Siemens has been working to stay on top of vulnerabilities found in its products, but more importantly, to ensure the security of its internal operations. The manufacturing giant, which works in several different lines of business, including industrial, smart infrastructure, healthcare and financial services, is protecting its systems by focusing on three main areas: zero trust, supply chain and legacy systems.
Siemens has grown exponentially through acquisitions in its 166 years and employs more than 300,000 people. Acquisitions mean system integrations and can often bring cybersecurity risks.
“We’re a company of companies,” Helen Negre, who recently took on the role of director of cybersecurity at Siemens US, tells CSO. That means it’s difficult to create a single enterprise-wide cybersecurity strategy, she explains.
It’s not an easy time to be a cybersecurity officer, and Siemens is in the crosshairs of advanced attackers because it’s heavily involved in the critical infrastructure space. “If you put a name on critical infrastructure, we probably have something to do with it,” Negre tells CSO. “And with today’s political landscape and cyber landscape, we see activity … we have billions of events a day that we have to manage.”
What zero trust means for Siemens
Siemens is not alone when it comes to putting zero trust at the top of its cybersecurity agenda. According to Forrester, 83% of large global enterprises have committed to adopting zero trust. A 2022 survey by Okta found that 55% of organizations already have a zero trust initiative and 97% plan to have one in the next 12 to 18 months.
At Siemens, zero trust means micro-segmentation, perimeter security, strict identity management and strict policy enforcement.
Siemens is taking a three-tiered approach to zero trust. The first stage is education, creating roadmaps, identifying the applications and assets that need to be secured, and coming to a shared definition of what zero trust looks like for each organization in the enterprise.
“Part of it has been a cultural mindset,” says Negre. “This includes getting people at all levels of the organization to understand what zero trust is, why it’s important and how it reduces risk, and developing a roadmap with specific milestones for each of our organizations.”
The goal was to create a zero-trust framework together with individual lines of business. “So it’s not cybersecurity coming to the organization and saying, ‘You have to do this and you have this amount of time to do it.’”
This first stage of the transition to zero trust has already been completed, she says. Siemens is now going through the second stage and moving towards the third.
This second stage involves addressing all the “low-hanging fruits” of the zero-trust roadmap, focusing on projects that will be implemented within six to 12 months.
The third stage would then involve long-term projects. Some of Siemens’ lines of business are in highly regulated industries. “It might require a slower, more deliberate transformation,” says Negre. And then there are the sites with legacy devices that will need significant investment before they’ve fully transitioned to zero trust.
The difficulty of protecting legacy hardware
In industrial and healthcare environments, it’s common to find old hardware that wasn’t designed to work in a connected world and certainly doesn’t live up to zero-trust principles.
“In manufacturing environments, the lifecycle of equipment is quite long. If you have an abandoned project in an industry that hasn’t changed much in 40 years, what you’re inheriting, especially in acquisitions, might be something your father or grandfather can recognize,” says Negre.
She said that 1% to 2% of Siemens factories are the most modern and up-to-date smart factories built around cybersecurity principles. Another 1% to 2% are relics of the past. The rest are somewhere in between.
Whether it’s working with internal business units or with external clients, “we have to serve them where they are,” says Negre. “And sometimes this is an older machine that has worked perfectly for 30 years. How can we move forward and provide connectivity, do it securely, and make it zero trust?”
If this is a manufacturing environment, the machines may be running all the time and cannot be shut down for patching. In addition to that, some of these teams have custom software, she says, that is designed for that particular location. Putting a security wrapper around this equipment is only a stopgap measure. “We don’t just rely on that,” she says.
Even if the security envelope has connectivity and a firewall, this alone is not considered sufficient to meet Siemens’ internal standards. “You should meet our password and authentication standards, our micro-segmentation standards.”
The best option is to rip and replace, which is what Siemens is doing over time. But at the end of the day, everything has to go to zero trust, she says. “If you don’t want to run this machine the way our grandparents did, we have to have connectivity, but we have to add it securely.”
Supply chain security
Protecting internal systems and legacy equipment is only half the cybersecurity battle. Siemens’ zero trust strategy also extends to all its suppliers. According to Bulletproof’s 2022 Cybersecurity Industry Report, 40% of cyber threats now occur indirectly through the supply chain. “We deal with sellers who are not ready for zero trust,” says Negre. “Whether it’s an application that isn’t there yet, or a SaaS solution that isn’t there yet.”
In fact, Siemens has an entirely separate initiative on supply chain security, of which zero trust is only one part. “And a lot of it is about identifying which vendors meet our state-of-the-art cybersecurity criteria,” she says.
If they don’t meet the criteria, Negre says they’re sorting all vendors into categories and having honest conversations with their internal businesses. “This particular vendor, this particular supplier, may be too risky for the organization and maybe we should find an alternative.”
There is no one factor that makes a vendor too risky, she says. “We evaluate technology holistically, based on a range of criteria including global cybersecurity standards, publicly accessible information on its vulnerabilities and recent cyber incidents,” she says. Vendors are also scored on their security posture in areas such as physical, endpoint and cloud security.
Having alternatives is also especially helpful when dealing with critical infrastructure and single-source providers. “This has become a pain point in many ways recently. There’s a push to find some diversity in the landscape, not just from a cybersecurity perspective, but from an availability perspective.”
Another key aspect of supply chain security is requiring vendors to provide software bills of materials (SBOMs). There are regulatory requirements for SBOMs at some of the Siemens companies. Additionally, the company has deep ties to Europe, and the upcoming Cyber Resilience Act (CRA) will require SBOMs for most critical infrastructure.
“And sometimes we have products that are designed here and sold in Europe, or designed there and sold here, so we have to make sure that we have all of our dependencies defined as much as possible,” adds Negre.
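Negre’s point is that an SBOM is only useful if its dependencies are actually defined. The following is an added example, not Siemens’ tooling, of the kind of intake check a receiving team can run on a vendor-supplied CycloneDX JSON SBOM: it flags components that cannot be identified (no name, version or purl), dependency edges that point at components the document never declares, and components whose own dependencies are left unspecified. The sample SBOM and its component names are constructed for the example and contain two deliberate gaps.

```python
import json

# Constructed CycloneDX 1.4-style SBOM (not a real vendor document). It has two
# deliberate defects: one component has no version or purl, and one dependency
# edge points at a bom-ref that is never declared as a component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "plc-gateway",
                               "version": "2.3.0",
                               "bom-ref": "pkg:generic/plc-gateway@2.3.0"}},
    "components": [
        {"type": "library", "name": "libmodbus", "version": "3.1.6",
         "bom-ref": "pkg:generic/libmodbus@3.1.6",
         "purl": "pkg:generic/libmodbus@3.1.6"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "bom-ref": "pkg:generic/openssl@1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        # Missing version and purl: cannot be matched against advisories.
        {"type": "library", "name": "vendor-crypto-shim",
         "bom-ref": "vendor-crypto-shim"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/plc-gateway@2.3.0",
         "dependsOn": ["pkg:generic/libmodbus@3.1.6",
                       "pkg:generic/openssl@1.1.1k", "vendor-crypto-shim"]},
        {"ref": "pkg:generic/openssl@1.1.1k", "dependsOn": []},
        # zlib is referenced here but never declared in "components".
        {"ref": "vendor-crypto-shim", "dependsOn": ["pkg:generic/zlib@1.2.11"]},
    ],
})


def check_sbom(sbom_text):
    """Return a list of (severity, message) findings for a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append(("error", "not a CycloneDX document"))
        return findings

    components = bom.get("components", [])
    root = bom.get("metadata", {}).get("component")
    # Every ref that a dependency edge is allowed to point at.
    known_refs = {c.get("bom-ref") for c in components if c.get("bom-ref")}
    if root and root.get("bom-ref"):
        known_refs.add(root["bom-ref"])

    # 1. Each component must be identifiable so it can be matched to
    #    vulnerability data later: name, version and purl.
    for c in components:
        label = c.get("name", "<unnamed>")
        for field in ("name", "version", "purl"):
            if not c.get(field):
                findings.append(("warn", f"component {label} missing {field}"))

    # 2. The dependency graph may only reference declared components.
    declared_deps = set()
    for d in bom.get("dependencies", []):
        ref = d.get("ref")
        declared_deps.add(ref)
        if ref not in known_refs:
            findings.append(("error", f"dependency entry for undeclared ref {ref}"))
        for dep in d.get("dependsOn", []):
            if dep not in known_refs:
                findings.append(("error", f"{ref} depends on undeclared ref {dep}"))

    # 3. A component with no dependency entry has undefined transitive
    #    dependencies, which is exactly the gap Negre describes.
    for c in components:
        if c.get("bom-ref") and c["bom-ref"] not in declared_deps:
            findings.append(("info", f"component {c['name']} has no dependency entry"))
    return findings


def summarize(findings):
    """Count findings per severity so an intake gate can apply a threshold."""
    counts = {"error": 0, "warn": 0, "info": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = check_sbom(SAMPLE_SBOM)
    for severity, message in results:
        print(f"[{severity}] {message}")
    print(summarize(results))
```

On the sample document the check reports one error (the undeclared zlib reference), two warnings (the shim’s missing version and purl) and one informational finding (libmodbus has no dependency entry). A procurement gate would typically reject on errors and send warnings back to the vendor before the component is matched against vulnerability feeds.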
Preparing for new regulations and strategies around the world
Europe’s CRA is just one of the regulatory changes Siemens is monitoring. In the United States, there have been several new cybersecurity initiatives, the most recent being the new National Cybersecurity Strategy.
Also in March, the Transportation Security Administration issued a directive requiring greater cybersecurity in the aviation industry. “It’s a dynamic place. We are figuring out exactly how it applies to our world and working as much as possible with our partners to have practical cybersecurity legislation that can be implemented not only by large organizations like us, but also by organizations below the threshold of cyber poverty.” Those other organizations could be Siemens vendors or external customers, she says.
Siemens is also committed to working with government organizations and information sharing and analysis centers (ISACs), she says, not just in the US, but around the world. “The key for us as an organization is that we build relationships. In every country where we have a presence, we probably have a relationship with the government in a way that allows us to share information and get an idea of what the threat is specific to this country.”
The company works primarily through public-private intelligence sharing groups such as the various ISACs. “We also work with government bodies like CISA, NIST, the FBI and many more to share knowledge, receive information and ensure we meet all regulatory requirements,” she says. This also helps create a safer cybersecurity ecosystem for all businesses.
The Siemens cybersecurity team considers future threats
There are also big technological changes coming. One of them is quantum computing, which some believe has the potential to make all current encryption obsolete. It’s a real threat, Negre says, but not necessarily imminent.
“Quantum computing has been on the horizon for ten years, and they’ve said it’s going to happen any day now,” she says. “The computers that can really act in this space are quite limited. The algorithms have not yet been produced. Everyone should be preparing for it, but it’s not necessarily number one on your agenda.”
Another trend that exists today is that of artificial intelligence. Siemens has its own AI research and data scientists. “It helps us work more efficiently,” she says. “If you’re not using it in your cyber program, maybe you should evaluate it, maybe in automation or in remediation. What can be done with AI that can replace some of that manual effort, so that key experts can be free to work on the important things?”
With more than a billion events per day, Siemens has had to build its own solutions, but it also works with external providers to integrate their solutions into its environment. “Some of our companies have been quite public in the way they use artificial intelligence to automatically correct entries and to drive some of our cybersecurity innovation,” she says. “We’re looking at all versions of AI and figuring out how best to use it in our organization.”
Siemens is not currently using OpenAI’s ChatGPT internally due to concerns about the security of communications. “We have our own version that we’ve encouraged employees to use,” she says. “It’s an internal solution.”
Copyright © 2023 IDG Communications, Inc.
Siemens, one of the world’s leading engineering and technology companies, is focusing on the implementation of a zero-trust security model, legacy hardware, and supply chain challenges in order to strengthen the cybersecurity of its internal systems. In the face of increasingly sophisticated cyber threats, Siemens aims to better protect its valuable intellectual property, customer data, and other corporate information.
Central to Siemens’ model is the concept of zero trust security. Instead of relying on traditional firewalls and user authentication as the primary defense against cyber attacks, the company is focusing on granular control of user privileges and access, which also enables technology like virtualized networks and cloud infrastructure. Additionally, it has fortified and segmented its networks, deterring intruders by limiting the scope of potential security incidents.
However, many of the systems Siemens currently runs are based on legacy hardware, posing a continued challenge to the company’s security protocols. Old firmware and software aren’t always compatible with modern cybersecurity infrastructure and require continual patches and updates.
Siemens is also increasingly aware of the need for stronger measures to protect its supply chain. Outsourcing components and services to third-party vendors can lead to vulnerabilities, so measures must be taken to ensure that all software is updated with the latest security measures.