Siemens’ Strategy to Secure the Industrial Internet of Things
MUNICH—Smartphones, smart homes, smart cities, smart buildings, smart hospitals, smart manufacturing… The “smart” moniker seems to be everywhere these days.
But there is no point to smart technology unless it offers security. “What is the point of a smart solution if you can’t trust it?” asked Eva Schulz-Kamm, head of global government affairs at Siemens, at a cybersecurity-focused press tour in Munich.
And so cybersecurity has become a core focus for the conglomerate as it seeks to fuel growth with digitalization. With its software and digital services businesses worth approximately 5.2 billion euros and growing at a projected rate of 8 percent from 2018 to 2022, Siemens’ leaders see considerably more growth in that unit than in its classic services business units. The company reports that its MindSphere industrial IoT platform business links 1 billion devices and is growing at a double-digit rate. By contrast, its automation business unit is projected to grow at 3 percent in the same time frame, while its electrification unit is expected to grow 1 to 3 percent.
With CEO Joe Kaeser positioning cybersecurity as a digitalization enabler, the company is taking a holistic approach to cybersecurity. For instance, it offers its industrial customers cybersecurity assessments as well as products and services to help them shore up vulnerabilities. The company’s leadership also acknowledges the importance of building security into product development as well as the role of asset owners, system integrators and product suppliers in helping secure products in the wild. It works with internal and external security researchers to identify cyber-vulnerabilities and conducts threat and risk analyses for new products.
Other components of its cybersecurity strategy include compliance with the IEC 62443 risk management methodology, an internal Wikipedia-like website to support secure software development, and internal and external cybersecurity education initiatives. The company is committed to addressing the entire product life cycle, offering penetration test automation during production and testing, as well as a security analytics platform and secure access management capabilities for public clouds for currently deployed products.
The company also has a number of key vendor partners, including McAfee for antivirus software, Palo Alto Networks for firewalls and Claroty for industrial anomaly detection and passive asset identification. The company tracks vulnerabilities in third-party software and communicates them to its customer base. It offers patch management, helping its customers move from a manual to an automated approach to addressing software vulnerabilities. If a company is breached, Siemens offers a service in which its employees perform remote forensics and mitigation.
Siemens also created a cybersecurity consortium with 16 prominent partners including Cisco, IBM, Daimler, Dell Technologies, NXP and Airbus. Known as the Charter of Trust, the initiative presents a series of 10 principles, such as security by default, user-centricity and education, intended to help establish a common security framework and core best practices across the industrial landscape. “We asked the governments and companies to look at [cybersecurity] in a connected, integrated and holistic way and we have to take responsibility now,” Schulz-Kamm said. “The idea is to set a level playing field. What is that bar that you have to jump over?”
Without initiatives such as the Charter of Trust, “there would be no trust or stability in the market,” said Lars Reger, chief technology officer of NXP Automotive.
The company offers its employees cybersecurity training — both internally and through partnerships with security-focused organizations such as SANS.
Siemens is also focused on long-term research on emerging topics such as homomorphic encryption, post-quantum cryptography, security for cooperative autonomous systems, self-securing systems design and security validation for digital twins. The company offers internal cybersecurity testing and research and development centers in facilities located internationally, where it identifies and addresses vulnerabilities in its products.
A core focus of its cybersecurity initiative is providing holistic answers to evolving threats. Given the rising traction of the Internet of Things, which spans an array of industrial building blocks, connectivity options and middleware, Schulz-Kamm points out that the company must partner with peers as well as with governmental organizations and officials such as finance, health and defense ministers. Government bodies are taking a growing interest in cybersecurity because of the cyber impact on critical infrastructure as well as connected buildings, cities and the overall economy.
“Werner von Siemens was the father of the approach for cybersecurity,” Schulz-Kamm said. “He strongly believed that what Siemens does needs to be sustainable. It needs to do more than provide a solid business.” While acknowledging the impossibility of making the world 100 percent secure, the company’s leadership stresses the importance of establishing a shared common cybersecurity framework to better define and address cybersecurity vulnerabilities.
When asked what the reception to its cybersecurity initiative has been, Rainer Zahner, global head of cybersecurity governance at the company, said the company has long worked to be a trustworthy partner. Its holistic approach to cybersecurity helps to maintain that reputation. “Customers [continue to] trust us,” he said.