Giving Hackers a Hard Time

Cybersecurity at Siemens China

Cyber-attacks are targeting more and more industrial systems in China. But they’re facing a tough opponent – Jian Jun Hu’s cybersecurity team in China and his colleagues worldwide. 

As always, the first thing he does in the morning is look at the security incidents and the latest security regulatory updates. Jian Jun Hu gives a satisfied nod – nothing special happened last night. Now he can go get a tea, after which it’s already time for the day’s first meeting. The Chief Cybersecurity Officer at Siemens in China and his team talk over what more they can do to protect Siemens IT/OT infrastructure and products, because hackers have been aiming more and more at the industrial domain, whether to gain a reputation in this new area, damage a competitor or extort money. But systems with Siemens technology almost always turn out to be a hard nut for cybercriminals to crack. That’s why Hu found the Siemens Cyber Defense Center in Suzhou, as a part of Siemens’ holistic security strategy in 2016, is an OT cybersecurity pioneer in China. For instance, Siemens is the first multinational company in China to meet the local national grade protection level 3.

Breaking things

The China Cybersecurity department was set up at the end of 2004, and Hu was one of the first interns. After completing his master’s degree in computer science at Beijing University, he joined the company as a “pen tester” in 2005. “My job back then was to break things.” Not really, of course – in fact Hu was what’s known as a “white hat” hacker, one of the good guys who attack IT systems to probe for vulnerabilities before the “black hat” hackers do. The young expert was so good at it that he rose steadily, from security tools developer, to cybersecurity consultant, to advisor on cybersecurity in industry, project manager, and later department head of research. For a year now, Jian Jun Hu has been the Chief Cybersecurity Officer at Siemens China, leading the cybersecurity community with more than 100 employees.


Stuxnet the turning point 

Hu was struck by how big the business impact could be when, in 2010, the Stuxnet computer worm paralyzed an Iranian nuclear power plant. It was “a real emergency,” he remembers. Suddenly every customer wanted insights and wanted to know how Siemens was going to safeguard its products’ security for the future. Stuxnet is now history – the company has learned from the incident and massively expanded its cybersecurity activities worldwide. But Hu still sees challenges, and they’ve even grown. “Even though we’ve done our homework and are a trailblazer in cybersecurity today, there’s no such thing as hundred percent security. So we have to be constantly on the alert,” he warns.

Speed is of the essence, but the key is transparency. Here, transparency means situational awareness, both external and internal. “Know yourself and know your enemy, then you will win the war,” said Sun Tzu, an ancient Chinese strategist. Hu agrees: “We need to know the latest threats from the outside.” For that reason, his team keeps consistent communication with headquarters, the local parties involved and institutes like the National Computer Network Emergency Response Technical Team. His team also does research into attack and defense technology, and has developed systems to automatically collect and track cybersecurity incidents, reports and news regarding Siemens portfolios in China. “It is challenging work and we are still on the way.”

Based on Sun Tzu’s philosophy, Hu’s team has developed a solution called the OT Cybersecurity Appliance (OSA), which has been applied in some Siemens factories and at leading customers like BaowuSteel and SINOPEC. “We are desperate for the best technology for cybersecurity, same as our customers, and together we find the best solution.”

All for trust

Siemens did proactively what the law requires. The Cybersecurity Law took effect in China in 2017 – intended in part, like the European Data Privacy Regulation, to protect individuals’ personal data, but also setting stiff requirements for protecting critical infrastructure like power plants, telecommunications networks, banks and transportation systems. The law lists cybersecurity requirements that a product or a service must meet in order to be sold in China. “It’s like a driver’s license: if you don’t have one, you’re not allowed to take a car out on the road,” says Hu. There are mandatory measures on top of that – and Siemens complies with them. 

Hu’s team initiated a company-level program to centrally analyze the law, identify the gaps, implement follow-up mitigation measures and keep them regularly updated. Trust has to be earned with years of effort – and it can easily be lost. “What keeps me awake during the night? The things that might damage the trust of our customers and market,” says Hu. His team does everything possible to raise the bar of trust in the Chinese market, and Siemens is the first industrial company to get a full set of PLC products certified in China.

A worldwide security network

Besides about 60 full-time employees in China, there are more colleagues working as an interface or ambassador to the businesses. In addition, Hu’s team has built a network with stakeholders like customers, standardization bodies and institutes. “Through this network we could collect the latest information, exchange experience, get support, develop our talents, and what’s more important: apply cybersecurity into our business in a more efficient way.” Says Hu: “The success of cybersecurity relies on collaboration.”

2004: Team set up for cybersecurity research and development

2006: Certified by CN ITSEC for a Security Service License, the first among all multinational companies.

2007: China Hub for Product & Solution Security set up. First demo of hacking an industrial system.

2014: Siemens Industry Security Lab go-live in Beijing and defense-in-depth concept roll-out with pilot customer.

2017: First Cyber Defense Center for Operation Technology go-live in Suzhou

2019: First international Industry Company in China to have organization, infrastructure and portfolios certified with local security law and regulations

Awarded prize as “Outstanding Contributor in Vulnerability / Incident Handling” – likewise the only multinational corporation to win.
