Fortunate to be hacked

A group of Siemens hackers launches daily attacks against the digital defenses of its own company and products. The in-house team helps boost cybersecurity in an age of proliferating attacks by closing security loopholes before malicious parties can find them.


Hackers sit at screens until late into the night, manipulating their digital crowbars, software lock-picks, and even subtler tools, looking for ways to break through the online security barriers of companies, authorities, and infrastructures – and once they’re in, doing their malicious dirty work. But that’s not always the case.


Sven Lehmberg, a hacker employed by Siemens, opens the door to a workshop in Munich-Neuperlach where there’s not a single monitor in sight. Instead, a colleague is seen using a hot-air soldering station to remove a component from a printed circuit board. Another colleague is bent over a microscope examining a chip connected by hair’s-breadth wires. They’re surrounded by various kits, pliers, and clamps. A red light indicates high-voltage current. “We don’t just hack with our keyboards,” says Lehmberg with a mischievous grin. “We also take the hardware apart to find weaknesses.”


The team of cybersecurity specialists has a somewhat unusual assignment at Siemens. Every day, they attack the company’s digital defenses, disassemble its products, and even perform tests to see if they can trick employees into playing into their hands. If these “white-hat hackers” are successful, it means that malicious attackers could also find a way to penetrate the fortifications protecting a database, power plant, or factory. Potential consequences include sabotage, espionage, and extortion. But to keep things from ever getting that far, the company’s own hacker team looks for security loopholes and then helps close them as quickly as possible.

Digitalization and cyberattacks go hand in hand

For over 30 years, Siemens has maintained a team to protect computer systems, digital products, and infrastructure. Today this team has grown to include some 1,300 cybersecurity experts. And no wonder: Digitalization has become the engine that keeps industry and infrastructure, two of Siemens’ major core businesses, up and running. As digitalization grows, so does the number of cyberattacks. Computers are attacked, passwords are stolen, factories are sabotaged, and systems are hijacked and then released only in exchange for a payment in bitcoins.

Siemens has been employing benevolent “white-hat” hackers since 2002: That’s when Lehmberg and two colleagues began ferreting out security loopholes in the company and in Siemens products. Today they number more than 25. At first their job was primarily confined to testing communications products like routers, but this soon extended to the testing of corporate software, embedded systems – for instance, in medical technology – and the Internet of Things, which is used for tasks like networking a production line in a factory. Meanwhile, the need for defensive measures has also grown. “Every year we work on about 250 projects worldwide – such as attacking a corporate network or testing a system controller,” explains Lehmberg. “The number of projects is steadily growing, and there’s no downtime. On the contrary, however much we refine our defensive strategies, the attacks become that much more sophisticated.”

Attacking in stages

Lehmberg’s team begins by defining a target, like a Siemens factory that makes control systems. First the hackers sound it out online using commercially available scanners that generally find only 20 percent of existing security loopholes. They then deploy tools for stealing account names and passwords. They also apply social engineering by sending customized e-mails to specific employees in an attempt to lure them into opening documents and downloading malware. And occasionally they dissect printed circuit boards in their hacking lab in order to read a chip’s firmware. The white-hats then use these elements to create an attack string that ideally fits the lock like a key and allows them to slip through the defensive walls.

Once this type of toehold is established, the work of the criminal “black-hats” begins. For example, if they manage to hijack a computer with administrator rights for a network, they can use it to infiltrate thousands of other computers, steal data, or manipulate control processes in manufacturing plants. These types of incidents happen all the time. “It’s often because security-related updates aren’t downloaded fast enough,” says Lehmberg. “Security is dynamic, and every company, including Siemens, has to stay on top of this at all times.”

Simplest precautionary measures are often overlooked

To make it harder for potential attackers, Lehmberg has put together a checklist for system administrators to help them avoid the most common errors. Recommendations include using sophisticated authentication processes with complicated passwords, regularly downloading software updates, encrypting communication, isolating outdated sections of a network, and simply keeping an eye on the system. “It might sound trivial, but we were surprised to see how often such precautionary measures are overlooked.”

But even if someone puts all these measures into practice, they still shouldn’t assume they’re safe. “You can’t completely seal off a networked system,” warns Lehmberg. “Someone with endless resources and the best hackers in the world is almost impossible to stop. But you have to at least build the wall to a certain height.” That’s why the Siemens hacker team regularly launches cyberattacks, to ensure that the wall around Siemens and its products is high enough.

Creativity is the ideal key

It’s not surprising that Lehmberg’s team also participates in the development of many Siemens products – whether it’s digitally controlled factory systems, trains, or power supply networks. The hacker team also performs security tests as part of maintenance agreements. In 2018, Siemens Mobility was commissioned by the company responsible for the Norwegian national railway infrastructure to develop a fully digitalized signal system for the national rail network. The contract was awarded largely on the basis of the cybersecurity concept, which included regular test runs.

Penetrating security walls requires a profound knowledge of hacker tools and Siemens systems. But that’s not all: It mainly requires creativity. “Experience has shown that our unconventional methods uncover more weaknesses than commercially available scanners or even external service providers,” says Lehmberg. “And of course, it helps if you enjoy being a little destructive.”


Hubertus Breuer

