Q&A: Siemens Industrial Security Exec on Cyber Priorities
I hear that the industrial sector is making strides in making cybersecurity a priority, but the number of attacks is increasing. How do you reconcile those two trends?
Simonovich: The external environment is getting worse. The number of attacks against the industrial environment has ramped up. At the same time, our customers, especially in the energy sector, which is the most attacked critical infrastructure vertical, are gaining awareness.
In the study we do with the Ponemon Institute, we saw that 59 percent of respondents said that OT is now a greater concern than IT.
That study also reported that 67 percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats. What do you make of that?
Simonovich: They know they have problems. But when we asked them: ‘What stage of the maturity curve are you on?’ Seventy-two percent said: ‘Low to medium maturity.’
There is increased awareness, but at the same time, the threat landscape is changing very quickly. You have enormous amounts of cyberattacks, and what is important for customers is that you have to take steps [to address the issue]. Holding up your hands and saying: ‘I don’t know what to do’ is not the answer.
That is why we at Siemens are partnering with our customers on the cyber journey. And we are enabling them through consulting and professional services to develop a strategy and then begin to tackle the core problems like cyber asset management and vulnerability management incrementally. Otherwise, the problem is too complex.
How do you see the energy sector responding to the industrial security challenge compared to other industries?
Simonovich: Energy customers have had the perfect storm: increased risk, corresponding regulation and then a push to go digital.
This means that regulation has given a number of our energy customers the foundation to think about security. But compliance does not necessarily equal risk reduction.
This means that our energy customers, especially those that are considered leaders in this space who are in a later stage of the cyber journey, have taken great steps to improve their cybersecurity posture.
They have done this despite the fact that in oil and gas, they are operating in distributed environments with lots of suppliers where asset owners don’t necessarily own the risk.
What I am concerned about is how do we take the lessons learned from the leaders that we are partnering with and apply those lessons learned to the middle.
You are only as good as your weakest link, whether it is in your supply chain or your ecosystem.
What kind of take-home message would you like to impart to industrial professionals?
Simonovich: Security needs to be closely linked to safety and quality initiatives.
A great cybersecurity program will directly benefit the business. Security can be considered as a core part of the business and a competitive advantage.
In safety, the focus was to prevent incidents from happening. You had to reduce human error.
A similar approach has to be taken in security, too.
Think about the impact on safety that a major [accident] can have. A major incident can drive the adoption of a safety mindset. We recommend that our customers have a safety and security mindset. The two have to go hand in hand.