Siemens’ cybersecurity experts are taught to “think like a hacker” as a means to stay ahead of an ever-growing number of cyberattacks. Miri Schroeter finds out more about protecting businesses from cyber threats.
Attacks of any sort are a threat to people, businesses and sometimes entire countries. When it comes to cyberattacks, there are more every day. Internet Security Alliance president and CEO Larry Clinton spoke about the worldwide surge in cyberattacks at the Command Control conference in Germany in 2018. He said that five million euros are stolen every two minutes through cyberattacks and 12,000 identities are stolen in the same period. Two thousand new versions of malware are also created every two minutes.
With figures as staggering as that, companies such as Siemens are investing heavily in cybersecurity – including employing 25 white-hat-hackers who test the strength of Siemens’ security. Altogether, Siemens employs about 1,275 cybersecurity experts worldwide.
Siemens chief cybersecurity officer Natalia Oropeza said cyberattacks have now become more routine for companies than the theft of office supplies. “There has long been a regular market for hacker services. Attackers have no geographic boundaries. Each month there are about 1,000 hacker alarms at Siemens that are automatically reported by monitoring.” While Oropeza said that, in general, these are not particularly critical incidents, customers need a provider that has secured its own environment and understands the threat.
While cyber threats may be dominating more headlines in recent times, Oropeza said they have been a concern for many decades, and Siemens established its first IT security team as early as 1986. “It is not a new topic. In the 1980s, it was about connected products. In the 1990s, it was connected systems. And in the 2000s, the IoT (Internet of Things) was coming, with connected facilities, plants, sites being the focus. By 2020, we will have billions of devices that are connected. And security will be more important than ever. The growth is more than 30 per cent and it’s really getting into the steep part of the curve,” she said.
A hacker’s helping hand
Siemens is one of few companies to have its own “hacker department” at its research centre, said Oropeza. “That department regularly tests our weak points and determines whether unauthorised third parties are able to intrude into our network anywhere, so the gaps can be closed immediately. Siemens was the first company to integrate security in all phases of the product development lifecycle. But to be clear, there’s no 100 per cent security. Ultimately, it’s a bit like a rat race, always trying to be a step ahead of the hackers.”
Analyses from IT specialists suggest that cyber threats are only going to increase. Gartner reports that the scope of cybersecurity threats is growing: 8.4 billion connected devices were in use in 2017, 31 per cent more than in 2016. This number is projected to reach 20.4 billion by 2020. McAfee reports that damages from cybersecurity threats were estimated at more than 500 billion euros in 2017, amounting to 1.6 per cent of the GDP for certain European countries.
“The attacks are becoming stronger and more massive and more damaging. Attacks on systems that control our homes, power grids, or industrial facilities can have disastrous consequences,” said Oropeza.
But Siemens is well prepared, she said. “All our experts must think outside the box. In the case of our white-hat-hackers, it is the focus on the attacker’s perspective – you take every step into consideration. We map the processes a hacker is using. It is part of the preliminary work to find out what is worth protecting, what less. Our cybersecurity experts also test our products and solutions for security issues.
“They need to think like an attacker, not like a defender and trigger the worst-case scenarios of a business application or an asset. For example, the shutdown of a hospital or stopping a factory from working. Our experts always look for the weakest link in a security chain. They have a broad expertise in web application hacking, reverse engineering, fuzzing, source code spot checks, concolic testing, embedded and hardware hacking as well as security scanning. Additionally, our colleagues have skills in deep and broad specialisation on attack technologies and attack patterns instead of security features – like firewall, authentication or security patching. Every white-hat-hacker always keeps in mind that hackers don’t break things, they just prove that things are already broken,” she said.
Siemens’ cybersecurity team builds a worldwide network across all business areas. “I am convinced, when it comes to cybersecurity, silo thinking is forbidden. Our aim is to secure our own infrastructure, our products as well as to secure the development of innovative cybersecurity offerings,” said Oropeza.
Siemens established the Charter of Trust for cybersecurity in February 2018. It’s aimed at three important objectives intended to make the digital world more secure. These objectives are protecting the data of individuals and companies, averting harm from people, companies and infrastructures, and establishing a reliable basis where confidence in a networked, digital world can take root and grow.
The Charter of Trust has 16 partners so far – AES, Airbus SE, Allianz Group, Atos, Cisco, Daimler AG, Dell, Enel, IBM, Munich Security Conference, NXP Semiconductors, SGS, Siemens AG, Deutsche Telekom, Total and Tüv Süd.
Siemens regards a collaborative approach as the most effective one. “We are convinced that cybersecurity can be improved only by working together, because in the Internet of Things, we’re all connected and in a certain sense, dependent on one another.
“The charter points out pathways toward cybersecurity, on which politics and companies alike must become active on a global basis,” said Oropeza.
The charter promotes moving forward with digitalisation, with cybersecurity in mind, but with a focus on growth. “Cybersecurity must be more than a seatbelt or an airbag, it’s got to be a basic, crucial factor integrated in all digitalisation efforts. If people and organisations can’t trust digital technologies, they will not accept or embrace the coming digital transformation. Digitalisation and cybersecurity must evolve hand in hand.”
The 16 partners of the Charter of Trust aim to protect the data of individuals and companies and to avert harm to people, companies and infrastructures. They also aim to establish a reliable basis where confidence in a networked, digital world can take root and grow.
Oropeza said in the end, it is about trust as the basis of every relationship. “We feel our customers value our leading position in digitalisation and cybersecurity.” With Siemens’ white-hat-hackers, hundreds of cybersecurity experts, and its collaboration with other companies and organisations, Siemens hopes to continuously strengthen security, and keep the hackers out.