SIBERprotect Protects Industrial OT Systems with Innovative Cyber Response Solution

May 22, 2024

A cyber-attack can happen within a millisecond. Defend your operation just as fast with SIBERprotect: an automated, intelligent solution for your industrial OT operation.

By Krystie Johnston

Siemens recently introduced SIBERprotect, an automated, intelligent solution that defends critical infrastructure and OT systems in industrial settings from cyberattacks. This advanced, automatic response to cyberattacks can limit the impact of these threats by isolating and quarantining affected equipment and processes. Chuck Tommey, a digital connectivity executive with Siemens, discusses why OT systems need protection from cyberattacks and how SIBERprotect is the solution to defend your operation.

Tommey has worked in the industrial automation industry for 30 years in various control engineering positions, about half of that time using Siemens equipment such as PLCs (programmable logic controllers), HMIs (human machine interfaces), and other related equipment. He recently earned a cybersecurity master’s degree from Utica University. He also has experience piloting C-141s for the United States Air Force Reserve and C-130s for the North Carolina Air National Guard.

“For the last five years at Siemens, I have been concentrating on network architecture and cybersecurity from a digitalization perspective. Looking at what clients need to do to have a good, stable, resilient, and secure platform. And be able to implement these innovative software-type applications that are trying to get data from the plant floor. To start, we must have a network in place – and in a lot more places, touching a lot more equipment than ever before – and that is really what is driving the cybersecurity part of it,” says Tommey.

The need for cybersecurity

Today, industries are leveraging the capabilities of Industry 4.0. Also called the fourth industrial revolution, it is the integration of intelligent, digital devices into manufacturing facilities and industrial processes. It is being driven by advanced technologies such as the industrial internet of things (IIoT), artificial intelligence (AI), robotics, and automation, which produce large amounts of data. And it is precisely this data and its inherent connectivity that leaves businesses vulnerable to cyberattacks.

Over the last three decades Tommey has seen the trend towards getting more data from machines, systems, controls, and sensors on the factory floor with the goal of enhancing these processes by making them more efficient, improving quality, and making faster, more accurate decisions. He says that this direct connection with the machinery on the floor has been the goal for the last 30 plus years – and it is working. Predictive maintenance, efficient use of inventory, efficient assembly, just-in-time delivery, and improved traceability are all results of this massive undertaking.

“All these things require data, and they require accurate data,” says Tommey. “We are connecting more and more things on the plant floor to get that data automatically and accurately. And that opens us up to what we call ‘a larger attack surface.’ Because the malcontents out there, the bad guys if you will, are learning how to hold us ransom.”

Cyberattacks are present, and they present a real threat to businesses across industries. These attacks use malware, ransomware, viruses, or similar means to infect these connected systems and often cause significant losses for companies. The reported losses are not only monetary: these attacks can degrade product quality, integrity, and reputation, increasing liability and risk for companies that are attacked. It has become evident that this data is a double-edged sword.

“We really have this balancing point,” says Tommey. “On the one hand, we need that data, and we can use it to make our operations more efficient. So, we must have it. Then on the other hand, we have these people that realize, ‘You need that data. If we can keep you from getting that data, or shut you down, then we can extract money from you.’ This is where we are now from a cyber perspective.”

Finding the balance between data and security

This dilemma is also piquing the attention of various regulatory bodies such as financial institutions and environmental agencies. Tommey points out that the US Securities and Exchange Commission (SEC) is taking an interest in cybersecurity for financial reasons. The Environmental Protection Agency (EPA) is involved in cyber too, because if controls became compromised there could be consequences for the quality of air or drinking water. It seems no industry is exempt from this danger.

“And then we just have things like espionage,” says Tommey, “where foreign countries, foreign companies, are looking to find out how we are doing things well in different industries. And it is not just in the US, it is around the world. Anybody that has a special process or capability, people want to know how that works. And if you have this way in through electronic means, it makes it a lot easier and a lot safer for them to do that. There is a myriad of reasons why we really need to take cybersecurity seriously in our factories and production floors around the world.”

In recent years, attacks on operational technology (OT) have increased. Why? The internet was invented in the early 1980s and it became increasingly popular with each generation. As it matured, so did an understanding of the applications it could be used for. Tommey presents a brief overview of publicly documented cases of OT cyberattacks, starting with one of the first examples from 17 years ago.

The Aurora Experiment, or Aurora Generator Test, conducted in 2007 by the Idaho National Laboratory, demonstrated how a cyberattack could destroy physical components of the electric grid. The experiment used a computer program to rapidly open and close the diesel generator’s circuit breakers out of phase from the rest of the grid, subjecting the megawatt-sized generator to intense mechanical stresses which destroyed it within minutes. “This was the first big wakeup call that made us realize we really do need to be concerned about how we allow access, and who has access, and what they have access to,” says Tommey.

In 2010, Stuxnet was an example of a nation state attacking another nation state, where a cyberattack on an Iranian centrifuge achieved a cyber-physical result. “These were two early kinds of ‘uh-ohs!’ that made us realize, we have some issues here that we need to figure out how to shore up,” says Tommey.

And in 2017, there was an attack called “NotPetya,” which has been called “the most destructive and costly cyber-attack in history.” It impacted more than 2,300 organizations in more than 100 countries, with an estimated loss of between $10 and $11 billion to date. These examples may sound like a Hollywood movie, suspenseful and far from reality, but cyberattacks are a potential threat that must be taken seriously.

Tommey knows that not every cyberattack is going to damage power plants or cost a company billions of dollars, but he cautions that many operations are at risk from cyberattacks, be it monetary, contractual, or reputational risks. And there are ways that they can protect themselves. The first step to protecting against these threats is to look at what a company’s vulnerabilities are.

So, what can be done to protect against cyberattacks?

“When we talk to a new customer, or even an existing customer about cybersecurity, we know that those big issues out there exist. But there are a lot of little issues too. What we want to look at is what the risk is to the company. There are multiple levels of risk. The best way to approach it, for any company, is to try and identify first what all those risks might be, and then quantify what the impact will be,” he says.

For businesses that do not have a risk management process or could use support, Siemens can help navigate through this process because they understand this topic inside and out. The 176-year-old company has been at the forefront of electrification, automation and most recently, digitalization. With over 100 manufacturing facilities worldwide using Siemens’ equipment that must be protected from cyber threats, they make a good partner. “We are doing that, 24/7/365, around the world. We have a lot of experience protecting our own facilities,” says Tommey.

Siemens has a portfolio of products and solutions at their fingertips that they can recommend to customers to make their facilities more impenetrable from cyberattacks, but Tommey cautions that the most important thing is to have a plan.

“A lot of companies, especially the larger ones, have a risk management process. It starts at the board level and usually flows down from there. Cybersecurity should be considered just another risk to the company. Where you get into trouble, or start having more difficulties is, a lot of smaller companies that do not have boards or that level of management may not have that risk process in place. But we can come in and help either way and help them understand where those risks are, what they might look like to their specific company, and then help them create a plan to address them,” says Tommey.

A closer look at SIBERprotect

SIBERprotect is an exciting concept because it is Siemens’ first cyber-physical solution available for OT that is easy to use. Developed to meet the need for a rapid, real-time response to an operational cyberattack, it not only alerts you of a threat, but also automatically responds to it, dramatically limiting the impact of the attack. Its response can range from alerting the industrial site and letting the site decide how to respond, to isolating and quarantining the equipment, allowing operations to continue.

“There are a few things that are quite different and unique when it comes to SIBERprotect versus what else is available in the IT (Information Technology) world. In the IT world, they have this concept called SOAR (Security, Orchestration, Automation and Response). When you try and put this concept into the OT environment – if it is done the way IT has always done it – then it really looks like a black box to the OT people,” explains Tommey.

To provide a bit of context, IT networks store, process, and transmit data while ensuring its security and integrity, whereas OT networks monitor and control the physical machinery and industrial processes in real time, ensuring operational safety and reliability. Often, when IT is responsible for OT security, it can take hours or even days from the initial detection until an incident response is initiated. In today’s threat landscape that is much too long: ransomware could have spread throughout the whole plant. Communication between IT and OT is notoriously challenging.

“We turned this around with SIBERprotect. Now the alerts that are generated can still go to IT, and they can still have their processes and follow up on their end, but we are sending those same alerts immediately to a local PLC at the factory, on the floor. The operators receive an immediate alert that says, ‘Something is amiss.’ And we tell them exactly what has been detected, where it is in the plant based on the IP address, and what the severity is that has been assigned by the detection system,” says Tommey.

“And that is an important thing too, is that we have some detection software ourselves at Siemens, but we will work with any industry standard threat detection software; an intrusion detection system, a next generation firewall, a SIEM (Security Information and Event Management) system,” explains Tommey.

“Any of these things can detect what are either signature-based detection systems, like your antivirus type, that looks like a piece of malware that is flowing across the wire, or anomaly-based detection systems which will flag that can be investigated to make sure it is not something wrong,” he continues.

“Each of these systems will send what we call a syslog message, a common industry standard format, and once processed inside the PLC, it can parse what the alert is to determine what the severity is and identify where it is based on the IP address. This information is then immediately available to the operators in the plant. With SIBERprotect, operators now get immediate notification, versus what could be hours to days using the traditional kind of IT way,” explains Tommey.

“The second thing, which is even more interesting and good for the OT side, in our opinion, is that we can do something about it. We can react to that detection. Using, in our case, Siemens security appliances that have a firewall, we can implement two different firewall rule sets, one for normal operations and one for what we would call ‘quarantine status.’ So, if we want to completely cut off access to an area, or we want to leave one protocol available so that they can still run the plant – but not all the additional protocols that would normally be required to maintain the plant and monitor things – we have those two sets predefined,” says Tommey.

“And this is done within a second or two of the initial detection. Which, in a ransomware infestation, can be the difference between one or two machines being encrypted and the whole plant being encrypted. We may get it to the point where your recovery is down to a day or less versus – and you may even be able to maintain operations during that time in other areas of the plant or maybe as a whole – the whole plant going down for weeks to a month to reinstall and requalify all the lines,” says Tommey.

“The two main ideas behind SIBERprotect are immediate notification and immediate action. A third idea that is also interesting is that when you detect a threat the IT way, it is only about the data they see across the network. When we do it with SIBERprotect on the OT side, with the PLC as your decision engine, we can monitor the process and change our response in relation to the status of the process or the manufacturing machine.

“There are lots of things that we can do from a controller’s perspective that the IT side typically would never know how to do, or even really think about doing. That is why we say it is a very OT-centric or OT-friendly way to implement an intrusion prevention system,” he adds.

SIBERprotect is a new concept from Siemens that protects a machine or process at the device level, at the speed of the machine. It revolutionizes the ability for operational technology to detect and respond to an incoming cybersecurity threat by providing flexibility in how it responds. And it works with industry standard threat detection software, making it as simple as possible to implement into existing facilities today.
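The alert-handling flow Tommey describes (a syslog alert arrives, severity and source IP are parsed out, and the firewall is switched between a normal and a quarantine rule set) can be sketched as follows. This is an added illustration, not Siemens code or SIBERprotect's actual logic: the `src=` field, the zone subnets, the severity threshold and all function names are assumptions, and the sample alerts are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed zone map (assumption): plant cell -> subnet behind one firewall.
ZONES = {
    "packaging-cell": ipaddress.ip_network("10.20.1.0/24"),
    "mixing-cell": ipaddress.ip_network("10.20.2.0/24"),
}
# Syslog severities run 0 (emergency) to 7 (debug); lower is more severe.
QUARANTINE_AT_OR_BELOW = 3  # assumed threshold: emergency..error

PRI_RE = re.compile(r"^<(\d{1,3})>")
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")  # assumed field name

@dataclass
class Decision:
    severity: int
    source_ip: str
    zone: Optional[str]
    rule_set: str  # "normal" or "quarantine"

def parse_alert(line: str):
    """Return (severity, source address) or raise ValueError on a malformed alert."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        raise ValueError("missing or invalid syslog PRI")
    src = SRC_RE.search(line)
    if not src:
        raise ValueError("alert carries no src= address")
    # ip_address() rejects out-of-range octets such as 999.1.1.1
    return int(m.group(1)) % 8, ipaddress.ip_address(src.group(1))

def decide(line: str) -> Decision:
    severity, ip = parse_alert(line)
    zone = next((name for name, net in ZONES.items() if ip in net), None)
    # Switch rule sets only for a zone we control; anything else stays notify-only.
    quarantine = zone is not None and severity <= QUARANTINE_AT_OR_BELOW
    return Decision(severity, str(ip), zone, "quarantine" if quarantine else "normal")

# Constructed sample alerts (not real detector output).
SAMPLE_ALERTS = [
    "<129>May 22 10:15:02 ids01 signature match src=10.20.1.15 dst=10.20.1.40",
    "<134>May 22 10:16:40 ids01 new device seen src=10.20.2.77",
    "<130>May 22 10:17:05 fw01 blocked scan src=192.168.50.9",
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(decide(alert))
```

A malformed alert raises `ValueError` rather than producing a decision, so the caller chooses explicitly whether an unparseable message is notify-only or treated as suspicious.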
