Decades ago, the term “industrial security” primarily referred to safeguarding physical assets. With the rise of connected industrial control systems, the focus expanded to keep remote intruders out. In both cases, industry professionals often approached security as a mission to keep some malevolent “other” out of their premises and away from critical machinery. While the threat of external threat actors is very real, the greatest danger for industrial companies may be insiders. A 2017 Poneman Institute survey of 377 security professionals in oil and gas facilities reported that the top threat to critical operations is negligent employees (earning 65 percent of responses) followed by malicious or criminal insiders (15 percent). Many security experts also believe employees are generally a greater threat than external hackers in various industries.
In a recent interview, Leo Simonovich, vice president and global head, industrial cyber and digital security at Siemens touches on both internal and external cybersecurity risks, and also touches on the importance of aligning cybersecurity with quality and safety initiatives and the role AI and machine learning can play in protecting against bad actors.
Some industrial organizations have resisted embracing Internet of Things technology out of security fears. Do you see this behavior changing in the near future?
Simonovich: The benefits of digitalization are too great to ignore. Many organizations realize this, and yet, they are inhibited by the fear that once they get connected, their risk is going to increase exponentially. But I think you have to look at the sources of risk. Many organizations think if they are airgapped, then there are safe. The fact is that connectivity gives you the insight into what is happening in your environment and also gives you the opportunity to react.
[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]
What is your advice for aligning cybersecurity with other industrial priorities?
Simonovich: We have to separate the progression on the cyber journey from the mechanisms by which you protect yourself.
As you have more information pushed out to the edge, it is important to prioritize your assets based on two perspectives: risk and business priority. You have the highest level of protection going to your most critical assets and lowest level going to your less critical ones.
At the same time, cybersecurity is a journey, and the probability of being attacked is 100 percent. What is important is to take incremental steps to improve one’s readiness to face those attacks. I think of this as resiliency.
What are the core steps organizations should take concerning industrial security?
Simonovich: The steps for us are as follows:
- Develop a strategy.
- Address the fundamentals, which include patching, whitelisting, configuration management, incident response and monitoring.
- Develop a clear plan for deploying resources in case of an attack.
Organizations should have a cyber asset management program that looks at the discovery of assets, maintenance and disposal.
How do you see most industrial companies approaching asset management?
Simonovich: What is important is to be able to look at the cyber asset management from those two perspectives: first as an asset — a physical device — and second, as being a piece of data traveling across your operating environment.
It is not just the physical asset you are securing. You are also securing the types of data that flow across your wires.
Today, most industrial organizations do asset management with a clipboard, and, if they are lucky, an Excel spreadsheet. What that leaves behind, especially in OT deployment, is a whole swath of connected devices especially at the edge.
My advice is for organizations to mature their cyber asset management program incrementally. Where I think that begins is with this idea of prioritization.
You secure your most important assets and then, from there, think about how those assets interact with one another. Understand that interaction — and the corresponding data flows — require data classification systems.
What role do you see machine learning and artificial intelligence playing in industrial security?
Simonovich: We at Siemens think that AI and machine learning is an important approach by which to short-circuit some of the core problems in security.
When I talk to customers they will have eight different protocols, on average, if you are not counting what is homegrown. They will have legacy assets some of which are analog, some are digital — with digital often being bolted on.
What that means, is that it is important for the customer to take incremental steps to short circuit this problem. AI and machine learning give you that pathway. It allows you to work in an environment that otherwise is very complex. It establishes a baseline and from there, helps with detection. We, for example, partnered with a company called Darktrace that provides anomaly detection using unsupervised machine learning. And it does this in real time by learning what is happening and from there, detecting even the smallest variances in network traffic. Those variances, no matter how small they are, can have major consequences.
What is important is not just to have AI and machine learning to detect something, but in OT, to actually understand what that [thing] means. So for us, Darktrace does the detection. We’ll help guide, contextualize and understand what this means for the production environment. Whether this particular PLC or RTU sits in a production process, and what this could mean in the case of energy customers to plants and power outages.
Siemens has a significant digital twin initiative. How do you see digital twin technology changing the industrial security landscape?
Simonovich: To do monitoring and detection well, there are three pieces to the puzzle. You have to look at network data, control data and asset data. We at Siemens combine all three through our analytics for security.
Asset data is an indicator, whether it is the comparison between what the control system is saying the turbine should do and what the turbine is doing in real time.
We partnered with PAS, which looks at the control layer. Darktrace looks at the network layer. And of course, we are one of the largest producers of heavy machinery and turbines in the world.
We can adjust all three — not just ourselves but across our customer install base. And then give the customer insights into detection of anomalies but also contextualization of what is happening.
That is a similar concept to digital twins.
I hear that the industrial sector is making strides in making cybersecurity a priority, but the number of attacks is increasing. How do you reconcile those two trends?
Simonovich: The external environment is getting worse. The number of attacks against the industrial environment has ramped up. At the same time, our customers, especially in the energy sector, which is the most attack critical infrastructure vertical, are gaining awareness.
In our study we do with the Ponemon Institute, we saw that 59 percent of respondents said that OT is now a greater concern than IT.
That study also reported that 67 percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats. What do you make of that?
Simonovich: They know they have problems. But when we asked them: ‘What stage of the maturity curve are you on?’ Seventy-two percent said: ‘Low to medium maturity.’
There is increased awareness, but at the same time, the threat landscape is changing very quickly. You have enormous amounts of cyberattacks and what is important for customers, you have to take steps [to address the issue]. Holding up your hands and saying: ‘I don’t know what to do’ is not the answer.
That is why we at Siemens are partnering with our customers on the cyber journey. And we are enabling them through consulting and professional services to develop a strategy and then begin to tackle the core problems like cyber asset management and vulnerability management incrementally. Otherwise, the problem is too complex.
How do you see the energy sector responding to the industrial security challenge compared to other industries?
Energy customers have had the perfect storm: increased risk, corresponding regulation and then a push to go digital.
This means that regulation has given a number of our energy customers the foundation to think about security. But compliance does not necessarily equal risk reduction.
This means that our energy customers, especially those that are considered leaders in this space who are in a later stage of the cyber journey, have taken great steps to improve their cybersecurity posture.
They have done this despite the fact that in oil and gas, they are operating in distributed environments with lots of suppliers where asset owners don’t necessarily own the risk.
What I am concerned about is how do we take the lessons learned from the leaders that we are partnering with and apply those lessons learned to the middle.
You are only as good as your weakest link, whether it is in your supply chain or your ecosystem.
What kind of take-home message would you like to impart to industrial professionals?
Simovich: Security needs to be closely linked to safety and quality initiatives.
A great cybersecurity program will directly benefit the business. Security can be considered as a core part of the business and a competitive advantage.
In safety, the focus was to prevent incidents from happening. You had to reduce human error.
A similar approach has to be taken in security, too.
Think about the impact on safety that a major [accident] can have. A major incident can drive the adoption of a safety mindset. We recommend that our customers have a safety and security mindset. The two have to go hand in hand.