15 June 2020

Lasting cyber security for industrial assets

The constant cyber threat is a fact of life. Today, everyone needs a profound understanding of data protection – even in private life. We live in the digital age, where data is seen as the new gold, where ‘things’ are constantly connected and online, and where cyber criminals are as creative as can be.
Sounds awful? Maybe. But it doesn’t have to be. Companies just need the right knowledge and attentive digital behavior. Of course, they will need to stay up to date and adapt, as cyberspace is a volatile environment. The same applies to manufacturing. Protecting automation systems from cyber-attacks is a job that can never be finished, so we need profound awareness, and protection must be built into the portfolio, consistently and at every level.

Industrial Cybersecurity

A game without rest

About 100 billion euros every year – this eye-popping number is the estimated cost of cyber-attacks on German companies alone. The number of companies reporting cyber-attacks has risen dramatically since 2015. In 2019, 75% of companies reported attacks within two years, according to Germany’s digital association Bitkom, but the real number may even be significantly higher.

Worldwide, it’s a similar story. The victims range from multinational corporations to SMEs and startups. Some are household names; others are suppliers of vital components and even operators of critical infrastructures. The clear increase in confirmed (as opposed to suspected) attacks reflects the fact that companies are getting better at detecting attacks – given what’s at stake, that is surely the minimum that’s required.

With the rapid growth of the Internet of Things and the convergence of OT and IT, there are more and more potential targets. Taking into consideration the huge costs of disruption to production operations, and the threat to people’s safety when physical systems are compromised, cyber-criminal activities are getting more lucrative for attackers and more threatening for the rest of us.

As a result, cyber security is a never-ending process, facing specific threats that constantly evolve as the methods and capabilities of attackers become increasingly sophisticated. It’s not surprising then that more companies are not only being targeted but report suffering damage due to cyber-attacks.

Exploiting vulnerabilities

A favored method of attack is to identify and exploit vulnerabilities in industrial control systems (ICS). For manufacturers of automation systems like us at Siemens, it is imperative that we develop our products securely, but also provide comprehensive information and solutions (such as a security patch) as quickly as possible when new vulnerabilities are discovered.

In this area, cyber-mature manufacturers collaborate with security researchers who identify and report vulnerabilities in products before malicious attackers have the chance to exploit them. One such company is the Siemens partner Claroty, which, among other things, performs security research on Siemens products and solutions. Put simply, the researchers do their best to hack those products – thereby revealing potential vulnerabilities, which can then be eliminated.

The lessons learned from this kind of research are crucial to achieving high standards of security and benefit the further development of products such as SIMATIC. Just as future technologies are incorporated step by step in the Totally Integrated Automation (TIA) portfolio, a similar principle applies to security features: constantly adapting to the ever-changing threat landscape ensures Siemens solutions remain secure in the future.

New focus

Experiences with security research can also lead to new insights into how we should approach security overall. Looking back over the last decade, we have seen certain types of cyber-attacks occur (and frequently succeed) again and again. This tells us that perimeter-based defenses alone cannot effectively keep attackers out, at least not indefinitely. It is smarter to assume that attacks will penetrate defenses sooner or later and be prepared for that with, for example, multiple layers that provide “defense in depth” and segmentation that restricts movement to other parts of the network.

Traditionally, industrial security puts its main focus on reliability and availability. In modern data-driven and connected systems, however, this is only one side of the coin. Integrity (to protect data from unauthorized modification or deletion) and confidentiality (to prevent unauthorized access to data) are key security goals for a holistic security concept. Security features such as

  •  Strong machine-to-machine and user-to-machine authentication based on custom digital certificates
  •  Fine-grained access control

will become mandatory in the future.

Manufacturers, system integrators, operators and many others depend upon the security components available in products and systems. With a secure, robust solution featuring well-structured real-time information of high integrity, the various stakeholders will be able to work together more effectively.

Given the growth in potential vulnerabilities and the improving capabilities of attackers, a holistic cyber security concept for the whole value chain – one that adheres to leading international standards, such as IEC 62443 – is required to ensure clarity and structure. Risk assessment becomes more effective, so that decision makers can clearly see where the priorities lie and what the implications for business operations are.

Siemens is committed to the ten principles of the Charter of Trust to improve the security capabilities of our products, solutions and processes. This allows us to support our customers in establishing a holistic cyber security concept, based on our own experience, products and services. It is fundamental to mitigate risks, avoid harm and protect the productivity of industrial plants and machines. Let me finish with this appeal: Prepare against cyber threats to be prepared for the future.

Read in my previous blog where automation is heading and what enterprises should think about it.
