maria_korolov
Contributing writer

Siemens focuses on zero trust, legacy hardware, supply chain challenges to ensure cybersecurity of internal systems

Feature
Apr 25, 2023 | 9 mins
Supply Chain, Zero Trust

Siemens US chief cybersecurity officer Helen Negre discusses how the organization is focusing on zero trust to ensure the security of internal systems across its different lines of business.

Credit: Gorodenkoff / Shutterstock

Siemens has been working to stay on top of vulnerabilities found in its products, but more importantly, to ensure the security of its internal operations. The manufacturing giant, which works across several lines of business including industrial, smart infrastructure, health care, and financial services, is protecting its systems by focusing on three main areas: zero trust, supply chain, and legacy systems.

Siemens has grown exponentially through acquisitions in its 166 years and employs more than 300,000 people. Acquisitions mean systems integrations and can often bring cybersecurity risks.

“We’re a company of companies,” Helen Negre, who recently took on the role of chief cybersecurity officer for Siemens US, tells CSO. That means that it’s difficult to create a single cybersecurity strategy for the entire company, she explains.

Helen Negre, Siemens

It’s not an easy time to be a cybersecurity officer, and Siemens is in the crosshairs of advanced attackers because it’s so heavily involved in the critical infrastructure space. “If you name a critical infrastructure, we probably have something to do with it,” Negre tells CSO. “And with the current political landscape and cyber landscape, we see activity…we have billions of events per day that we have to manage.”

What zero trust means to Siemens

Siemens isn’t alone when it comes to putting zero trust at the top of its cybersecurity agenda. According to Forrester, 83% of global large enterprises have committed to the adoption of zero trust. A 2022 survey from Okta found that 55% of organizations already have a zero-trust initiative in place, and 97% plan to have one in the next 12 to 18 months.

At Siemens, zero trust means micro segmentation, perimeter security, strict identity management, and strict policy enforcement.

Siemens is taking a three-tier approach to zero trust. The first stage is education, roadmap creation, identifying the applications and assets that need to be secured, and coming up with a shared definition of what zero trust looks like for each organization within the company.

“Part of it has been a cultural mindset,” Negre says. “That includes getting people at every level of the organization to understand what zero trust is, why it’s important, and how it reduces risk and coming up with a roadmap with concrete milestones for each one of our organizations.”

The goal was to create a zero-trust framework together with the individual business lines. “So it’s not cybersecurity coming to the organization and saying, ‘You must do this and you have this amount of time to do it.’”

This first stage of the transition to zero trust is now complete, she says. Siemens is now moving through the second stage and into the third.

That second stage involves tackling all the “low-hanging fruit” on the zero-trust roadmap, focusing on projects that can be implemented within six to 12 months.

Then, the third stage would involve longer-term projects. Some of Siemens’ business lines are in heavily regulated industries. “It might require a more slow and deliberate transformation,” Negre says. And then there are the sites with legacy devices that will need significant investment before they’ve been fully transitioned to zero trust.

The hardship of securing legacy hardware

In industrial and health care settings it’s common to find older hardware that wasn’t designed to function in a connected world — and certainly isn’t up to supporting zero-trust principles.

“In manufacturing environments, the lifecycle for equipment is quite long. If you have a brownfield project in an industry that hasn’t changed much in 40 years, what you’re inheriting, especially in acquisitions, might be something your father or grandfather could recognize,” Negre says.

She said that 1% to 2% of Siemens’ factories are the most modern, up-to-date smart factories built around cybersecurity principles. Another 1% to 2% are relics of the past. The rest are somewhere in between.

Whether it’s working with internal business units, or external customers, “we have to meet them where they are,” says Negre. “And sometimes that’s an older machine that has worked perfectly well for 30 years. How do we go ahead and provide connectivity, do it safely, and transform this into zero trust?”

If it’s a manufacturing environment, the machines might be running all the time and can’t be shut down to be patched. On top of that, some of this equipment has bespoke software, she says, custom built for that particular location. Putting a security wrapper around this equipment is only a stop-gap measure. “We don’t rely solely on that,” she says.

Even if the security wrapper has connectivity and a firewall, that alone isn’t considered to be sufficient to meet Siemens’ internal standards. “You’d have to meet our password and authentication standards, our micro segmentation standards.”

The best option is to rip and replace, which is what Siemens is doing over time. But, at the end of the day, everything has to go to zero trust, she says. “If you don’t want to run this machine like our grandparents did, then we need to have connectivity — but we have to add it safely.”

Supply chain security

Securing internal systems and legacy equipment is only half of the cybersecurity battle. Siemens’ zero trust strategy also extends to all of its suppliers. According to Bulletproof’s 2022 cyber security industry report, 40% of cyber threats are now occurring indirectly through the supply chain. “We do deal with vendors who are not ready for zero trust,” says Negre. “Whether it’s an application that’s not there yet, or a SaaS solution that’s not there yet.”

In fact, Siemens has an entirely separate initiative on supply chain security, of which zero trust is just one part. “And a lot of it is about identifying which vendors meet our state-of-the-art cybersecurity criteria,” she says.

For vendors that don’t meet the criteria, Negre says Siemens is sorting them into categories and having honest conversations with its internal businesses. “This particular vendor, this particular supplier, may be too risky for the organization and we might have to find an alternative.”

There isn’t any one factor that makes a vendor too risky, she says. “We evaluate technology holistically, based on a number of criteria including global cybersecurity standards, publicly accessible information of their vulnerabilities and recent cyber incidents,” she says. Vendors are also scored on their security posture in such areas as physical, endpoint and cloud security.

Having alternatives is also particularly helpful when it comes to critical infrastructure and single-source suppliers. “That’s become a pain point in a lot of ways recently. There’s a push to find some diversity in the landscape — not just from a cybersecurity perspective, but an availability perspective.”

Another key aspect of supply chain security is requiring vendors to provide software bills of materials. There are regulatory requirements for SBOMs in some of Siemens’ businesses. In addition, the company has deep ties to Europe, and the upcoming Cyber Resilience Act (CRA) will require SBOMs for most critical infrastructure.

“And sometimes we have products designed here and sold in Europe, or designed there and sold here, so we have to make sure we have all our dependencies defined as much as possible,” Negre adds.

Readying for new regulations and strategies worldwide

Europe’s CRA is only one of the regulatory changes that Siemens is keeping an eye on. In the United States, there have been several new cybersecurity initiatives, most recently the new National Cybersecurity Strategy.

Also in March, the Transportation Security Administration released a directive requiring increased cybersecurity in the aviation industry. “It’s a dynamic place. We’re figuring out exactly how it applies to our world and doing advocacy as much as possible with our partners to hopefully have practical cybersecurity legislation that can be implemented not just by large organizations like ourselves, but organizations below the cyber poverty line.” Those other organizations could be Siemens’ vendors, or external customers, she says.

Siemens is also committed to working with government organizations and Information Sharing and Analysis Centers (ISAC), she says, not just in the US, but around the world. “The key takeaway for us as an organization is that we build relationships. In every country where we have a presence we probably have a relationship with the government in a way that enables us to share intelligence and get an idea of what is the threat specifically for that country.”

The company primarily works through public-private intelligence sharing groups such as the various ISACs. “We also work with government bodies such as CISA, NIST, the FBI and many more to share expertise, receive insight, and ensure we meet all regulatory requirements,” she says. This also helps create a safer cybersecurity ecosystem for all businesses.

Siemens cybersecurity team considers future threats

There are also major technological changes coming down the line. One of them is quantum computing, which some expect to have the potential to make all current encryption obsolete. It’s a real threat, says Negre, but not necessarily an imminent one.

“The quantum computing thing has been on the horizon for ten years — and they’ve said it’s going to happen any day now,” she says. “The computers that are actually able to act in this space are quite limited. The algorithms haven’t been produced yet. Everybody should be preparing for this, but it’s not necessarily number one on your agenda.”

Another trend that’s already here is artificial intelligence. Siemens has its own AI research and data scientists. “It does help us work more efficiently,” she says. “If you’re not using it in your cyber program, maybe you should evaluate it — maybe in automation or in remediation. What can be done using AI that can replace some of this manual effort, so your key experts can be free to work on the big stuff?”

With over a billion events a day, Siemens has had to build its own solutions — but also works with outside vendors to integrate their solutions into its environment. “Some of our businesses have gone pretty public in the way they’re using AI to auto remediate tickets and to drive some of our cybersecurity innovation,” she says. “We are looking at all versions of AI and finding out the best way to use it in our organization.”