5 min

Cybersecurity Is Everyone’s Business [by Jean-Christophe Mathieu, product and solution security officer, Siemens France]

Cyber risks - January 19, 2016

No one is immune to a cyber attack. Industrial facilities, which are becoming increasingly connected, must take this risk into account. They must do so not only by incorporating robust products, but also by training engineering and design departments, integrators, installers, users, and maintenance operators in best practice standards that strengthen cybersecurity.

A revolutionary wind is blowing through the industry. It is advocating for a fusion of the virtual and real worlds to give rise to a new generation of plants. The industry of the future is up and running. This concept is aimed at incorporating Internet technologies into plant manufacturing processes. It is characterised by the interconnection of production processes, machines and sites. All the links in the production and supply chains, i.e. the tools and work stations, exchange information. Computer-aided design and manufacturing (CAD-CAM) systems and simulation tools will be essential elements. So will tools dedicated to maintenance (CMMS), production management, scheduling (MES), supervision, product life-cycle management (PLM), integrated management (ERP), etc. — in short, all software and hardware elements that communicate to provide for greater flexibility in manufacturing and to enable variation of the quantities produced in real time while optimising energy consumption.

The task at hand, then, is to combine on-board device intelligence (sensors, actuators, PLCs, digital controls, robots, etc.) with software applications, in designing products, simulating their manufacturing process, producing them and even marketing them, relying on modern means of communication, specifically Ethernet and the Internet.

This increasingly important communication between hardware platforms and software applications exposes industrial systems to a growing risk: cyber threats, which, through attacks, may even lead to the physical destruction of the facility targeted. The structures in which complete isolation of production systems seemed possible not so long ago are now completely gone. It is essential that the needs expressed by end users to gain flexibility and productivity are be blocked on the pretext of security. On the contrary, these needs must be supported so that all exchanges are made securely and under supervision.

The organisation of the Siemens group has thus evolved to take into account the theme of cybersecurity throughout the life cycle of the group’s products and solutions. At present, each of the group’s divisions includes experts who circulate best practice standards to be adopted to significantly increase the level of security of the devices marketed. Interestingly, training in cybersecurity has become an essential point for teams in charge of product development. In order to verify the suitability of the efforts made, Siemens has already certified around 140 products from its line of industrial components via the Achilles platform. These products include Simatic-S7 1500 PLCs, industrial firewalls and communication couplers. Siemens also strives to follow the regulations established by the IEC-62443 standard, and it actively participates in the working group in charge of developing it. This international standard strives to offer an approach that encompasses all aspects of security for industrial systems.

In addition to this standard, and as a complement to it, the French National Information Systems Security Agency (ANSSI) promotes a top-level security certification (CSPN). Until recently, this certification only assessed security products intended for traditional information systems. However, this year, the ANSSI published protection profiles for PLCs, switches, wireless access points, supervision software, MES solutions, automation programming platforms and other industrial equipment. Users are thus offered new guarantees. These protection profiles identify the minimum safety features that must be incorporated into products and that will be tested for certification. Siemens has been participating actively from the outset in the different industrial systems cybersecurity working groups backed by the ANSSI, and now by the French Trade Association for Electrical Equipment, Automation and Related Services (Gimélec), the source of these protection profiles. A large number of these features are already available in the latest generations of products marketed by Siemens.

While the Siemens group pays a great deal of attention to cybersecurity, it is fully aware that optimally protecting devices from cyber risks requires collaborating closely with all organisations operating in the field of cybersecurity. Therefore, it is necessary to advance together while recognising that there is no such thing as zero risk. It is essential to note that more than 70% of cybersecurity rests on organisational matters and operational processes. Thus, even the smallest failure of one of the links in a long chain (product design, manufacturing, assembly, installation, use and maintenance) weakens the level of security of the whole. For example, a potentially certifiable PLC will not provide any guarantee if it is configured or used incorrectly. To ensure that the technical or organisational measures put in place correspond to the risk analysis, it is necessary for a facility to be accredited.

Training, then, takes on prime importance. In addition, the ANSSI has published several guides on industrial systems cybersecurity. These guides present the organisation to be implemented as well as the appropriate training. A one-day training session will raise awareness of cybersecurity among account managers and project managers. A more advanced three-day session will explain to technicians and engineers how to apprehend cybersecurity and incorporate it into their projects. Backup, exchange of digital documents, design, scheduling, set-up and so on are all points that must be discussed. The users of these systems, as well as the staff in charge of their maintenance, are equally concerned. Their awareness must be raised, and they must be trained in these subjects and strictly follow all instructions on managing passwords and backups, using USB sticks, etc.

Unlike functional security, which does not change as long as the initial installation is not modified, cybersecurity must constantly adapt to new risks and put novel defences in place. These two areas, which may seem contradictory, must undoubtedly be brought closer to achieve comprehensive security governance. In any case, regular audits that bring together information systems security experts and industrial equipment specialists must be carried out to assess whether a facility’s defences are sufficient against emerging threats. Operators of vital importance (OIVs) must, in particular, upgrade their information systems’ level of security in accordance with the new requirements of the ANSSI. The decrees for the cybersecurity side of the French Military Planning Law were published on 27 March 2015. The associated industry orders are expected to be published in the next few months. They specify the regulations to be followed in 12 specific fields of activity.

Send this to a friend