Digital Safety for the Energy Industry: Inside Siemens & TÜV SÜD’s cybersecurity partnership

By Bill Lydon, Contributing Editor, Automation.com
Cyber threats continue to be a prominent concern as the digitalization movement grows ever larger. Prior to the announcement of a partnership between TÜV SÜD and Siemens, which is intended to provide cybersecurity services to the energy sector, I was able to speak with John Tesoro, President and CEO of TÜV SÜD North America, and Leo Simonovich, Vice President and Global Head for Industrial Cyber and Digital Security at Siemens, and get their insights about this initiative, which will address some of these security concerns.
In our conversation, Leo Simonovich noted that attacks on industrial environments are exponentially increasing and that, unlike IT, where the primary concern is data loss, cyber-attacks targeting operations can lead to production shutdowns or worse. Simonovich explained that the partnership will work to address the growing security challenges facing the energy industry today, as attacks continue to get more sophisticated. “Attackers are hyper targeting energy companies that own, manage, and operate critical infrastructure including power plants, substations, pipelines, and refineries,” shared Simonovich. “Attackers are getting more sophisticated and brazen with attacks targeting safety systems for critical infrastructure.”
As an example, he cited a late 2017 attack in Saudi Arabia on the safety and communications systems, which compromised a petrochemical facility with a clear intent to cause a safety event and related damage. As Simonovich observed, “What was remarkable about that event was the ease with which the attackers traversed from IT to OT to safety systems.”
John Tesoro echoed Simonovich on how the Siemens & TÜV SÜD partnership will address some of the micro and macro cybersecurity and safety challenges facing the industry and threatening critical infrastructure. “The partnership draws from the core strengths of both companies to bring a holistic approach to cybersecurity for the energy industry,” emphasized Tesoro. “The partnership is founded around a common purpose and some common sense principles.” He shared his belief that this approach to traditional safety is successful and minimizes the impact of human error and, as such, can provide the same benefits when dealing with cybersecurity. To do this, Tesoro laid out five foundational cross-discipline ideas:
- Understand Your Risk
- Build Your Defense with Deep Resiliency
- Gain Visibility & Situational Awareness
- See Something Say Something
- Continue Learning & Training
“At the center of safety and cybersecurity is a root cause analysis,” explained Tesoro, “so the operator understands what’s really happening and takes action.”
As for what this partnership has already produced, Simonovich shared the development of several blueprints as a guide for users and operators, adding to the existing Siemens Secure Substation Blueprint, “which,” as Simonovich explained, “leveraged IEC 62243 best practices on how to stay ahead of attackers.” Relatedly, Siemens’ Secure Substation Automation Solution is certified by TÜV SÜD Munich according to IEC 62443-2-4 (Security program) and IEC 62443-3-3 (Security functions).
So which organization, Siemens or TÜV SÜD, will be the front-facing group engaging users to sell and deliver the services? According to Simonovich, “It will be customer specific based on the relationships each organization has already.” Under this partnership, TÜV SÜD will offer digital assessments that incorporate Siemens as a provider of cybersecurity vulnerability assessments across the cyber asset management lifecycle. The digital assessments of industrial control systems in both the oil and gas and power generation sectors (nuclear applications excluded) will be vendor-agnostic, meaning they will not be limited to customers using products and technologies manufactured and supplied by Siemens.
Simonovich described the process of scaling up the efforts with cross-training of Siemens and TÜV SÜD personnel. “TÜV SÜD’s role is consistent with the need for developing mandatory, independent third-party certification for critical infrastructure and solutions,” added Tesoro.
Safety Device Certification
Certification remains an issue, so I asked if there are cybersecurity certifications for devices that would be analogous to certified safety devices. Tesoro responded that today they have electrical and interoperability testing for traditional safety devices in order to test their function. “We are increasingly doing component level cybersecurity testing at the product level, a process that takes place in a lab,” shared Tesoro.
He explained that the next step is field deployment: “That automation equipment is deployed onto a factory floor and it’s connected in either a closed SCADA network or other industrial network and we know 80% of these networks have open doors to the public Internet,” described Tesoro. “That requires a system-level safety assessment and that is another step in the holistic approach which is core to our blueprint, and this follows that same trajectory that we do today on the physical side.”
Industrial Cybersecurity Challenges
It seems like the partnership will have a good handle on a number of the industrial cybersecurity challenges facing the industry. TÜV Rheinland’s Cybersecurity Trends 2019 report has explored several of these challenges. These are some key points from the report:
- Trend 1: Cybersecurity has become a board-level issue
- Trend 2: Industrial cybersecurity is years behind mainstream IT security
- Trend 3: IoT cybersecurity faces a major standards challenge
- Trend 4: The pressure created by GDPR represents a turning point for consumer privacy
- Trend 5: The cybersecurity skills shortage will distort the labor market
- Trend 6: Threat detection and response depends on maturing Security Orchestration, Automation, and Response (SOAR)
- Trend 7: ‘Red team’ testing and agile security development are gaining greater mainstream acceptance
- Trend 8: Cybersecurity will define digital economy winners and losers