Siemens invited a couple of writers to the Cincinnati area headquarters of PLM and a Cyber Security Center of Excellence to witness an internal presentation to Siemens employees. The presentation included both an overview of cyber security and the Siemens response plus Siemens’ plans to build a sizable business in the area. I was there along with safety and security writer Greg Hale.
Eric Spiegel, President and CEO, Siemens USA, kicked off the day with a presentation on the importance of cyber security and Siemens’ intent to build the business. In fact, Spiegel noted, “We want to grow the cyber security services in the US at 2x market speed. Cyber was a small part of our business, but we see much potential for growth.”
Spiegel related, “I was at a White House meeting in the situation room, had a chance to meet the President. He talked to me directly about the need to protect critical infrastructure.” Spiegel continued that hacking is top of mind in this area. Recognizing Siemens’ own strategies in the area, he continued, “If digitalization is important for the future of manufacturing, then cyber security is also important. Attacks on critical manufacturing are becoming more frequent and intense. Two-thirds of CEOs rank cyber security as one of the top two things on their agenda. In response, we have 50 differentiated service offerings in cyber today.”
Cyber Security Golden Nuggets
Joanna Burkey, U.S. CISO, moderated the first panel discussion which was more technical in nature. She suggested to look for what she called “Golden Nuggets”, that is, places where a risk-based approach suggests vulnerabilities. For example, she noted, one is source code.
Siemens began the effort to uncover these golden nuggets and then decided to take what it learned to its customers. When Siemens goes out to a customer to consult on cyber risks, it follows a process that includes mapping IT assets (for example, SAP, end points, encryption), developing an asset classification system, designing an holistic protection process coordinating with business, IT, and vendors.
Siemens has identified about 700 of these golden nuggets and is in the process of mitigating 121 of them. It expects the number to grow to about 1,000.
Rolf Reinema, Head of Technology Field, added that protecting Intellectual Property goes beyond hardware and software, but it also includes algorithms. In process industries, these might be called recipes residing in a processor. “OT attacks are complex. Having so much legacy equipment creates vulnerabilities.” Then he left us with this sobering thought, “If a hacker shows they can attack, they’ll ask for a substantial deposit of bitcoins so that they won’t carry out the attack.” Think of the blackmail you could be open to.
Udo Wirtz, Head of Technology Field, calls the Internet the new company Intranet. “We are shining a light in a cave, we now can see some of the problems where five years ago not so much.” Wirtz also addressed phishing attacks. These attacks are still an important problem tricking people into clicking on what looks like a legitimate link which instead gives the hacker access to user accounts and even administrative rights. “So they are phishing all of us,” he concluded.
In March the FBI came to Siemens and GE and said that both had been contacted by Facebook. It seems that someone was “friending” employees on Facebook and building an innocuous relationship. Then they sent a link that turned out to be malicious. “It used to be stupid to click on a link. But today the messages are so sophisticated that it is hard to tell legitimate from phishing.”
Growing Cyber Security as a Business
The next session was a Marketing Panel addressing how Siemens will move cyber from internal to a customer service. Rajiv Sivaraman, VP and Head of Plant Security Services, said that given the development of digital manufacturing, cyber is high on the enterprise list. Siemens is laying foundations for taking customers on a journey to awareness. Answering the question about scaling the business, Sivaraman noted a progression of going from consulting and “hand-holding” to ultimately scaling to managed services. Siemens is also checking out partners for both C-Level and operations level consulting.
Ken Geisler, VP of Strategy & Markets, Energy Management Digital Grid, reported grid suppliers do have compliance requirements. As they grow many more points of access, e.g., smart meters on homes, there is growing concern for cyber security. Cyber is a huge potential market with many competitors.
Judy Marks, Executive Vice President, Global Solutions, Dresser-Rand, A Siemens Business, says that with the oil & gas market it’s all about business and enterprise risk. Especially with the exposure of offshore facilities. They also have the challenge of operating in a heterogeneous environment. Siemens, through acquisitions, is now a leading service provider to O&G and plans to leverage that into growing the cyber business.
In his first year at Siemens, Leo Simonovich, Director, Global Cyber Strategy, said operations is the new frontier for attacks. Of all attacks, 30% are targeting of coming from OT. Customers are turning to Siemens “because we understand that environment. We can secure the technology stack.” Another sobering thought, your chances of an attack? 100%.
Jeremy Bryant, Head of PD PA secure networking solution business, added that customers (and Siemens) need to be worried about inside-out attacks as well as outside-in.
Overall, a profitable day in Cincinnati to learn what Siemens was up to. Several of the majors have some type of cyber division or initiative. Siemens appears to be ahead of that pack right now. As a user, you should be happy that suppliers are developing solutions to help in the battle.
