NSCG

Securing the Future: Industrial Cybersecurity in a Connected World

Jerome Bull | 10 July 2025

Cybersecurity is getting a lot more public coverage recently, with several well-known companies experiencing cyberattacks, notably Marks & Spencer, Co-op and Harrods to name a few. It’s therefore increasingly recognised as a priority for businesses across all sectors, including critical industries and infrastructure, where downtime carries huge costs, causes reputational damage and ultimately hits the bottom line.

Jerome Bull talked to Ben Caley, Product Manager for Industrial Communications and Cybersecurity at Siemens Digital Industries, who addressed several questions about industrial cybersecurity.


1. What is the cyber threat for industrial sector businesses and why has it evolved?

One of the interesting things about industrial cybersecurity, as opposed to IT or information cybersecurity, is that we’re in a rapidly changing landscape of industrial systems now. Historically, the industrial systems that you might find in a factory or a water treatment works would have been isolated from the outside world. They would have been standalone systems which did what they needed to do, but there was no historic requirement for these systems to talk to each other or to get data out of them.

That’s changed massively over the last few years and it’s a change which is going to continue. This change is the fact that we now want to get data out of our industrial assets, whether that’s for condition-based monitoring or return on investment calculations, or it might be for remote access. There are loads of good reasons that people want to get data in and out of their industrial assets.

But the challenge that this brings from a cybersecurity perspective is that every connection in or out of these industrial systems increases the attack surface; it’s basically giving attackers more ways into our systems for a cyber-attack. Therefore, the trajectory of digitalisation/Industry 4.0, which can yield huge benefits for business, also brings risk. And our message at Siemens is, please don’t use cyber as a reason not to embrace digitalisation and new digital technologies, but make sure that cybersecurity is baked in from the start. Because if you do it from the start, you’ll end up with a system that’s not only got all those benefits, but will also be secure.

And there’s data that backs this up: the trend in the number of attacks specifically aimed at industrial systems and manufacturing is growing exponentially. The numbers are quite shocking. The latest numbers we’ve got access to are a few years old, but they suggest that over 60% of smart factories, i.e. factories with some sort of connected asset, have experienced some sort of cyber-attack. And over a third of all cyber-attacks are happening in manufacturing. This was a few years ago, and that’s almost certainly going to be a higher number now.

2. What are the other cybersecurity trends or themes that you’re seeing across industrial sector markets?

As well as the digitalisation trend, which is making cybersecurity more and more of a challenge for lots of companies, we’ve also got trends around a skills shortage and skills gap. That’s something that leaders of all businesses need to be considering, because we’ve got a perfect storm in the engineering world. It’s well known that there are big skill shortages when it comes to industrial engineers and people who have the right knowledge to keep factories and other industrial plants going, but what we’re needing in the future is people with all of those skills, plus the knowledge of how to secure those systems and the knowledge of cybersecurity. Those people are hard to get hold of.

The other big trend we’re seeing is the shift in legislation, which is being rolled out across the globe. There’s a big focus on Europe now because they’re right in the middle of some brand-new legislation, in the last few months and coming up over the next couple of years. But we are also going to see it in the UK. Whilst we’re a little bit behind some of the rest of the world, we have had announcements of cyber resilience legislation that’s going to impact the UK as well. And that’s making people think about cybersecurity in a fundamentally different way. A few years ago, it was thought of as a nice-to-have for most industrial businesses, and it was the more future-looking, proactive businesses that were really engaging in the topic. With the legislation coming down the line, nobody is going to be able to escape it; everybody’s going to have to focus on cybersecurity just like they do with safety now. You wouldn’t imagine going into a factory or an industrial plant where safety wasn’t one of the top priorities of the Board. Well, that’s going to have to be the same with cybersecurity in the future. And that’s one of the reasons that all this legislation is coming into play.

Now, while those are some of the big macro trends in industrial cybersecurity, the impact of these trends is interesting. One of the biggest ones is ransomware; what we mean by ransomware is a type of attack where a system is basically rendered useless: somebody gets into your system, plants some malware and stops the system from functioning. For a lot of factories, this is their worst nightmare because things can’t flow out of the end of the factory, i.e. conveyor belts stop working, robotic arms stop working and nothing can be produced anymore. Cyber attackers know that manufacturers are sensitive to that. They know that their business model is getting things out of the door on time and, in a lot of cases, through 24/7 production. They know that this type of attack gets manufacturers where it hurts, so over 70% of ransomware attacks occur in manufacturing. And it’s not just because they know it’s where it hurts. We’re also, unfortunately, often using very old systems in manufacturing, and that makes companies even more vulnerable to this type of attack.

Another big trend we saw was off the back of COVID, where industrial systems had an awful lot of remote access slapped on them so that people could do their engineering tasks from home and diagnose things when they couldn’t physically go into a factory. That was often done in a rush and in a bit of a haphazard way, which means that these remote access systems are still live and still working in a lot of industrial facilities. But they’re effectively punching holes straight through all the cyber defences, because these remote access systems can tunnel through all the different layers to sensitive assets. In this respect, the rush for remote access, and the fact that it was done in this slightly panic-stricken state, is also leading to a lot of unnecessary cyber incidents.

3. What are the key questions companies should be asking to understand and evaluate cyber risk across their operations and connected assets?

One of the first things you need to know is: will this legislation that’s coming around the corner affect you one way or another? Where you sit in a supply chain will be part of that answer: whether you’re somebody who is operating an industrial plant, somebody who’s supplying machinery into that, or maybe somebody who’s supplying lower-level technology like PCs or software, for example.

Where you sit in that supply chain will affect whether this legislation applies to you, but so will where your customers sit. If you’re supplying into Europe, you’ll have to look at European legislation; if you’re supplying into America, you’ll have to look at American legislation, etc. The reason I say that’s one of the first things to look at is that it will set you on a certain path as to how stringent your cybersecurity needs to be within your facility. So, legislation is one way to look at it.

Another way to look at it is to do with the risk to your business itself. You’re going to have to abide by international and local law, but you should also really be thinking of cybersecurity as a significant business risk, i.e. if you’ve got a factory that can’t produce anymore, what effect is that going to have on your bottom line? But there are lots of other risks to consider, things like: what would the reputational damage be of a cyber-attack, what could happen if your intellectual property was stolen, or the recipes were stolen out of your food and beverage plant? In some cases, businesses are holding intellectual property on behalf of third parties; maybe your customers are trusting you with sensitive data. What would be the impact of a cyber-attack affecting that as well? So, the first step is to understand what those risks are, and that will help you decide how much you need to protect your plant, a little bit like you’d assess any sort of risk in business.

So, that would be the first step. Then you need to think about what you’re going to do to protect yourself. This is where you really need to understand your equipment and your facilities as step one: you can’t protect something if you don’t know it’s there, and in an awful lot of manufacturing and industrial plants, these facilities grow and evolve over many years. It’s shocking how often people don’t understand the equipment that they’ve got on their shop floor that’s making their plant work. The first thing we say is find out what your asset base is, do a full inventory of everything that you’ve got, and then you can start making some smart decisions about where to put your effort. Because, if you start making assumptions about where your weak points are, you’ll quite often be looking in the wrong places. You really need to zoom out, look at what you’ve got, assess that risk, do an assessment. And then you can start to say, OK, where should my priorities be?

And that brings us on to the final point on this: doing an assessment up front and giving yourself a long ‘to do’ list is all well and good, but cybersecurity absolutely must be a cyclical process where you’re building this into your day-to-day operations. Whilst you need to start with an assessment, that’s not going to be enough. It needs to then become business as usual afterwards as well.
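The two points above, that you can’t protect what you don’t know you have and that rushed remote access tunnels straight through the layers to sensitive assets, can be turned into a concrete first check. The script below is an added example, not code from the article or from Siemens: it reconciles a declared asset register against devices seen passively on the plant network, lists hosts that are missing from the register, and ranks plant hosts by how exposed they are. The asset register, the vendor OUI prefixes, the plant address range (10.10.0.0/16) and the traffic summary are all constructed for the example; in practice the flows would come from a span port or a passive OT monitoring tool.

```python
"""Reconcile an OT asset register against passively observed network flows.

Added example for illustration; not the article's or Siemens' own code.
All data below (asset register, OUI table, address range, flows) is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed: the plant's documented asset register, keyed by IP address.
DECLARED_ASSETS = {
    "10.10.1.10": {"name": "PLC-LINE1", "role": "plc", "owner": "Line 1 engineering"},
    "10.10.1.11": {"name": "HMI-LINE1", "role": "hmi", "owner": "Line 1 engineering"},
    "10.10.2.20": {"name": "HIST-01", "role": "historian", "owner": "OT IT"},
}

# Constructed OUI prefixes (real ones are published by the IEEE; these are made up).
OUI_VENDORS = {"00:1b:1b": "ExamplePLC", "00:0e:8c": "ExampleHMI", "08:00:27": "ExampleVM"}

# Constructed address space of the plant network; anything else is "outside".
PLANT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed flow summary: (src_ip, src_mac, dst_ip, dst_port, protocol label).
OBSERVED_FLOWS = [
    ("10.10.1.11", "00:0e:8c:aa:bb:01", "10.10.1.10", 102, "s7comm"),
    ("10.10.2.20", "08:00:27:11:22:33", "10.10.1.10", 102, "s7comm"),
    ("10.10.1.50", "08:00:27:44:55:66", "10.10.1.10", 502, "modbus"),  # undocumented host talking to the PLC
    ("203.0.113.7", "00:00:00:00:00:00", "10.10.1.50", 3389, "rdp"),  # outside host reaching into the plant
    ("10.10.1.50", "08:00:27:44:55:66", "10.10.1.11", 5900, "vnc"),
]

INDUSTRIAL_PROTOCOLS = {"s7comm", "modbus"}
REMOTE_ACCESS_PROTOCOLS = {"rdp", "vnc", "ssh", "teamviewer"}


@dataclass
class Asset:
    ip: str
    name: str = "UNDOCUMENTED"
    documented: bool = False
    macs: set = field(default_factory=set)
    vendors: set = field(default_factory=set)
    protocols: set = field(default_factory=set)          # protocols seen to or from this host
    peers: set = field(default_factory=set)              # IPs it exchanges traffic with
    external_inbound: set = field(default_factory=set)   # non-plant sources that reached it


def _is_plant(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_NETWORKS)


def build_inventory(flows, declared, oui):
    """Merge every host seen in the flows with the register; unknown hosts get a placeholder."""
    inv = {}

    def get(ip):
        if ip not in inv:
            d = declared.get(ip)
            inv[ip] = Asset(ip=ip, name=d["name"], documented=True) if d else Asset(ip=ip)
        return inv[ip]

    for src, mac, dst, _port, proto in flows:
        s, d = get(src), get(dst)
        s.macs.add(mac)
        s.vendors.add(oui.get(mac[:8].lower(), "unknown"))
        s.protocols.add(proto)
        d.protocols.add(proto)
        s.peers.add(dst)
        d.peers.add(src)
        if not _is_plant(src) and _is_plant(dst):
            d.external_inbound.add(src)   # the "hole punched through the layers"
    return inv


def undocumented(inv):
    """Plant hosts that carry traffic but are absent from the asset register."""
    return sorted(ip for ip, a in inv.items() if not a.documented and _is_plant(ip))


def prioritise(inv, declared):
    """Rank plant hosts by exposure; returns (score, ip, name, reasons), highest first."""
    plc_ips = {ip for ip, d in declared.items() if d["role"] == "plc"}
    ranked = []
    for ip, a in inv.items():
        if not _is_plant(ip):
            continue  # outside hosts appear as peers, not as plant assets
        score, reasons = 0, []
        if not a.documented:
            score += 3; reasons.append("not in asset register")
        if ip not in plc_ips and a.peers & plc_ips and a.protocols & INDUSTRIAL_PROTOCOLS:
            score += 2; reasons.append("speaks an industrial protocol to a PLC")
        if a.external_inbound:
            score += 4; reasons.append("reached from outside the plant: " + ", ".join(sorted(a.external_inbound)))
        if a.protocols & REMOTE_ACCESS_PROTOCOLS:
            score += 1; reasons.append("remote-access protocol seen")
        if any(p in inv and not inv[p].documented and _is_plant(p) for p in a.peers):
            score += 1; reasons.append("talks to an undocumented host")
        ranked.append((score, ip, a.name, reasons))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    inventory = build_inventory(OBSERVED_FLOWS, DECLARED_ASSETS, OUI_VENDORS)
    print("Undocumented plant hosts:", undocumented(inventory))
    for score, ip, name, reasons in prioritise(inventory, DECLARED_ASSETS):
        print(f"{score:2d}  {ip:<12} {name:<14} {'; '.join(reasons)}")
```

On the constructed data the undocumented host 10.10.1.50 lands at the top: it is absent from the register, speaks Modbus to the line PLC, and is reachable over RDP from an address outside the plant, which is exactly the kind of leftover remote access described above. The scoring weights are an assumption for the example; the point is that the ranking comes from observed facts rather than from guesses about where the weak points are.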

4. What are the latest regulations or standards guiding industrial sector businesses from a cyber perspective?

There are regulations pretty much across the world at different levels of adoption. There are regulations in the US, something called NERC-CIP, and there are regulations in Asia and China. I’ll focus on the EU because it’s probably the most relevant for the UK now.

We’re a little bit behind the curve with our Cyber Resilience Bill in the UK. Our Cyber Resilience Bill was announced in The King’s Speech in 2024 and is currently out for consultation. So, it’s out with industry to get input on whether it should be edited or tweaked before it goes into legislation. Essentially, it’s on the way, but it’s still a bit up in the air as to when it’s going to land and what it’s going to look like when it’s finished.

But what we do know is the EU stuff, and it’s looking like the UK Cyber Resilience Bill will be closely aligned with the EU. From our point of view that is a good thing, because it means that the people working in the UK and trading with Europe are only really looking at aligning with one set of standards.

So, let’s have a look at the EU legislation then. There are three main bits of regulation which people should be aware of in the EU. The first one is something called NIS2; this is aimed at people who are operating industrial assets, so manufacturing sites, for example, water treatment works and things like this. It’s called NIS2 because it’s the second iteration of a directive which has been around for a while, the NIS directive. This is all about how people who are running these industrial assets need to consider cybersecurity during that life cycle.

But if you’re supplying into those end users, i.e. you’re a machine builder or you’re a system integrator who’s in that supply chain, you will have obligations as well. Your end customers will be asking you to meet requirements so that they tick their box for this too. That went into law in October 2024, so it’s live already. We’re currently in a grace period where it’s not biting everybody yet, but there’s a bit of a scramble in Europe to become compliant. It’s a really big topic for them now.

The second is all to do with machines. It’s called the EU Machinery Regulation, and it’s going to be most relevant to machine builders: people who build bits of packaged plant that then end up in a factory. The reason that machine builders are going to be so interested in this is that nearly every machine builder will want to place a CE mark on that machine so that they can sell it in Europe and elsewhere. A CE mark is obviously a mark of quality and that you’ve hit all the correct safety standards. By placing a CE mark on that machine, the people buying it know that you’ve done all the right stuff. What is changing with this machinery regulation is that, in the future, you won’t be able to CE mark a machine if you don’t also consider cybersecurity.

And likewise, there’s a third piece of legislation called the Cyber Resilience Act, or the CRA. And that’s a very similar story. It’s more about the individual components which then make up a system, but it’s all about CE marking again, and that’s where it’s going to really hit home for people. All this legislation is out there, but really, if you’re a machine builder who wants to place a CE mark on a machine, this is going to be a showstopper. It’s all to do with the declarations of conformity, and it gets quite technical. But for you to legally sell these machines in the EU and the UK (because we’re almost certain that CE is going to carry on living in the UK as well), this is going to be super, super critical.

So there’s quite a lot, and it’s quite complicated, quite dry and a little bit confusing sometimes. I’ve just gone into the detail of the EU stuff; as I mentioned, there’s also stuff going on across the globe.

What you really want is one way of aligning with all this different legislation and all these different requirements across the globe. For big companies like Siemens, that’s even more important because we operate in all these different regions, and we can’t have a factory in one region compliant with one regulation and another one on the other side of the world that’s not. What we’ve done is align on an international standard across all our factories and across all our products, which is pointed at by all these different regulations.

The standard is an IEC standard; it’s called IEC 62443. If anybody’s going to take one thing away from all this talk of standards and regulations, have a look at IEC 62443, because it will align you on the big topics whether it’s the UK, the EU or elsewhere. We’ve gone all in on this standard at Siemens: we’ve designed our factories to it, we’ve designed our products to it, we’ve gone out and got certification. We very much think it’s the way to go.

If anybody’s wondering where to start with this big topic of regulations and standards, the first thing is to work out which regulations will be relevant to you, and, secondly, have a look at IEC 62443 because it’s probably going to make your life a lot easier.

5. What does industry need to do to adapt and adopt in the face of evolving cybersecurity landscape?

Cybersecurity needs to become part of day-to-day business. It’s important that the way security, and industrial security in particular, is handled within a business isn’t treated differently to any other sort of risk management. If you’ve got a system that works, make this part of that system rather than having something off on its own, which is a little bit difficult and a little bit complicated, and therefore might get forgotten about.

You need people who are responsible for it, so you need that buy-in and responsibility at a senior level. You need Board-level responsibility for this topic, and when this regulation starts to bite, I think the Board will start thinking in this way in most companies, because the size of the fines that you could potentially get are eye-watering, and you could potentially end up in court as well because of the safety implications. I’ve not mentioned this yet, but one of the biggest differences between industrial security and the cybersecurity of IT systems is the potential impact if somebody could lose their life or get very seriously hurt in an industrial accident because of a cyber-attack. The HSE and all the other relevant government bodies are very aware of this. If a safety incident were to happen on site, you will now get investigated from a cybersecurity point of view, as well as a health and safety point of view.

You need that buy-in at Board level, but you also need people within the business to understand their impact when it comes to cybersecurity. We always say there are three important pillars to any secure system. It’s a bit like a three-legged stool: if you don’t have all three of equal length and equal strength, you’re going to topple over.

First is technology, and this is where a lot of people are drawn to. To begin with, they like to throw technology at the problem as a kind of ‘silver bullet’. You need technology: you need anti-malware software, you need firewalls, you need surveillance systems, etc. There’s loads of good stuff out there for that, and it’s really important. But you also need the policies, processes and business procedures to back that up. It needs to be built into day-to-day business, driven by the people. Therefore, the three pillars are technology, people and processes.

And we often find that industrial security isn’t given the same weighting as information security. An awful lot of companies will get every employee to do some sort of cybersecurity training online once a year to make sure that they’re not clicking on phishing emails and their passwords are strong enough, which is all good. But nobody’s training the people on their factory floors to do the same stuff with those industrial assets. It’s just not thought about in the same way. Getting the people who are interacting with that industrial equipment to understand what impact they could have at a cybersecurity level is really important, because people are often the weakest link in the chain. It’s sometimes malicious, but in most cases it’s not malicious; it’s somebody not realising the impact of charging their phone on the side of a PC that’s on the factory floor.

6. What are the key leadership considerations when addressing cybersecurity? Is it still seen as a ‘technical issue’?

It’s empowering people and making them aware of the impact they can have. For example, a shopfloor operator probably sees no connection between what they do every day and a cybersecurity attack, but they could potentially be the weak link in that chain. Ensuring that everybody is aware and has their eyes open to the potential impact they could have is crucial.

And training is probably the place to start with that. It needs to end up in culture and business as usual. But starting off by opening people’s eyes through dedicated training is important.

It also needs to be a regular thing, because cyber-attacks change; the way that attackers target systems changes over time. It’s not something that you can throw in once every five years and tick a box. It’s something that you really do need to build into a learning programme for everybody, every year.

Developing a culture of accountability at the top, but also at the engineering level and the operator level, is really important.
