An information service of vital relevance
The 'Security Vulnerability Monitoring' team at Siemens ensures that asset owners at Siemens and other companies quickly learn about security vulnerabilities in thousands of components and are able to react promptly.
When you enter their room, you see security experts at their computers, busy typing on their keyboards. On one screen you can see a list of possible software vulnerabilities for web applications written in Java; on others, Internet forums, e-mails or even many, many lines of code. It is a special kind of information service these experts supply at the Siemens Corporate Technology (CT) campus in Munich's Neuperlach district. "We aggregate news about vulnerabilities," says Lukas Braune, security expert with the Siemens Security Vulnerability Monitoring (SVM) team. "We are constantly looking for new information about vulnerabilities in software and hardware components used by Siemens. As soon as we have analyzed and rated it, we share it with asset owners like product managers or infrastructure operators."
For industry, vulnerabilities are a major concern. According to a 2018 survey by the World Economic Forum, managers in leading industrialized countries see cyberattacks as the highest risk for their companies. In view of this, in October 2018 Siemens set up a new Cybersecurity organization, which bundles a wide range of tasks to protect its IT infrastructure, products and customers.
Transparency creates trust
The ProductCERT ('Product Computer Emergency Response Team'), which also includes SVM, takes care of security issues related to Siemens products and solutions. The SVM service has been operating for more than ten years now and is constantly looking for information on vulnerabilities in thousands of software and hardware components that are built into Siemens products or used in Siemens' IT infrastructure. "Outdated software with known security vulnerabilities is one of the main entry points for attacks," says Klaus Lukas, head of ProductCERT. "So, acquiring information about these is vital in order to keep products and IT infrastructures up to date."
The service monitors open source and commercial software and hardware components for vulnerabilities over their entire lifecycle. Lukas Braune and his colleagues in the SVM team do not manually search every conceivable website for clues about new security vulnerabilities. Instead, they have developed a unique monitoring infrastructure that allows them to gather relevant information from all over the internet, from sources such as official security advisories, vendor support pages and security communities.
If they find what they are looking for, they use two rating scales. One is a criticality scale in which the colors red, orange or yellow show at a glance how dangerous a vulnerability is. The other is the widely used CVSS ('Common Vulnerability Scoring System') rating, which ranges from 0 for non-critical to 10 for imminent danger. Both scales are helpful, because sometimes CVSS may consider a vulnerability to be less critical than the SVM team's expert evaluation does.
This was the case, for example, in 2014 with the 'Heartbleed' security vulnerability, which affected the commonly used open source library OpenSSL. "According to the CVSS method, Heartbleed only partially affected the confidentiality of stored data. Consequently, it had only a score of 5 on the scale. What the evaluation did not take into account was the devastating consequences for applications integrating OpenSSL," explains Braune. "Our individual expert evaluation was able to correct this to obtain the appropriate prioritization with the asset owners."
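To make the Heartbleed point concrete, here is an added example (not code from the article or from the SVM team) that implements the CVSS v2 base-score formula, the version under which Heartbleed received its score of 5. It scores the published v2 vector for Heartbleed, in which confidentiality impact is rated only "partial" (C:P), and then shows how the score changes if an expert treats the confidentiality impact as "complete" (C:C), which is my constructed illustration of the kind of re-rating the article describes, not SVM's actual method or thresholds.

```python
"""CVSS v2 base-score calculator (added example, not from the article)."""

# Metric weights as defined in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # None / Partial / Complete

# The CVSS v2 base vector published for Heartbleed:
# network-reachable, low complexity, no authentication, partial confidentiality loss.
HEARTBLEED_V2 = "AV:N/AC:L/Au:N/C:P/I:N/A:N"


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into a dict of metric -> value, validating each field."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(metrics) != expected:
        raise ValueError(f"vector must contain exactly {sorted(expected)}: {vector}")
    return metrics


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score (0.0 - 10.0) from a base vector string."""
    m = parse_vector(vector)
    impact = 10.41 * (
        1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]])
    )
    exploitability = (
        20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    )
    f_impact = 0.0 if impact == 0 else 1.176
    score = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return round(score, 1)


def rerate_confidentiality(vector, new_value):
    """Return the vector with its C: metric replaced (constructed expert adjustment)."""
    if new_value not in IMPACT:
        raise ValueError(f"confidentiality impact must be one of {sorted(IMPACT)}")
    m = parse_vector(vector)
    m["C"] = new_value
    return "/".join(f"{k}:{m[k]}" for k in ("AV", "AC", "Au", "C", "I", "A"))


def heartbleed_comparison():
    """Mechanical CVSS score vs. a constructed expert re-rating of Heartbleed."""
    mechanical = cvss2_base_score(HEARTBLEED_V2)                      # 5.0
    rerated = cvss2_base_score(rerate_confidentiality(HEARTBLEED_V2, "C"))  # 7.8
    return mechanical, rerated


if __name__ == "__main__":
    base, expert = heartbleed_comparison()
    print(f"Heartbleed CVSS v2 base score (C:P): {base}")
    print(f"Same vector with confidentiality rated complete (C:C): {expert}")
```

The mechanical calculation reproduces the 5.0 that Braune mentions; raising only the confidentiality metric to "complete" lifts the same vector to 7.8, which is the gap an expert review closes when a metric-by-metric rating misses the real-world consequences of a bug.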
If a member of the SVM team encounters a vulnerability in one of the information sources, they evaluate it for plausibility. This assessment takes into account the trustworthiness of the source as well as an analysis of the code itself. But before a notification is issued, the four-eyes principle comes into play: a second security expert takes a further close look at the message. "Only then, when both agree, does what we internally call a 'hit' become a 'security notification' and get sent out," says Braune.
Over 1,000 vulnerabilities per month
Surprisingly, the analysts of the SVM team are not specialists in the respective industries, such as building automation or energy production. "Generally, the software applications are relevant for a broad range of industrial sectors," explains Braune. "What matters, though, is a sound knowledge of different types of security vulnerabilities. Among those are entry points for denial-of-service attacks or ways to bypass online authentication." In addition, the SVM team also notes when manufacturers no longer offer service and security updates for some components. It is essential that asset owners know this, because the asset then urgently needs to be updated with a different, still supported component.
Every month, the SVM team sends information on about 1,000 vulnerabilities to asset owners, whether in one of Siemens' business units or in companies outside Siemens that use the SVM service. "Depending on their assessment of criticality, they can then find a timely solution," says Braune.
Picture credits: Siemens AG
Also for Siemens Customers: Our Industrial Vulnerability Manager
Did you know that not only Siemens business units benefit from the work of the SVM team? Our customers can also take advantage of this service via the "Industrial Vulnerability Manager" from Siemens. It is based on the SVM data and is available as an application in several variants (e.g. for end customers and OEMs). In this way, external companies can also draw on the expertise of Lukas Braune and his colleagues and thus achieve better transparency about any vulnerabilities in their systems. Further information on the Industrial Vulnerability Manager can be found here.