Cybersecurity for Industry: always one step ahead
Cybersecurity at Siemens
Today’s factories are digital and connected – they are an enticing target for hackers as a result. This article describes how factories can defend themselves from attack. It is the first installment in our series on Cybersecurity for Industry, a collection of stories that will take a closer look at individual strategies to fend off cyberattacks.
Some developments evolve slowly, unnoticed, but steady nonetheless. Others announce themselves like a clap of thunder. Franz Köbinger has experienced both in the field of cybersecurity. In 1995, the electrical engineer joined the Siemens division that is known today as Digital Industries. As a product manager, he has been responsible for the company’s first industrial firewall since 2004.
This was a time when the first cybersecurity requirements in operational technology (OT) appeared as a result of the initial networking of individual systems. But cybersecurity was not an issue for most applications.
“Some customers asked me why they needed it for this very reason,” says Köbinger, who works today as the Marketing Manager Cybersecurity for Industry at Siemens. “Some even suspected that we were conducting ‘business with fear.’”
Then came the clap of thunder: In 2010, the first attack was launched on industrial control systems. A malware called Stuxnet manipulated these systems and caused tremendous damage. This attack acted as a wake-up call for the entire industry because it clearly showed just how vulnerable and exposed industrial automation systems were. As the world market leader, Siemens was placed in the spotlight. Everything changed over night. “Customers began asking how they could protect themselves from cyberattacks in OT. During podium discussions, people wanted to know why industry was so ill-prepared to deal with cyberthreats,” Köbinger said.
The beginning of a new era
For cybersecurity in industry, Stuxnet amounted to something like the beginning of a new era. The risks have grown constantly ever since. Ten years ago, a machine would mill or drill holes into metal completely on its own, operated only on the control panel on the machine. Today, many machines and entire factories are online and connected to one another in order to take advantage of efficiency gains or new business models created by digitalization, including predictive maintenance. The merger of information and production technology (or simply IT and OT) poses a tremendous challenge for production companies – and for Siemens, particularly in the industrial division DI. It has developed an entire arsenal of carefully coordinated weapons to fend off cyberthreats, and this arsenal must prove its worth day in and day out. Cybersecurity products, services and solutions from Siemens identify threats, close security gaps and sound the alarm when an attack occurs. They are an integral aspect of Siemens’ products and protect customers’ manufacturing capabilities throughout their entire life cycle.
Even in ancient times, good fortifications employed a multi-layered system of walls to defend themselves. This tactic tremendously increased the effort that attackers were required to make. If such fortifications had weak spots, they could be offset by taking other defensive measures. This analogy aptly describes the multi-layered Defense-in-Depth concept used by Siemens, a system that will be examined in greater detail in the second installment of the series. It ensures long-term security in the factory and in the network as well as system integrity in automation. “We combine security functions on all levels of our automation portfolio and erect a multi-layer protective wall in the process,” Franz Köbinger says.
It is hardly surprising that major IT companies sense business here. By combining OT with IT, many think that they can also solve the problems of operational technology with their IT methods. But it’s not that easy.
Never touch a running system.
If it ain’t broke, don’t fix it, as the saying goes in OT. It’s a philosophy of life that can no longer be practiced in light of the growing risks faced by today’s digital community. But it also shows that OT lives in a world governed by different fundamental conditions than IT. A new security update must be installed as quickly as possible after it is issued. Unfortunately, it is generally impossible to do so while operations are running and cannot be completely done by automation as it can in IT. This is just one example that shows that experts need not only security expertise but also related domain knowledge to implement effective and acceptable security solutions in OT. Siemens can combine this knowledge because it produces its own automation technology. The company knows how to wall off hackers and malware without jeopardizing factory operations. After all, no company can afford to shut down operations. You will find more information about system integrity and patch management in the third installment of this series.
Divide and conquer
Machines will run for 20 and occasionally 30 years. Such machines are now being connected as part of upgrading programs. In the process. they are being turned into a security risk. To solve this problem, experts recommend network segmentation – the fourth installment in this series will offer more information about this process. Areas that are difficult to secure in a production network are segregated and placed behind an extra line of defense. If a hacker still manages to breach the system, the malware used in the attack will be unable to do its harm throughout the entire factory. Siemens uses this know-how and applies it in its own factories.
Hackers continue to come up with new ideas, especially in terms of new technologies. We have to remain a step ahead of them – there is always something to do.
Everything from a single source
Every factory uses technology made by a range of companies, not to mention its office IT. Nonetheless, many customers want their cybersecurity to be provided by a single source, from a provider with expertise in both cybersecurity and OT. Siemens is frequently the provider of choice as a result. This is where Stefan Woronka, the Director of Industrial Security Services at Siemens DI, comes into play: “We offer a wide range of services for entire factories – from an assessment that identifies the soft spots in a customer’s operations to implementation of security technology and training.” The fifth installment in this series will explore the strategies employed by Woronka’s team in greater detail.
Practice, practice, practice
Speaking of training. Stefan Woronka considers it to be one of the most important steps of all. All of the technology in the world is useless if an employee decides to charge his infected smartphone by using a machine’s USB port, something that is actually only supposed to be used for maintenance purposes. “Cybersecurity is like occupational health and safety: You have to keep reminding employees about it,” Woronka says.
This rule of thumb applies to Siemens and its factories as well. These facilities are ideal places to apply new security concepts and services that will ultimately benefit customers as best practices. As part of a huge digitalization offensive, Siemens added far-reaching security measures to its global production operations. These measures are constantly improved and adapted to fend off growing threat. The work is apparently paying off because major disruptions of the company’s production operations have not occurred.
But Woronka sees no end to his mission and that of his colleagues: “Hackers continue to come up with new ideas, especially in terms of new technologies. We have to remain a step ahead of them – there is always something to do.”
Subscribe to our Newsletter
Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.