Talking Cybersecurity w/ Galina Antova of Siemens Industrial Security Services
Q: The cybersecurity landscape has drastically changed during the past several years, for both the users of industrial control systems and the suppliers. How has Siemens evolved during this time?
A: Siemens has a high level of commitment to cybersecurity. We invest heavily in our technology to make it as secure as possible. We have a central security organization located in Germany and six regional hubs, in the US, China, Russia, France, the UK and India. The job of the Siemens experts staffing those offices is to learn of a vulnerability or attack quickly and to work rapidly with customers, industry partners, and appropriate government authorities to analyze the problem, limit the impact, and minimize the likelihood of repetition. Siemens remains in continual contact with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the US Department of Homeland Security. We tell them what we know, and they tell us what they know. They challenge us to do more when there is more we can do, and they help communicate state-of-the-art defensive and preventive systems and practices quickly, objectively, and authoritatively to the many relevant product suppliers and customers. Siemens is an active member of the Industrial Control Systems Joint Working Group, which ICS-CERT established under the Critical Infrastructure Partnership Advisory Council. We sit on standards making bodies and have been an active participant in the creation of the Cyber Security Framework that came out of President Obama's Executive Order on Cyber Security in February 2013. In short, Siemens is actively engaged to increase the cybersecurity of our customers and our infrastructure.
Q: Are asset owners turning this newfound awareness about cybersecurity into actionable plans?
A: The implications of a cyber-attack are many, including unplanned downtime, loss of production or impaired product quality, manipulation of data, unauthorized use of systems, employee death or injury, environmental damage, loss of intellectual property, damage to the brand image and financial loss. We are seeing more implementation, but there remains a lack of intelligence to understand the increasing threat levels, and the information needed to take proactive defense measures. Asset owners also under pressure to understand and stay current on emerging government rules and regulations, as well as managing aging infrastructure.
Q: Are you seeing more collaboration and communication within a facility's IT and ICS teams?
A: Many plants are still in the midst of the chasm between the plant operations side of the house and the IT department. While the plant manager may be vaguely familiar with of cyber-attacks, his budget probably doesn't include a line item for cybersecurity. The production manager's job is to be secure but also to maintain uptime and keep production lines running 24/7. The maintenance manager wants to be protected but that protection can't have an impact on production. The cybersecurity officer is not set up for success because this is a new role for manufacturing and there is a severe skills gap. The enterprise IT manager is often on the sidelines and can't get access to control systems. As a result of this emerging threat landscape, it has become clear that the only strategy that would work is one with comprehensive security programs that address not just the technology, but also the people and the processes. Individual security measures, such as firewalls, network segmentation, DMZs are only effective if implemented as a component of an overall program, and we cannot expect those individual measures to guarantee security. It's the equivalent of locking your front door, and leaving your garage door open. It's important to realize we need to protect the production site as a whole, not just individual systems. Siemens takes a three-step approach to addressing specific aspects of industrial security regardless of whether the customer is operating a legacy control system or a recently installed control system.
Q: Siemens recently introduced a new cybersecurity services offering. As a traditional hardware/software company, why did it make this move?
A: As we routinely tell our customers, security is a way of life. It's not a one-time measure but rather a continuous life-cycle. Continuous monitoring is critical. And many of the most effective defenses against cyber-attack do not take the form of software or hardware. Rather, they are best practices to be woven into the daily routines of managers and workers at the facilities that contain computerized industrial automation systems. A key feature of these best practices is documentation of policies, procedures, guidelines and administrative controls. Siemens, working with customers, periodically re-assesses these processes and makes necessary adjustments based on the changing threat landscape.
To learn more about Risk-Driven Industrial Control System Cybersecurity Investment, join MAPI for its upcoming cybersecurity webinar, 2:00 p.m., August 19, presented by Mr. Tamer Soliman, Head of Services Operation for Siemens Industrial Security Services. Or click here to attend our October 15 Cybersecurity Forum, a one-day event for industry leaders to share best practices.