In many ways, cybersecurity is a mirror of safety; plenty of experts advocate protecting the castle from cyber incidents with the same kind of standard protocols and procedures they would use against safety incidents. Looking at the potential effects of a cyber attack on critical infrastructure in the energy sector really brings this all to light. Becoming a primary target for hackers has exposed the sector to a record number of near-miss safety events at plants around the world, creating significant potential for harm to the health and safety of people, processes, plants and products.
Building on the work they’re doing together on the Charter of Trust, Siemens and TÜV SÜD are collaborating to address these concerns with a new approach they’re calling Digital Safety. Introduced this week at the Offshore Technology Conference (OTC) in Houston, the partnership will provide digital safety and security assessments, as well as industrial vulnerability assessments, to help global energy customers identify asset risk and cybersecurity solutions.
TÜV SÜD will offer digital assessments that incorporate cybersecurity vulnerability assessments from Siemens. The offering is not limited to customers using Siemens technologies and products; it will include vendor-agnostic assessments of industrial control systems (ICSs) in both the oil and gas and power generation sectors (nuclear applications excluded).
Cyber attacks are coming more frequently, and they’re also getting increasingly sophisticated. Outlining the threat that they pose to the energy industry’s safety systems, Leo Simonovich, vice president and global head for industrial cyber and digital security at Siemens, used a high-profile attack in late 2018 as an example. In this case, attackers went after a Schneider Electric safety system at a petrochemical plant in Saudi Arabia. The speed with which the attackers traversed from IT to operations (OT) to safety was alarming, he said.
“Attacks are interchanging their techniques—leapfrogging from digital to physical and back again,” Simonovich said. They also typically involve some level of human error, he said, noting that insider threats make up an overwhelming majority of these attacks.
“What’s common between IT and OT attacks is human error,” Simonovich added. “We want to borrow the principles from safety and the principles of hygiene and awareness and bring those two together.”
The new approach that the two companies are teaming up on is aimed at minimizing the impact of human error, said John Tesoro, president and CEO of TÜV SÜD North America. They advocate understanding your risk and building your defense, but also point to lessons that cybersecurity can learn from standard safety measures. You need to gain visibility and situational awareness, and at the center of both is root cause analysis, Tesoro said. Similar to safety situations, employees need to report when they see something wrong, like another employee bringing in unauthorized portable media or forgetting to log off a terminal. Continual learning and training are important as well.
There’s a need for cybersecurity that incorporates resiliency, hygiene and security by design. “We’re combining core strengths that both companies have in order to bring a holistic approach for the energy industry,” Tesoro said. “We are leveraging our deep know-how across disciplines.”
With a redefined approach—combining safety and security to address the human element—Siemens and TÜV SÜD aim to reduce risks in the digital and physical worlds. Companies need to be looking at both safety and cybersecurity from a threat point of view as well as an impact point of view. “We hope through our partnership to change the conversation,” Simonovich said.