Under the partnership, TÜV SÜD will offer digital assessments that bring in Siemens as the provider of cybersecurity vulnerability assessments across the entire cyber asset management lifecycle. The digital assessments of industrial control systems in both the oil and gas and power generation sectors (nuclear applications excluded) will be vendor-agnostic, meaning they will not be limited to customers using products and technologies manufactured and supplied by Siemens.

Critical infrastructure in the energy sector continues to be a primary target for attackers. This new risk environment, with a record number of near-miss safety events at plants around the world, poses significant potential for damage to the health and safety of people, processes, plants and products. Cyber threats to the environment, finance and supply chains jeopardise the entire global economy. In this IoT-driven environment, where energy systems are increasingly connected, there is a heightened need for high-level trust and confidence in digital safety and security.

This is particularly relevant as cyberattacks are being executed more frequently, with higher levels of sophistication, and at a lower cost. Increased connectivity enlarges the attack surface of energy systems. From Shamoon (a disk-wiping attack on oil and gas companies) to Industroyer (malware built to manipulate grid substation protocols) to WannaCry (a self-propagating ransomware worm), such incidents show the need for a holistic cybersecurity approach that incorporates resiliency, hygiene and security by design, say Siemens and TÜV SÜD.

“This is about reducing risk,” according to Leo Simonovich, vice president and global head for industrial cyber and digital security at Siemens. “Together, we will redefine an approach that will lead to reduction in the growing risks in the digital world, reducing risk in the physical world as well. Combining safety and security to address the human element – and strengthen trust – will provide an unprecedented view into risk,” Simonovich believes.

Charter of Trust

In addition to this activity, both companies are also driving the Charter of Trust, which emphasises the benefits of digitalisation but recognises the associated risks. Now with 16 members, the Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalisation. In addition to Siemens and TÜV SÜD, the signatories are: AES; Airbus; Allianz; Atos; Cisco; Daimler; Enel; Dell Technologies; Deutsche Telekom; IBM; Munich Security Conference; NXP; SGS; and Total. The German Federal Office for Information Security, the CCN National Cryptologic Center of Spain and Graz University of Technology in Austria have joined the Charter of Trust as associate members. In February 2019, Mitsubishi Heavy Industries signed a letter of intent to join the Charter, expanding its reach into Asia.

Focus on the supply chain

An area of early focus for the Charter of Trust has been the security of supply chains. Third-party risks in supply chains are becoming a more prevalent issue and are the source of 60% of cyberattacks, according to Accenture Strategy. Charter of Trust member companies have worked out baseline requirements, and proposals for implementing them, intended to make cybersecurity an absolute necessity throughout all digital supply chains. These requirements address all aspects of cybersecurity, including people, process and technology. Examples of these requirements include:

  • Data shall be protected from unauthorised access throughout the data lifecycle.
  • An appropriate level of identity and access control and monitoring, including for third parties, shall be in place and enforced.
  • A process shall be in place to ensure that products and services are authentic and identifiable.
  • A minimum level of security education and training for employees shall be regularly deployed.

Charter of Trust members are establishing a risk-based methodology for implementing these requirements in their own supply chains, involving supply chain partners in the process. The Charter of Trust was the initiative of Joe Kaeser of Siemens. Siemens itself is introducing binding cybersecurity requirements for suppliers, anchored in a separate, binding clause in all new contracts. The requirements apply primarily to suppliers of security-critical components such as software, processors and electronic components for certain types of control units. Existing suppliers who do not yet comply with the requirements are to implement them gradually. The aim is to eliminate vulnerabilities and malicious code at suppliers, and thus in Siemens products as well.

In autumn 2018 Siemens strengthened its internal capacity for repelling hacker attacks and created a new cybersecurity unit, operating as a worldwide network and combining what were once separate areas. Siemens now sees itself as “the first major company to take a holistic approach to the topic of cybersecurity.” Not only does the new organisation “investigate, analyse and repel hacker attacks”, says Siemens, it also “develops new cybersecurity services and teams up with the company’s business units to launch these services on the market.”

The company has also strengthened its network of cybersecurity managers “in every region and at every division.” They now report to Natalia Oropeza, Siemens’ chief cybersecurity officer. Siemens says it has been active in the field of cybersecurity for about 30 years, with its first cybersecurity team established back in 1986. The company currently has around 1,275 employees worldwide working exclusively on cybersecurity.