Rhythm for Security
Every second Tuesday of the month, ‘Security Advisory Day’ takes place – Siemens’ Vulnerability Handling Team informs its customers about security gaps in Siemens products and provides solutions for eliminating vulnerabilities.
Recently, a mail message arrived in Siemens security expert Thomas Pröll’s inbox that immediately piqued his interest. On behalf of a customer, a security researcher had tested an industrial plant and discovered a previously unknown vulnerability in a Siemens industrial control system. Vulnerabilities like this one are Pröll’s business – his team in Munich Neuperlach takes care of 'vulnerability handling', the coordinated handling and solution of reported vulnerabilities. If a new vulnerability emerges, Pröll and his colleagues have to deal with it immediately.
The damage that cyber-attacks can cause is immense: espionage, blackmail attempts, machine failure. There is not much that security experts fear more than vulnerabilities. According to a survey by the World Economic Forum 2018, managers in leading industrialized countries see cyber-attacks as the greatest risk for their companies. In view of this, in October 2018 Siemens set up a new Cybersecurity organization, which bundled a wide range of tasks to protect its IT infrastructure, products and customers.
The goal: maximum security, transparency and trust
At Siemens, product security incidents are addressed by the ProductCERT (Product Computer Emergency Response Team), which includes Pröll's Vulnerability Handling Team. It’s not an easy task. Although Siemens products are only introduced to the market after they have been thoroughly tested digitally, attack technologies and methods are constantly evolving. A product that was still safe yesterday can become a risk factor overnight.
"That's why we take every indication of a security vulnerability seriously. Every single report is investigated," says Klaus Lukas, head of ProductCERT. "By publishing advisories on any incident, we deem relevant, we create clarity for our customers – and that helps to build trust. Handling vulnerabilities in a responsible and transparent way is an essential step on the way to digitization." Joanna Burkey, head of Siemens Cybersecurity Defense at Siemens, adds: "Transparency is an important paradigm for Siemens, which we have also taken up with our ‘Charter of Trust’, which many companies have joined. If you want to be a leader in cybersecurity you have to apply these paradigms in everyday life as well.”
By publishing advisories on any incident, we deem relevant, we create clarity for our customers – and that helps to build trust. Handling vulnerabilities in a responsible and transparent way is an essential step on the way to digitization.
Pröll and his colleagues are well networked within the security industry. They regularly travel to the world's largest hacker conferences, such as BlackHat or DefCon in Las Vegas, as well hacker meetings.
Finding a solution with precision quickly
This network – security researchers, IT experts at universities, IT security service providers, customers, national CERT organizations or Siemens internal departments – allows them to receive reports of possible vulnerabilities almost daily. Whoever helps is acknowledged on a ‘Hall of Thanks’ on the ProductCERT website.
Whenever a report comes in there is a routine procedure: Pröll and his colleagues exchange information with the person reporting the vulnerability in order to correctly and completely understand the problem. If it turns out there is indeed a new vulnerability, a task force is formed to work out a solution as quickly as possible. The following steps are very methodical and precise. If a product update is necessary to eliminate the vulnerability, ProductCERT verifies its effectiveness before publication. "And then we schedule a report to be published on the next Security Advisory Day," says Pröll. "It always happens on the second Tuesday of the month; the same day Microsoft traditionally publishes patches for its vulnerabilities.”
Critical reports get out right away
The 'Security Advisory Day' marks another milestone for Siemens: Once a traditional hardware company, it becomes a company which runs on digitalization. "The advantages for our customers are clear," says Pröll. "They know when to expect our advisories and can plan accordingly. At the same time, it also helps us at Siemens, as it gives a clear schedule for preparing the Security Advisories.”
The Security Advisory Day at Siemens begins one month before its publication. All relevant stakeholders in the product units as well as everyone on Pröll's team is informed when the reports for the next Advisory Day must be ready. Only the immense support of the product units enables a coordinated publication across Siemens. On Thursday before the Advisory Day, international coordination takes place: Siemens informs authorities - such as the ICS (Industrial Control Systems) CERT in the United States or the CN CERT in China – so they can incorporate these reports into their advisories. After that, nothing stands in the way of the simultaneous, worldwide publication of the monthly advisories. Of course, if a vulnerability is particularly critical, a report gets out quickly, independent of the monthly advisory schedule. That is called a ‘hot fix’. "But the 'Security Advisory Day' helps here, too," says Pröll. "When customers hear from us specifically when they don´t expect a message, they know it’s important.”
Picture credits: Siemens AG
Subscribe to our Newsletter
Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.