
Energy Industry Times July 2017

fundamentals? Have you transformed their security environment? We then look at how to begin monitoring and detection – smartly, aligned with the business objectives and priorities. By monitoring in blocks, based on where the risk is and the customer’s assets prioritisation, we can come up with a smart strategy for connectivity, monitoring and response.

Simonovich noted: “Technology will not solve the problem on its own. A holistic approach designs the right kind of strategy that technology supports. In a world where you have a decentralised operating model, in which asset owners rely on third parties to provide their operation and their IT, the weakest link can be the cause of a major incident. We look to play a critical role in helping to ‘lift the middle’ and address weak points head on.”

“Lifting the middle” is becoming an increasingly important business, especially given the increasing prevalence of distributed energy.

“Our customers know that cyber security is a major imperative and that they need to be proactive,” said Simonovich. “They know we are here to help them in times of need. But it is important for them to be proactive in building up their defence measures. We can

Special Supplement

Simonovich noted, the Ukraine attacks affected different parts of the value chain. “To be able to detect an attack that is happening in the utility environment, you have to know what is normal, which is based on how your assets are performing. You have to be able to do security analytics at the asset level, the SCADA level and the network level. When you can do all three at the same time, you have true insight. At Siemens, we know this from experience,” he said.

“Global companies are looking for 24/7 coverage, including OT dedicated monitoring,” Simonovich noted. “You can’t simply drop IT solutions into the OT environment. The protocols are not standard.
Engineering specifically for OT means you can follow customer needs and deploy tools – everything from intelligence, to network monitoring to anomaly detection – in order to quickly detect and stop attacks from happening.”

He added: “Combining the asset-level data with network-level data means customers can gain deep insights into the behaviour of their assets across the value chain as well as down the technology stack.”

In a move to bring cutting-edge cyber defence for OT to electric utilities and the oil and gas industry, Siemens recently entered into a strategic partnership with Darktrace, a leading machine learning company for cyber security.

Both companies bring specific expertise to the partnership. As an industrial technology provider, Siemens has an inherent and holistic understanding of how to manage business risk by minimising cyber risks in complex operating environments. It brings deep domain know-how and solutions for OT cyber, including security program design, security lifecycle management, plant security monitoring, and incident response.

Leveraging advances in machine learning and probabilistic mathematics, Darktrace’s Industrial Immune System platform can detect and remediate in-progress cyber threats at their nascent stages. By learning the ‘pattern of life’ for every network, device, and user across both OT and IT networks, the companies claim the Artificial Intelligence (AI) algorithms can identify and automatically take action against emerging attacks that other tools miss. Simonovich commented: “We’re very excited about teaming with Darktrace. Together we can help detect attacks like WannaCry well in advance and stop them.”

In addition to delivering cutting-edge technology, Simonovich says utilities want “first line of defence measures”. The industry, he says, is facing a perfect storm: although digitally connected, it has not yet addressed many fundamentals.
“Customers are looking for partners to help them navigate along their cyber journey – build a strategy that addresses foundational issues such as cyber asset management, vulnerability management and monitoring solutions.”

When building a cyber security programme, the first step is usually to assess where the utility or organisation is on the maturity curve. Simonovich explained: “The first thing I ask a customer is: Do you have a strategy? Have you dealt with the

THE ENERGY INDUSTRY TIMES - AUGUST 2017

It is critical to think about what data needs to travel where

A more proactive approach

A shift in the approach to cyber security is taking place in the power generation sector, particularly as more sophisticated cyber threats are uncovered. While traditional cyber security offerings based on a collect-and-report model are still in use, more proactive approaches to information gathering, usage and reporting are also being deployed to enable advanced analytic capabilities and interactive reporting. In addition, these new approaches allow for tailoring the exact scope of the data gathering and analysis to meet the needs of the customer.

The drivers for these changes are primarily the same, regardless of the region where the power generation assets are operated. Regulations and standards, as well as a desire for more tailored cyber security solutions were the common requirements for the new concepts.

For example, in the US, this change is partially driven by the newer industry standards, such as those set forth by the North American Electric Reliability Corporation (NERC) with the Critical Infrastructure Protection (CIP) V6 rule. Prior revisions of standards like NERC’s focused more heavily on becoming compliant as an end goal, whereas newer revisions consider compliance the starting point, and focus on staying compliant.
But regardless of whether the customer follows CIP, VGB PowerTech, National Institute of Standards and Technology (NIST), National Electronic Security Authority of the United Arab Emirates (NESA), or other industry standards: the old way of doing things is based around the idea of ‘getting to compliance’, whereas the new requirement is focused on ‘living in compliance’.

To address this new paradigm, Siemens has developed its cyber security offerings to the energy industry in a central monitoring, alerting and reporting system concept called Cyber Security Center (CSC). Using industry standard tools and processes, the Siemens Cyber Security Center meets the requirements of a modern cyber monitoring system by combining Security Configuration Change Management (SCCM), Security Intrusion Event Monitoring (SIEM), a Network Intrusion Detection System (NIDS) and an advanced dashboard.

In addition to creating a “single-pane-of-glass” view of the cyber solution, the CSC also provides the ability to review the gathered information in a variety of channels. The central dashboard resides within the DCS itself. It can be made visible within the SPPA-T3000 control system’s workbench as a standard HMI graphic. And, it can be accessed from both the plant DMZ and the customer OT/IT security teams via the corporate network, all controlled by the customer’s security staff.

A major US utility customer was the first to deploy the CSC solution in the US market. Their cyber analysts met with Siemens during the Customer Factory Acceptance Test and spent several days going over the product in great detail, resulting in a number of customisations to the dashboards and reporting capabilities to meet their specific internal requirements. Later, during site integration and testing, the utility’s resident site security engineer spent several more days testing and evaluating the product using actual data being generated by the power plant.
Further customisations were made to fine-tune the output. At the end of the project, the entire solution was copied off and merged into a template so that it could be installed by the utility on future projects.

The utility’s cyber experts are required to monitor and review daily the logs generated by the CSC, and any incidents are captured, reported on and mitigated as quickly as possible. Their approach to making the CSC dashboard directly visible to their resident site security engineer guarantees that they can do their job without having to constantly walk out to the DCS and review the logs locally. Additionally, in the event they are off-site or working remotely for any reason, these same dashboards can be accessed from any location.

This tailored approach is central to the product development strategy for Siemens’ cyber offerings, not only for the current portfolio, but for the future as well. Each iteration of the CSC is representative of a phased approach whereby each phase builds upon the last to enrich the value of the offering. For example, Phase 1 was simply designed to meet the requirements of the regulatory market; Phase 2 updated offerings to be more flexible in meeting each customer’s individual requirements; and Phase 3 extends the solutions beyond the Siemens products to meet all of the customers’ needs in the OT cyber space.

To do this Siemens is partnering with a number of top-tier technology providers to create a vendor-agnostic, solution-specific cyber offering that customers can deploy across their entire fleet, regardless of vendors or specific products. Tackling headache-inducing topics such as cyber asset management, network intrusion detection, vulnerability auditing and reporting, and multi-tiered risk assessments, Siemens is acting as the integrator and solution provider for these technologies, as well as providing a Managed Security Services offering to help customers who need assistance in the OT Cyber environment.

