Exclusive: Revealing the Siemens approach to cybersecurity
James Thorpe
International Security Journal sits down with Alina Matyukhina, PhD, Cybersecurity Manager at Siemens Smart Infrastructure to discuss the evolving cybersecurity landscape and the upcoming Siemens webcast series.
What are the biggest cybersecurity challenges facing businesses at the moment?
Back in the day, closed doors used to offer enough security against outside threats to businesses located within a building. But with the adoption of the Internet of Things (IoT), this physical protection is not enough anymore. Buildings have become smarter and are nowadays equipped with connected control systems for air-conditioning, lighting, intelligent electricity meters and e-charging station monitoring, as well as surveillance systems.
Since IoT devices can be easily added to any network, building systems are no longer isolated physically or virtually. In fact, Internet-connected devices can be accessed and controlled from anywhere in the world. They can communicate with each other and with an organisation’s IT systems, making them part of the larger enterprise-wide network. But the higher the connectivity, the higher the security concerns on the part of IT departments.
With building devices communicating over the Internet, many IT leaders fear that hackers may attack an organisation through its building systems and devices. This fear is justified, as most of the current building technologies are using a communication protocol created long before information technology (IT) and operational technology (OT) came together. Studies have shown that 57% of IoT devices are vulnerable to medium or high-severity attacks. Cyberattacks have already harmed several businesses, including critical infrastructure such as hospitals, data centres and hotels.
How can businesses best mitigate against cyberattacks?
There are several ways to best mitigate against cyberattacks, but to start with, every business should integrate a cybersecurity culture. People are at the heart of a successful and effective cybersecurity strategy. Investing in continuous training and awareness will help safeguard organisations against cyberattacks.
Employees who are involved in security-related processes should be adequately trained and there should be clear guidance about who to contact with internal questions or problems. But the right know-how is also important: businesses need to be clear about internal roles and responsibilities in this area and to develop a clear set of security messages about how incidents should be dealt with. Any suspected incident should be treated as real until proven to be a false alarm.
Every business needs a guide setting out how security incidents should be resolved in a timely manner. They must ensure that they’ve done everything possible to mitigate the risk of a breach. It is vital that businesses are transparent about incidents, informing customers and other required stakeholders when they find vulnerabilities. In the event of a problem, corporate communications are as important as fixing the technical defect, because cyberattacks may damage a business’ reputation and erode customers’ trust.
How is Siemens helping businesses to enhance their cybersecurity?
Siemens is supporting several businesses right from the beginning of their cybersecurity journey and over the entire lifecycle of their buildings. Every new-generation product we develop is secure-by-design. This means we implement cybersecurity in the initial design of products. External security experts afterwards perform threat and risk assessments throughout the lifecycle of the product, in order to identify and mitigate potential risks. This starts early in the product development process and repeats for every significant update.
Before releasing a new product, we ask independent third-party organisations to test our products for potential vulnerabilities. Our customers will always get a product with the latest security measures and updates in place. What’s more, our product development lifecycle was recently certified by independent certification audits from TÜV SÜD with the standard IEC 62443 maturity level 3. It proves that the product development process is fully compliant with IEC 62443-4-1.
This standard includes security-relevant requirements such as capabilities and expertise, security of third-party components, process and quality assurance, secure architecture and design, issue handling, security updates and patches, and a secure development environment. With this standard we show that our security-related activities are adequately planned, documented and executed through the whole product lifecycle and that our products follow international standards for secure product development.
What will the Siemens webcast series be discussing?
Cybersecurity is essential for keeping critical infrastructure and communities operating as intended. Although the number of cyberattacks is increasing, building owners are still not prepared for the worst-case scenario. We will discuss why our holistic approach to cybersecurity is essential for every business’ success.
In what ways will the cybersecurity landscape evolve over the next five years?
Firstly, there will be a natively secure OT network: we will move from securing OT networks with costly additional means such as VPNs and firewalls to security built directly into standardised OT network protocols provided by the manufacturer. BACnet Secure Connect (BACnet/SC), as one of the most popular open source protocols, will be integrated in new products.
BACnet/SC is the most recent extension of the popular open-source communication protocol Building Automation and Control Network (BACnet), which enables data traffic between devices of different manufacturers in buildings. It incorporates the same technology that is used to secure online banking. It makes the communication through building networks just as secure as an online bank transfer and therefore greatly minimises the risk that this data communication could be manipulated. For example, somebody could sabotage the air-conditioner of a data centre and cause the entire server farm to stop working. That’s why we at Smart Infrastructure have increasingly started to implement this protocol for our products and systems.
Secondly, there will be zero-touch onboarding: in the future, we will see more and more IoT devices equipped with some form of zero-touch onboarding. This technology will require no configuration by the installer to bring the device into an operational state, saving building engineers a lot of development time and expensive security engineering expertise.
And thirdly, OT transparency for IT stakeholders: OT network transparency to IT departments will become a new norm, as the lack of network visibility (and OT network complexity in general) can bring serious security issues. We will see more solutions which provide end-to-end cybersecurity monitoring down to the IoT level as a part of operations monitoring.
How can people find out more information about the series?
To get more information about the series, please go to https://sie.ag/3EVesCg and register for the event. Afterwards you will get access to a more detailed webpage and to every episode of the webcast. If you should have further questions, my team and I are always there to assist. Please feel free to contact us or have a look at our website https://new.siemens.com/global/en/products/buildings/cybersecurity-for-smart-buildings.html. We are looking forward to getting in contact with you.