“I am sure you all agree that it is pretty annoying when someone steals our smartphones or when someone tries to break into our personal cloud storage stuff,” Joe Kaeser, Siemens CEO divulged at a recent press conference in San Francisco. “But at the end of the day, does it matter? No, it doesn’t matter much.”
As Siemens’ leader, Kaeser has been worrying about the growing threat cybersecurity poses to critical infrastructure such as the power grid, water treatment plants, public transportation and food supply. “But the point is, when the security of critical infrastructure is breached, the stakes are really much higher,” Kaeser said. It is a relatively new occurrence for hackers to be able to cause physical damage by targeting networked industrial equipment. “It is not so much that a cyberattack would make your production line stop,” Kaeser added. “That is simple because then you know [something is wrong]. But what if they are corrupting the data so that your food-and-beverage- or your pharmaceutical production has a slightly different recipe? That definitely would cause a disaster. This discussion is definitely new.”
Although the threat may be recent, the industrial cybersecurity risk will only grow with the continued development of autonomous vehicles and robots that physically interact with humans and other advances that bridge the gap between the digital and physical worlds.
[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]
The cyberattacks on critical infrastructure, and against democratic processes have quickly progressed from being mostly a theoretical-seeming threat to a common occurrence. As a result, industrial vendors are noticing a growing number of customers asking for help protecting their physical assets from cyber breaches. To help tackle the problem, Siemens has unveiled a cybersecurity framework with nine prominent partners — among them Airbus, Allianz, Daimler and IBM — at the Munich Security Conference, a military-focused event attracting heads of states, politicians and military leaders. Known as the Charter of Trust, the document has three primary goals: protecting individuals’ and businesses’ data, preventing harm to people, businesses and infrastructure; and fostering confidence in a connected digital world. “If you want to have industrial digitization and want to have the internet reach the industrial world — and make it a better world, there has got to be cybersecurity,” Kaeser said.
The risk of cyberattacks to virtually all infrastructure has become so pressing that no single organization or government can tackle it. On top of that, securing operational technology and critical infrastructure, complying with regulations such as the provisions for essential services protection in the NIS Directive can be demanding for even large organizations, said Aleksander Poniewierski, global IoT leader at EY. “The natural way [to deal with the challenge] is to build a consortium.” The organizations involved, which also include the Munich Security Conference organizer, the Dutch semiconductor firm NXP, Deutsche Telekom and the Swiss-headquartered inspection and testing service SGS, can pool their resources to come up with an evolving cybersecurity framework.
Critical infrastructures and regulated environments such as medical device manufacturing, banking and financial technologies operate within consortiums called Information Sharing and Analysis Centers (ISACs). In the case of FinTech, cyber threat information is shared within the Financial Services Information Sharing Analysis Center. While consortia can create a transformative ecosystem and strategic methodology for pooling resources, large collectives don’t necessarily equate to better flow of information according to Peter Tran, vice president and head of global security strategy at Worldpay. “At a certain point, consortia can become bureaucratic and the law of diminishing returns will kick in for when information becomes too old, inaccurate or delayed,” said Tran.
The Charter of Trust has 10 principles. Kaeser called out three as being especially important. The first principle is to establish responsibility for security at the highest level of government and business. The next guideline calls for defining baseline requirements for cybersecurity across the IoT supply chain, along with the development of independent certification for critical infrastructure and Industrial IoT technology. “Thirdly, and this is really important, we believe there has got to be cybersecurity rules in free trade agreements whether that is going to be a WTO, NAFTA, T-TIP or TPP or whatever the trade agreements are being called,” Kaeser said. Agreements need to be in place to delineate how cybersecurity is handled when going from country to country, he added. “There has got to be a cybersecurity agreement because the internet doesn’t know any borders.”
The companies involved in the charter will also work to help standardize IIoT deployments and assist manufacturers in addressing cybersecurity collectively, avoiding duplicating or overlapping development work. The aim of the agreement, however, is to go beyond merely having organizations reinvent the wheel when it comes to cybersecurity. “In many cases, I don’t think the wheel has been invented yet,” said Leo Simonovich, vice president and global head, industrial cyber and digital security at Siemens. Yet Simonovich also added that the thinking behind the Charter of Trust is not new. “Siemens has been on the cyber journey for the last 30 years. I think the call to action came in the last couple of years with the increase of cyberattacks against the industrial environment where they have gone from low single digits to over 30 percent. And we saw from our study with the Ponemon Institute that operational technology in the oil and gas sector is a greater concern [than IT].”
With the Charter of Trust, Siemens and its partners are hoping to improve the state of cybersecurity readiness across the industrial landscape. “The intent is very clear. We want to make this world a better world,” Kaeser said. “Not just in the physical area but also in the world of the digital age.”