you put a lock on your door, but what about your company’s communication
network? On the one hand, hackers can cause damages in the millions. On the
other hand, investing in security can seem like a visit to the dentist’s office
– everyone knows it’s necessary, but no one really enjoys it. Jens Dolenek,
Head of Sales for Industrial Communications Systems in Germany, spoke with me
about the question of a path towards a sensible network door lock.
Keyword Security – On the one hand, there are numerous reports of attacks on corporations; on the other, German security experts say that companies are doing too little about it. How is the situation with your customers?
Dolenek: A great number of customers already have some relative awareness and
know they could be the target of an attack. But one has to differentiate
between specific stages of implementing a security policy in a business. Here
we find a heterogeneous landscape: Corporations, big businesses and
forward-thinkers do a great deal for their company’s security. This is mostly
based on the high likelihood of being attacked, but also due to prior know-how.
As soon as a company has its own process or has established an organization for
its security, it knows very well what to do and looks for technological
the small and medium-sized businesses have their work cut out for them.
Sometimes they only have one employee managing their operational technology
(OT) who is then given the added task of cyber security. Here the practical
relevance can leave much to be desired.
What does this mean in concrete terms?
Some of the
first questions we ask customers are, “Do you already have organizational
structures for managing your OT security? And do you know how to respond in
case of an attack?” The primary focus here is on defense, but there also
needs to be an emergency plan for how to correctly respond should an incident
occur. I sense this requires that a learning process take place within an
How do you support the businesses along this track? Can one buy a ready-made security solution from Siemens?
(laughs). Security is not a finished product with an order number, because
there can never be a “one size fits all” solution. In the private
sector, everyone has different demands, like for a life insurance policy for
example, and they define these based on their own individual concerns. The
topic of security within a company can be viewed similarly.
however, we support our customers by analyzing and determining individual needs
and then implementing security concepts when desired.
The path to
company-specific security measures starts with a comprehensive evaluation to
form a risk-based assessment. Here we discuss which areas need protection
overall, and which areas appear less critical regarding the effects of a
potential attack. It’s not only about the network, of course, but also about
topics like access controls for certain plant areas, for example.
second step, a security expert typically takes 2 to 5 days to carry out a focused
analysis concerning the defined protection goals in possible attack scenarios.
In the third step, we take a look at the findings for the identified weak
points. For example, are program blocks in a PLC password-protected to protect
the know-how of the code from manipulation? Is there whitelisting or
blacklisting for network connections? Only now do we begin discussing the
technological aspects and possible approaches to solutions. Moreover this
usually also establishes good transparency about communication relations
between systems which, until now, may not have been known or documented.
fourth step, a company must address the implementation of possible protection
measures. Here, the passwords for the function blocks may not be the biggest
problem, but rather the insufficiently protected physical access to the network
or critical plant areas. Or maybe it’s the network-specific segmentation for
out-of-date industrial PCs for which there are no more security patches but
which are still indispensable for production.
Is the customer then protected? Is that the end of it?
Security is a continuous process. For one, the hacker scene never stands still, and new security vulnerabilities are discovered and shared in ever shorter intervals. And secondly, the security architecture has to constantly be adapted to changes in the company. Then there are the matters of relationships to suppliers, changes and extensions to the automation, a service technician might connect an unsecured notebook to the system – all things which must have an effect on the demands and solutions for cyber security. Therefore, a continual process must be put in place.
“Cyber security and the industrial IoT are not mutually exclusive, rather both must go hand-in-hand.” – Jens Dolenek
How much does security cost? Is it worth it?
We get this
question often, but a lump sum cannot be named. It all depends on the assets to
be protected, the probability of risks, the existing level of security, and
ultimately how much a company values its plant security and know-how. This is
the reason for our security assessment where, after a week or two worth of
man-hours, we take the suggestions and realistically evaluate and identify
solutions based on concrete findings. Only then can we really say which
measures make sense according to relevant standards and tell which investments
have to be made. Some suggestions cannot simply be deployed with our
technological concepts, but must instead be instituted as a process in the
aspect people are talking about is the topic of digital transformation, the
industrial internet of things etc. – concepts which necessitate increased
networking between devices and the internet. Is the threat of cyber attacks and
their protections a roadblock for digitalization?
how I see it. Based on this concept, the IIoT will be the driving force behind
further developments simply because companies can use it to decisively boost
their competitiveness. A company’s security concept must then provide the
suitable answers. Cross-manufacturer concepts for this are already available to
some extent and will be continuously developed in the future – they must be
proportional and correctly implemented. Moreover, such security is already
being integrated into the products and solutions of leading providers – Siemens
included. Take the OPC Foundation for example and see how security has become a
standard component of the architecture.
To learn more about the topic: In three events in Germany, Siemens will provide information about the procedure, suitable solution concepts and successful references.