Built-in cybersecurity

Cybersecurity at Siemens

Today’s automation systems need state-of-the-art security functions to meet the constantly growing number of security requirements companies face. But the job is not as complicated as it sounds, Axel Lorenz, Vice President of Control at Siemens Digital Industries, says in the third installment of our series Cybersecurity in Industry. 

IT and OT (operational technology) are merging, a development that is also changing cybersecurity, particularly for automation systems. Protecting these systems from cyberattacks is a huge challenge: the attack surface that draws attackers keeps growing, so companies have to reinforce their lines of defense, and protection must be systematically built into the product portfolio on every level. But how can companies with limited financial resources keep up? By using security functions that are already installed in automation components when they leave the factory, Axel Lorenz says.


“Cybersecurity requires a holistic approach that applies equally to IT and OT and is based on a defense-in-depth concept.” Holistic, in this context, means that maximum protection is possible only if all levels work together – from the factory and communication networks down to the individual controller.

It all sounds plausible enough. But companies will ask themselves how they can apply the entire approach and still keep costs at a reasonable level, given that every component must be kept state-of-the-art and continually improved – because attackers are continuously refining their tactics.


“We want to be prepared for the future,” Lorenz says. “Our goal is to accelerate the integration of security functions into the portfolio of Totally Integrated Automation (TIA). This is something that is happening in all technologies of the future.”

But what about the installed base? Does this mean that it will no longer be secure? “No, of course not,” Lorenz says. “Here’s an example of what I am talking about: To keep our customers on the cutting edge, we recommend that they install security updates for their Simatic automation systems as soon as they become available. We are also working to increase security with the next version of the TIA portal and our latest automation product portfolio in the Simatic series.”


Siemens’ TIA portal is the central hub for digitalization in OT and is state-of-the-art in the world of automation. Engineers use the TIA portal to design and control the automation systems built from Simatic components in production facilities and entire factories. Cybersecurity is therefore anchored deep inside the factory itself.

Machinery uses encrypted communications

The latest version of the TIA portal protects communications between the engineers’ computers and the controllers in the control cabinet or on the machine with Transport Layer Security (TLS) 1.3, the current version of the standard. The encryption therefore rests on the most recent security standard rather than on older protocol versions.


Siemens also supports encrypted communications between state-of-the-art Simatic controllers and third-party components via the open OPC UA standard.


Trust nothing and nobody

Engineers can use their own certificates and protect sensitive configuration data with passwords for every individual controller during ongoing operations. The user management system of the TIA portal can be used to assign access rights based on employees’ roles. With the help of the “user management component,” the user management system can be connected to a central management system such as Active Directory. This allows rights to be assigned to employees quickly and easily, and revoked just as easily when, for instance, an employee moves to a different department or leaves the company. It prevents “zombie records”: stale accounts that remain valid after their owner has gone and thus pose a potential threat.

Secure from the very start

Siemens has integrated a wizard into its TIA portal that walks the user step by step through the configuration process. It follows the principle of security by default: the wizard starts automatically. In their hectic work lives, many users would otherwise forget to change the standard password. The wizard prevents this from happening and demands that a new, secure password be entered. Users can certainly skip this feature. But they will make a conscious – and risky – decision if they do so, Lorenz says. All settings are clearly explained, and the consequences transparently discussed.


The measures discussed here – and many others not discussed here – send a powerful signal, Axel Lorenz says: “Siemens takes cybersecurity very seriously. And we understand the special challenges in OT like no one else.” 

Bernd Müller

May 2022

Part 1 - Cybersecurity for Industry: always one step ahead

Part 2 - Three walls are better than one

Part 3 - Built-in cybersecurity
