With a focus on protecting the critical infrastructure industries of utilities and oil and gas, the partnership combines control system knowledge and analytics with deep domain expertise and response.
It takes a village to raise a child. It also takes a village to protect your assets. In the energy industry—where use of digital technologies is growing to help boost revenues and efficiencies, and where cyber attacks have become a foregone conclusion—utilities and oil and gas companies need all the help they can get.
Siemens and PAS announced today that they are working together to provide fleet-wide, real-time monitoring for control systems in the energy industry. As partners, they will be able to provide the deep analytics required to identify and inventory proprietary assets, and also the visibility to detect and respond effectively to attacks across the operating environment.
Organizations in these industries already know they have a problem. In a Ponemon Institute study released earlier this year about the state of the U.S. oil and gas industry, 66 percent of respondents said that digitalization has significantly increased their cyber risks, and 68 percent said their organizations have had at least one security compromise in the past year resulting in the loss of confidential information or operations disruption. “Energy is the most attacked vertical by a factor of 2,” says Leo Simonovich, vice president for global cybersecurity at Siemens.
And yet cybersecurity in the U.S. oil and gas industry is not keeping pace with the growth of digitalization. Nearly as many as say they know they have a problem say their organization’s industrial control system (ICS) protection is not adequate (61 percent).
The discrepancy points to the core talent of most energy companies, according to Simonovich. “They don’t know how to get started. They don’t know what’s proven,” he says. “They get pitched by vendors who sell what sounds like to them are similar things.”
Customers see cybersecurity as a top three issue, Simonovich says. “They know they have a problem,” he adds. “What they’re looking to us for is a solution set.”
The situation can be made worse by traditional IT cybersecurity companies leaping into operations technology (OT) without the domain knowledge. “In OT, the challenge is that the IT solutions don’t often work,” Simonovich says. “Patch deployment, if not tested, can bring down a power plant or refinery, and can be very costly—or worse.”
Siemens and PAS both bring a long history of OT system understanding and domain expertise. With more than 165 years in industrial technology, Siemens has deep domain knowledge in operations cybersecurity, security lifecycle management, plant monitoring and incident response. PAS has more than two decades of experience focused on safety in process industries, and has in more recent years brought that expertise into the security realm with its Cyber Integrity offering for foundational inventory management.
But the Siemens-PAS partnership entails more technology than just the two companies, given that Siemens’ managed services already pull multiple providers together for its customers. “Siemens has done a very good job of pulling together certain best-of-breed providers,” says Eddie Habibi, founder and CEO of PAS, noting how helpful it is for customers to have a single point of contact to work with.
The OT space is very large, and the cybersecurity scene mimics the automation scene itself. “We haven’t come across one company that has all the pieces of the technology,” Habibi says. “It’s very similar to the automation space itself. In a typical plant, there are at least 30 different systems and 130 applications. In cyber, there are five to 10 different sets of applications and appliances. Again, not a single company can pull all of it together.”
“We see ourselves as the glue that can bring those different solutions together, be the trusted partner with our customers, as well as the navigator,” Simonovich says. “It’s in part a technology challenge, but it’s also a management challenge. There’s no silver bullet, but our vision and goal is to bring the best-of-breed technologies to customers in an integrated way.”
Energy customers first need to address the issue of transparency—understanding what they have, prioritizing those assets, hardening the environment, and being able to monitor it, Simonovich says. “PAS brings the years of control systems knowledge and analytics around its Cyber Integrity tool suite,” he says. “Siemens brings insights and domain know-how to help understand what a breach could mean.”
Critical infrastructure is an important cybersecurity concern for the U.S. government, Habibi notes. “Power generation, distribution and transmission, as well as oil and gas, are key components. Water utilities and roads too,” he adds.
With Simonovich heading up cybersecurity specifically for Siemens’ energy business, the partnership with PAS is focused at this point on the energy sector. “I’m responsible for the energy vertical, but this is really a horizontal problem,” Simonovich says. “This is a critical infrastructure challenge.”