Here at Siemens’ press event on cybersecurity in Munich, the company is focusing on the issue of trust — without trust in digitalization, industrial users will not embrace the IoT and connected technologies. Eva Schulz-Kamm, Global Head, Government Affairs, Siemens, spoke today on “digitalization and the importance of cybersecurity.” Schulz-Kamm, a physicist by training, is responsible for global affairs and is based in Berlin.
While security might seem to be a recent concern for the world, the company and others like it have been worrying about this issue for more than three decades. In the 1980s, it was about connected products. In the 1990s, it was connected systems. And in the 2000s, the IoT was coming, with connected facilities/plants/sites being the focus. By 2020, we will have billions of devices that are connected. And security will be more important than ever.
“The growth is more than 30% and it’s really getting into the steep part of the curve,” Schulz-Kamm said.
She explained that customers want smart solutions, and they are telling Siemens that they want more, but they are concerned about whether they can trust the solution.
“They ask, ‘Do I really want to open up my factory, so others can look at it or compromise it?’ I think they’re right to have doubts and need evidence and proof that the system can be trusted,” she said.
And while it’s impressive to look at the growth of our connected world, its exposure to malicious cyberattacks is also increasing dramatically, putting our lives and the stability of our society at risk.
“The attacks are becoming stronger and more massive and more damaging,” she said.
Cybersecurity, she said, has to be more than a seatbelt or an airbag; it has to be a basic, crucial factor. If people and organizations can’t trust digital technologies, they will not accept or embrace the coming digital transformation. These two things — digitalization and cybersecurity — must evolve hand in hand.
“There is no smart solution without trust,” Schulz-Kamm said.
Here, the company is driving cybersecurity holistically with clear overall goals. Siemens is in a somewhat unique position in this field, being a global player in digitalization, having domain know-how of verticals in cybersecurity and being a founder of the Charter of Trust — a 2018 agreement begun with 10 principles across industry and government that sets minimum general standards for cybersecurity. Plus, software is more of a focus for the company than it has been in the past. With acquisitions and in-house developments, Siemens today is the eighth largest software company in the world. There have been more than 10 billion euros of software acquisitions since 2007.
Rainer Zahner, Global Head of Cybersecurity Governance, Siemens, explained that the company is driving security down the digital value chain. It has initiated an improvement program to protect IT/OT infrastructure, created initiatives to secure products and services, and was the first company to integrate security in all phases of the product development lifecycle.
Zahner said that new approaches to technology are needed. Increasingly connected industrial control systems offer new levels of efficiency and productivity — but these critical connected parts of infrastructure also mean that there are new possibilities of being attacked.
The IEC 62443 security levels are defined as:
SL1: Protection against casual or coincidental violation
SL2: Protection against intentional violation using simple means, low resources, generic skills, low motivation
SL3: Protection against intentional violation using sophisticated means, moderate resources, ICS specific skills, moderate motivation
SL4: Protection against intentional violation using sophisticated means, extended resources, ICS specific skills, high motivation
According to Zahner, Siemens is driving long-term research in cybersecurity internally. This involves self-securing system design, security validation for digital twins, NextGen patching, security for cooperative automation systems, post quantum cryptography, homomorphic encryption, automated forensics and malware analysis, secure cloud-based real-time control, and supply-chain security.
Schulz-Kamm said that Siemens has requested France include cybersecurity as a topic for the 2019 G7 meeting, and that 16 partners have now signed the Charter of Trust. The Charter of Trust has three main objectives: Protect the data of individuals and companies; prevent damage to people, companies and infrastructure; and create a reliable foundation on which confidence in a networked world can be based.
“In the end, we could all lead by example, but we need governments to be involved. If you look at global supply chains around the globe, the Siemens, the Airbuses, the Daimlers are the ones providing security. But we’re all connected, and if we don’t have at least a baseline, attacks can happen. We’re telling the companies and the governments that we have to look at it in a connected holistic way — and we have to do it now,” she said.
Within governments, the focus on security is scattered. In the United States, for example, there are different focuses (and people involved) in the White House, the Department of Defense, and the Department of Transportation. Schulz-Kamm said that this patchwork approach is a problem … and that the same thing is happening in many countries. Industry needs to bring this issue to the forefront and must get government officials to understand the need for a holistic approach.