The constant cyber threat is a fact of life. Today, everyone needs a
profound understanding of data protection – even in private life. We live in
the digital age, where data is seen as the new gold, where ‘things’ are
constantly connected and online, where cyber criminals are as creative as just
Sounds awful? Maybe. But it doesn’t have to be. Companies just need the right
knowledge and attentive digital behavior. Of course, they will need to stay
up-to-date and adapt, as cyberspace is a volatile framework. This is the
same when it comes to manufacturing. Protecting automation systems from cyber-attacks
is a job that can never be finished, so we need a profound consciousness and
protection must be built into the portfolio, consistently and at every level.
A game without rest
About 100 billion euros every year – this eye-popping
number is the estimated cost of cyber-attacks on German companies alone. The
number of companies reporting cyber-attacks has risen dramatically since 2015. In
2019, 75% of companies reported attacks within two years, according to Germany’s digital
association Bitkom, but the real number may even be significantly higher.
Worldwide, it’s a similar story. The victims
range from multinational corporations to SMEs and startups. Some are household names;
others are suppliers of vital components and even operators of critical
infrastructures. The clear increase in confirmed (as opposed to suspected)
attacks reflects the fact that companies are getting better at detecting
attacks – given what’s at stake, that is surely the minimum that’s required.
With the rapid growth of the Internet of Things
and the convergence of OT and IT, there are more and more potential targets. Taking
into consideration the huge costs of disruption to production operations, and
the threat to people’s safety when physical systems are compromised, cyber-criminal
activities are getting more lucrative for attackers and more threatening for
the rest of us.
As a result, cyber security is a never-ending
process, facing specific threats that constantly evolve as the methods and
capabilities of attackers become increasingly sophisticated. It’s not
surprising then that more companies are not only being targeted but report suffering
damage due to cyber-attacks.
A favored method of attack is to identify and exploit vulnerabilities in industrial control systems (ICS). For manufacturers of automation systems like us at Siemens, it is imperative that we develop our products securely, but also provide comprehensive information and solutions (such as a security patch) as quickly as possible when new vulnerabilities are discovered.
In this area,
cyber-mature manufacturers collaborate with security researchers who identify
and report vulnerabilities in products before malicious attackers have the
chance to exploit them.
One such company is the
Siemens partner Claroty, which, among other things, performs
security research on Siemens products and solutions. Put simply, the
researchers do their best to hack those products – thereby revealing potential
vulnerabilities, which can then be eliminated.
The lessons learned from this kind of research
are crucial to achieving high standards of security and benefit the further
development of products such as SIMATIC. Just as future technologies are
incorporated step by step in the Totally Integrated Automation (TIA) portfolio, a similar principle applies to
security features: constantly adapting to the ever-changing threat landscape ensures
Siemens solutions remain secure in the future.
Experiences with security research can also lead
to new insights into how we should approach security overall. Looking back over
the last decade, we have seen certain types of cyber-attacks occur (and
frequently succeed) again and again. This tells us that perimeter-based
defenses alone cannot effectively keep attackers out, at least not indefinitely.
It is smarter to assume that attacks will penetrate defenses sooner or later
and be prepared for that with, for example, multiple layers that provide
“defense in depth” and segmentation that restricts movement to other parts of
industrial security puts its main focus on reliability and availability. In
modern data-driven and connected systems, however, this is only one side of the
coin. Integrity (to protect data from unauthorized modification or deletion)
and confidentiality (to prevent unauthorized access to data) are key security
goals for a holistic security concept. Security features such as
- Strong machine-to-machine and user-to-machine authentication based on custom digital certificates
- Fine-grained access control
will become mandatory in the future.
system integrators, operators and many others depend upon the security
components available in products and systems.
With a secure, robust solution featuring well-structured real-time
information of high integrity, the various stakeholders will be able to work
together more effectively.
Given the growth in potential vulnerabilities
and the improving capabilities of the attackers, a holistic cyber security concept for the whole value chain – one that
adheres to leading international standards, such as IEC 62443 – is required to
ensure clarity and structure. Risk assessment becomes more effective, so that
decision makers can clearly see where the priorities lie and what the implications
for business operations are.
Siemens is committed to the ten principles of the Charter of Trust to improve the security capabilities of our products, solutions and processes. This allows us to support our customers in establishing a holistic cyber security concept, based on our own experience, products and services. It is fundamental to mitigate risks, avoid harm and protect the productivity of industrial plants and machines. Let me finish with this appeal: Prepare against cyber threats to be prepared for the future.
Read in my previous blog where automation is heading and what enterprises should think about it.