Siemens US chief cybersecurity officer Helen Negre discusses how the organization is focusing on zero trust to ensure the security of internal systems across its different lines of business.

Siemens has been working to stay on top of vulnerabilities found in its products, but more importantly, to ensure the security of its internal operations. The manufacturing giant, which works across several lines of business including industrial, smart infrastructure, health care, and financial services, is protecting its systems by focusing on three main areas: zero trust, supply chain, and legacy systems.
Siemens has grown exponentially through acquisitions in its 166 years and employs more than 300,000 people. Acquisitions mean systems integrations, and those can often bring cybersecurity risks.
"We're a company of companies," Helen Negre, who recently took on the role of chief cybersecurity officer for Siemens US, tells CSO. That means it's difficult to create a single cybersecurity strategy for the entire company, she explains.
It's not an easy time to be a cybersecurity officer, and Siemens is in the crosshairs of advanced attackers because it's so heavily involved in the critical infrastructure space. "If you name a critical infrastructure, we probably have something to do with it," Negre tells CSO. "And with the current political landscape and cyber landscape, we see activity… we have billions of events per day that we have to manage."
What zero trust means to Siemens
Siemens isn't alone when it comes to putting zero trust at the top of its cybersecurity agenda. According to Forrester, 83% of global large enterprises have committed to the adoption of zero trust. A 2022 survey from Okta found that 55% of organizations already have a zero-trust initiative in place, and 97% plan to have one in the next 12 to 18 months.
At Siemens, zero trust means micro segmentation, perimeter security, strict identity management, and strict policy enforcement.
Siemens is taking a three-tier approach to zero trust. The first stage is education, roadmap creation, identifying the applications and assets that need to be secured, and coming up with a shared definition of what zero trust looks like for each organization within the company.
"Part of it has been a cultural mindset," Negre says. "That includes getting people at every level of the organization to understand what zero trust is, why it's important, and how it reduces risk, and coming up with a roadmap with concrete milestones for each one of our organizations."
The goal was to create a zero-trust framework together with the individual business lines. "So it's not cybersecurity coming to the organization and saying, 'You must do this and you have this amount of time to do it.'"
This first stage of the transition to zero trust is now complete, she says. Siemens is now moving through the second stage and into the third.
That second stage involves tackling all the "low hanging fruit" of the zero trust roadmap, focusing on projects that will be implemented within six to 12 months.
Then, the third stage would involve longer-term projects. Some of Siemens' business lines are in heavily regulated industries. "It might require a slower and more deliberate transformation," Negre says. And then there are the sites with legacy devices that will need significant investment before they've been fully transitioned to zero trust.
The hardship of securing legacy hardware
In industrial and health care settings it's common to find older hardware that wasn't designed to function in a connected world, and certainly isn't up to supporting zero-trust principles.
"In manufacturing environments, the lifecycle for equipment is quite long. If you have a brownfield project in an industry that hasn't changed much in 40 years, what you're inheriting, especially in acquisitions, might be something your father or grandfather could recognize," Negre says.
She says that 1% to 2% of Siemens' factories are the most modern, up-to-date smart factories built around cybersecurity principles. Another 1% to 2% are relics of the past. The rest are somewhere in between.
Whether it's working with internal business units or external customers, "we have to meet them where they are," says Negre. "And sometimes that's an older machine that has worked perfectly well for 30 years. How do we go ahead and provide connectivity, do it safely, and transform this into zero trust?"
In a manufacturing environment, the machines might be running all the time and can't be shut down to be patched. On top of that, some of this equipment has bespoke software, she says, custom built for that particular location. Putting a security wrapper around this equipment is only a stop-gap measure. "We don't rely solely on that," she says.
Even if the security wrapper provides connectivity and a firewall, that alone isn't considered sufficient to meet Siemens' internal standards. "You'd have to meet our password and authentication standards, our micro segmentation standards."
The best option is to rip and replace, which is what Siemens is doing over time. But, at the end of the day, everything has to go to zero trust, she says. "If you don't want to run this machine like our grandparents did, then we need to have connectivity, but we have to add it safely."
Supply chain security
Securing internal systems and legacy equipment is only half of the cybersecurity battle. Siemens' zero trust strategy also extends to all of its suppliers. According to Bulletproof's 2022 cyber security industry report, 40% of cyber threats are now occurring indirectly through the supply chain. "We do deal with vendors who are not ready for zero trust," says Negre. "Whether it's an application that's not there yet, or a SaaS solution that's not there yet."
In fact, Siemens has an entirely separate initiative on supply chain security, of which zero trust is just one part. "And a lot of it is about identifying which vendors meet our state-of-the-art cybersecurity criteria," she says.
For vendors that don't meet the criteria, Negre says, Siemens sorts them into categories and has honest conversations with its internal businesses. "This particular vendor, this particular supplier, may be too risky for the organization and we might have to find an alternative."
There isn't any one factor that makes a vendor too risky, she says. "We evaluate technology holistically, based on a number of criteria including global cybersecurity standards, publicly accessible information of their vulnerabilities and recent cyber incidents," she says. Vendors are also scored on their security posture in such areas as physical, endpoint and cloud security.
Having alternatives is also particularly helpful when it comes to critical infrastructure and single-source suppliers. "That's become a pain point in a lot of ways recently. There's a push to find some diversity in the landscape, not just from a cybersecurity perspective, but an availability perspective."
Another key aspect of supply chain security is requiring vendors to provide software bills of materials (SBOMs). There are regulatory requirements for SBOMs in some of Siemens' businesses. In addition, the company has deep ties to Europe, and the upcoming Cyber Resilience Act (CRA) will require SBOMs for most critical infrastructure.
"And sometimes we have products designed here and sold in Europe, or designed there and sold here, so we have to make sure we have all our dependencies defined as much as possible," Negre adds.
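An SBOM only helps with "having all our dependencies defined" if the document a supplier hands over is actually complete. The following is an added example, not Siemens' or CSO's code, showing the kind of intake check a security team can run on a supplier SBOM. It assumes CycloneDX JSON with a `components` list and a `dependencies` graph; the sample document, the component names and the policy that every component must carry a name, version and package URL (`purl`) are all constructed for illustration.

```python
"""Check a supplier-provided CycloneDX SBOM for completeness of its dependency data.

Added example (not Siemens code). Assumes the SBOM is CycloneDX JSON with a
``components`` list (each entry carrying ``bom-ref``, ``name``, ``version`` and
``purl``) and a ``dependencies`` list; the sample document below is constructed.
"""
import json

# Policy assumed for this example: every component must be fully identifiable.
REQUIRED_FIELDS = ("bom-ref", "name", "version", "purl")

# Constructed sample SBOM: one component lacks a version and a purl, and the
# dependency graph refers to a bom-ref that no component declares.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "app", "name": "plant-hmi", "version": "3.2.0",
         "purl": "pkg:generic/plant-hmi@3.2.0"},
        {"bom-ref": "lib-tls", "name": "tlslib", "version": "1.1.1",
         "purl": "pkg:generic/tlslib@1.1.1"},
        {"bom-ref": "lib-log", "name": "loglib"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-tls", "lib-log", "lib-missing"]},
        {"ref": "lib-tls", "dependsOn": []},
    ],
})


def check_sbom(sbom_json):
    """Return a list of human-readable findings; an empty list means the SBOM passes."""
    sbom = json.loads(sbom_json)
    findings = []
    components = sbom.get("components", [])
    refs = {c.get("bom-ref") for c in components if c.get("bom-ref")}

    # 1. Every component must be identifiable (name, version, purl), otherwise
    #    it cannot be matched against vulnerability advisories later.
    for c in components:
        missing = [f for f in REQUIRED_FIELDS if not c.get(f)]
        if missing:
            label = c.get("bom-ref") or c.get("name") or "<unnamed>"
            findings.append(f"component {label}: missing {', '.join(missing)}")

    # 2. Dependency edges may only point at declared components; a dangling
    #    reference means part of the software is not described at all.
    described = set()
    for d in sbom.get("dependencies", []):
        ref = d.get("ref")
        described.add(ref)
        if ref not in refs:
            findings.append(f"dependency entry for undeclared ref {ref}")
        for target in d.get("dependsOn", []):
            if target not in refs:
                findings.append(f"{ref} depends on undeclared ref {target}")

    # 3. Every component should appear in the graph; otherwise its own
    #    transitive dependencies are unknown.
    for ref in sorted(refs - described):
        findings.append(f"component {ref} has no dependency entry")

    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the constructed sample, the check reports three gaps: the incomplete `loglib` entry, the reference to an undeclared `lib-missing` component, and the absence of a dependency entry for `loglib`. A clean SBOM returns an empty list, which is the condition a vendor-intake pipeline would gate on before the component inventory is trusted for vulnerability matching.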
Readying for new regulations and strategies worldwide
Europe's CRA is only one of the regulatory changes that Siemens is keeping an eye on. In the United States, there have been several new cybersecurity initiatives, most recently the new National Cybersecurity Strategy.
Also in March, the Transportation Security Administration released a directive requiring increased cybersecurity in the aviation industry. "It's a dynamic place. We're figuring out exactly how it applies to our world and doing advocacy as much as possible with our partners to hopefully have practical cybersecurity legislation that can be implemented not just by large organizations like ourselves, but organizations below the cyber poverty line." Those other organizations could be Siemens' vendors, or external customers, she says.
Siemens is also committed to working with government organizations and Information Sharing and Analysis Centers (ISACs), she says, not just in the US, but around the world. "The key takeaway for us as an organization is that we build relationships. In every country where we have a presence we probably have a relationship with the government in a way that enables us to share intelligence and get an idea of what is the threat specifically for that country."
The company primarily works through public-private intelligence sharing groups such as the various ISACs. "We also work with government bodies such as CISA, NIST, the FBI and many more to share expertise, receive insight, and ensure we meet all regulatory requirements," she says. This also helps create a safer cybersecurity ecosystem for all businesses.
Siemens cybersecurity team considers future threats
There are also major technological changes coming down the line. One of them is quantum computing, which some expect could make all current encryption obsolete. It's a real threat, says Negre, but not necessarily an imminent one.
"The quantum computing thing has been on the horizon for ten years, and they've said it's going to happen any day now," she says. "The computers that are actually able to act in this space are quite limited. The algorithms haven't been produced yet. Everybody should be preparing for this, but it's not necessarily number one on your agenda."
Another trend that's here today is artificial intelligence. Siemens has its own AI research and data scientists. "It does help us work more efficiently," she says. "If you're not using it in your cyber program, maybe you should evaluate it, maybe in automation or in remediation. What can be done using AI that can replace some of this manual effort, so your key experts can be free to work on the big stuff?"
With over a billion events a day, Siemens has had to build its own solutions, but it also works with outside vendors to integrate their solutions into its environment. "Some of our businesses have gone pretty public in the way they're using AI to auto remediate tickets and to drive some of our cybersecurity innovation," she says. "We are looking at all versions of AI and finding out the best way to use it in our organization."