Siemens Moves to Secure Industry 4.0

Whether we like it or not, manufacturing is becoming increasingly digitized and connected. Industry increasingly connects production machinery with Internet of Things (IoT) devices, gathers multiple real-time sensor information into large datasets and harnesses machine learning to make data driven decisions. The advantages of this 4^th industrial revolution are expected to generate huge increases in profits over the next few years. However, these developments are not without risk.I’m not going to discuss the existential risk of drifting into dependence on a system so complex that only machine intelligence can make any sense of it. Cyber security presents much more immediate risks. Industry 4.0 brings the possibility of both terrorists and state actors gaining the ability to remotely shut down and sabotage critical infrastructure and military assets.

One of the key shifts in capability that big data is bringing, is the ability to combines what were previously separate packets of information into an overview of the entire organisation. This will help optimise productivity and set up a cycle of continuous improvement, driving still more efficiencies across unconnected business functions.

It’s important that in our haste to embrace data as a powerful commercial enabler we don’t forget fundamentals like business continuity, and health and safety. When we forget these basics, it can lead to machinery breaking down, power outages, or even fatal accidents. The conservative and sceptical, who view Industry 4.0 as something to be approached cautiously, should not be dismissed as luddites. Rather, their concerns should be addressed. The risks of disruption and security breaches must be reduced to enable a more widespread adoption of these technologies.

“When talking to either a ‘big data’ evangelist or a risk-averse naysayer, I often find they both share a lack of understanding about the nature, value and significance of the data they produce. Some simply don’t know what data they are generating, whether it is secure and whether it needs to be secure,” said Paul Hingley, Business Manager, Data Services at Siemens. “Questions such as is the data subject to compliance, is it a business continuity risk or is it actually a piece of proprietary IP, are not always considered. And when I ask how robust the data security is within their supply chain, the answer is very often ‘I don’t know’.”

How Important is My Data?

When data is used as part of an optimization process, its importance invariably changes. Data that was previously seen as of low importance may now impact on critical processes. As an organisation becomes more connected and uses data more intelligently, the overall importance of data therefore increases. Hingley refers to Siemens’ work at Heathrow Airport as an example of this: “As part of a wide-ranging data analytics project, we installed performance monitors on the 3,000 baggage carts which run around tunnels under the terminals.Data gathered from these helped Heathrow to predict when a wheel was likely to fail, at which point the cart was automatically diverted into a repair area.However, while this is great example of predictive maintenance being driven by data analytics, Heathrow is also a piece of the UK’s critical infrastructure.”

Many experts agree that cybersecurity, as with other safety issues, is best addressed by standard protocols and procedures. Siemens’ answer to securing industrial data is to create the world’s first joint cybersecurity protocol for manufacturing last year. The Charter of Trust already has 16 international signatories including Airbus, Atos, Cisco, Daimler, Dell Technologies, Deutsche Telekom, IBM and Mitsubishi Heavy Industries.

Assessing Safety, Security, and Vulnerability

Critical infrastructure, such as power generation, is perhaps at even greater risk from cyber-attack than manufacturing and has become a major target for hackers. The energy sector is experiencing increasing numbers of near-miss safety events at power generation plants around the world. These attacks could lead to significant wider economic impacts as well as damage to plant and injury to people. According to Leo Simonovich, vice president and global head for industrial cyber and digital security at Siemens, cyber-attacks within the energy sector are getting increasingly both more frequent and more sophisticated. As an example, Simonovich referred to an attack late last year at a Schneider Electric safety system in a Saudi petrochemical plant. Hackers were able to rapidly move from IT, to operations (OT), and into safety. “Attackers are interchanging their techniques—leapfrogging from digital to physical and back again… What’s common between IT and OT attacks is human error, we want to borrow the principles from safety and the principles of hygiene and awareness and bring those two together.”

Building on their Charter of Trust, Siemens has now collaborated with TÜV SÜD to provide digital safety and security assessments, as well as industrial vulnerability assessments to help global energy customers identify asset risk and cybersecurity solutions.

The partnership will see TÜV SÜD providing digital assessments with cybersecurity vulnerability assessments carried out by Siemens. The assessments are not specific to Siemens technologies and products, they are vendor-agnostic when it comes to industrial control systems (ICSs). The target customers are the oil and gas, and power generation sectors. Nuclear power is not yet covered.

“We’re combining core strengths that both companies have in order to bring a holistic approach for the energy industry, we are leveraging our deep know-how across disciplines,” said John Tesoro, president and CEO of TÜV SÜD North America.

Cybersecurity Hygiene a Focus

A key innovation of this alliance is an emphasis on minimizing the impact of human error. This involves borrowing principles from safety, and from hygiene and awareness, in an integrated way. Cybersecurity should incorporate resiliency, hygiene and security by design. It’s important to understand specific cyber risks and defences, but generic safety measures are also important. For example, gaining visibility and situational awareness of the risks is important. This depends on correctly implementing root cause analysis. In this way, the principles are the safe as with health and safety, there needs to be a culture where people within the organisation report an incidents that represent a breach of protocols or near-miss events. Examples might include using an unauthorized USB stick on the network or forgetting to log off a terminal. Creating this culture requires continual learning and training.