Cybersecurity is a topic you don’t ever want to say you have a mastery of, says Raj Batra, president of the Industry Automation Division for Siemens, because it’s an evolutionary topic. “Hacker” is no longer enough to describe the people who can cause harm to a company’s network, and cyber concerns today face an ever-evolving arsenal of cyber enemies who include anyone from “hacktivists” to “script kiddies.”
Speaking to a cadre of industry journalists Friday, Siemens announced its intent to meet the cyber concerns head-on with the roll-out of its Managed Security Services. Despite not wanting to claim mastery, the automation supplier contends, nonetheless, that its expertise puts it in a good position to provide the protection that industrial control systems (ICS) need. In a space dominated by enterprise IT players, Siemens will focus on providing continuous protection specifically to production environments. Services include assessment of security posture, implementation of recommended security measures and transitions into ongoing defense against evolving ICS cybersecurity threats.
Batra and other executives acknowledged the security troubles that Siemens products have faced in recent years. It was Siemens equipment that was attacked in 2010 by the Stuxnet virus that targeted Iran’s nuclear industry.
Answering the question of why Siemens thinks now is the time to focus on cybersecurity, Galina Antova, global head of industrial security services at Siemens, said, “It should’ve been yesterday. Proactive action is already overdue.”
But it’s not as if Siemens was alone in being unprepared for the attacks that its equipment faced. There was widespread unawareness of just how dangerous and prevalent the cyber threats could be, and industry still battles that somewhat today. But more companies are moving in the right direction. “The automation products we ship today incorporate much more in the way of cybersecurity than we ever have before,” Batra says. “They’re light years ahead of the ones we sold a decade ago. There just wasn’t a demand to address cybersecurity back then… You couldn’t sit in Starbucks and access your plant.”
Since Stuxnet in particular, global threat intelligence has enabled the “transition from reactive to proactive behavior,” Batra says. For example, Siemens has been working with the U.S. government to help craft the Cyber Security Framework (CSF), a “prioritized, repeatable, cost-effective approach for increasing security against any type of cyber attack,” Batra says, describing the document that will be released early next year. “I fully believe this will be the framework that will evolve over time, and will get stronger.” With “more collaborative approaches,” he adds, “we may see things getting pushed into law.”
The impact to manufacturers from the cyber threat is significant, including unplanned downtime, loss of product or impaired quality, manipulation of data, unauthorized use of systems, employee death or injury, environment damage, loss of intellectual property, damage to brand image, and financial loss.
Unfortunately, many manufacturers are not prepared to deal with cybersecurity threats. “Today there are thousands and thousands of control systems worldwide that are of varying ages,” Batra says. “There are also some outdated mindsets of what the typical roles of IT are. Many plants are in the midst of a chasm between operations and IT departments.”
Part of the problem, he notes, is that nobody really holds the cybersecurity budget. The plant manager lacks the budget to address cybersecurity issues; the production manager is focused more on uptime; the maintenance manager knows that he must not impact production; enterprise IT can’t get access to the ICS; and the cybersecurity officer is not set up for success. “It’s still a very opaque landscape,” Batra says, adding that a severe skills gap in the industry also plays an important role in an organization’s ability to mediate the threats.
Siemens, of course, recommends that manufacturers rely on its new services rather than try to go it alone. “Do they want to be in the business of security, or do they want to be in the business of doing what they do best? Again, it’s back to core competencies,” Batra says. A valid point, certainly, is that, while an automaker’s core competency is making cars, they must compete with attackers whose core competency is cybersecurity. “We believe, very much so, this is a core competency that we have at Siemens.”
The cybersecurity landscape is constantly evolving, creating more organized, sponsored, for-hire cyber attacks, notes Roger Hill, head of automation technology management for industrial security services at Siemens. “They keep working at it. They have a specific goal in mind,” he says. “No one is safe. Bad things will happen because the attackers are getting very advanced, and they’re getting more advanced every day.”
And as Siemens built its cybersecurity expertise, it could no longer hide from the lack of skills and core competence inside its customer plants, Antova says. Customers were asking for help in protecting plant operations. “This was a fundamental shift for us,” she adds. “The customer doesn’t care about protecting the Siemens equipment, but protecting the whole plant.”
Hill emphasized the differences between cybersecurity requirements for enterprise IT and those for control systems. At the enterprise level, for example, security concerns focus on confidentiality, integrity and system availability. “At the control system, that model is inverted,” he says, noting that maintaining availability in highly redundant production systems is critical.
The most important part of enterprise IT is the data. In the ICS, on the other hand, “we’re protecting equipment; we’re protecting the process,” Hill says. Likewise, IT security impacts intellectual property. “In our space, it’s closely related to the safety environment. We’re talking lives and the environment.”
From continuous process to factory automation, it’s important to really understand the manufacturing segment, Hill says. That is Siemens’ focus, and why the company believes in the benefit of its cybersecurity expertise specific to ICS. The manufacturing environment, Hill notes, brings with it some common challenges:
- Network communications
- Access control
- Disaster recovery
- ICS alarm management tie-in
- Remote operations
- Plant hazardous operations
Siemens is not trying to reinvent the wheel with it cybersecurity offering, Antova says. “We’re really trying to make it applicable for the industrial control space.” Siemens has been using its own factories in Germany as pilot projects, and has customers in the U.S. involved in pilots as well.
Siemens advocates a holistic approach to cybersecurity management. “It’s a journey,” Hill says. “It’s not a measure; it’s a way of life. It’s a mindset and requires continuous investment and continuous attention.”