Energy Industry Times July 2017

THE ENERGY INDUSTRY TIMES - AUGUST 2017

Special Supplement

certainly provide remediation measures, but they must take a step back and ask themselves: ‘What is my strategy?’” Simonovich advises customers to place IT-savvy employees at all levels of the organisation, from the boardroom to the plant operator.

While companies are keen to take advantage of the value that digitalisation can bring, some are wary of the accompanying risk. It is therefore important to assure them that the products and systems they are introducing are inherently safe. According to Siemens, secure products are its foundation. Every product business line has a product security officer who looks at the full lifecycle, from design all the way through to disposal.

“Our customers initially fear greater connectivity because they think this increases their risk, but in reality it provides them with insight,” said Simonovich. He says that on the OT side 70 per cent of attacks are due to insider threats and that the average number of days a piece of malware sits on the OT side ranges from 200-400 days.

“Once connected, you can have visibility into what’s happening. If a piece of malware is brought into a power plant by a contractor, you can detect it. Connectivity equals insight, and that’s power.”

Determining whether the cyber security measures that have been put in place are a success, however, is a moot point. Simonovich says it is not a case of simply assuming that they must be working because the organisation has not suffered a breach.

He said: “First it starts with looking at your risk appetite, assessing your residual risk and everything in between, and then figuring out how to build up your matrix. You can’t be foolproof; attacks will happen. The question is: understanding what the risk profile looks like and determining whether cyber risks have been minimised. That’s what we help our customers figure out – defining and controlling those which are technical, and those that are more to do with strategy and process.”

As cyber threats change and the nature of cyber breaches evolves, staying on top of changing risks and types of attack is imperative. Today, attackers have no geographic boundaries. Simonovich believes that what energy companies need is an OT provider that has global coverage, and preferably one that has secured its own environment and understands the threat.

Having experienced a cyber attack early on, Siemens shares its own experience with energy companies. “Cyber security has long been important to Siemens, but Stuxnet really demonstrated the need to transform our cyber security operations, to build up our defenses even further.” Siemens is a diverse company with a broad geographic footprint, in 190 countries, with over 50 business units. “That global presence gives us visibility across our installed base. And, through our partnerships and participation with communities, we can quickly detect and understand what is happening around the globe.”

He stressed the importance of identifying an attack as soon as it takes place. While knowing who has launched an attack is useful, it is more important to understand the methods they used to get in, and put a strategy in place against those measures.

Simonovich commented: “The reality of WannaCry is that basic cyber hygiene could have prevented much of the damage. That’s why the first thing we tell our customers is to focus on the fundamentals and then address the more advanced issues. But you have to do both.”

He concluded: “There is no silver bullet that will protect anyone from a cyber attack. Security requires developing a strategy and sticking with it. It’s the journey not the destination.”

Simonovich: most companies face 2-3 attacks a year

The Ponemon study revealed that nearly 70 per cent of US oil and gas cyber managers said their operations have experienced at least one security compromise within the past year

Connectivity equals insight: Once connected, operators can have visibility into what is happening

