Cybersecurity Governance

ISO 27001 is the international standard that describes best practices for an Information Security Management System (ISMS).

Achieving an accredited certification to ISO 27001 demonstrates that our organization is following information security best practice and provides an independent expert verification that information security is managed in line with international best practice and business objectives.
Cybersecurity Governance for Siemens is ISO 27001 certified since November 2017.
We have been certified according to the new standard ISO 27001:2022 since November 2023.

• Download certificate
• Learn more about System Certificates

We are passionate about enabling a resilient, data-driven Cybersecurity through a robust architecture to protect Siemens.

To accomplish this, we are implementing our Cybersecurity strategy in the project and using the newly created Enterprise Architecture service to map our strategic goals into a target architecture to guide all of Cybersecurity in their implementation effort.

The project’s main targets are: Streamlining resource utilization through automation & efficiency measures, enhancing visibility & transparency of cybersecurity risks across Siemens and leveraging data-driven decision-making for strengthening reactive & proactive risk mitigation.

Our project setup is structured in five workstreams:

• Concept & processes:

  Our objective is to describe and maintain the architecture process within Siemens Cybersecurity, making sure it is integrated with our strategy and portfolio. And to describe the building blocks of our data-driven cybersecurity architecture, including capabilities, applications, inputs, outputs, and dependencies.

• Governance:

  We aim to define how the cybersecurity data can be combined to enable automatic cybersecurity risk identification & assessment, empower decision-making for its mitigation, and increase policy compliance.

• Situational awareness:

  Our objective is to stand at the forefront and be the voice of the EA project, gathering user expectations and providing holistic risk posture to enhance daily operation of end-users.

• Security intelligence:

  We aim to implement an AI-supported and data-driven decision point that provides automatic Siemens cybersecurity risk identification and mitigation by empowering decision-making.

• Data:

  Workstream Data helps Cybersecurity adopt a data driven approach by establishing transparency of data, preventing data-duplication and providing guidance to teams for their data strategies.

The Cybersecurity Policy Framework is applicable to Siemens and its affiliated companies. In particular, it contains the cybersecurity requirements laid down in specific policies, standards, and baselines.

All policies are based on relevant industry standards like ISO 2700x or IEC 62443. To ensure compliance with other important standards, references to them are also managed. The list of relevant standards includes for example NIST 800-53, the Guidelines on ICT and security risk management from the EBA, and others.

Siemens products, solutions, and services contain a significant amount of software and IT-related components, which in many cases are used in the context of critical infrastructures and could become more exposed to cyberthreats. Regulatory and customer specific-security requirements are increasing and need to be addressed by Siemens.

To stay competitive and reliable, the Siemens-wide PSS Initiative was established in order to help ensure that the products, solutions and services we sell enable our customers to run their facilities in a secure environment.

For this purpose binding requirements for PSS and recommendations for implementation are in place. Continuous improvement and continuous learning are fundamental prerequisites for successful realization.

It is of vital importance to create common awareness and understanding among all employees regarding basic aspects of cybersecurity and provide dedicated specific training for cybersecurity-relevant roles. To respond to our customers expectations of state-of-the-art products, solutions and services from Siemens in terms of technology and security and to ensure the ability to deliver such quality by continually increasing awareness of cybersecurity in our company and enabling our employees to consider cybersecurity in every activity, step and process of the whole value chain, we have created several activities. For example:

• A mandatory global awareness campaign with the goal of providing all employees with information regarding general and important cybersecurity topics. These training sessions are web-based, barrier-free and multi-language. In addition, for a role-specific group, we have the “Driver’s License” training. This training is mandatory and enables the role-specific group to apply all Siemens IT/OT security guidelines. Upon successful completion the participants receive a certificate which is valid for two years.
• We also make available several, continually updated, training courses and learning opportunities for all Siemens employees. These can be accessed on a voluntary basis. This training is not only for basic knowledge but also for specific and specialized areas like Product and Solution Security.
• We believe that continuous learning is a key for success and so we continuously seek new ways to train and update our employees.

Always maintain an overview: To help achive this, we provide an internal cybersecurity platform called 'CyberMart' which gives a holistic view of cybersecurity data and processes at Siemens.

It enables informed and targeted business decisions by providing a

• platform for secure applications processing cyber security relevant information,
• secure data pool for cyber security relevant data as well as
• maturity and status reporting on security processes (e.g., asset protection, exception handling).

Part of this platform is a cybersecurity dashboard that gives an overview of the cybersecurity operational status as well as of strategic data points. This information is the basis for regular internal management reporting to the Siemens Management Board and the Siemens Supervisory Board.

The main goal of Cybersecurity Risk Management, which is part of Siemens Enterprise Risk Management (ERM), is to enable Siemens to obtain transparency regarding its cybersecurity risks and to adequately manage these to an acceptable level.
The Siemens Cybersecurity Risk Management framework is based on international standards (ISO/IEC 27005 and ISF IRAM2), considering all levels, from operational up to enterprise, and also using established ERM processes and roles.
The cybersecurity risks reported and managed up to ERM level are identified within the following processes and managed within the respective tools:

• Overall Cybersecurity Risk Management process
• Asset Classification and Protection process for IT and documents & information assets
• Threat and Risk Analysis for products, solutions and services
• Exception Handling process for temporary deviations from Siemens cybersecurity framework
• Cybersecurity Supplier Risk Management

Cybersecurity Supplier Risk Management:

The cybersecurity risks need to be managed along the entire supply chain. Siemens considers this topic holistically including IT, OT and PSS for procuring horizontal and vertical components, products and services. For this reason, the main activities for improving the cybersecurity level along the supply chain include:

• Transparency regarding the cybersecurity risk exposure along the supply chain
• Systematic risk management practices supported by 3rd party supplier assessments methodology, respective tools and templates for contractual cybersecurity requirements to suppliers
• Active participation within the Charter of Trust driving the 2nd principle: “Responsibility throughout the digital supply chain” as well as various expert communities
• Regular trainings and awareness campaigns for various target groups and use cases

What is an Information Security Incident?

An Information Security Incident is defined as: The direct or indirect compromise of confidentiality, integrity and or availability of information according to its classification (based on ISO27001 and NIST 800-61 rev2).Incident examples include, but are not limited to:

1. Successful attempts to gain unauthorized access to a system or its data
2. Disruption or denial of service
3. Unauthorized use of a system for the processing or storage of data
4. Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent

Incident Response

We perform in depth analysis of Cyber Security Incidents. To achieve this, we engage with business responsible, internal and external Incident reporters and stakeholders to coordinate response activities and ensure proper containment and initiation of remediation tasks. Furthermore, we provide Incident Project manager, supporting on organizational & communication aspects of severe and complex incidents.

Incident Handling Process

• Detect

  Compromise of confidentiality, integrity and/or availability of information.

• Respond

  Analyze attack and initiate counter measures.

• Remediate

  Contain: Limit malicious activity, Mitigate: Prevent further damage, Repair: Fix & prevent reoccuring

• Recover

  Restore integrity of affected systems to a non-degraded operational state.

Security threats force the industry to take action.

Attacks by cyber criminals who can manipulate entire value chains often result not only in production outages but also in considerable damage to your image. To protect your operational technology (OT) in the best way possible, it is required to get transparency about the risk exposure of your assets. This allows cybersecurity threats to be identified and eliminated before they cause significant damage.We provide more cybersecurity for your manufacturing processes. Our holistic approach is designed to identify procedural security gaps and technical vulnerabilities before they are exploited by bad actors.

More information

AI serves a crucial function in Siemens' cybersecurity endeavors. It dynamically identifies and counteracts security threats by detecting anomalies within our network and systems. This immediate action against security breaches helps curtail potential harm.

Moreover, AI boosts the effectiveness of our cybersecurity procedures by automating mundane tasks. This automation enables our security teams to concentrate on more intricate and pressing issues. Additionally, AI institutes customized security protocols based on user behavior analysis, fostering a precise security strategy for each division within Siemens.

Despite the advantages, it's important to note that AI can also be a tool for cyber attackers, enhancing the complexity of their malicious actions. These attackers might harness AI to automate their attacks, evade conventional security systems, or even simulate human behavior to escape detection.

Nonetheless, Siemens is well prepared for this intricate scenario. We've established stringent security protocols to ensure the safe and responsible application of AI. Our forward-thinking approach aids in maintaining the integrity of our systems and shielding us from potential risks, thus allowing us to exploit the advantages of AI in our cybersecurity operations.

The benefits Siemens derives from AI decisively outweigh the risks. Through meticulous implementation and ongoing surveillance, we minimize these risks and amplify the benefits of AI. Consequently, AI emerges as an invaluable instrument that substantially enhances our capability to ward off security threats.