Cyber Threat: Managed Services

Monday, December 9, 2013 @ 03:12 PM gHale


By Gregory Hale
Cyber security awareness in the manufacturing automation industry is coming to the forefront, but for the most part companies end up stalled in the awareness stage.

They just don’t know where to start, or even know the right questions to ask.

That is where Siemens is thinking their managed security services offering comes into play.

RELATED STORIES
NIST Cybersecurity Framework: What it Means
Attackers Dig in to Mining Companies
Management Seeing the Security Light
Data Breaches Go Undisclosed

“We have been tested like no other automation vendor of our size,” said Raj Batra, president of Industry Automation at Siemens during a security roundtable discussion conducted by Siemens in Geneva, IL, Friday. Batra was referring to the Stuxnet virus that attacked a Siemens system in 2010 and brought down a series of centrifuges at a nuclear enrichment site in Natanz, Iran. ISSSource reported the attack was a joint effort between the U.S. and Israel to slow down or halt the nuclear build up in Iran.

“These critical learnings have been very important to us,” Batra said. “We have gone from reactive to much more proactive and predictive. We handle all aspects of cyber security. It is not if, but when you will be attacked.”

That deep knowledge of security is the reason why Siemens is launching its managed security services program this week.

The program includes continuous protection where Siemens will assess, design, implement, and continuously monitor a cyber security solution tailored to the individual organization. Proactive defense where there is continuous monitoring and analysis of security and system status based on real-time global intelligence from Siemens’ Cyber Defense Center. A single source where the Siemens’ security services team will focus on security issues at hand so the manufacturer can deal with making product.

“Individual security measures were not enough,” said Galina Antova, global head of industrial security services at Siemens. “Customers have security challenges and need protection of their entire production site. We have evolved from cyber security for products to have a services program. We needed a holistic approach and that is why we need to use services. This is an evolution of cyber security in the industrial space.”

“From a (user’s) mindset if they are not following regulations, they ask ‘where do I start?’ They know they have to do something, but they are not sure what,” said Roger Hill, head of automation technology management at industrial security services at Siemens.

The managed security service applies a formal three-step approach to address specific aspects of industrial security. The three steps are: Assess, implement and operate and manage.

In addition, to focus on key security areas globally, Siemens has nine hubs within its security network: North America, UK, India, France, China, Russia, Brazil, Singapore, European Union.

“Protection of the critical infrastructure is more important today than ever before,” Batra said.

Understanding security is not the same for every company, this program is not a cookie-cutter initiative where all users get the same products and services, but rather it is a true integration program.

“You have to have an engineered solution, not a one sized fits all program,” Hill said.

While it is very easy to get lost in the fear mongering going on regarding security, there are some real issues facing manufacturers hit by a cyber incident, including:
• Unplanned downtime
• Loss of product or impaired quality
• Manipulation of data
• Unauthorized use of systems
• Employee death or injury

“Do our customers want to be in the business of security or do they want to focus on what they do the best and that is making product,” Batra said. “We are the experts in security; we believe we have the core competency in this space.”

There continues to be the open-ended question in the industry on who actually deals with security in the industrial environment. “This is still a very opaque landscape on who manages it,” Batra said. “Advanced manufacturing means there need to be advanced skills.”

It would be easy to say IT should handle security, after all they have more experience, but there are differences between the enterprise and the plant floor.

“With the enterprise it is the classic CIA model where confidentiality is most important, followed by integrity and availability. In the industrial space it is inverted,” Hill said. “It is AIC with availability being the most important followed by integrity and confidentiality. On the enterprise side they talk about Big Data, but on the industrial side of the house there is a small amount of data but it is very frequent. On the enterprise, they are protecting the data, on the industrial side we are protecting the equipment, the process.”

There are plenty of new and sophisticated threats out there, like advanced persistent threats (APTs). Hill said. “APTs are highly persistent attacks – they are guns for hire. There are dynamic and ever changing threats. No one is safe, we have to decide what to protect, but we also have to know what to do when we are attacked.”
As a way to protect the plant, there has to be a defense in depth program – the security onion.

“You are competing against attackers that are working on the edge,” Hills said. “You cannot compete against them.”

The difference with the new security paradigm is security is a constant cost and it needs continuous monitoring because the threat model changes frequently. “There needs to be a transition from static security to a continuous security program,” Hill said. That is where training comes in. “If we can continues changing behaviors, we will cut down on security issues.”

Technology in the automation environment has come a long way in the past decade. It has gotten to the point where communication and real time decision making can occur from the sensor to the boardroom. But the catch is attackers can get in an either upset the process or just plain steal vital information.

The benefits of the open architecture and communication far outweigh the negatives, but there needs to be a solid security plan in place to ensure that open-ended communication.

“Security is generally a way of life, it is not a one time measure,” Batra said. “Security is an enabler of the progress we are making today.”



Leave a Reply

You must be logged in to post a comment.