A managed security service model in the physical security space is not a new concept. Physical security vendors and systems integrators have found that migrating services to either a cloud-based option or enhancing their customer service and value-added proposition can be a game-changer and a differentiator that increases revenue and ensures a loyal customer base.
Large security solutions providers like Tyco have been helping their customers improve their operating efficiencies through a suite of web-enabled commercial security services for some time. The managed security service helps clients manage everything from physical card access control and video surveillance, to alert notifications that can quickly spread emergency messaging via mobile devices.
But as the lines between physical and logical security systems continue to blur, IT-centric security vendors and integrators are now finding that managed security services might be a viable approach to addressing their client’s cyber security threats.
Siemens announced this week that it’s Industrial Security Services group is launching a Managed Security Service offering in the U.S that is aimed at providing continuous protection to manufacturing and industrial production environments. The offering includes assessment of security posture, implementation of recommended security measures and transitions into ongoing defense against rapidly evolving cyber security threats in Industrial Control System environments. The new program will first be introduced in the U.S. followed by Europe and Asia.
What makes the Siemens managed security services (MSS) unique is the fact that the initiative is being spearheaded by its Industrial Security Services group which is targeting the specific security requirements found in the manufacturing vertical market space. The cyber security needs of an Industrial Control System (ICS) environment differ from the enterprise requirements of corporate IT. In a production environment, availability is a key security goal. To ensure uninterrupted production and maximized uptime requires comprehensive protection of the people, processes and equipment.
The impacts of a successful attack can be serious, and include health, safety and ICS environmental impacts along with manipulation of data, IP theft, sabotage of production and plant downtime.
The goal of this new Siemens MSS approach is to offer its customers a holistic plan that will be more comprehensive and better able to integrate into an organization’s ongoing security and operations life cycle.
“Manufacturing is clamoring for best practices in this space. Cyber security has now grabbed the undivided attention of the C-Suite in almost every organization,” says Raj Batra, president of Siemens Industry Automation division. “With that C-level focus, the rest of the enterprise quickly follows suit, but they need help, and that’s where vendors like Siemens come in. Shareholders now expect that there be a mediation plan in place for mitigating risk.”
Batra explains that the challenges faced by operators of critical infrastructure facilities have become more complex and potentially more destructive. The threats are across the board, ranging from insider threats from disaffected employees and terrorists to domestic hackers and infiltration by nation states seeking proprietary data.
With these myriad threats come a wide range of impacts that might include:
• Unplanned downtime
• Loss of product or impaired quality
• Manipulation of data
• Unauthorized use of systems
• Employee death or injury
• Environmental damage
• Loss of intellectual property
• Damage to brand image
• Financial loss
When it comes to addressing the cyber security threats faced by many owner/operators in the industrial and manufacturing sectors, the challenges are even greater. Most are ill-equipped to deal with security issues, much less the barrage of new regulations that are testing their aging control systems and outdated corporate cultures that, in many instances, still foster partisan departmental silos and non-existent security budgets.
“We have to be able to eliminate the reactive break-and-fix solutions most of these companies live by and replace it with a proactive information-gathering approach,” Rai says, pointing out that better intel makes for better solutions and end results. “There is a wide chasm between what the security needs are in the manufacturing space and management’s approach to mitigating their risk.”
According to Raj, Siemens will take a three-pronged approach to help their clients coordinate their risk strategies in conjunction with its new managed security services unit. The Siemens team will provide the initial assessment and help the client understand their liabilities and develop a security roadmap. This process will begin with a comprehensive vulnerability assessment, followed by a gap analysis, threat assessment and a risk analysis.
Once the assessments have been completed and a plan of attack established, Siemens will work with the organization on implementing a holistic cyber security plan, which will include training, the development of security policies and procedures, and finally the implementation of appropriate security technology. But it is the third stage of the plan that Raj and his team are expecting to be the differentiating factor, as the MSS unit will look to ensure success by providing a continuous proactive strategy for management and operations. Real-time threat intelligence will be coming to the client through dashboards and alerts to expedite both incident detection and remediation.
“The goal here is to protect the life cycle of the manufacturer’s equipment. The manufacturing community is going up against threats from hackers and corporate espionage that they just aren’t prepared to address,” concludes Raj. “Mitigating these ongoing cyber security threats requires you to continually monitor your program –not just periodically upgrade your software and hardware. This is not the core competency of manufacturers. So the approach here will be to let our clients do what they do best and let Siemens worry about not only our installed solutions, but plans to protect their entire manufacturing process.”
Roger Hill, R&D manager for the Industrial Security Services division, further illustrates the stark contrast between threats faced by enterprise organizations and their manufacturing counterparts when noting that this MSS solution was exclusively created to meet the specific needs of the industrial controls market.
“Manufacturing is about protecting information, equipment and the process. It is about creating a safe solution that protects the redundancy, the uninterrupted process and the safe operation of the plant,” explains Hill. “For manufacturers, it is all about the up time!”
