Cybersecurity

The birth of a cybersecurity standard

The Charter of Trust begins the process in Europe

By Mike Bacidore, chief editor

Industry 4.0 was born in July 2010, one of the 10 “Future Projects” identified by the German government as part of its High-Tech Strategy 2020.

Predictions sometimes bear fruit. Three years ago, at NIWeek in Austin, Texas, IBM’s IoT director, Greg Gorman, famously said, “Security isn’t a problem. It’s an engineering solution waiting to be done.”

I’m sorry if I raised your hopes, but that’s not the prediction. However, it was during that same roundtable discussion that Gorman warned his IIoT compatriots to avoid setting cybersecurity standards too early because “we still have a lot to learn.”

Yes, the Industrial Internet of Things (IIoT), an American construct, was a mere infant, just learning to crawl. However, its older cousin, Industry 4.0, was born in July 2010, one of the 10 “Future Projects” identified by the German government as part of its High-Tech Strategy 2020. If standards for cybersecurity were going to be set, they would come from Germany.

Yes, that’s the prediction. And Siemens has delivered.

“We are not alone in the world,” explained Eva Schulz-Kamm, Siemens’ global head of government affairs, who spoke about cybersecurity in Munich. “This is why we created the Charter of Trust.”

Launched by Siemens at the Munich Security Conference earlier this year, the Charter of Trust is now signed by 16 companies (Figure 1). It contains guidance that addresses 10 principles, including:

  1. ownership of cyber- and IT security

  2. responsibility throughout the digital supply chain

  3. security by default

  4. user-centricity

  5. innovation and co-creation

  6. education

  7. certification for critical infrasctructure and solutions

  8. transparency and response

  9. regulatory framework

  10. joint initiatives.

Siemens, the170-year-old, $94-billion technology giant, which employs almost 400,000 people globally, paved the way for Enel electricity company, IBM, Munich Security Conference, NXP, AES power distribution, Airbus, Allianz, Atos IT services, Cisco, Daimler, Dell Technologies, SGS testing laboratories, Deutsche Telekom, Total oil and gas company and TUV.

“We started doing cybersecurity in 1986,” explained Schulz-Kamm. “The Internet was not widely known at that time. And MindSphere is currently connected to 1 million devices. There is no ‘smart’ without ‘cybersecure.’ Siemens takes it very seriously. Digitalization and cybersecurity are two sides of the same coin.”

Siemens has identified the three parts of cybersecurity as:

  1. protect society of cyber threats and risks

  2. increase trust in digital solutions and provide competitive advantage

  3. accelerate customer’s digital transformation and boost digital business.

“The nucleus of the Charter of Trust came from my team,” explained Schulz-Kamm. “My team works with governments all over the globe. Cybersecurity is a top-priority topic. It’s the first initiative of its kind worldwide, and we’ve requested France to include cybersecurity as a topic for 2019 G7.”

The Charter of Trust has the potential to be developed into a global standard for cybersecurity.

“Effective cybersecurity is a precondition for an open, fair and successful digital future,” said Schulz-Kamm. “By adhering to and promoting our principles, we are creating a foundation of trust for all.”

Siemens has 1,275 cybersecurity experts across all business areas, explained Rainer Zahner, global head of cybersecrutity governance at Siemens. “Our products in the future will deal with data,” he said. “The holistic approach is internal cybersecurity, products and solutions security, and security customer services.”

Long-term cybersecurity research is being done by Siemens on:

  • self-securing systems design

  • security validation for digital twin

  • next-generation patching

  • security for cooperative autonomous systems

  • post-quantum cryptography

  • homomorphic encryption

  • automated forensics and malware analysis

  • secure cloud-based real-time control

  • supply-chain security.

Siemens is also able to offer services to help with digital-enterprise security. “Because Siemens uses IEC 62443 to build its products and solutions, our portfolio is aligned with IEC 62443 risk management and methodology,” explained Harry Brian, CISSP, U.S. manager, industrial security services, Siemens.

The four core elements to Siemens’ digital enterprise security include:

  • industrial software and automation portfolio

  • industrial services

  • industrial communication

  • industrial security.

IEC/ISA 62443 puts responsibility on the supplier, the tem integrator and also the asset owner. The product supplier develops; the system integrator designs and deploys; and the asset owner operates.

Siemens’ three portfolio elements include security assessment, security implementation and security management.

Assessment includes industrial security assessment and IEC 62443 assessment. Implementation includes security awareness training, next-generation firewall, Windows patch installation, application whitelisting, anti-virus installation, industrial anomaly detection and industrial security monitoring. Management includes security vulnerability information, patch management, industrial security monitoring and remote incident handling.

ALSO READ: Expect end-user cybersecurity