I recently attended Infrastructure Week in Washington, DC, as a guest of Siemens, and witnessed the signing of the Charter of Trust by its latest cohort of business leaders from Cisco, Dell, Total, and TÜV SÜD.
At the event in the nation’s capital there were short remarks made by each of the signers, as well as some presentations and panel discussions. I also was able to speak with many senior level executives, and garner great insight into some of the challenges facing our modern society worldwide as we seek to simultaneously improve industrial efficiency and secure our infrastructure – and, yes, we discussed how the participating firms are collaborating to solve some of the seemingly daunting security problems sometimes created when utilities, industrial firms, and other businesses attempt to increase efficiency and modernize. Among the folks with whom I spoke were Joe Kaeser (Global CEO of Siemens), Barbara Humpton (incoming CEO of Siemens USA), Leo Simonovich (Vice President and Global Head of Industrial Cyber and Digital Security at Siemens), Michael Dell (CEO of Dell), and Axel Stepken (Chairman of the Board of Management of TÜV SÜD).
Here are some of the more striking points heard during the day’s conversations and presentations; each one of these is something that I believe my readers would want to learn about. Of course, some of these items I have discussed previously, but, they are all well worth repeating within the industrial context.
1. Industrial systems are a rapidly growing target – As many as one third of all cyberattacks today seem to be directed at industrial systems, a figure that represents a dramatic rise over the last couple years – estimates just two years ago were in single digits. Hackers understand, quite clearly, that targeting critical infrastructure, or inserting bugs into factory systems used to assemble cars and the electronic components within them, can easily inflict far more suffering than stealing credit card numbers.
2. Growth of the Industrial Internet of Things is making the risks even greater – Rapid adoption of industrial IoT systems is quickly increasing the risk of attacks inflicting serious damage.
3. Yet, security folks are not focused on industrial systems – Despite the aforementioned figures, a disproportionate focus of information security professionals and vendors is on information technology systems, not on operational technology (think Windows, Macs and iPhones, Linux, and Android vs. specialized control systems for turbines or hydroelectric power generation plants).
4. As a result, operators often ignore security protocols – Operators of industrial technology are often slow to install security patches and updates to the control systems under their management. Cyber threats to industrial control systems are ever-evolving, and while patches are an incredibly important element of a defense-in-depth approach to cybersecurity, industry frequently has difficulty keeping up with patch management, a problem that often results from a lack of sufficient experienced professionals internally, and/or the limited ability to regularly shut down systems in order to update them.
5. Often, no security blueprints even exist – Many energy-production facilities – which are prime targets for hackers seeking to inflict chaos or economic damage – do not have a security baseline; that is, they do not have a clear picture as to what a secure facility would look like, even after the release of standards such as The International Society of Automation (ISA)’s standard for industrial network and system security (Pub. 62443). The lack of clarify poses great problems: it is difficult, if not impossible, to properly secure a connected substation, for example, if you do not understand what makes a substation secure; furthermore, when it comes to substation security there is not a one-size fits all approach that can be easily replicated from location to location.
6. Digitalization is scaling faster than corresponding security controls – The fact that technology that improves efficiency and convenience is being created and deployed far faster than are the necessary corresponding security controls should alarm us – and, in fact, especially after a recent malware epidemic that plagued IoT equipment, industrial businesses are increasingly taking notice and acting. There is a clear realization developing that we, as a society, are constantly increasing our reliance on systems that are in growing danger of inflicting a growing amount of damage if compromised. Additionally, it is becoming increasingly clear that we cannot solve this problem with technology alone; significant improvements will only result if through collaborative efforts, such as the Charter of Trust.
7. Rogue states are a growing problem – Rogue states have dramatically improved their cyberwarfare capabilities within the last few years. The need to protect our utilities and other industrial equipment from electronic sabotage has never been greater; hostile nations were unlikely to be able to physically attack power plants in the USA at any point since have been power plants, for example, but now they can launch crippling attacks from halfway around the world from within the comfort and protection of their own homes and offices.
8. Many businesses are joining the Charter of Trust – Because Western governments have done woefully inadequate jobs of working to improve both domestic and global cybersecurity, and because the need to improve cybersecurity ASAP is far too urgent to continue waiting until they do, businesses are taking the lead – an effort for which they should be commended.
This post is sponsored by Siemens.