On the face of it, the Charter of Trust—a cross-industry alliance of manufacturers focused on improved cybersecurity practices—sounds like a group that is determined to do what it takes to ensure that its products and manufacturing operations are as safe as possible. True enough, but it’s not purely for altruistic reasons.
These industry players—Siemens and its partners—are pushing their 10 key cybersecurity principles because they know that they will never be able to get their customers to buy in to an increasingly connected industrial world if those customers cannot trust that it is also a secure industrial world. Smart manufacturing has no viable future if it opens manufacturers up to undue dangers.
Customers are questioning whether they really want to open up their factories—which are otherwise running smoothly and making a decent profit—to possibilities of compromise. “I think they are right to have doubts,” said Eva Schulz-Kamm, global head of government affairs for Siemens, adding that customers need evidence that their systems will be safe.
The whole basis behind the Charter of Trust, launched early this year, is the fact that these companies cannot expect people to support digital transformation if the security of data and networked systems is not guaranteed. In manufacturing and beyond, cybersecurity is a crucial factor for the success of the digital economy, Schulz-Kamm said. With that in mind, digitalization and cybersecurity must evolve hand in hand.
“There is no smart solution without cybersecurity,” she said. “A solution is not smart if it can be attacked or if a business customer cannot trust it.”
During a recent three-day briefing of U.S. journalists in Munich, Germany, several Charter of Trust partners pointed to the need to establish that trust. The idea is to protect society from cyber threats and risks, but increasing trust in digital solutions is also vitally important for gaining a competitive advantage.
“Trust is a differentiator in competition,” Schulz-Kamm commented. It’s a very costly differentiator, she added, but an important one. “We see trust as an investment into our products.”
Siemens is an automation supplier that certainly understands what it means to lose the trust of its customers. When the Stuxnet virus attacked Iran’s nuclear industry in 2010, it was the Siemens control system that it hit. Those were the early days of understanding the cyber threat in production environments. “We have been completely reshaping, rebuilding the way we handle cybersecurity in our products since then,” Schulz-Kamm said.
The nucleus of the Charter of Trust came from Schulz-Kamm and her team, which works closely with governments around the world on cybersecurity, she said. “In Washington, Brussels, Beijing—all over the globe—this is a top concern,” she said. “We are in a mess here. We really have to do something about it so that the world gets more trusted.”
The 10 commandments
Schulz-Kamm stressed that the Charter of Trust is a partnership and not an association. “An association is there to represent the interests of its customers,” she explained. “We want to raise substantially the bar for cybersecurity.”
To do this, the Charter of Trust focuses on 10 key principles for a secure digital world:
- Ownership of cyber and IT security
- Responsibility throughout the digital supply chain
- Security by default
- Innovation and co-creation
- Certification for critical infrastructure and solutions
- Transparency and response
- Regulatory framework
- Joint initiatives
“Without these 10 commandments of the Charter of Trust, we will not get a market,” said Lars Reger, chief technology officer for NXP Automotive. “We all want to be a corporate citizen. We also want to have stable markets. So it’s not only the good corporate citizenship that’s driving us. But the nice thing is that it goes together.”
The merger of NXP Semiconductors with Freescale Semiconductor a few years ago created the world’s largest automotive chipmaker—in fact, the only semiconductor manufacturer with the portfolio to completely outfit a modern car with electronics. The average car contains about 100 NXP chips, Reger said.
During a visit to NXP’s facility in Munich, Reger referenced several different types of chips used to make cars smarter, even to the point of autonomy. In all cases, safety and security—including privacy—are vital. “There is no such microcontroller from us that doesn’t have crypto cells,” Reger said.
“We need to ensure that only authorized people have the ability to change, configure, update or use a system in a way that it stays secure over the lifetime of a product. This is a new challenge,” said Wolfgang Steinbauer, who leads NXP’s Innovation Center for Crypto and Security. “A lot of applications require devices connected and we also benefit a lot from those connected devices. But the implication is I need to ensure that I can keep my systems secure over their lifetime.”
There are differing views among the Charter of Trust partners about what the Internet of Things (IoT) is. “But we all agree that, however you define IoT, it’s important for everything,” said Jonathan Sage, a government and regulatory affairs executive for IBM, serving as IBM’s global lead on the Charter of Trust.
However, with great connectivity comes great responsibility. Sage referenced a quote from Ginni Rometty, IBM’s CEO and president, emphasizing the belief that organizations that collect, store, manage or process data have an obligation to handle it responsibly. Without that core tenet, IBM’s customers would not trust IBM as a steward of their most valuable data. “Trust and responsibility is at the heart of relationships,” Sage added during a visit to IBM’s Watson IoT Center in Munich.
IBM signed the Charter of Trust with important objectives aimed at collaborating, educating and raising awareness in cybersecurity. “We want to raise the bar in cybersecurity with tangible measures,” Sage said. “We want to create a foundation in which confidence in a digital world can grow.”
Expanding the trust
NXP and IBM are among the eight original partners that Siemens signed the joint charter with, along with manufacturing users like Airbus and Daimler. The charter has since expanded to 16 partners, adding a few key European energy players in March, as well as U.S. companies like Cisco and Dell.
The partnership is looking to grow further in 2019. “Do we want to include everybody? No way,” Sage said, emphasizing the difficulty of maintaining compliance with all the key principles if the group expands too quickly. The partners want to make sure all sectors are covered, and they want to expand geographically, into Asia-Pacific and with wider representation of the U.S.
“We don’t want to become big, but we want to become better,” Schulz-Kamm said. “We really want to follow those principles. And if you’re a huge crowd, it gets too complicated to work together.”