Siemens Worldwide

Pictures of the Future



Mr. Sebastian Webel
Mr. Sebastian Webel


Mobile: +49 172-7169762

Werner-von-Siemens-Straße 1
80333 Munich

Pictures of the Future
The Magazine for Research and Innovation


Cybersecurity Made in China

The central control hall of a petrochemical company in northwest China's Xinjiang Uygur Autonomous Region. Cybercrime is a growing threat to China’s economy, and the government in Beijing has now taken notice.

Increasingly, cybercriminals in China are focusing on industrial facilities. The Industrial Security Lab operated by Siemens in Beijing and the Siemens China Cyber Defense Center in Suzhou help customers protect themselves against hacker attacks.

The online retail sector in China is booming. Shopping portals such as Alibaba, which is the world’s biggest online marketplace, generate vast revenues via payment systems such as Alipay. The problem is that criminals are never far away from where money is being made. Alibaba, Taobao, and other shopping services are frequently targeted by hackers who use phishing mails to try to access customer data, for example. One out of every five Internet users in China has been victimized by hackers.

Cybercrime is a growing threat to China’s economy, and the government in Beijing has now taken notice. President Xi Jinping has made IT security a top priority. The first measure that’s been taken involves placing strict regulations on the use of foreign IT products in sectors critical to China’s security, such as banking. The goal here is to close off potential points of entry for hackers and foreign intelligence services and strengthen the domestic cyber industry. As a result of these measures, China’s IT security market is expected to expand rapidly, according to U.S. market research company Technavio — from $2.11 billion in 2014 to $3.62 billion in 2019, with double-digit growth each year.

An Internet cafe in Wuhu City. One out of every five Internet users in China has been victimized by hackers. One reason: Chinese software and apps are often inadequately protected.

Outdated Process Control Technology

Hacker attacks against industrial facilities, such as chemical plants and power stations, aren’t the subject of much public attention in China, but they nevertheless pose a major threat. Chinese companies often link systems based on outdated technologies to office PCs or remote maintenance centers via the Internet, despite the fact that they were never designed for such a scenario. In other words, without protective measures, malware that infects an office computer can, for example, easily migrate to machine control systems that are networked via industrial Ethernet and Internet protocol.

The results of a survey of more than one hundred industrial companies conducted by Siemens in 2014 demonstrate the extent of the threat cybercrime poses to manufacturing companies in China. More than 80 percent of the companies reported having experienced a computer virus infection or some other type of attack. Some companies even reported that they had had to temporarily suspend production and had lost money as a result. Such incidents aren’t just a problem related to outdated technology; they’re also the result of a lack of awareness, according to Professor Wen Tang, Head of the Industrial Security Lab operated by Siemens Corporate Technology (CT) in Beijing. He reports that a manager at a large Chinese refinery actually told him that his company didn’t need to implement any cybersecurity measures because it had never been attacked.

IT security cannot offer one-hundred percent immunity against attacks. But it can make things so difficult for hackers that they might, in the best case, lose interest.
Siemens researchers at the Siemens Industrial Security Lab, which provides risk assessment services to identify security risks and offers solutions for closing them.

Illusion of Security

Things aren’t always better at companies that have in fact implemented initial security measures. Many of them simply purchase firewall and antivirus software and think they’re protected forever. Tang refers to this as “the illusion of security,” pointing out that “IT security is not something you attain in one fell swoop; it’s a continual process involving awareness, management, solutions and products.” Although those who continually pay attention to IT security cannot expect one hundred percent immunity against attacks, they can make things so difficult for hackers that the latter might, in the best case, lose interest.

Learning from Threats

As early as 2005, a CT internal lab led by Prof. Tang initiated a groundbreaking research program in industrial security. The work performed at the Industrial Security Lab changed. Whereas the focus in the past had been on research, the team now began more frequently visiting customers who used controllers from Siemens, or even from competitors. During these visits Siemens experts provided risk assessment services to identify security risks and offered solutions for closing them. Since 2014, the lab has also been assisting customers and government agencies – steps that have strengthened trust in Siemens as a local partner.

The lab itself has set up several demonstration installations, including a typical factory automation testbed infrastructure. Every once in a while, Tang will intentionally use the Lab’s Styx (Security Testing Systems for Protocol X) tool to launch a network attack in order to demonstrate to visitors how easy it is for hackers to shut down a controller if a company tries to cut corners on industrial security. The team also holds training sessions to teach customers how to improve their security posture with analytic software from Siemens.

Siemens' Industrial Security Lab demonstrates to visitors how easy it is for hackers to shut down a controller if a company tries to cut corners on IT security.

The lab is currently working on several projects. For example, Styx, which was developed in the lab, feeds a test system with millions of packets loaded with random data deliberately generated by security experts. This technique, which is known as fuzz testing, is designed to check if the system will be slowed down or even caused to crash. Styx offers a benefit in that it doesn’t need to have any knowledge of the system it tests, and it can find previously unknown errors that can then be quickly eliminated to improve the security quality of Siemens products. It doesn’t matter whether the control system under test is for a bottling facility or a power plant — this type of “black-box testing” works anywhere, and Styx has already been used to conduct ten million tests in 26 different industrial protocols.

Styx is used to test automation systems before they’re delivered to customers, as well as any existing system suspected of having a security risk. Janus is another software product developed by Siemens’  Industrial Security lab for use during ongoing industrial operations. Based on DPI (Deep Packet Inspection), Janus can detect and prevent illegal access to industrial automation networks and applications around the clock.  

Developed in China, Applied around the World

Styx and Janus were developed at Corporate Technology in Beijing. Why there and not some place else? “Because we’re close to our end customers, understand their problems by closely working with them, and can therefore develop the security tools and software they need,” Wen Tang explains.

Bernd Müller
Picture credits: from top: 1. picture dpa/picture alliance, 2. picture Imaginechina/Corbis