•Rolf, is it not a bit strange that we are in a situation that we cannot really distinguish by the tools if things are ‘right’ or ‘wrong’ but only by the context? Meaning should we not work on a next generation internet and new protocols instead of trying to do the impossible: securing a protocol that is insecure by default? (pass on the packet)
In my view complexity is the enemy of security, i.e. the more complex a system is, the more difficult it is to protect it. For the challenges we face today and those in the future, we need new security paradigms, driven by the fact that systems are getting more open and more interconnected. Of course one could say that we need totally new systems and completely new infrastructures, both with built-in security. However, the real world is not that easy, particularly when one looks into the industrial world where products have much longer life-cycles than in the IT world. That means that particularly in the industrial world, in the future we’ll have to deal with a lot of legacy/brownfield equipment. That doesn’t mean that we shouldn’t start to think about and implement new approaches today to be more secure in the future, but it does mean that we will continue to face challenges with brownfield in the years to come.
•How important is it to have even a temporary ‘closure’ of an online threat, even if you know that the next one is on its way?
Attacks have become quite fast and are changing quickly. However, not everybody is going to be hit by each threat or attack wave or campaign in the same manner. So, one could bury his head in the sand or try to implement tools and processes so that he is not being hit by each and every wave in the same fashion. In my view it is key to implement a continuous improvement process, analyzing after each wave what went well and where to improve. Over time this will make one stronger, even if the cat and mouse game with attackers will not go away.
•What is a typical cause for celebration within your team, and how do you celebrate?
As we are covering a broad range of topics within cyber security, ranging from enabling an organization to manage security, developing security building blocks, integrating security into products and solutions, assessing the security level of products, processes and people, providing security intelligence and detecting and managing vulnerabilities and incidents, there are a couple of occasions to celebrate success. It could be an important invention to drive the current state-of-the-art in cybersecurity (as we are also doing R&D in cybersecurity), it could be that we successfully delivered security components and a security architecture to a product that is of great importance to Siemens or it could be that we successfully managed a major vulnerability or incident, which at the end resulted in no harm to Siemens (e.g. the WannaCry ransomware attack, which did not hit Siemens).
•Apart from having coding skills, what is the mindset you need to become a successful member of the Siemens cyber security team?
It depends on which area somebody wants to work in. Some people are good at identifying issues and problems (e.g. by pentesting) while others are good at coming up with new approaches and innovations. There are also those who can provide a full security architecture to complex solutions (not only bits and pieces), while others can consult, teach and train (e.g. showing developers how to manage security or code in a secure fashion) and then there are people who are good at managing vulnerabilities and incidents.
•Siemens used to be fully B2B and was mainly selling large systems that could also exist away from the internet. How difficult was it to go to more consumer oriented appliances, for example Siemens Home Appliances?
Siemens is completely in the B2B business, i.e. it is no longer producing mobile phones or home appliances (Bosch is only licensing the Siemens brand for this, i.e. a home appliance branded as “Siemens” is completely developed and produced by Bosch).
•What was the impact of the Stuxnet attack, and do you think it helped move cyber security up the boardroom agenda?
Stuxnet was somehow a wake-up call to push more onto product and solution security. It also showed that one cannot assume that “air-gapping” systems can protect them from being infected or attacked. IT security has a long tradition in Siemens (originating mainly from the telecommunications activities) and Siemens was one of the first companies setting up a CERT (cyber emergency response team) some 30 years ago and since then has given birth to many CERTs in other companies. Since Stuxnet, Siemens is running a company-wide product and solution security initiative together with a dedicated ProductCERT (today we have 3 CERTs: CorporateCERT, ProductCERT, CustomerCERT).
•I am a member of the dyne.org digital community. We have a beta out on dowse.eu that should bring transparency and enhance sharing of data, goods, resources, skills in a neighbourhood. What do you think of this?
Sharing is of great importance in my view, be it the sharing of security intelligence, the know-how of the latest threats and vulnerabilities and how to deal with them or sharing source code, which can be made more secure through joint effort than by individual effort. The exchange of know-how and people can help to overcome a lot of threats that we are currently facing.