Companies around the world are facing the growing risk posed by cyberattacks. Such attacks can have both a devastating material and image impact. As part of an intensive effort, Siemens has taken its data security system to a completely new level in recent years – and set new standards with its Cybersecurity Improvement Program (CSIP).
The threat posed by cyberattacks has never been higher. A study conducted by the University of Maryland found that, on average, a hacker attack is launched every 39 seconds around the world. That amounts to 2,244 times a day. News reports about major attacks that have been launched against companies have become almost routine.
Siemens, a major producer of control technology for industrial facilities, knows about the risk. The company views itself as a focused technology group and a driver of digitalization. There are many other examples here in addition to control technology. The company not only sells technology, but also uses it itself.
It set up its first small data-security team in 1986. This cybersecurity team has grown to roughly 1,300 experts since then. Large companies like Siemens, businesses that have a huge number of departments and branches, face one major challenge: How can they form a sturdy line of defense that runs throughout the entire company? While head of IT Auditing, Bernd Bauer began thinking a few years ago about the dangers lurking in cyberspace. Acting on these concerns, he and his colleagues selectively put the company’s huge IT structure and products to the test in risk-based audits. “We sort of hacked our way into our own company and uncovered some vulnerabilities in the process,” Bernd Bauer says.
One such problem discovered by the team was that employees were continuing to use weak passwords – a potential welcome mat for hackers. The problem: Once hackers gain access to an IT system, they can easily fan out, spying on employees and pressing their way deeper into the system itself – a hacking strategy that experts call lateral movement. The team found the same causes for a range of successful hacker attacks over and over again. But it was not clear where the attacks came from. The operational technology (OT) used in factories and production locations lagged behind security-related technology and the current level of technology overall. The company also lacked transparency about who was responsible in detail for technical facilities and individual servers – for the purpose of reacting quickly should an attack occur. For these reasons, Siemens made data security a higher priority.
The Cybersecurity Improvement Program was born. Bernd Bauer changed sides in the process. Instead of acting as the vulnerability hunter, he assumed leadership of the program – with the goal of eliminating problems throughout Siemens as best as possible. The extent of the three-year program was considerable. A total of 39 projects were set up, and more than 700 employees tackled various aspects of them. The overarching goal was to place cybersecurity on a completely new level – an effort that included secure cloud technologies, even better defenses for facilities and, in general, an improved overview of the security situation.
The CSIP was completed three years later. Thanks to the program, Siemens has succeeded not only in creating new cybersecurity services, but also in closing a large number of purported vulnerabilities. One example is passwords: a blacklist was set up as part of the CSIP to prevent employees from using simple passwords like “Siemens123.” The function also indicates just how strong a password is when it is set. Weak passwords are technically impossible as a result. Access rights were also minimized to prevent employees from installing software on their work computers and unknowingly introducing malware to the system in the process. Only about one-fifth of the workforce now has administrator rights.
Transparency as the key to more security
The cybersecurity experts have also installed new detection agents that can spot unusual processes in the system very quickly – things like access to certain storage locations in Windows. These agents enable attacks to be identified and repulsed within minutes. Another challenge that Bernd Bauer and his team faced was the sheer number of data servers that Siemens has: roughly 70,000. The company uses them to store technical information, accounting data and information about customers. In the past, it was frequently difficult to see which servers belonged to which department, what purpose they served and who was responsible for them. This situation complicated efforts to close identified vulnerabilities. “That would be a real problem if an attack occurred because we security employees would not have been able to simply shut down an affected server,” Bernd Bauer said. “We would not have known exactly what could have happened next. In the worst case, we could have shut down a production line.”
For this reason, something called asset transparency is a major part of the CSIP. Today, cybersecurity experts have a much better idea about which server is assigned to which division and who should be contacted in an emergency. Bauer’s team provides a double layer of security here: It also minimizes something called shadow IT, systems that are operated by the businesses themselves and not by the IT organization. Central cybersecurity measures could not work otherwise. Projects are already being conducted to close this gap.
Security in our factories
Siemens operates dozens of production facilities where machines manufacture components for power plants, computer-aided tomography scanners and electric motors. Such machinery remains in operation for many years, and it frequently uses outdated software and IT infrastructure in the process.
The job of replacing or even updating such software and IT infrastructure can be complicated if a production operation or assembly line has to be shut down. “For such reasons, this operational technology – OT – is frequently less sophisticated than the IT environments and can be particularly vulnerable to hacker attacks,” Bernd Bauer says. Methods that have proven themselves in IT are now scheduled to be used in OT environments. For this purpose, his team has joined forces with the divisions to develop a range of services aimed at building a strong line of defense for the company’s factories. This includes asset transparency, the identification and elimination of vulnerabilities and a range of attack-spotting capabilities.
Driver’s license for employees
As a way of sharpening Siemens employees’ awareness of cyberrisks, they will be required to attend training courses at least once a year. The topics and depth of information provided in the courses will vary based on roles. Colleagues who have no administrator rights will be trained in things like setting secure passwords and watching for cyberthreats. Administrators will receive more intensive training in such areas as server operation. They will have to demonstrate their knowledge on a test. “The colleagues who pass will be given a cybersecurity driver’s license,” Bernd Bauer says. A type of CE marking will also be issued to IT infrastructure that meets the security standard. Managers who work in different departments will be able to check the current security situation on dashboards. This will enable them to take action if necessary.
“Digitalization and cybersecurity are two sides of the same coin. We have used the CSIP to demonstrate that a technology company can address the risk by itself,” says Cedrik Neike, a member of the Managing Board at Siemens AG. “We conduct cybersecurity hygiene on a high level and set standards once again.” The company can seize the tremendous opportunities of digitalization only if it minimizes its risks.