At home, you put a lock on your door, but what about your company’s communication network? On the one hand, hackers can cause damages in the millions. On the other hand, investing in security can seem like a visit to the dentist’s office – everyone knows it’s necessary, but no one really enjoys it. Jens Dolenek, Head of Sales for Industrial Communications Systems in Germany, spoke with me about the question of a path towards a sensible network door lock.
Keyword Security – On the one hand, there are numerous reports of attacks on corporations; on the other, German security experts say that companies are doing too little about it. How is the situation with your customers?
Jens Dolenek: A great number of customers already have some relative awareness and know they could be the target of an attack. But one has to differentiate between specific stages of implementing a security policy in a business. Here we find a heterogeneous landscape: Corporations, big businesses and forward-thinkers do a great deal for their company’s security. This is mostly based on the high likelihood of being attacked, but also due to prior know-how. As soon as a company has its own process or has established an organization for their security, it knows very well what to do and looks for technological solutions.
Conversely, the small and medium-sized businesses have their work cut out for them. Sometimes they only have one employee managing their operational technology (OT) who is then given the added task of cyber security. Here the practical relevance can leave much to be desired.
What does this mean in concrete terms?
Some of the first questions we ask customers are, “Do you already have organizational structures for managing your OT security? And do you know how to respond in case of an attack?” The primary focus here is on defense, but there also needs to be an emergency plan for how to correctly respond should an incident occur. I sense this requires that a learning process take place within an organization.
How do you support the businesses along this track? Can one buy a ready-made security solution from Siemens?
No (laughs). Security is not a finished product with an order number, because there can never be a “one size fits all” solution. In the private sector, everyone has different demands, like for a life insurance policy for example, and they define these based on their own individual concerns. The topic of security within a company can be viewed similarly.
At Siemens, however, we support our customers by analyzing and determining individual needs and then implementing security concepts when desired.
The path to company-specific security measures starts with a comprehensive evaluation to form a risk-based assessment. Here we discuss which areas need protection overall, and which areas appear less critical regarding the effects of a potential attack. It’s not only about the network, of course, but also about topics like access controls for certain plant areas, for example.
In the second step, a security expert typically takes 2 to 5 days to carry out a focused analysis concerning the defined protection goals in possible attack scenarios. In the third step, we take a look at the findings for the identified weak points. For example, are program blocks in a PLC password-protected to protect the know-how of the code from manipulation? Is there whitelisting or blacklisting for network connections? Only now do we begin discussing the technological aspects and possible approaches to solutions. Moreover, this usually also establishes good transparency about communication relations between systems which, until now, may not have been known or documented.
In the fourth step, a company must address the implementation of possible protection measures. Here, the passwords for the function blocks may not be the biggest problem, but rather the insufficiently protected physical access to the network or critical plant areas. Or maybe it’s the network-specific segmentation for out-of-date industrial PCs for which there are no more security patches but which are still indispensable for production.
Is the customer then protected? Is that the end of it?
Security is a continuous process. For one, the hacker scene never stands still, and new security vulnerabilities are discovered and shared in ever shorter intervals. And secondly, the security architecture has to constantly be adapted to changes in the company. Then there are the matters of relationships to suppliers, changes and extensions to the automation, a service technician might connect an unsecured notebook to the system – all things which must have an effect on the demands and solutions for cyber security. Therefore, a continual process must be put in place.
“Cyber security and the industrial IoT are not mutually exclusive; rather, both must go hand in hand.” (Jens Dolenek)
How much does security cost? Is it worth it?
We get this question often, but a lump sum cannot be named. It all depends on the assets to be protected, the probability of risks, the existing level of security, and ultimately how much a company values its plant security and know-how. This is the reason for our security assessment where, after a week or two’s worth of man-hours, we take the suggestions and realistically evaluate and identify solutions based on concrete findings. Only then can we really say which measures make sense according to relevant standards and tell which investments have to be made. Some suggestions cannot simply be deployed with our technological concepts, but must instead be instituted as a process in the customer’s organization.
Another aspect people are talking about is the topic of digital transformation, the industrial internet of things etc. – concepts which necessitate increased networking between devices and the internet. Is the threat of cyber attacks and their protections a roadblock for digitalization?
That’s not how I see it. Based on this concept, the IIoT will be the driving force behind further developments simply because companies can use it to decisively boost their competitiveness. A company’s security concept must then provide the suitable answers. Cross-manufacturer concepts for this are already available to some extent and will be continuously developed in the future – they must be proportional and correctly implemented. Moreover, such security is already being integrated into the products and solutions of leading providers – Siemens included. Take the OPC Foundation for example and see how security has become a standard component of the architecture.