Stronger together

Security requires strong partners

Integrators, operators and manufacturers all contribute to IT security measures in the design and operation of automation processes and systems. Transparency among partners is essential here.

Transparency for machine manufacturers, integrators and operators

The TÜV Süd certificate based on IEC 62443 gives integrators and operators transparent insight into the IT security measures and backs up Siemens Security in the process of developing automation products.

  • Security through design
  • Security inspection and validation test
  • Security update management

Protecting machines against cyber attacks

Protection against cyber attacks is growing more and more important for industrial companies. That’s why this aspect must be considered right at the development stage for new machines, and observed throughout the entire life cycle.

It is essential in this regard to perform regular PDCA (“plan-do-check-act”) cycles, as prescribed in standard IEC 62443. During the specification, design and development stages, manufacturers concentrate on potential points of attack and draft protection mechanisms. Then, in the marketing phase, they actively look after protecting their products with information and updates. 

Implementing the requirements of the IT Security Act

Since 2015, operators of critical infrastructure facilities have been required to fulfill the requirements of the new IT Security Act. The focus is on maintaining operations in the event of an attack, and the PDCA cycles are coordinated with this requirement.

On the one hand, operators must determine the requirements for laying out the automation solution, and on the other they must define the measures that they themselves will have to implement. These include limited access to critical parts of the automation solution, for example. 

Existing regulations on industrial cyber security

The new IT Security Act took effect in Germany on July 25, 2015. Under the act, key operators of critical infrastructures are required in future to report any IT security incidents to the German Federal Office for Information Security (BSI) and to implement minimum IT security standards. Which operators this includes was determined, among other things, by the BSI with the help of a measurement table.

German IT Security Act ("IT-Sicherheitsgesetz") – are you affected?

A total of seven industries (sectors) and around 700 systems are covered by the IT Security Act.

In addition to information technology and telecommunications in the strictest sense, the energy, food, finance, insurance, healthcare and water industries are required to meet minimum IT security standards and report incidents to the BSI.

The German government applies the 500,000 rule as the basis for determining which groups are covered by the act: if 500,000 or more citizens are dependent on a service, the accompanying system falls under the reporting requirement. What these people consume is converted into a threshold.

Part 1 of the BSI Kritis (Critical Infrastructure Protection) Regulation took effect in May 2016.

Deadlines will apply from that point on, in other words:

Operators of critical infrastructures in the areas of energy, water, food, information technology and telecommunications will have to meet their reporting requirements to the BSI from November 2016 and observe the new industry-specific minimum IT security standards from May 2018.

Increased security requirements – what factors should you be aware of?

A strong partner – how can Siemens help you?

Knowing what form protection must take

System integrators are often trailblazers when a company’s IT security has to be improved. They work closely with the operator to establish the protection strategy that will meet the specified protection goals. The focus for the integrators is on implementing the automation solution at a functional level.

That’s why the PDCA solutions are mainly built around multiple functional and organizational measures, and include efficiency checks for the protection measures, training for employees, documentation, and maintenance of the protective measures. Security – e.g. of recipes or passwords – must still be guaranteed when an automation solution is being dismantled.