With major cyber attacks like WannaCry, NotPetya and Triton affecting not only consumer entities but manufacturing and energy sectors as well, 2017 could be the year that industry finally took notice of the growing threat to industrial control systems. Does that also mean 2018 will be the year that industrial companies take the steps necessary to prevent the next attack?
“I think 2018 is going to be a defining year for industrial security,” said Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens Energy, in a conversation at the ARC Industry Forum in Orlando, Fla., last week. “There’s real recognition of the challenge that’s associated with cybersecurity.”
Addressing the challenge will require collaboration across the board—between partners, between customers and suppliers, and even among competitors. Siemens has been busy building those collaborative relationships over the past several months, announcing partnerships with PAS to provide real-time monitoring for control systems in the energy industry and with Tenable to improve visibility of vulnerable assets in energy, utilities, and oil and gas. This is in addition to its relationships with McAfee and Palo Alto Networks, with more agreements in the works and likely to be announced at Hannover Fair in April, according to Stefan Woronka, director of industrial security services at Siemens.
Now Siemens has taken a substantial step forward on that collaborative path with an announcement last week at the Munich Security Conference. Along with eight partners from industry, Siemens signed the first joint charter for greater cybersecurity—calling for binding rules and standards to build trust in cybersecurity and further advance digitalization. In addition to Siemens and the Munich Security Conference, the companies Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom are signing the Charter of Trust.
Avoiding advances in digitalization is not an option. To get the kind of visibility and insight that will ensure production optimization and market competitiveness, companies have to get connected, Simonovich insisted. “Cybersecurity has been eroding confidence in connectivity,” he said. “But the benefit of digitalization is too great.”
Connectivity and the cybersecurity diligence that needs to go with it are no longer just the domain of major corporations. “The trend we see is that midsize customers are now focusing on this challenge. For them, this is not just a corporate or governance discussion. It’s one where they need practical solutions,” Simonovich said, noting that many of them are looking for partners to help build capacity. “We need to come together to support midsize players.”
The charter delineates 10 action areas in cybersecurity where governments and businesses must both become active:
- Ownership of cybersecurity should be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a chief information security officer (CISO) at companies.
- Responsibility throughout the digital supply chain should be based on risk-based rules that ensure protection across all Internet of Things (IoT) layers with clearly defined and mandatory requirements. Baseline standards should be set for identity and access management, encryption and continuous protection.
- Security by default will include the highest appropriate level of security and data protection and ensure that it is preconfigured into the design of products, functionalities, processes, technologies, operations, architectures and business models.
- User-centricity means that suppliers should serve as a trusted partner throughout a reasonable lifecycle, providing products, systems and services as well as guidance based on the customer’s cybersecurity needs, impacts and risks.
- Innovate and adapt cybersecurity measures by combining domain know-how and a joint understanding between firms and policymakers of cybersecurity requirements and rules.
- Foster an understanding of cybersecurity through training and continuing education as well as international initiatives.
- Establish mandatory, independent third-party certification for critical infrastructure and solutions—above all, where dangerous situations can arise, such as with autonomous vehicles or collaborative robots.
- Provide transparency and response by participating in an industrial cybersecurity network to share new insights, information on incidents, etc.
- Promote multilateral collaborations in regulation and standardization to set a level playing field matching the global reach of the World Trade Organization (WTO). Cybersecurity regulations should be incorporated into free trade agreements.
- Drive joint initiatives including all relevant stakeholders in order to implement the above principles in the various parts of the digital world without undue delay.
“Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said Wolfgang Ischinger, chairman of the Munich Security Conference. “But the companies that are in the forefront of envisioning and designing the future of cyberspace must develop and implement the standards. That’s why the charter is so important. Together with our partners, we want to advance the topic and help define its content.”
Looking for ways to collaborate to ensure a more cybersecure industry is “not about risk shifting; it’s about shared responsibility,” Simonovich said. “We need to be at the center of the conversation. We have a responsibility, but it’s a shared one with our customer.” It’s important to be connected—both literally and in conversation, he added.
“Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Joe Kaeser, president and CEO of Siemens. “That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted—not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.”
Siemens is certainly not the only automation or cybersecurity supplier talking about the need for collaboration. It’s a common theme in so many of the announcements being made and the discussions going on behind the scenes.
At the ARC Forum last week, Schneider Electric spoke pointedly about the need to bring people to the table to work on cybersecurity—across geographic and competitive boundaries. The automation supplier is exploring ways to do just that. “It’s early days yet, but you will see a more aggressive call for collaboration,” said Tom Clary, director of global business communications at Schneider Electric. “It has to be far more collaborative across the board. We have to start talking about applications, with universal unifying standards. We have to have open, collaborative conversations. Everyone needs to understand the threats and how to fight back.”
Schneider Electric applauded the move by all the companies forming the Charter of Trust. “It’s another important step toward ensuring that the promise of digital transformation and automation will prevail over the threat of cyber terrorism,” said Peter Martin, vice president of business innovation and marketing for Schneider Electric.
“At Schneider Electric, we heartily encourage all collaborative efforts to strengthen cybersecurity,” Martin also commented. “The growing problem of cybersecurity is not specific to any single company, institution or country. Rather, it’s a threat to business and public safety that can only be addressed and resolved when suppliers, customers, integrators, developers, standards bodies and government agencies work together. This collaboration starts with common standards, agreed-upon rules, appropriate funding and active cooperation. It extends beyond national borders and transcends competitive interests.”