Cybersecurity: Siemens factories lead the way
Cybersecurity is playing a bigger and bigger role in industrial companies – there is no question about it. But how do you go about protecting a factory? Siemens is showing how: Sophisticated security systems being used in more and more of the Group’s factories are keeping hackers at bay. Customers profit from this know-how as well.
Security in operational technology (OT) is just as important as it is in IT. This is common knowledge not just among the 200 OT specialists who are part of Siemens’ team of about 1,300 cybersecurity experts. In recent years, the Group has invested significant amounts of money in technology and know-how for the purpose of protecting its factories and in employee training. Due to its leading position in industrial digitalization, Siemens realized early on that cybersecurity would be a driving force behind the digital revolution. Companies that have faith in their own products are the only ones that can credibly sell these same products to customers. The main point is this: Cybersecurity always begins within the four walls of a company’s own factory halls – and with its own employees.
This workforce poses a major challenge. These heavily burdened individuals may think that “cybersecurity is being dumped on me now as well.” The best way to overcome such feelings of frustration is to train employees and to automate as many cybersecurity measures as possible. “You simply cannot pile cybersecurity on top of everything else employees are doing,” said Michael Engel, Information Security Officer of the Motion Control Business Unit at Siemens Digital Industries.
A new security culture
The experience gained by the Group’s factories where such programs have been used for years shows just how cybersecurity can be effectively deployed. “As time goes by, a security culture in which cybersecurity is no longer considered to be a pain in the neck will take root,” Engel said. To illustrate his point, he mentioned a visit that he recently made to a Siemens factory. He said employees proudly told him about their cybersecurity activities – without being asked to do so.
Such a culture requires the support of the management team as well. Cybersecurity does not come free of charge. But when it is applied correctly, it will eliminate presumed conflicts of interest that pit such things as productivity and security against each other. Marc Friebel, the Information Security Officer for the global electronic factories of the DI Business Unit Process Automation, said he sees a growing awareness of the need. Management teams have realized that cybersecurity systems are like health insurance, Friebel said. The policies cost money and initially offer nothing in return, he added. “But just wait until you get sick – the bills can pile up quickly then, and health insurance is worth its weight in gold,” Friebel said. A successful attack will lead to a factory shutdown. For this reason, cybersecurity also facilitates smooth production and availability, and no one wants to do without it any more, Friebel said.
Well-coordinated procedures
The Log4j incident that occurred at Christmas time in 2021 showed just how fast investments in cybersecurity can pay off. The Java library had a vulnerability that hackers could use to gain access to the software of many companies in the widest range of industries, including operators of critical infrastructures. Log4j is just one of thousands of Java libraries that also may have vulnerabilities. Faced with this threat, the carefully coordinated procedures introduced at Siemens worked flawlessly over the holidays. Marc Friebel praised the company’s response: “In response to Log4j, the procedures in both our factories and product development worked very well, and we used the incident to improve them even more.”
One key element in this line of defense was the Cybersecurity Improvement Program (CSIP) that Siemens launched for IT security in 2017 and expanded to operational technology (OT) in 2020. More than 700 employees are working on 39 projects in this program to take cybersecurity to a new level. These projects include secure cloud technology, improved protection of facilities and plants and a better overview of the overall security situation. And they are designed for the entire Siemens universe.
Guide with tailored solutions
As part of its work, the cybersecurity team of Siemens Smart Infrastructure (SI) has drawn on the wide-ranging experience gained from the CSIP as well as on audits, OT assessments and the best practices of many customers around the world to develop an IT/OT implementation guide that includes areas of responsibility, processes and solutions. This guide serves as a binding set of blueprints, for example for the factories of the SI Electrification & Automation business around the world. “Our IT/OT Implementation Guide offers an array of solutions because our factories have different degrees of digitalization,” said Wibke Reuter, Cybersecurity Officer at Siemens Smart Infrastructure. “We place special emphasis on cybersecurity incidents at suppliers.”
Another aspect of effective cybersecurity is the regular security assessments that Siemens Digital Industries has been conducting in all of its factories since 2018. During these assessments, a team of experts spends several weeks examining all areas of a factory and tracks down potential security vulnerabilities. Physical and digital security is viewed holistically. This work also involves something known as friendly hacking, a process in which Siemens hackers try to break into a factory. “They also examine dependencies that devices, systems and entire factories have with one another,” said Daniel Filor, the Head of the Holistic Security Concept at Digital Industries. The special features of a location in terms of employees, processes and technology are just as important as the later comparability of locations and business units. Long-term protection is assured by introducing a defined protection level based on IEC 62443 and a maturity model.
Automated security
Protection is also provided by automated tools such as OSA (OT Security Appliance for Industrial Anomaly Detection), which stands watch over factories during ongoing operations, and SiESTA, a software suite that tests facilities for vulnerabilities. Both were developed by Siemens to protect factories. Another service is the industrial vulnerability manager, which sounds an alarm when vulnerabilities are found in the IT and OT components, from any manufacturer, that the customer is using in its operations.
In addition to a continuously growing array of cybersecurity tools and solutions, factories need more trained employees who are versed in OT security. These employees must pull off the trick of meeting the growing cybersecurity needs of industrial companies while enabling the production operation to continue running. “Our customers are increasingly asking for tailored OT security programs that include the appropriate training programs,” said Saman Farsian, the Head of Cybersecurity for OT Protection and Consulting at Siemens. “This interest highlights our role as the pacesetter in OT security and shows just how much confidence our customers have in us.”
Bernd Müller
May 2022
Part 1 - Cybersecurity in production: From a nice-to-have to a must have
Part 2 - OT cybersecurity: no longer a niche field
Part 3 - Cybersecurity: Siemens factories lead the way