Franz Köbinger, industrial security marketing lead, Siemens AG, details the company's multiple cybersecurity efforts and solutions at its booth during the recent SPS IPC Drives 2018 tradeshow in Nürnberg, Germany.
Effective cybersecurity requires cooperation by users, system integrators, contractors, suppliers and clients up and down production streams and supply chains. But how can all those players learn to collaborate? Probably the most comprehensive effort so far is being spearheaded by Siemens AG and 15 of its primary industrial partners, who recently signed their jointly developed Charter of Trust, which seeks to present a united front and standardized protections against cyber threats, intrusions and attacks. As part of these efforts, Siemens hosted a press tour in and around Munich in late November to provide an update on the partners' progress.
"Trust needs a level playing field, and that means having a baseline that everyone can follow," says Eva Schulz-Kamm, global head of government affairs, Siemens, who reported at the company's Munich campus that it's been rethinking its approach to cybersecurity ever since the Stuxnet virus emerged in 2010. "We've learned that digitalization creates risks as well as opportunities, which means we can't have smart devices enabled by microprocessors and networking without addressing their cybersecurity issues, too. Cybersecurity is crucial for increasingly digitalized economies, but we and our business partners can't jointly achieve it without trust, which is why we're taking it so seriously. Trust is the differentiator, but it's costly, and must be seen as investment that will deliver a return later."
Rainer Zahner, global head of cybersecurity governance, Siemens, adds that the company has more than 1,200 cybersecurity experts on staff, who perform internal protection services but are increasingly working with clients on similar efforts to both improve their security and boost their digital businesses. Siemens also recently established a hacking and research lab at its Munich facility, which examines and tests embedded devices.
"Siemens is in a unique position to lead on cybersecurity," says Zahner. "We're also taking a holistic approach to cybersecurity by initiating an improvement program to protect our IT/OT infrastructure, as well as secure our products and services. In fact, we're the first company to integrate cybersecurity in all phases of our product development lifecycle. The challenge now is that new approaches are always required, such as using data diodes that only let data out, but don't allow any access, or our Mindsphere technologies that are using security concepts like the IEC 62443 standard."
Zahner adds that Siemens is also driving long-term research into core cybersecurity technologies, including:
- Self-securing systems design;
- Security validation for digital twins;
- Next-generation patching;
- Security for cooperative, autonomous systems;
- Post-quantum cryptography;
- Homomorphic encryption;
- Automated forensics and malware analysis;
- Secure, cloud-based, real-time control; and
- Supply-chain security.
"We're seeing gas turbines with 5,000 sensors now, so the question is how to protect them over the next 10 years, which is why we're working on solutions like cryptographic algorithms, and also initiating and driving the Charter of Trust," explains Zahner.
Charter essentials
Siemens and eight initial partners launched the Charter of Trust last February at the Munich Security Conference, and the group quickly grew to 16 members announced at National Infrastructure Week last May. The signers presently include AES Corp., Airbus, Allianz, Atos, Cisco, Daimler Group, Dell Technologies, Deutsche Telekom, Enel, IBM, MSC, NXP, SGS, Siemens, Total and TÜV SÜD AG.
These partners signed the Charter of Trust with three primary objectives: protect data of individuals and companies; prevent damage to people, companies and infrastructures; and create a reliable foundation on which confidence in a networked digital world can take root and grow. These objectives led to 10 key principles and 17 baseline requirements (sidebar) for supply chain cybersecurity. The 10 principles are:
- Ownership of cyber- and IT-security;
- Responsibility throughout the digital supply chain;
- Security by default;
- User-centricity;
- Innovation and co-creation;
- Education;
- Certification for critical infrastructure and solutions;
- Transparency and response;
- Regulatory framework; and
- Joint initiatives.
Siemens reports it's bringing the first three principles to life, respectively, by establishing a new cybersecurity unit in January 2018; providing a multilayered security concept to give its plants all-around and in-depth protection; and applying its holistic security concept throughout the lifecycles of the 15 million Simatic products it manufactures each year. To achieve its regulatory framework goal, Siemens also participates in a network of cybersecurity-related organizations, such as ISA, FIRST, the CERT community and SAFEcode.
"About 90% of smaller companies and other organizations have already experienced cyber incidents, so many users and governments have been asking how Siemens can help because you can't do cybersecurity alone if you've got a microprocessor that's networked to the cloud," adds Schulz-Kamm. "We want to create a global sandbox where we and others can test our cybersecurity solutions. This doesn't mean everything will be secure, but it will mean we can do something about it, lead by example, and raise the bar on cybersecurity."
Going global—and local
The 17 baseline requirements for supply chain cybersecurity in the Charter of Trust for next-generation products and solutions are grouped into the following categories:
Data protection:
- Design products or services to provide confidentiality, authenticity, integrity and availability of data;
- Protect data from unauthorized access throughout the data lifecycle; and
- Incorporate security in product and service designs, as well as privacy where applicable.
Security policies:
- Make security policies consistent with industry best practices, such as ISO 27001, ISO 20243, SOC 2 and IEC 62443, covering access control, security education, employment verification, encryption, network isolation/segmentation, operational security, physical security and vendor management;
- Make guidelines on secure configuration, operation and usage of products or services available to customers; and
- Implement policies and procedures that prohibit back doors, malware and malicious code in products and services.
Incident response:
- For confirmed incidents, provide timely security incident response to customers for products and services.
Site security:
- Put in place measures to prevent unauthorized physical access throughout sites.
Access, intervention, transfer and separation:
- Make encryption and key management mechanisms available, where relevant, to protect data; and
- Put in place and enforce appropriate levels of identity and access control and monitoring, including for third parties.
Integrity and availability:
- Perform regular security scanning, testing and remediation of products, services and underlying infrastructure;
- Implement asset, vulnerability and change management policies that can mitigate risks to service environments;
- Put in place business continuity and disaster recovery procedures, and incorporate security during disruption, where applicable; and
- Establish processes to ensure that products and services are authentic and identifiable.
Support:
- Define and make available the timeframe of support, specifying the intended supported lifetime of products, services and solutions; and
- Based on risk, and during the timeframe of support, put in place processes for contacting support, security advisories, vulnerability management, and cybersecurity-related patch delivery and support.
Training:
- Regularly deploy a minimum level of security education and training for employees, such as training, certifications and awareness.
"For example, we work with the U.S. Dept. of Homeland Security's (DHS) Industrial Control System-Cyber Emergency Response Team (https://ics-cert.us-cert.gov) when a vulnerability is found or an incident occurs, and determine what's happened, when a patch is available, and how to inform the installed base," explains Brian. "We also participate in Siemens' secure development and deployment lifecycle; conduct threat and risk analyses of each product and the supply chain, too. We ask what golden nuggets are we trying to protect, what would a hacker exploit, and what would be the impact? We use these questions to define and offer mitigation strategies that will be the best choice for each user."
Brian adds that these options can include security awareness training, antivirus and whitelisting, patch management and, thanks to Siemens' recent partnership with Claroty, detection of anomalous communications.
Rainer Falk, principal research scientist, Siemens, adds that the company also released its Data Capture Unit (DCU), a secure data diode connector, in 2018 to protect installed equipment and enable cloud connectivity by allowing only one-way data flows. The device supports OPC UA communications and complies with IEC 62443-4-2 SL3.
"DCU lets users safely extract data from old automation systems, and deliver it to the digitalized world," says Falk. "It's also certified for use with safety systems and other closed networks."
Partners weigh in
Several other Munich-based signers of the Charter of Trust echoed sentiments expressed by Siemens' representatives about how their agreement can help them and their clients achieve stronger protections and present a more united front on cybersecurity.
"We were an early participant in the Charter of Trust and keen to drive its 10 commandments because without them we'll never get to a more stable market that can continue to grow because users can trust their devices and are willing to share their data," says Lars Regar, CTO, NXP Automotive.
Just as the Industrial Internet of Things (IIoT) and edge computing are transforming other applications and industries, NXP reports they're also penetrating its primary businesses, and require effective cybersecurity to succeed in these new areas.
"High-performance sensing is needed for precise recognition of analog and human environments, such as robots and autonomous vehicles," explains Regar. "We've been working with Siemens on devices that can deliver data outside of line-of-sight, such as equipping traffic signals with long-range RFID sensors that can work with car-to-car communications to inform vehicles of situations coming up. However, these applications must have secure connectivity and communications."
Wolfgang Steinbauer, vice president of cryptography and security, NXP, adds that, "Safety and security is built into everything we do because it's the basis of user acceptance. Previously, many devices weren't connected, and they were less vulnerable. Now, they're more connected, so users need to know that if one layer is broken through, there will be another that will keep their application stable. They need ubiquitous security for an insecure world, which is why we support the Charter of Trust."
Likewise, experts at the Watson IoT Center in Munich report that IBM also joined the Charter of Trust to engage with policy makers to collaborate, educate and raise awareness about cybersecurity, and raise the bar for it with tangible measures and results. "Together, we strongly believe that effective cybersecurity is a precondition for an open, fair and successful digital future, and by adhering to and promoting the Charter of Trust's principles, we're creating a foundation of trust for all," says Jonathan Sage, government and regulatory affairs, IBM. "We're also doing roadshows to get others to join, and trying to bring more cybersecurity down to the industrial and measurement levels where we're also located."
For instance, to achieve the Charter of Trust's "Principle 6—Education," IBM is requiring cybersecurity training for all its employees, and establishing a mobile cybersecurity facility for conducting simulated data breaches as part of its training for staff and partners.
Angelika Steinacker, CTO for Identity and Access Management (IAM) and IoT, IBM Security Europe, reports that, "All of cybersecurity is related to identity, so we're bringing our experience in this area to the Charter of Trust and vice versa." For example, "Principle 2—Responsibility throughout the digital supply chain" includes IAM for connected devices, so Steinacker adds that, "Taxonomy, standardization and industry-based IAM frameworks are needed."
To use IAM to establish cybersecurity for IoT systems, Steinacker advises:
- Get back to basic requirements, such as establishing identity assurance requirements for device classes before setting up an IAM framework for IoT, and take into account that IAM might vary by device class, type of application, network strength, data sensitivity, operational criticality, the impact of a potential compromise through unauthorized access, and more;
- Define an enterprise security and IAM architecture using a recognized method such as SABSA, adopt a graded trust model for IAM capabilities, and design authentication and authorization schemes based on risk models; and
- Establish an appropriate organization by working across business units.
Steinacker also suggests integrating IoT implementations into an existing IAM framework by:
- Establishing an extensible identity lifecycle for all categories of digital identities, especially for onboarding/registration;
- Establishing relationship mappings between all categories of digital identities;
- Implementing more restrictive logic in identity management workflows;
- Integrating IAM with asset management repositories;
- Establishing authentication and authorization procedures for local access or when devices are only intermittently connected to the network;
- Implementing a privileged user management system to ensure that administrators accessing systems and devices are under control;
- Defining privacy protections required for different data categories; and
- Integrating with an analytics solution.
Dave Braines, CTO for emerging technology, IBM Research UK, reports that IBM is also developing fully homomorphic encryption, which will let users analyze data while it remains encrypted and private. The method is based on lattice cryptography, and allows calculations to be performed on encrypted data without giving the party doing the calculation access to the plaintext.
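To show what "calculating on data without access to it" means in the lattice setting, here is an added example, not IBM's scheme: a toy symmetric Learning-With-Errors (LWE) encryption of single bits in which adding two ciphertexts, with no key, yields an encryption of the XOR of the two bits. The dimension, modulus and error bound are assumptions chosen for readability and give no real security.

```python
"""Toy lattice-based (LWE) bit encryption with homomorphic addition.

Added example, not IBM's code. Parameters are assumptions for readability only.
"""
import random

N = 64            # dimension of the secret vector (assumption)
Q = 2 ** 16       # ciphertext modulus (assumption)
ERR_BOUND = 4     # each fresh ciphertext carries an error e with |e| <= ERR_BOUND


def keygen(rng: random.Random) -> list:
    """Secret key: a uniformly random vector s in Z_q^N."""
    return [rng.randrange(Q) for _ in range(N)]


def _dot(a: list, s: list) -> int:
    return sum(ai * si for ai, si in zip(a, s)) % Q


def encrypt(sk: list, bit: int, rng: random.Random) -> tuple:
    """LWE sample (a, b) with b = <a,s> + e + bit*(Q/2) mod Q.

    Without s the pair looks random; the small error e is what makes the
    secret unrecoverable at real parameter sizes (here it is far too small).
    """
    assert bit in (0, 1)
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-ERR_BOUND, ERR_BOUND)
    b = (_dot(a, sk) + e + bit * (Q // 2)) % Q
    return (a, b)


def decrypt(sk: list, ct: tuple) -> int:
    """b - <a,s> = E + bit*(Q/2); decide whether the residue is nearer 0 or Q/2."""
    a, b = ct
    x = (b - _dot(a, sk)) % Q
    if x > Q // 2:            # centre the residue in (-Q/2, Q/2]
        x -= Q
    return 1 if abs(x) > Q // 4 else 0


def add(ct1: tuple, ct2: tuple) -> tuple:
    """Homomorphic addition: component-wise, no key needed, errors add up too."""
    a1, b1 = ct1
    a2, b2 = ct2
    return ([(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q)


def sum_ciphertexts(cts: list) -> tuple:
    """Encrypted parity of a list of encrypted bits, computed blind."""
    acc = cts[0]
    for ct in cts[1:]:
        acc = add(acc, ct)
    return acc


def max_safe_additions() -> int:
    """Decryption stays correct while the accumulated error is below Q/4,
    so at most (Q/4 - 1) // ERR_BOUND fresh ciphertexts may be summed."""
    return (Q // 4 - 1) // ERR_BOUND


def run_demo(seed: int = 1) -> dict:
    """Deterministic end-to-end check: XOR truth table and a 1000-bit parity."""
    rng = random.Random(seed)
    sk = keygen(rng)
    xor_ok = all(
        decrypt(sk, add(encrypt(sk, x, rng), encrypt(sk, y, rng))) == x ^ y
        for x in (0, 1) for y in (0, 1)
    )
    bits = [rng.randrange(2) for _ in range(1000)]
    cts = [encrypt(sk, b, rng) for b in bits]
    parity_ok = decrypt(sk, sum_ciphertexts(cts)) == sum(bits) % 2
    return {"xor_ok": xor_ok, "parity_ok": parity_ok, "max_safe": max_safe_additions()}


if __name__ == "__main__":
    print(run_demo())
```

Two things this makes visible that the paragraph does not: the party doing the addition never touches the secret key or the bits, and every operation grows the noise, which is why the number of operations before decryption fails is bounded (here about 4,000 additions) and why full schemes need bootstrapping to refresh it. Note also that the ciphertexts are malleable by design: homomorphic encryption gives confidentiality, not integrity, so anyone who can reach the ciphertexts can alter the computed result.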
Security joins safety
Another member of the Charter of Trust, TÜV Süd, and its four-year-old cybersecurity services division, TÜV Süd Sec-IT, support it because of how fast the cybersecurity field is evolving. For example, conventional tools like virus scanners and firewalls aren't enough anymore, which is fueling demand for "predict, detect, prevent and respond" solutions.
"The sheer numbers of connected devices in the future mean there will be a lot more vulnerabilities, so TÜV Süd has been shifting its focus from testing and verification for functional safety to also diving into cybersecurity," says Andy Schweiger, managing director, TÜV Süd Sec-IT. "We're also moving from testing and certification before a product goes to market to continuous testing of firmware and software updates. In addition, virus control used to be signature-based and is moving to become behavior-based, which is where machine learning and artificial intelligence (AI) can help by showing how viruses can occur and spread."
Schweiger adds that TÜV Süd has an advantage when addressing cybersecurity because it already knows the existing regulatory requirements and threat landscape, its experts are neutral and objective, and it can provide all needed cybersecurity services from one source. It presently has cybersecurity-focused hubs in Hong Kong, Shanghai, Mumbai, Singapore, Boston and Munich.
TÜV Süd Sec-IT also recently established its Octoforce team of cybersecurity experts to do accredited data protection testing within TÜV Süd's community and procedures, and produce reports and recommendations. "We can take a more dynamic approach with our testing because we're not focused on selling products," says Schweiger. "Much of the value today is in intelligence-led penetration testing. This is important because an IT-based hacker can use wind-speed and blade-angle data from wind farm applications to decide how to alter algorithms to cause damage. Operations technology (OT) people argue it would take years of proprietary data to learn to do this, but that isn't necessarily so."
Stefan Vollmer, CTO at TÜV Süd Sec-IT, reports that Octoforce has two main teams, penetration testing and threat intelligence, which seek to better understand cyber threats and attacks to help prevent them. "Lockheed Martin's Cyber Kill Chain identifies seven steps that a cyber attack must complete, including reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. If a defender can break any one of them, they're safe," says Vollmer. "However, this is no longer enough because there are more steps, such as attackers gathering information by emailing victims, or malware moving from staging servers to command-and-control servers to allow exfiltration.
"Cyber attackers want to stay silent and invisible, so 70-80% of their spending is on planning and reconnaissance, and building networks of servers and domains, while only 15-20% goes to actual attacks. Attacks typically progress from unknown servers to known servers. Botnets are also used because they're cheap and simple, while machine learning allows attackers to adjust minute by minute, and communicate between attackers, botnets and victimized systems. This is why cyber attacks are hard to track down."
To help mitigate some cyber intrusions and attacks, Stefan Laudat, lead consultant at TÜV Süd Sec-IT, reports that the division is developing its TÜV Attack Surface Detection (ASD) service, which includes:
- Digital footprint of an entity;
- Automated and manual red teaming;
- Device fingerprinting based on AI;
- OSINT-based digital reputation;
- Intelligence-led penetration testing;
- Critical asset identification; and
- Top management risk reports.
"TÜV ASD will also align OT and IT departments, combine their internal processes with best practices, and achieve complete risk awareness by using best-in-class tools and intelligence orchestrated with artificial intelligence (AI) and machine learning (ML) to determine weaknesses in infrastructure, web, cloud or social engineering," explains Laudat. "We'll also deliver impartial, easy-to-understand reports, updated metrics and indicators, intelligence and forecasting targeted at customers and/or third parties."
Solutions on display
The press tour concluded with a one-day visit to the SPS IPC Drives 2018 tradeshow in nearby Nürnberg, which included demonstrations of Siemens' cybersecurity solutions.
"We're integrating Claroty's anomaly detection technology with Palo Alto's firewalls, so HMIs can talk to PLCs, but not to other devices," explains Stefan Woronka, global head of Siemens Industrial Security Services. "This lets us create firewall rules, so we can do micro-segmenting of networks for improved cybersecurity. Customers are also asking for security that's integrated into operations centers on the IT side, and we're supporting those efforts, too. We also have McAfee's security information and event management (SIEM) scaled down into Siemens components, where it can run standalone or be integrated into those devices.
"We're also using a secure product development lifecycle that complies with IEC 62443-2-1, while our development team uses TÜV Süd-certified blueprints. Siemens Industrial Security Services is a comprehensive, modular, scalable portfolio that gives users everything they need to assess, implement and manage their applications securely."
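The "HMIs can talk to PLCs, but not to other devices" micro-segmentation described above can be sketched as a default-deny policy derived from an observed traffic baseline. The following is an added example and is not Siemens', Claroty's or Palo Alto Networks' code or API: the asset roles, the baseline flows and the port list are constructed here, and the rule format is a generic first-match model rather than any vendor's syntax.

```python
"""Default-deny micro-segmentation policy built from an observed baseline.

Added example, not Siemens', Claroty's or Palo Alto Networks' code. Asset roles,
baseline flows and the expected HMI->PLC ports are all constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset roles (an anomaly-detection product would learn or be told these).
ROLES: Dict[str, str] = {
    "10.1.1.10": "hmi",
    "10.1.1.11": "hmi",
    "10.1.2.20": "plc",
    "10.1.2.21": "plc",
    "10.1.9.5": "file-server",
}

# Assumption: the only protocols an HMI needs toward a PLC here are
# S7comm (102/tcp) and OPC UA (4840/tcp).
HMI_TO_PLC_PORTS = {102, 4840}

Flow = Tuple[str, str, int]   # (src_ip, dst_ip, dst_port); TCP assumed

# Constructed baseline of conversations observed during a "quiet" learning period.
BASELINE: List[Flow] = [
    ("10.1.1.10", "10.1.2.20", 102),
    ("10.1.1.10", "10.1.2.20", 102),    # duplicate observation
    ("10.1.1.11", "10.1.2.21", 4840),
    ("10.1.2.20", "10.1.9.5", 445),     # PLC talking SMB to a file server: not HMI->PLC
]


@dataclass(frozen=True)
class Rule:
    src: str      # IP or "any"
    dst: str      # IP or "any"
    dport: int    # port, or 0 for any
    action: str   # "allow" or "deny"


def build_policy(baseline: List[Flow]) -> Tuple[List[Rule], List[Flow]]:
    """Turn the baseline into explicit HMI->PLC allow rules plus a final deny.

    Flows that are not HMI->PLC on an expected port are NOT allowlisted just
    because they were seen; they are returned for human review, because a
    baseline recorded after a compromise would otherwise bake the intruder in.
    """
    allow: List[Rule] = []
    review: List[Flow] = []
    for src, dst, dport in baseline:
        if ROLES.get(src) == "hmi" and ROLES.get(dst) == "plc" and dport in HMI_TO_PLC_PORTS:
            rule = Rule(src, dst, dport, "allow")
            if rule not in allow:
                allow.append(rule)
        else:
            review.append((src, dst, dport))
    return allow + [Rule("any", "any", 0, "deny")], review


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation, the way a firewall walks its rule base."""
    for r in rules:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.dport in (0, dport):
            return r.action
    return "deny"   # unreachable with the final deny rule; kept as a safety net


if __name__ == "__main__":
    rules, review = build_policy(BASELINE)
    for r in rules:
        print(r)
    print("needs review:", review)
    print(evaluate(rules, "10.1.1.10", "10.1.2.20", 102))   # allow: observed HMI->PLC
    print(evaluate(rules, "10.1.1.10", "10.1.2.21", 102))   # deny: never observed
    print(evaluate(rules, "10.1.1.10", "10.1.1.11", 3389))  # deny: HMI to HMI
```

The check a practitioner wants here is the review list: an allowlist generated blindly from "whatever the sensors saw" is only as clean as the network was during the learning window, so anything that is not an expected role-to-role flow should be approved by a person rather than promoted to a rule.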