Siemens has developed a platform that makes it possible to check Siemens products for their digital vulnerabilities. Its name: SiESTA-Siemens Extensible Security Testing Appliance. This allows product departments to ensure that their devices and systems are protected against cyberattacks.
Hardly any other industrial company works with as many completely different devices and software applications on a daily basis as Siemens. For instance, Siemens works with open source software for frequently used product components, real-time operating systems in sensors and robots; it works with Windows on desktop computers and with the Internet of Things in the context of Mindsphere, an open cloud-based IoT operating system. And hardly any other company uses these digital tools in so many technology sectors – areas that include building management, digital factories, power plants, rail systems, and turbines that are expected to operate for decades.
Defending all this against hackers is no small task. According to a survey by the World Economic Forum in 2018, managers in leading industrial nations regard cyberattacks as the biggest risk for their companies. In view of this, in October 2018 Siemens set up a new Cybersecurity organization, which bundled a wide range of tasks to protect its IT infrastructure, products and customers.
Siemens’ ProductCERT (Computer Emergency Response Team) is an important element of this unit. The team identifies digital vulnerabilities in Siemens products at an early stage and quickly provides solutions. "Vulnerabilities can occur in any software," says Klaus Lukas, head of ProductCERT. "That's why we're always on the lookout for security vulnerabilities - and as soon as we find them, we support those responsible for a product in order to find solutions and inform our customers. Correctly done, this creates transparency and thus trust. This is the most important result of our work alongside security.”
Given the large number of its customers and products, how can Siemens help localize and close security gaps? ProductCERT has developed a platform that is unique on the market and can be used to test the security of Siemens products for known - and unknown - vulnerabilities. The platform is called “SiESTA®” (Siemens Extensible Security Testing Appliance) - a chocolate box-sized metal case with various connections that can be connected directly to a device or server. Once SiESTA has been configured on the basis of selected goals, an automatic test program starts various security tools, allowing the security expert – in principle – to have a siesta.
SiESTA entered service in 2014, when 'Heartbleed' made headlines. Heartbleed was a weakness in the OpenSSL open source library used at Siemens to secure communications between machines and production facilities. In order to find out which products were affected by this vulnerability, ProductCERT developed a test program that was distributed to various Siemens development departments. As a result, the affected products could be identified, and countermeasures were taken within a short period of time. "That gave rise to the idea of developing a user-friendly test device that could be used in a wide variety of Siemens products and their software environments and that could execute such test routines quickly and easily," recalls Tobias Limmer, a member of Siemens ProductCERT. SiESTA has been used within the security departments of Siemens business units since 2016 - and it is now also offered as a service to end customers.
SiESTA contains a large number of common security tools that are combined under one easy-to-use user interface that can be updated and expanded as required. One of the operating systems used by SiESTA is Kali Linux. It provides a variety of tools for security testing, but SiESTA also supports a number of common commercial tools. This allows Siemens test departments to see what an attacker would see when trying to penetrate a system from the outside.
Such tools make it possible to identify vulnerabilities such as Heartbleed, Ghost, Wannacry, NotPetya and many more. SiESTA is also in a position to find completely new vulnerabilities - with so-called fuzzing tests that send targeted, invalid inputs to systems and verify the behavior of the tested device. New versions of a product are also inspected using load tests to verify whether they operate correctly under high network load. In other use cases, such as the security evaluation of industrial networks, network scans determine which devices and software versions are available, whether they are securely configured and whether known vulnerabilities are present.
With SiESTA, we are giving product test departments a simple yet flexible way to incorporate basic security testing into their familiar testing process
SiESTA can also check whether the latest security update is installed on products and whether all necessary hardening measures have been carried out. If required, it uses lightweight tests that are specifically adapted for industrial environments. The service has been used within Siemens for several years and is now also being offered to customers. It enables security experts to ensure that their systems are armed against attacks and comply with international security standards.
Finally, in addition to common security tools, SiESTA also offers test cases specifically designed for Siemens products. This is not surprising. Product managers and security teams within the company usually find out about vulnerabilities before they become public. This in turn not only enables product managers to quickly develop and test a software patch, but also enables them to make sure that the patch solves the issue. Such test cases ensure that weaknesses in older versions of a Siemens product can be quickly detected and eliminated.
After a few minutes or hours, depending on the scope of the selected test program, the security platform delivers an easy-to-read report with a traffic light scheme, which indicates possible security gaps at a glance. It also highlights recommended actions for the operators of such networks. "With SiESTA, we are giving product test departments a simple yet flexible way to incorporate basic security testing into their familiar testing process," says Lukas. "It’s a Swiss knife, so to speak, for digital security."
Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.
It looks like you are using a browser that is not fully supported. Please note that there might be constraints on site display and usability. For the best experience we suggest that you download the newest version of a supported browser: