In 2018, Siemens took the first major step in initiating global cybersecurity standards for Industry 4.0 by launching the Charter of Trust at the Munich Security Conference. Now also signed by Enel electricity company, IBM, Munich Security Conference, NXP, AES power distribution, Airbus, Allianz, Atos IT services, Cisco, Daimler, Dell Technologies, SGS testing laboratories, Deutsche Telekom, Total oil-and-gas company and TUV, the Charter of Trust provides guidance that addresses 10 principles, including:
- ownership of cyber- and IT security
- responsibility throughout the digital supply chain
- security by default
- user-centricity
- innovation and co-creation
- education
- certification for critical infrastructure and solutions
- transparency and response
- regulatory framework
- joint initiatives.
Siemens, along with other signers including IBM, NXP and TUV, hosted presentations in late 2018 to explain their roles in the Charter of Trust. The long-awaited and much-needed step toward “cyberstandardization” comes at a time when data continues to grow exponentially. “A lot of data will be created, transferred and stored,” explains Franz Köbinger, marketing manager, industrial security, Siemens. “Digitalization has a lot of advantages. But it’s easier for malware to come into systems. In 2016, attacks from the Internet caused more than 500 billion euros in damages. We want to convince our customers to use the advantages of digitalization. Industrial security is a prerequisite for digitalization. It is necessary.”
Data has a value, so users are motivated to secure it, explains Köbinger, who laid out four key components, including:
- industrial security—protection goals and value-added aspects
- availability—increased plant availability through prevention or reduction of faults caused by attacks or malware
- integrity—protection of system and data integrity to avoid malfunctions, production errors and downtimes
- confidentiality—protection of confidential data and information, as well as intellectual property (Figure 1).
Figure 1: Data has a value, so users are motivated to secure it.
(Source: Siemens)
“Our concept is based on a holistic defense-in-depth concept,” says Köbinger. “A wall is a single defense layer. It’s easy to overbear. Just one successful attack can be enough. Defense-in-depth includes multiple independent security layers. It’s hard to overbear. An attacker needs to invest tremendous time, efforts and know-how to have a chance for success.”
Siemens’ defense-in-depth industrial security concept is based on IEC 62443, which breaks it down into three layers:
- plant security: physical access protection, processes and guidelines, holistic security monitoring
- network security: cell protection and perimeter network, firewalls and VPN
- system integrity: system hardening, patch management, detection of attacks, authentication and access protection.
To address these, Siemens’ Industrial Security Services are designed to be comprehensive, modular and scalable. The services cover assessing, implementing and managing security.
Security assessment includes industrial security assessment; IEC 62443 assessment; ISO 27001 assessment; risk and vulnerability assessment; active asset inventory scan; and vulnerability detection scan.
Security implementation covers security awareness training; industrial security consulting; automation firewall; application whitelisting; antivirus; industrial anomaly detection; and industrial security monitoring solutions.
Security management covers the security vulnerability manager; patch management; industrial security monitoring; and remote incident handling.
Partners in cyber crimefighting
Along with Siemens, the other signers of the Charter of Trust are focused on maintaining the security of the growing amount of data.
“We signed the Charter of Trust with three important objectives,” says Jonathan Sage, government and regulatory affairs, IBM, who spoke at the IBM Watson IoT Center in Munich, which opened in February 2017, thanks to a $3 billion investment over four years (Figure 2). “We chose Munich because of the industrial sector,” says Sherri Thomas, director and head of Watson IoT Center. “We have been nonstop with clients since we opened.” The center has welcomed 24,000 visitors, and, earlier this year, it opened the 12th IBM Cloud Garage at Watson IoT Center.
Figure 2: The IBM Watson IoT Center in Munich opened in February 2017, thanks to a $3 billion investment over four years. It has welcomed 24,000 visitors, and, earlier this year, it opened the 12th IBM Cloud Garage.
IBM’s three Charter-of-Trust objectives include:
- engage with policy makers to collaborate, educate and raise awareness in cybersecurity
- raise the bar in cybersecurity with tangible measures and results
- create a reliable foundation on which confidence in a networked, digital world can take root and grow.
“IoT is not all of cybersecurity,” explains Sage. “It’s a scenario where you are connecting cloud or middleware to a thing that does something. Effective cybersecurity is a precondition for an open, fair and successful digital future.”
Of the 10 principles, Sage finds three of them especially pertinent to IBM’s pursuits.
“We think Principle 1, ownership of cyber and IT security, is extremely important,” he says. “We anchored cyber right at the heart of the organization. We believe we’re already walking the talk. It’s the heart of what we do. For Principle 6, education, we have a veterans cyber training program—training them in our I2 suite to become analysts. We have mandatory cyber training for all employees and a mobile cyber range for almost real-life scenarios for executive training. Every IBMer has to pass a cyber course.”
Principle 2 pertains to responsibility throughout the digital supply chain. “A lot resides in the supply chain,” explains Sage. “There are physical things, but also data. We’re establishing a set of risk-based rules across all IoT layers with clearly defined and mandatory requirements. To ensure confidentiality, authenticity, integrity and availability we’ve set 17 baseline requirements that all of the companies in the charter have signed up to. By doing this, suppliers have one set of requirements to follow with Charter of Trust members.”
One of the more interesting use cases explained at the IBM Watson IoT Center in Munich was fully homomorphic encryption. Dave Braines, IBM research UK, CTO, emerging technology, describes it as analyzing data while it remains secure and private.
“Fully homomorphic encryption lets you do computations on encrypted data,” he says. “It allows you to leave your data encrypted but still perform the computation. With oblivious query, you can perform the computation without seeing the data. It’s delegating the processing of data without giving away access to it.”
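The delegation pattern Braines describes, computing on data that stays encrypted so the party doing the computation never sees it, can be shown concretely with the Paillier cryptosystem. The example below is added here and is not IBM's code or the scheme discussed at the Watson IoT Center: Paillier is only *additively* homomorphic (sums and scaling by public constants), a simpler relative of fully homomorphic encryption, but it is enough to demonstrate an oblivious query in which an untrusted server computes a weighted total over encrypted sensor readings and only the key holder can decrypt the answer. The primes, readings and weights are constructed for the demo and far too small for real use.

```python
"""Computing on encrypted data with Paillier (added example, not from the article).

Paillier is additively homomorphic:
  E(m1) * E(m2) mod n^2  ==  E(m1 + m2)
  E(m) ** k   mod n^2    ==  E(k * m)   for a public integer k
That is sufficient to delegate a linear query (e.g. a weighted total) to a
server that holds only ciphertexts and the public key.
"""
import math
import secrets

# Constructed demo primes: chosen so the arithmetic is easy to follow.
# Real deployments use primes of 1024 bits or more.
DEMO_P = 1000003
DEMO_Q = 1000033


def keygen(p=DEMO_P, q=DEMO_Q):
    """Return (public_key, private_key).

    public_key  = (n, g) with n = p*q and g = n + 1
    private_key = (lambda, mu, n) with lambda = lcm(p-1, q-1)
    """
    n = p * q
    n2 = n * n
    g = n + 1
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    # L(x) = (x - 1) // n; mu is the modular inverse of L(g^lambda mod n^2)
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu, n)


def encrypt(pub, m):
    """Encrypt integer m (0 <= m < n) with fresh randomness r."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1       # r in [1, n-1]
        if math.gcd(r, n) == 1:                # r must be invertible mod n
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """Recover m = L(c^lambda mod n^2) * mu mod n."""
    lam, mu, n = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Ciphertext of m1 + m2, computed without the private key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Ciphertext of k * m for a public (unencrypted) scalar k."""
    n, _ = pub
    return pow(c, k, n * n)


def server_weighted_total(pub, ciphertexts, weights):
    """Untrusted-server side: sum(w_i * m_i) over data it cannot read.

    The server sees only ciphertexts, the public key and the public weights;
    it never learns any m_i. This is the oblivious-query pattern.
    """
    acc = encrypt(pub, 0)                      # fresh encryption of zero
    for c, w in zip(ciphertexts, weights):
        acc = add_encrypted(pub, acc, scale_encrypted(pub, c, w))
    return acc


def client_roundtrip(readings, weights):
    """Key-holder side: encrypt, delegate the query, decrypt the answer."""
    pub, priv = keygen()
    ciphertexts = [encrypt(pub, m) for m in readings]
    result_ct = server_weighted_total(pub, ciphertexts, weights)
    return decrypt(priv, result_ct)


if __name__ == "__main__":
    # Constructed sample: three sensor readings and a public weight per sensor.
    readings = [120, 75, 300]
    weights = [2, 3, 1]
    print("weighted total:", client_roundtrip(readings, weights))  # 765
```

The server-side function is the point of the demo: it returns a correct encrypted result while holding nothing that would let it recover the readings. Note the limits that distinguish this from the fully homomorphic schemes Braines refers to: Paillier cannot multiply two encrypted values together, plaintexts must stay below n, and each encryption is randomized, so identical readings produce different ciphertexts (a property a defender wants, since it prevents the server from matching repeated values).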
Another partner for the Charter of Trust is NXP Automotive. “We were one of the early partners,” says Lars Reger, CTO, NXP, which has operations across 33 countries. With more than 30,000 employees, NXP is approaching $10 billion and has 9,000 patent families.
“Our target markets are automotive, industrial & IoT, mobile, communication and infrastructure,” says Reger. “We are not a cloud-computing company. NXP’s portfolio sits from the edge to the node. The four technology pillars driving NXP are sensing, connectivity, processing and safety & security. For example, for autonomous robots, I need better sensing systems. All of the failures have been in the sensing system.”
With more autonomous systems of all kinds making decisions for us, we need to be confident in those systems, explains Wolfgang Steinbauer, head of competence center, crypto and security, NXP. “The integrity of the data needs to be there,” he says. “We need to be able to trust the device. We need to control access to those devices. These devices can be out in the field 10-15 years.”
You cannot stop attacks, Steinbauer says. “Protect the system over the lifetime. Learn from attacks. Prevent security attacks. Recover from attacks,” he explains. “We use the connectivity to update our devices throughout the lifetime, from cloud services via secure encrypted communication to defense-in-depth with adaptive learning, trusted execution and authentication, tamper-resistant storage and hardware root of trust.”