A backbone of our society
We do not realize just how dependent we are on digitalization until something goes wrong – something like an attack launched by a horde of hackers. For this reason, cybersecurity acts as the fundamental basis of the efficient and long-range advancement of our society.
There was something fishy going on here. The cursor in the control system of the water treatment system of Oldsmar, Florida, seemed to be guided by an invisible force. The IT specialist who was overseeing the operation watched as the amount of sodium hydroxide, a chemical used to regulate acid levels, shot 100 times above its normal level. The IT specialist at the waterworks realized one thing right away: A hacker had struck. The employee then had to do some fast thinking on his feet: Once he had wrestled back control of the system, he lowered the level of the chemical back to normal levels. The plant operator announced that the incident posed no danger to the community of 15,000 residents. It also noted that it would have taken 24 hours for the contaminated water to have reached households and that an automatic alarm would have sounded long before then.
The incident that occurred in Oldsmar in February 2021 can repeat itself anywhere at any time – and possibly have much more serious consequences. It also illustrates just how dependent we are on a smooth-running system that supplies us with food, water, energy, information, mobility services and healthcare – and just how vulnerable these infrastructures truly are. Digitalization is both a blessing and a curse. On the one hand, it facilitates a highly efficient system that meets the growing needs of our civilization – things like smart homes, medical centers, train travel, production and, of course, water supplies. No matter where you look: Nothing works without digitalization. On the other hand, our vulnerabilities are well known to criminal hackers, individuals who are out to extort money or destabilize countries – and are able to wreak havoc in our daily lives rather easily.
More like a marathon than a sprint
For this reason, cybersecurity is not an optional, nice-to-have feature of digital technology. Rather, it is a fundamental pre-condition for public services and high standards of living for everyone, services and standards that are achieved while using as few natural resources as possible. “Digitalization and cybersecurity have to be friends,” says Christian Paulsen, the Product and Solution Security Officer at Siemens Mobility.
Cybersecurity is a job that resembles a marathon more than a sprint. It is a fact of life that Paulsen’s colleagues at Siemens Mobility know only too well. They think in terms of decades when they tackle such jobs as upgrading the signal system of a rail line. Such service contracts usually run for 30 years. The hardware may wear out, but the software does not. Nonetheless, it will turn into a security risk if it is not updated. This is the problem that nearly led to a disaster in Oldsmar. The water treatment plant was using a Windows 7 operating system. In addition, the simple password used to gain access to the system was never reset.
It was an approach that was much different from the holistic security concept that Siemens uses for transport systems, a strategy that consists of a wide range of measures. Two key factors come into play here: The concept must be seamless and holistic. It must also be used throughout the entire life cycle of a product, from development and installation to operation and decommissioning. This effort includes regular updates, penetration tests designed to analyze vulnerabilities, secure data connections, transparency extending across all measures, rapid responses to security breaches and much more. “By taking this approach, products can maintain their youth even as they age,” Paulsen says. “They will also remain secure and can be used for years and years to come. It all boils down to what sustainability is all about.”
A matter of life, death and good health
Every business field takes a similar approach. One example is the healthcare sector, where the challenges are especially great. The number of cyberattacks launched against the healthcare system has climbed nearly 30% during the pandemic. One reason for the increase is the expanded number of targets now available to hackers, a rise attributed to the expanded number of online services that have arisen as a result of remote working by healthcare employees. Hackers are also increasingly exploiting the pressure faced by healthcare providers to extort money with the help of ransomware. Cybercrime is a business. “The healthcare sector clearly demonstrates that cybersecurity is a necessity and is thus a sign of quality,” says Carlos Arglebe, the Head of Cybersecurity at Siemens Healthineers.
It can even amount to a question of life and death. Last year, for instance, a woman had to be transported by ambulance to the University Medical Center in Düsseldorf. Unfortunately for the patient, hackers had brought the hospital’s IT system to a standstill in a bid to extort money. As a result, the ambulance was redirected to a hospital in Wuppertal, a city located more than 30 kilometers away. It was a detour that cost precious time. The woman died. Her death was probably not the result of the hacker attack – but the incident clearly illustrates the potential threat that hacker attacks pose to hospitals.
The attack, carried out over a period of several days, had other far-reaching effects on the hospital as well: The Düsseldorf medical center was able to admit only half the number of patients that it normally does. Its surgeons were able to perform a maximum of 15 operations each day instead of the normal number of up to 120 procedures. Unfortunately, such cases are occurring more frequently throughout the world.
A focus on people
Arglebe says cybersecurity experts have rethought their approach to their job. Cybersecurity cannot simply be an end in itself, he says. It has to benefit people – and avoid offsetting the strengths of digitalization in the process. Here is an example: Every second counts when a patient is treated in the emergency room. A large number of processes offered by various providers have to work seamlessly together to save lives. Technical security precautions may be the right way to protect office work (something like a complex, 12-letter password or two-factor authentication). But they do patients little good in an emergency. Experts who develop security processes have to view security, service supply and data protection from a holistic perspective and remember that medical personnel in many countries may not be particularly well trained.
But that’s not all: They should bring the people who will eventually use the product into the development process as well. As part of the Seestadt Aspern urban development project in Vienna, for instance, Siemens Smart Infrastructures has been working with residents on an energy transition since 2013. This work is focusing not just on research into individual technologies. It is also exploring their complex interplay through networking and cloud services. The focal point: users, those individuals who will enjoy a boost in their quality of life while saving money and protecting the environment.
“The residents will get involved only if they are certain that their personal data will not end up in the wrong hands and that their homes will be protected from hackers,” says Erhard Fischer, the Chief Cybersecurity Officer of Siemens Smart Infrastructures. To satisfy these needs, Siemens uses the very latest communication protocols in the building networks and supplies products that come with pre-configured security settings. But it also goes a step further and designs a tailored security package for every building in Aspern to meet individual needs.
Secure supply chains
But all of this hard work means little if suppliers cut corners on security. Secure supply chains are one of the principles contained in the Charter of Trust that Siemens initiated in 2018 and that now comprises 17 companies. As a result, new suppliers of charter members like Siemens must observe binding minimum cybersecurity requirements. These requirements are spelled out in a mandatory clause contained in all new contracts. The Charter of Trust is composed of 10 principles that contain recommendations for improved cybersecurity, including enhanced training and regulatory conditions.
The principles serve as the big picture. In doing so, they expand the horizons of cybersecurity, an area that is still largely confined to technical measures. But they are a means to an end, such as the sustainable development of our civilization and our planet.