Time for Action: Building a Consensus for Cybersecurity

Siemens teamed up with the Munich Security Conference and other governmental and business partners to present the Charter of Trust initiative in February 2018. One of the initiative’s key goals is to develop and implement rules for ensuring cybersecurity throughout the networked environment. The first major successes have already been achieved.

by Hubertus Breuer / Sebastian Webel

We rely on the digital world each and every day. We take it for granted that we can use debit cards to pay for our purchases in supermarkets, that our health data is well protected on computers in doctors’ offices, that we can use smartphones without reserve, and that we get electricity from systems to which smart grids may have just distributed the appropriate amount of energy produced by wind turbines. Wherever we go, we are surrounded by a network of bits and bytes.

However, dangers lurk everywhere as well. Criminal attacks on security gaps can cause considerable damage – whether they result in data theft at hospitals, sabotage in factories, power failures or industrial espionage. That’s why protective walls need to be erected around our digital world. People who need to access mission-critical systems need to identify themselves by biometric means or know the pertinent PIN codes. Moreover, data must be transmitted in encrypted form and protected behind firewalls. Meanwhile, antivirus programs must constantly be on the lookout for malware, and standards such as IEC 62443, which specifies the IT security of automated facilities, must provide guidelines for the protection of critical systems.

Needed: Minimum Standards for the Entire Value Chain

In spite of these barriers, we still lack mandatory basic cybersecurity criteria for the entire value chain. That’s why, in February 2018, Siemens teamed up with the Munich Security Conference (MSC) and six other governmental and business partners to create the Charter of Trust.

 

One of the Charter’s aims is to set minimum general standards for cybersecurity that are in keeping with the requirements of state-of-the-art technology. “Governments need to take a leading role here. However, the standards have to be developed and implemented by the companies that are at the forefront of visualizing and shaping the future of cyberspace. That’s why the Charter is so important,” said Wolfgang Ischinger, Chairman of the Munich Security Conference, at the time. “We will work together with our partners to promote this topic and fill it with content.”


It is certainly high time for action. That was demonstrated not only by the Stuxnet malware in 2010, but also by the WannaCry and NotPetya ransomware in 2017 and the processor vulnerabilities known as Meltdown and Spectre. It is estimated that cybersecurity threats caused more than €500 billion in damages worldwide in 2016. Moreover, the risks associated with cyberattacks are steadily growing. Whereas 8.4 billion networked devices were in use in 2017, experts estimate that 20.4 billion such devices will be in operation by 2020. Threats to these devices can pose a danger to life and limb – for example, when the safety-related systems in autonomous vehicles are manipulated during production so that they fail to work in an emergency.

Ten Steps to a More Secure World

The Munich Security Conference that took place in February 2018 was an ideal platform for laying the Charter’s groundwork in front of a global audience. This was done not only by industry-leading companies but also in the presence of political decision-makers, experts, and civil organizations. This is crucial because cybersecurity affects everyone. It is no accident that Siemens was one of the Charter’s initiators: digital value added is rapidly becoming more important in industry, which is also one of the pillars of Siemens’ business.

 

The Charter contains ten principles that should make the digital world more secure and also sets three important goals: Protect the data of individuals and companies; prevent damage to people, companies, and infrastructures; and create a reliable foundation for instilling trust in a networked, digital world.

 


Strengthening Trust in the Digital World

Everyone will have to pull together if this goal is to be achieved. A global network is a precondition – and this network has grown significantly in the meantime. Alongside Siemens and the MSC, the IT major IBM, Daimler, the insurance group Allianz, Airbus, Deutsche Telekom, Dell, Cisco, the petroleum company Total, TÜV Süd, the product testing group SGS, the semiconductor manufacturer NXP, the energy supply utilities Enel and AES Corporation, and the IT group Atos are all members. And the list is set to grow.

 

It’s now up to these players to achieve a clear consensus for the basic principles of a secure digital world. According to the Charter, this includes, among other things, mandatory cyber security certifications for critical infrastructures and devices that might pose a danger to life and limb. It’s also essential that there be clearly defined areas of responsibility and contacts for cyber security at companies, governments, and authorities.

 

And this is going to need a great deal of encouragement. Whether in Berlin, Brussels, Paris, Rio de Janeiro, Singapore or Washington, many rounds of talks – round table sessions in which the Charter partners were able to discuss the matter with politicians on site – took place last year. With success: The French President, Emmanuel Macron, adopted the suggestions of the Charter in the cybersecurity strategy he presented in November 2018. The European Union’s Cybersecurity Act and the strengthening of the German IT security law also follow the suggestions in the Charter of Trust.


Agreed: Cybersecurity Guidelines throughout Global Supply Chains

Another success that was achieved in the first year of the Charter was the participants’ agreement to embed comprehensive cybersecurity guidelines throughout their global supply chains. The partners will each roll out their own implementations. For Siemens, this means that new suppliers must undertake to implement minimum requirements for cybersecurity and will be subject to regular security checks and continual monitoring of their products, services, and infrastructure. It’s a giant step that will benefit everyone involved. After all, according to the consulting company Accenture, more than 90 percent of all IT-based attacks take place at small companies.

 

Moreover, global networks of experts should communicate more extensively about shared, overarching risks. In addition, binding security standards are needed for the rapidly growing Internet of Things, including rules for authorized access and data encryption. Last but not least, the Charter of Trust aims to make cyber security an integral part of the curriculums at schools and universities – doing this will be no mean feat, considering the large number of curriculums. “This is one of our most important concerns,” says Ischinger. “In this way, we don’t just want to increase people’s awareness of cyber security, but also give young people the tools they need to help shape the security of the digital world in the future.”

2019-02-15
