“The Internet of Things would be inconceivable without Cybersecurity.”

The Cybersecurity-Initiative Charter of Trust is a year old. An interview with Siemens’ COO and CTO Roland Busch and Chief Cybersecurity Officer Natalia Oropeza about the importance of Cybersecurity.

 

by Norbert Aschenbrenner

The Charter of Trust was launched a year ago. What’s your assessment so far?

 

Roland Busch: Very good. There’s been a lot of interest from government, business and civil society. A steady stream of attacks and data leaks have shown that we need a robust framework for action in cybersecurity. Government and business need to work together here. The Charter of Trust has asked France to take up the topic during the country’s presidency of the G7. One of the points under President Emmanuel Macron’s cybersecurity strategy is working on international cybersecurity standards. So the topic has arrived at the very top levels and shows the need for cross-border cooperation.

 

Natalia Oropeza: The content has also advanced. The 16 partners have not only signed and reaffirmed the ten principles of the Charter of Trust, but also signed an agreement to keep working together in the future. One important result to emerge from this cooperation is that last October, we adopted 17 minimum requirements for the digital supply chain. These include, for example, that suppliers have to implement specific standards, procedures and methods to prevent vulnerabilities, malicious codes and security incidents in their products and services. On top of that, a number of companies have come to us and wanted to join the Charter, so we’ll soon be able to include additional partners. And we’ll also be speaking at this year’s Munich Security Conference. 

"We have very quickly recognized that cybersecurity is an integral part of the digital revolution."

Why here in particular?

 

Roland Busch: The Munich Security Conference is the major global think tank on security policy, and a joint initiator of the Charter of Trust. And it speaks volumes that cybersecurity is now one of the top themes at this well-established security conference.

 

Natalia Oropeza: Besides that, we’re pursuing a strategic buildup of additional partners. The main focus is on content. Basically, we’re open to everyone. But we don’t want a loose commitment to the Charter’s ten principles – we want an active contribution toward shaping them. So we have a selection process in which all the founding members reach agreement.   

Why does Siemens have a lead role?

Roland Busch: Since we have a lead position in industrial digitalization, we very quickly recognized that cybersecurity is an integral part of the digital revolution. The industrial Internet of Things (IoT) would be inconceivable without cybersecurity. We see how important that is to our customers every day as we work with them. They all want to advance digitalization. But without trust, it won’t work. Our digital services and products for all aspects of MindSphere in the IoT will be a success only if we can simultaneously offer the best possible protection from data theft and attacks. And that, in turn, is something we can’t guarantee by ourselves. Which is why it’s so important to join forces with partners.

Which of the 10 Charter principles are most important to you?

 

Roland Busch: Without a doubt, taking responsibility and acting accordingly. That applies to us ourselves, but also our partners. Concurrently with the Charter, we set up our own cybersecurity ecosystem of some 1,300 employees all over the world, who hitherto were scattered around. Natalia heads the core unit, and reports directly to the Managing Board as Chief Cybersecurity Officer. Today, we can respond faster to threats and protect ourselves better by looking ahead. Another of Natalia’s tasks is to make our own products more secure, and to develop new solutions for customers together with our businesses. And that brings Siemens’ suppliers into play. In the future, all new contracts will be introducing binding minimum cybersecurity requirements, step by step. They’ll apply to suppliers of next-generation products, such as security-critical components like software, processors and electric components for control units – in other words, anything from the IoT environment. Existing suppliers will gradually have to meet the requirements. Once all Charter partners introduce these measures, we’ll have a massive multiplication effect – because taken all together, the partners’ suppliers worldwide number more than a million.

Natalia Oropeza: As I see it, the most important point is education, at all levels. Cybersecurity affects everybody – it’s not a task that my team and I can manage for Siemens all by ourselves. We’ll only make Siemens really secure once, for instance, passwords are assigned that meet the highest standards and aren’t just 123456. That’s why we have to raise our employees’ awareness and improve training – including on the customer’s end. Which is exactly what we’re aiming for with the Charter of Trust. By which I mean getting concepts of cybersecurity well established everywhere, whether in schools or at universities or in all levels of vocational and professional training. And another important point that will enhance the application of security technologies is user-friendliness. We’re working on that too, to make things as easy as possible for our customers and fellow workers. Security mechanisms should be integrated as directly as possible, without requiring any cumbersome interaction with the user.

You’ve been at Siemens for a year now. What has your experience been like? 

 

Natalia Oropeza: Just forming the new unit was a Herculean task. But it was fantastic to experience how everybody on the team pulled together. Now we can look ahead and move Siemens ahead in this direction and lift it to a new level. By that I mean our holistic approach to protection, detection and defense all along the cybersecurity value chain – infrastructure, IT, networked products, services and solutions, and also what we have to offer our customers.

 

Vision2020+ of course offers greater freedom and flexibility for all operating units. How does a centralized approach to cybersecurity fit in that situation?

Roland Busch: It fits very well. There are centralized and decentralized aspects that are driven by the operating businesses. It’s all ultimately guided by the CEO principle – meaning the CEO of a given Operating Company has full responsibility, including for cybersecurity. Just as with the Charter of Trust, this is about partnership – in other words, the strong central organization supports the businesses with services that the businesses then don’t need to maintain for themselves – such as access or encryption technologies, attack tests and monitoring. Pooled expertise means maximum quality at a reasonable cost for all. Plus, we need speed and complete transparency about the status of cybersecurity at all units that bear the Siemens brand. 

"We’ll support the business units in offering high-quality cybersecurity solutions for their customers."

Siemens intends to market cybersecurity solutions more heavily in the future. Which role will the organization around the Chief Cybersecurity Officer play here?

 

Natalia Oropeza: We’ll support the business units in offering high-quality cybersecurity solutions for their customers. We’re a central contact point that can benefit all our units. That way, they can all achieve the same high level of security.

 

Roland Busch: On top of that, we’ve pooled our technological content in our Company Core Technology for Cybersecurity. This is where experts from our businesses and Corporate Technology develop the solutions of the future for the entire company.

 

What challenges will we face in the coming years?

 

Natalia Oropeza: Attacks will keep increasing, in part also because more and more devices will be networked. That will directly affect our daily lives, and here it’s not just our personal data that will be in danger, but our way of life at home and at work. Just for example, think of autonomous cars, hospitals, energy utilities, or digital factories. So we’re working on automating cybersecurity solutions that can avert the vast majority of threats. And for that purpose we’ll also be applying various technologies like artificial intelligence to achieve prevention. 

2019-02-15

Norbert Aschenbrenner

Picture credits: from top: picture 1: Getty Images / Westend61

Subscribe to our Newsletter

Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.