Why does Siemens publish so many Advisories?
Cybersecurity at Siemens
Every month, Siemens AG publishes 'Security Advisories' on security vulnerabilities in Siemens' products. And year over year, the number of reported vulnerabilities increases. But that doesn’t mean products are getting less secure – quite the contrary: with the continued digitalization of industry products, more vulnerabilities are to be expected.
An aging cement factory is ready for digitalization. In its kilns, limestone is burned together with aluminum oxide, granulated blast furnace slag, gypsum or bauxite; the clinker is then ground and carried by conveyor belts to be filled into bags and stacked onto pallets. The plant still works well, but the owners are planning to replace it with a more modern one that not only saves energy and requires little maintenance, but also automates the production of a wide variety of cement mixtures.
But which control system should the new plant use? When someone suggests Siemens controls, the operators take a look at the company's security website and realize that Siemens publishes vulnerabilities and patches quite regularly. What is more, instead of becoming fewer, the advisories seem to increase over time. That makes them a bit uneasy: might the company's products be vulnerable to cyber-attacks?
Vulnerability handling is key for earning a client’s trust
In fact, the opposite is true. The more digital technologies become interconnected – from power plants to rail transport to medical technology – the more important it is to regularly update their operating systems and apps to keep security at the highest level. It's similar to smart phones and PCs – we accept their regular software updates, as we want them to be secure. Likewise, dealing with software vulnerabilities is an important prerequisite for the successful digitalization of industries.
"With the digitalization of industry, looking out for vulnerabilities becomes a necessity. That's why professional vulnerability handling is key for earning a client's trust." – Karen Gaines, Head of Siemens Cybersecurity Defense
The result: In 2020, Siemens reported more than one hundred fixed vulnerabilities, including solutions for around 41,000 products. And the numbers go up every year. This makes Siemens a pioneer among large industrial companies, but by no means the record holder. By way of comparison, major software vendors with far smaller product portfolios than Siemens reported more than 1000 vulnerabilities in the same period, despite having excellent secure development processes. That shows that the number of known vulnerabilities is simply increasing as digitalization and cybersecurity efforts intensify. Karen Gaines, head of Siemens Cybersecurity Defense, who worked for Microsoft and AWS before coming to Siemens in 2020, confirms this: "With the digitalization of industry, looking out for vulnerabilities becomes a necessity. That's why professional vulnerability handling is key for earning a client's trust."
Secure today, vulnerable tomorrow
At Siemens, ProductCERT (Product Computer Emergency Response Team) manages the receipt, investigation, internal coordination, and public reporting of security issues related to Siemens' products. On the second Tuesday of every month, the team informs Siemens' customers about potential issues and the corresponding solutions in so-called 'Siemens Security Advisories'. This Security Advisory Day falls on the same day Microsoft traditionally publishes patches for its vulnerabilities, so that IT managers can kill two birds with one stone. Obviously, there is no such thing as 100 percent security. Even though Siemens products only reach the market after they have been thoroughly tested, continuous monitoring over the entire lifecycle of a product usually turns up new vulnerabilities. Attack methods are also constantly evolving: a component that was secure yesterday can become vulnerable to a new attack overnight. That is why Siemens has established a comprehensive process for detecting potential security issues in its products. Naturally, as digitalization is at the center of all of today's industrial innovations, this also means that the number of vulnerabilities has increased.
The ProductCERT is connected – globally
ProductCERT not only monitors the company's own products, but also components from third-party suppliers and open-source software built into Siemens' products – along the entire supply chain. This way, Siemens creates not only end-to-end protection for its products, but also transparency. "Our goal is to detect vulnerabilities as soon as possible – and that means best during a product's early development stage", says Klaus Lukas, Principal at Siemens ProductCERT. "This way we can ensure its security is at the defined level from the beginning."
Intense internal testing reveals vulnerabilities. For testing Siemens' products, various methods are used, among them a device called 'SiESTA' (Siemens Extensible Security Testing Application), which can be connected directly to a device or server to carry out automated testing with various security tools. Additionally, the ProductCERT team is well networked among security researchers all over the world, from experts at universities to IT security providers. And last but not least, it also receives information from customers, national CERT organizations, and internal Siemens departments.
Automated patch management
On average, the ProductCERT receives one report per day. It is then reviewed and evaluated by the team. If a product update is required, the team verifies its effectiveness. "Afterwards, the report is scheduled for publication on the next 'Security Advisory Day,'" says Lukas. "In critical cases, of course, a notification goes out right away."
And while it may appear unsustainable to handle an ever-increasing number of known vulnerabilities, here, too, digitalization shows the way. As with conventional software systems, vulnerability handling for industrial products can leverage automation to increase security. Today, it is already possible in some cases to transmit information on vulnerabilities in a machine-readable form, so that an operator can match an advisory against the products in the plant and apply each patch only to the assets it actually concerns. The goal, however, is to deploy patches automatically, without any further human intervention. "Then customers won't have to spend any more time on patch management – and yet, their security will automatically be increased," says Lukas.
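To show what the machine-readable step buys an operator in practice, here is an added example; it is not Siemens ProductCERT code and does not reproduce the Siemens advisory format. It matches a constructed advisory, whose layout loosely follows the product-tree / product-status / remediation split of the OASIS CSAF 2.0 standard but whose field names, version-range syntax (`<X.Y.Z` and `all`) and placeholder product names are assumptions made for illustration, against a small constructed asset inventory, and reports only the assets that actually need action together with the remediation the advisory lists for them.

```python
"""
Match a machine-readable security advisory against an asset inventory.

Added example, not vendor code. The advisory below is constructed; its
shape is a simplified, CSAF-inspired layout and the 'version_range'
syntax ('<X.Y.Z' = every version below the fix, 'all' = every version)
is an assumption of this example, not a standard field.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample advisory: placeholder identifiers and product names.
ADVISORY_JSON = r'''
{
  "document": {"tracking": {"id": "EXAMPLE-ADV-0001"}},
  "product_tree": {
    "full_product_names": [
      {"product_id": "P-1", "name": "Example Controller", "version_range": "<2.3.1"},
      {"product_id": "P-2", "name": "Example HMI Panel",  "version_range": "<1.0.5"},
      {"product_id": "P-3", "name": "Example Gateway",    "version_range": "all"}
    ]
  },
  "vulnerabilities": [
    {
      "id": "EXAMPLE-VULN-0001",
      "product_status": {"known_affected": ["P-1", "P-2"], "known_not_affected": ["P-3"]},
      "remediations": [
        {"category": "vendor_fix", "product_ids": ["P-1"], "details": "Update to V2.3.1 or later"},
        {"category": "workaround", "product_ids": ["P-2"], "details": "Restrict network access to the panel"}
      ]
    }
  ]
}
'''

# Constructed plant inventory: what is installed where, and at which version.
INVENTORY = [
    {"asset": "kiln-plc-01",    "product": "Example Controller", "version": "V2.2.0"},
    {"asset": "kiln-plc-02",    "product": "Example Controller", "version": "V2.3.1"},
    {"asset": "packing-hmi-01", "product": "Example HMI Panel",  "version": "V1.0.4"},
    {"asset": "remote-gw-01",   "product": "Example Gateway",    "version": "V3.0.0"},
    {"asset": "lab-switch-01",  "product": "Other Switch",       "version": "V9.9"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V2.3.1' or '2.3.1' into (2, 3, 1) so versions compare numerically.
    Assumption: dotted integers, optionally prefixed with 'V'."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums)


def version_in_range(version: str, spec: str) -> bool:
    """Evaluate the simplified range syntax of the constructed advisory."""
    if spec == "all":
        return True
    if spec.startswith("<"):
        return parse_version(version) < parse_version(spec[1:])
    raise ValueError(f"unsupported range spec: {spec!r}")


def match_advisory(advisory: Dict, inventory: List[Dict]) -> List[Dict]:
    """Return one finding per inventory asset whose product and version the
    advisory lists as known_affected, together with the applicable remediation.
    Assets running unlisted products, products marked not affected, or a
    version at or above the fix produce no finding."""
    products = {p["name"]: p for p in advisory["product_tree"]["full_product_names"]}
    findings = []
    for vuln in advisory["vulnerabilities"]:
        affected_ids = set(vuln["product_status"].get("known_affected", []))
        # product_id -> remediation text; the first remediation listed wins.
        remediation_for: Dict[str, str] = {}
        for rem in vuln.get("remediations", []):
            for pid in rem["product_ids"]:
                remediation_for.setdefault(pid, f'{rem["category"]}: {rem["details"]}')
        for asset in inventory:
            product = products.get(asset["product"])
            if product is None or product["product_id"] not in affected_ids:
                continue  # not covered by this advisory, or explicitly not affected
            if not version_in_range(asset["version"], product["version_range"]):
                continue  # already at or above the fixed version
            findings.append({
                "asset": asset["asset"],
                "vuln": vuln["id"],
                "product": product["name"],
                "version": asset["version"],
                "remediation": remediation_for.get(product["product_id"], "none listed"),
            })
    return findings


def affected_assets(advisory_json: str = ADVISORY_JSON, inventory: List[Dict] = INVENTORY) -> List[Dict]:
    """Parse the advisory and run the match over the inventory."""
    return match_advisory(json.loads(advisory_json), inventory)


if __name__ == "__main__":
    for f in affected_assets():
        print(f'{f["asset"]}: {f["product"]} {f["version"]} affected by {f["vuln"]} -> {f["remediation"]}')
```

Run as-is, the script flags only kiln-plc-01 (vendor fix available) and packing-hmi-01 (workaround only); kiln-plc-02 already runs the fixed version, the gateway is listed as not affected, and the lab switch is not a product covered by the advisory. The version comparison is the piece that breaks first in real deployments: vendors use different version schemes, so a production matcher should follow the range semantics the advisory format actually defines rather than a home-grown parser like this one.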
Until that day arrives, the operators of the cement factory will have to deal with advisories arriving regularly in their inbox, and patching vulnerabilities in their plant. But as they do, they can appreciate the fact that the products they use every day are up to date.