Siemens Energy is a global technology leader, primarily focused on electrification, automation and digitalisation. It is one of the world’s largest producers of energy-efficient, resource-saving technologies and is a leading supplier of systems of power generation and transmission as well as renewables.
In 2017, Siemens Energy partnered with Tenable, the world’s first Cyber Exposure company, to help energy, utilities and oil and gas companies to close the industry readiness gap bridging IT and OT. With the risk of cyberattacks ever-increasing, Siemens Energy and Tenable collaborated to help customers gain a better understanding of where their OT assets may be vulnerable and delivered the service to allow companies to secure and protect their critical OT environment. Since the acquisition of Indegy in 2019, Tenable has extended its depth of OT expertise and intelligence, and breadth of OT-specific capabilities from vulnerability management to asset inventory, configuration management and threat detection. The recent launch of Tenable.OT 3.7 is testament to Tenable’s continued product innovation, providing customers with unmatched visibility and control to secure IT assets alongside OT systems and reduce their cyber risk in converged, modern environments.
“The energy sector is undergoing a digital revolution at an unprecedented rate driven by user demand for transparency and renewable energy. This all comes at a time when connectivity has become essential to continue operations as global and local travel has come to an abrupt halt” says Mex Martinot Vice President and Head of Asia, Industrial Cyber and Digital Security. “This rapid adoption of digital solutions and urgent need for connectivity to enable remote management and maintenance increases the exposure to the growing cyber threats and recent uptick in targeted attacks.” Considering the small number of countries in Asia with a strict cybersecurity mandate, many organisations do not have a mature cyber program in place yet.” Cybersecurity must be part and partial of the transformation as it continues to evolve.
Richard Bussiere is a Technical Director at Tenable APAC and has been with the organisation since 2013. Bussiere recognises the importance of his organisation’s partnership with Siemens Energy. “Technology and services work hand in glove. By partnering with a company such as Siemens Energy, we’re combining our leading OT security solutions with their domain expertise and operational know-how to maximise the customer experience. It’s important we have a symbiotic relationship with a company like Siemens Energy,” he affirms.
Mex recognises that in the case of his organisation, there is a need for a partner ecosystem to best drive a long term beneficial outcome for our customers. “Siemens Energy’s strategy is to deliver services tailored to our client’s needs and leverage best in breed technology vendors to achieve this goal,” he explains. “There is no point in reinventing the wheel when there are companies such as Tenable whose entire business is to perfect their technology and continue to innovate.” Siemens Energy frequently collaborates with Tenable to drive compliance and reduce potential production impact on the plant by harnessing technology to mitigate or resolve potential issues.
“Good partnerships don’t just come out of thin air, ” says Mex Martinot, Vice President and Head of Asia, Industrial Cyber and Digital Security. “A strategic alliance is carefully selected based on the suitability to meet the technical needs for Siemens Energy to deliver a service which meets our clients desired outcome. The technology also needs to be flexible for us to co-develop or tailor the tools to be adopted in Siemens Energy’s Cyber Security solutions; such as our Managed Detection & Response service. On the other hand, it’s important that the goal of both companies align and there is an eagerness to build a joint strategy. We found that Siemens Energy and Tenable are strategically aligned to jointly go to market complimenting the significant mutual presence in Asia. With Siemens Energy’s long-standing client relationships and deep understanding of the unique requirements, together with Tenable’ s leading technology, we can really help secure the rapid digital transformation the energy sector is going through in Asia.
“Digital transformation within critical infrastructure means that the days of fully air-gapped OT assets are largely gone to increase efficiency and efficacy. This is not without risk,” adds Bussiere. “The interconnectedness of digital infrastructure today means the security of IT directly impacts OT, and vice versa due to an expanded attack surface. Without a single, unified view into converged IT/OT environments, CISOs are basically being asked to defend their organisations blindfolded and with one arm tied behind their backs. It’s an inadequate cyber strategy, and it places the business at serious risk. A lot of the investments that Tenable has made over the past three to four years have revolved around enabling our customers to see and secure any digital asset on any computing platform to thrive in today’s digital economy.”
With a wide digital portfolio at its disposal, Siemens Energy has consolidated some of its services to ensure everything works as intended and allow its clients’ voices to be heard. “It’s important that we ask our customers: what are the key aspects that you’re hoping to achieve? Cyber is an important component,” says Martinot. “As the Energy sector is going through a digital revolution it’s
As you’re transforming your environment to become more digital, you automatically increase the vulnerability of the service, whereas, cyber is the component that allows you to carry on expanding. A lot of the digital transformation was around optimisation and being more efficient. We want less of a carbon footprint and have a lower operating cost which translates to less downtime and higher safety.”
A common misunderstanding is that simply implementing technology solutions will protect the environment from cyber threats. Though having technology in place is an integral part of defending from cyber-attacks, it also requires the right strategy, implementation, ongoing monitoring and continued optimisation by a cybersecurity specialist who can contextualise the indicators and take appropriate actions. Finding this niche specialised OT Cyber skill in Asia is not an easy feat. It’s well known that globally there is a growing gap in cyber talent due to the increasing demand for such skill. This is even more significant in the OT sector as this specialised skill is even harder to come by because it requires both OT and cyber experience. In Asia, we have noticed that the experienced OT cyber skilled individuals often move overseas for more lucrative opportunities. We address this gap ourselves by upscaling our DCS engineers through intensive training programs and shadowing our Cyber specialists on the job. A great example of this is the growing number of Tenable.OT implementation engineers being certified every year. Siemens Energy is also first in Asia with a Tenable.OT & Tenable.SC combined certification addressing the IT&OT convergence. This initiative gives us access to a growing pool of OT Cyber talent distributed across the countries in Asia. This allows us to fulfil our client’s skill gap at scale by leveraging our pool of OT Cyber specialists while delivering with a personal and local touch.
In his role, Bussiere has witnessed first-hand the trend in IT/OT convergence and how it has transformed. “In the past, OT environments were protected because they were isolated from everything else with strict controls to prevent any kind of external connections to the networks,” he says. “However, over time, the air gap has become defused. Industry 4.0 is bringing the worlds of IT and OT together at an accelerated rate. This results in more IT devices being connected to or living in OT environments, sometimes without the organisation, even knowing. However, the simple fact that these devices are being placed in the OT environment and are concurrently linked to external networks, and the internet is exposing the environment to significantly more risk than ever before.”
Bussiere points out the biggest threats impacting OT environments today is this convergence of IT and OT. “Within an OT environment, the lifecycle of equipment is significantly longer than within an IT environment,” he explains. “With IT, it’s usually around five years, while OT is often up to 30 years. There is also a reluctance to patch devices that live within an OT environment. This is because it may be disruptive, and there could be downtime. However, the risk is that you end up with a dangerous mix of obsolete software - including IT and OT - and this risk only increases as IT/OT convergence accelerates.” Bussiere explains what the OT environment currently looks like in 2020 and the latest trends of attacks against operational technology. “There’s a trend towards adversaries targeting IT devices resident within OT environments. Once ransomware hits workstations, plant operators are rendered blind to the operation of the plant and have to resort to a complete shutdown. This results in an expensive outage to the business. More attention should be paid to interconnected IT and OT devices to ensure they are secure. If you can’t patch them, then you must ensure there are compensating controls. It’s essential to have a detailed inventory of all asset types to gain deep situational awareness; otherwise, you’re never going to have any true idea of what the actual risk is.”
With the future in mind, Martinot believes that there is a need like never before to help the energy sector secure the digital revolution that is currently taking place. “we see a growing need for cybersecurity across Asia, where drivers like regulations are being overshadowed by tensions in the region and the associated exposure that comes with a rapid digital transformation adoption.
To enable a secure digital transformation, Siemens Energy often provides or acts as a cybersecurity team for small to medium-sized energy companies. In collaboration, the company co-develops a programme and identifies pain points, before tailoring the perfect roadmap to resilience. Fulfilling these demanding requirements can be a daunting task, especially for the smaller organisations who often don’t have the scale or resources to achieve this successfully. This is where our OT managed security services, specialised for the energy sector, help our clients protect, detect, and respond in a timely method.
Our services deliver clarity and focus on helping our customers make better decisions. Essential to achieving an actionable outcome starts with having clear visibility which is enabled by having the best in breed technologies such as Tenable.OT.
Looking at what the next step for OT could hold, Bussiere believes there is a lot more to come. “We’re only at the beginning of securing our operational technology environment,” he affirms. “They’ve previously been believed to have been secure by virtue of having isolation and air gaps. Monitoring and discovery have also become essential in OT environments. There are three things that operators of OT environments need to do right now. Firstly, it’s important to gain an understanding of both the IT and OT assets to learn what’s there and identify the assets that are there. Number two, it’s important to understand the communication patterns between the devices within an operational technology environment. This means which device is talking to which device and the identification of protocols they’re using and which ones may be malicious. Once I accomplish that, I’ve got myself at a level baseline where I’m at a point where I understand the place where things should be.
“This takes me onto the final point, which is to continuously monitor the configuration, inventory and protocols within the environment, which makes it possible to detect what shouldn’t be in that environment. An attack is essentially a deviation from normal. These three things are fundamental to keeping your operational technology environment secure. We’re only at the beginning, and there’s a lot more to accomplish. Over time, I think you’re going to see authentication and security models evolve to be a lot more secure than they currently are right now.”