, a task force is convened with the product manager so that a solution can be developed as soon as possible. The workflow is methodical and very precise. If eliminating a vulnerability requires a product update, the Product CERT colleagues verify its efficiency before publication. Then a security advisory is published on the ProductCERT website to inform the customer about the security gap and its solution.

Users only trust providers that deal transparently with vulnerabilities discovered in their products.
Klaus Lukas, ProductCERT Leader at Siemens

Transparent cybersecurity

“Handling vulnerabilities professionally means informing users about their existence and the countermeasures that need to be taken. We set new standards in industrial applications with our security advisories,” explains Lukas. He is convinced that this is a real advantage in the face of increasing digitalization, because only transparency demonstrates our responsibility to the customer.

“Transparency is extremely important in the area of cybersecurity. This goes both ways. It applies to reports we receive as well as to messages we publish,” says Lukas. The ultimate goal, of course, is to avoid the need to issue any security warnings in the first place. For the Siemens test departments, security tests before delivering the company’s products are therefore an essential step in quality assurance.

Cybersecurity is a daily routine

“We continually work to make it possible for our customers to digitalize their plants so they can compete in the market,” Lukas says. “Monitoring, advisories, and testing are part of our daily routine in the field of cybersecurity response – just as it is a matter of course for operators of chemical plants to handle hazardous substances appropriately. Our team works for our customers 24/7.”

Picture credits: Siemens AG

Subscribe to our Newsletter

Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.