Siemens: Security lifecycle plan a must

One of the most difficult aspects of the cyber security lifecycle for ICS engineers is the maintain phase. Here are some tips to establish a good baseline before getting to the maintain level.


Sophisticated attackers remain a challenge for manufacturing automation security professionals, but staying one step ahead is a stronger approach than sitting back waiting to get hit.

"Protecting our control systems is more important now than ever before," said Jay Williams, business development for cyber security at Siemens, during a webcast entitled "Cyber Security for Industrial Control Systems." "The changing landscape for cyber threats is more dynamic than ever. CEOs now recognize the importance for a holistic approach to cyber security."

When it comes to security, the first real attack people remember these days is the Stuxnet attack in 2010, where the U.S. and Israel worked together to infiltrate the Natanz nuclear enrichment facility in Iran. They were able to infiltrate a system that showed workers the system was running normally, while centrifuges were cascading wildly out of control. However, in 2008 there was a pipeline blast in Turkey that fell under the cyber security radar a bit. The attack started through a video surveillance computer, and attackers were able to get in and hit the control system, causing an overpressurization and explosion, Williams said. In addition, later on, in 2014, there was a spear phishing campaign that infiltrated a Chinese steel factory and resulted in massive damage. Also look at the Sony attack, where the company is still not totally functioning.

Open environment

In the 1990s, there was no real need to worry about security, but the movement to more open, standard off-the-shelf technology that relied more on Ethernet and Internet connections allowed for a changing environment. The changes were very effective and allowed for greater business mobility, connectivity and productivity. The problem is that the connectivity and open software opened manufacturers up to security breaches.

"There were lots of holes put into industrial control systems that weren't there in the 90s," said Ken Keiser, practice leader for plant security at Siemens.

The catch is that users are now getting to the point where they understand the need for security, but they are only beginning to take it to the next level and create the cyber security lifecycle that most plants have to go through. Keiser said the issue is that most manufacturers have not even started that process yet.

Look at firewalls, anti-virus, whitelisting and patch management, to name a few. "All of them have a similarity and that is management. You can't put it in and forget about it. You have to look at what risk you want and look at what risk you have. You need to know what you have and have a good baseline before you get to the maintain level. You need to establish a baseline," Keiser said.

These are areas to focus on to create a baseline:

  • Network assessment
  • Policies and procedures
  • Awareness training 
  • Technical security training
  • OS hardening: Group/local policy design and deployment
  • OS hardening: One-time validated patch deployment  
  • Anti-virus: One-time agent deployment
  • Whitelisting: One-time agent deployment
  • Perimeter protection: Design, implementation and integration
  • Segmentation/Zoning: Design and implementation

Once a plant goes through the assessment and implementation phases and reaches the maintain level, then the hard work begins.

"One of the most difficult aspects of cyber security lifecycle for ICS engineers is the maintain phase," Keiser said. That is because of the changing, dynamic landscape where a process may be running for two or three years straight, but a constant barrage of attacks could compromise the system and bring down the process.

Safety vs. security

While safety and security have similarities, they also have differences.

"With safety you are working with a physical law of nature. Yes, you have to maintain and update safety systems, but the physics of the plant will not change," Keiser said. "With security, you have a very sophisticated adversary out there. There are people out there that want to get into your plant. The environment is changing constantly. You need to know what is happening on a real time basis. One thing you can do is look at logs on a daily basis where you have reports coming out."

Security is an entity unto itself and it can become very easy to end up bogged down in the minutiae of the bits and bytes. But it doesn't have to be that way. Once a lifecycle plan is down on paper and manufacturers get it up and running, it will start to evolve into a force that becomes very difficult to penetrate and the plant can stay up and running.

One of the things people "have to remember is to understand the priority of the plant is to make product," Keiser said. "You don't want to worry about security."

Gregory Hale is the editor and founder of Industrial Safety and Security Source, a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on the ISSSource website. Edited by Joy Chang, Digital Project Manager, CFE Media.
