Digital Safety for the Energy Industry: Inside Siemens & TÜV SÜD’s cybersecurity partnership

By Bill Lydon, Contributing Editor, Automation.com

Cyber threats continue to be a prominent concern as the digitalization movement grows ever larger. Prior to announcement of a partnership, between TÜV SÜD and Siemens, which is intended to provide cybersecurity services to the energy sector, I was able to speak with John Tesoro, President and CEO of TÜV SÜD North America, and Leo Simonovich, Vice President and Global Head for Industrial Cyber and Digital Security at Siemens, and get their insights about this initiative, which will address some of these security concerns.

In our conversation, Leo Simonovich noted that attacks on industrial environments are exponentially increasing and unlike IT, where the primary concern is data loss, cyber-attacks targeting operations can lead to production shutdowns or worse.  Simonovich described that the partnership will work to address the growing security challenges facing the energy industry today, which continue to get more sophisticated.  “Attackers are hyper targeting energy companies that own, manage, and operate critical infrastructure including power plants, substations, pipelines, and refineries,” shared Simonovich, “Attackers are getting more sophisticated and brazen with attacks targeting safety systems for critical infrastructure.” 

As an example, he cited a late 2017 attack in Saudi Arabia on the safety and communications systems, which compromised a petrochemical facility with a clear intent to cause a safety event and related damage. As Simonovich observed, “What was remarkable about that event was the ease with which the attackers traversed from IT to OT to safety systems.” 

John Tesoro echoed Simonovich on how the Siemens & TÜV SÜD partnership will address some of the micro and macro cybersecurity and safety challenges facing the industry and threatening critical infrastructure.  “The partnership draws from the core strengths of both companies to bring a holistic approach to cybersecurity for the energy industry,” emphasized Tesoro, “The partnership is founded around a common purpose and some common sense principles.”  He shared his belief that this approach to traditional safety is successful and minimizes the impact of human error and, as such, can provide the same benefits when dealing with cybersecurity.   To do this, Tesoro laid out five foundational cross discipline ideas:

1. Understand Your Risk
2. Build Your Defense with Deep Resiliency
3. Gain Visibility & Situational Awareness
4. See Something Say Something
5. Continue Learning & Training

“At the center of safety and cybersecurity is a root cause analysis,” explained Tesoro, “So the operator understands what’s really happening and take action.”

As for what this partnership has already produced, Simonovich shared the development of several blueprints as guide for users and operators adding to the existing Siemens Secure Substation Blueprint, “Which,” as Simonovich explained, “Leveraged IEC 62243 best practices on how to stay ahead of attackers”.  Relatedly, Siemens’ Secure Substation Automation Solution is certified by TÜV Süd Munich according IEC 62443-2-4 (Security program) and IEC 62443-3-3 (Security functions).

So which organization, Siemens or  TUV SUD, will be the front facing group engaging users to sell and deliver the services?   According to Simonovich, “It will be customer specific based on the relationships each organization have already.”  Under this partnership, TÜV SÜD will offer digital assessments that incorporate Siemens as a provider of cybersecurity vulnerability assessments across the cyber asset management lifecycle.  The digital assessments of industrial control systems in both the oil and gas and power generation sectors (nuclear applications excluded) will be vendor-agnostic, meaning they will not be limited to customers using products and technologies manufactured and supplied by Siemens. 

Simonovich described the process of scaling up the efforts with cross training of Siemens and TÜV SÜD personnel.   “TÜV SÜD’s role is consistent with the need for developing mandatory, independent third-party certification for critical infrastructure and solutions,” added Tesoro.

Safety Device Certification

Certification remains an issue, so I asked if there are cybersecurity certifications for devices that would be analogous to certified safety devices.  Tesoro responded, that today, they have electrical and interoperability testing for traditional safety devices in order to test their function.   “We are increasingly doing component level cybersecurity testing at the product level, a process that takes place in a lab,” shared Tesoro.

He explained that the next step is field deployment, “That automation equipment is deployed onto a factory floor and it’s connected in either a closed SCADA network or other industrial network and we know 80% of these networks have open doors to the public Internet,” described Tesoro, “That requires a system-level safety assessment and that is another step in the holistic approach which is core to our blueprint, and this follows that same trajectory that we do today on the physical side.”

Industrial Cybersecurity Challenges

It seems like the partnership will have a good handle on the number of industrial cybersecurity challenges facing the industry. TÜV Rheinland’s Cybersecurity Trends 2019 report has explored several of these challenges.  These are some key points from the report:

• Trend 1: Cybersecurity has become a board-level issue
• Trend 2: Industrial cybersecurity is years behind mainstream IT security
• Trend 3: IoT cybersecurity faces a major standards challenge
• Trend 4: The pressure created by GDPR represents a turning point for consumer privacy
• Trend 5: The cybersecurity skills shortage will distort the labor market
• Trend 6: Threat detection and response depends on maturing Security Orchestration, Automation, and Response (SOAR)
• Trend 7: ‘Red team’ testing and agile security development are gaining greater mainstream acceptance
• Trend 8: Cybersecurity will define digital economy winners and losers

Related Articles

• CyberSecurity Strategy at Ford – IT & Automation Cooperation
• Cyber Security: Where Does the Reasoning Begin?
• Bill's Automation Perspective on Cybersecurity
• Industry Giants Driving Holistic Cyber Security Architecture for Edge Devices – Enterprise – Cloud
• Cybersecurity at the edge
• Addressing Global Cyberthreats: Insights on the cyberspace from General Michael Hayden
• Industrial Cybersecurity and International Defense - Inside Siemens Cybersecurity Charter of Trust
• Cybersecurity – An inside job
• Outsourcing Cyber Security Services

Did you Enjoy this Article?

Check out our free e-newsletters
to read more great articles.

Subscribe Now