There’s no question that attacks on critical infrastructure are becoming increasingly common and emboldened, and it’s also very clear that effectively defending against such attacks is not something that can be done alone. Following an announcement in September about its partnership with PAS, Siemens made public today another partnership focused specifically on protecting the critical infrastructure industries of energy, utilities, and oil and gas.
Announced at the Gartner Symposium/ITxpo in Barcelona, Spain, the partnership between Siemens and Tenable—whose Tenable.io cybersecurity platform focuses on asset discovery and visibility—helps organizations understand which of their operational technology (OT) assets could be the most vulnerable.
It’s not that energy companies don’t understand that they’re at risk. At least two-thirds of oil and gas companies appreciate the fact that increased digitalization comes with increased cyber risk, according to a study released earlier this year by the Ponemon Institute.
“The industrial cyber risk has become a major problem in this space. The number of attacks targeting OT increased to over 30 percent [of all cyber attacks], and yet most companies are not prepared,” said Leo Simonovich, vice president and global head of industrial cyber and digital security for Siemens Energy. “They’re struggling to address the fundamentals.” Those fundamentals, he added, include basic hygiene and understanding what assets they have, and deploying advanced monitoring measures to help address the threats to those assets.
The work between the two companies combines Tenable’s OT-dedicated passive vulnerability detection system with Siemens’ domain expertise and operational know-how. Tenable technology provides safe, reliable asset discovery and vulnerability detection purpose-built for industrial control systems and supervisory control and data acquisition (SCADA) systems. Using passive network monitoring based on Tenable’s Nessus Network Monitor, the OT-native system helps identify and prioritize OT risks.
“Passive” is an important element of Tenable’s technology. Around for about 10 years, the technology is designed for critical systems that require a non-intrusive approach to vulnerability detection. Traditional cyber defense has involved actively routing packets across a network to try to extract information from endpoints, explained Ray Komar, vice president of technical alliances at Tenable Network Security. But this could negatively impact elements of the network, which is a huge problem in the OT space. “So historically they’ve done nothing, which is also not the right answer.” Tenable’s technology listens passively to network activity and performs analytics, Komar added.
“The passive piece is really key because a single patch can bring down our plant,” Simonovich said. “The whole idea behind our partnership is to empower our partners to make decisions. Today, on the OT side, a piece of malware can sit on there for years. The reason is because our customers are hesitant to deploy measures because they’re weighing the risk and reward. The unknown causes them concern.”
Through its partnership with Tenable, Siemens can help its customers discover assets and identify vulnerabilities. “We can give them information and insights, or work in tandem with them to deploy the fix,” Simonovich said. “Siemens helps prioritize this; understand the risk but also the business impact that’s associated with the fix.”
Siemens provides the end-to-end managed service—from hardening to monitoring to response, Simonovich said. “With Tenable, we go to market together and deploy the Tenable solution as a service—as an assessment to help understand the security posture,” he explained.
Simonovich referenced the “string of announcements” about various Siemens partnerships within the cybersecurity space. “There’s really no silver bullet for security, so we identify the best in breed and help customers secure the whole lifecycle—from the discovery piece all the way through mediation,” he said. “We see this as working towards a solution set. And it really is a solution set that helps solve a puzzle for our customers.”
Though its underlying technology is mature and robust, Tenable recognizes that they can’t do it all themselves, Komar said. “Security is such a complex and fragmented area,” he said. “Partnering is the way to achieve actionable success.”