Raising the Bar for Hackers

Things are running smoothly in the plant. A robot moves car bodies to the next work station, where assembly workers are waiting, and the IT officer has informed the production manager that the robot control system is completely secured against hacker attacks. "We’ve got effective passwords, secure encryption, and an impervious firewall," he announces. As it turns out, he’s wrong. A hacker has just entered the system by using a Google search to find the production control home page. He tries out a couple of simple passwords, but to no avail. Then he launches what’s known as an SQL injection. Instead of using a password, he copies into the entry mask a short piece of program code and manipulates the database, which contains security-related information. He is thus able to open the lock without using a key, as it were. Now things begin to move quickly. The hacker has found his way into the production line control system. He issues a command to stop a robot, which then proceeds to open its gripping arm, causing a heavy body shell component to fall directly on top of a worker.

Murmuring can now be heard in the auditorium as the lights go on, and the 300 people at an in-house Siemens fair in February 2007 are completely shocked at how easily Dr. Konstantin Knorr has been able to shut down a factory production system. They’re relieved, though, that the robot is only a prop and the "injured" worker merely a plastic figure. "Still, it gets their attention," says Knorr, who uses this demonstration to make his colleagues more security conscious. Knorr is one of approximately 70 people at Siemens Corporate Technology (CT) in Munich who provide advice on security issues to various Siemens units. Those who work in this area need not be former hackers or ex-cons; they only need to be in possession of a college degree "and have a well-developed sense of morality," according to Dr. Johann Fichtner, head of the CERT (Siemens’ Computer Emergency Response Team) Center.

The goal of such CT demonstrations is to raise security awareness among people who work with IT systems, and support secure planning measures for future Siemens products. Security requirements have risen dramatically in recent years—and not just at Siemens. Whereas control systems for production lines and power plants used to be completely isolated from the outside world and employ specialized software, they now often run on standard software like Windows and utilize off-the-shelf databases. More importantly, however, they are increasingly being linked to the Internet for remote maintenance and other services. The risk of external attack is therefore greater than ever before. In addition, tax depreciation periods for factories, power plants, and hospitals are now longer, which means IT systems are not replaced every three-to-five years as is the case with office PCs. As a result, the latest security updates are not always available.

Robust IT Systems for Power Distribution. Just how important cyber-security can be is demonstrated by a system failure that occurred at the Davis-Besse nuclear power plant in Ohio on January 25, 2003, when the Slammer worm entered the facility’s IT network through the Internet and shut down parts of it for nearly five hours. Fortunately, nothing happened because the plant happened to be shut off for repairs at the time. Whoever launched the attack took advantage of a security hole in a database that Microsoft had actually offered an update for six months earlier. But unfortunately, the software programmers in charge of security at the plant didn’t know about that.

To prevent such an event from happening with software from Siemens, the company’s Corporate Technology department, which Fichtner’s team is a part of, offers sophisticated solutions for all Siemens operations. One such system is being used at Siemens Power Transmission and Distribution’s (PTD) Energy Automation unit in Nuremberg, where Bernd Nartmann serves as a product manager whose responsibilities include security issues. Two years ago, Nartmann asked CERT to look for weak spots in the product portfolio through which hackers might enter the system. This examination was necessitated by the fact that the unit’s customers (in most cases major power supply companies) were increasingly utilizing public communication networks to collect data and issue switching commands. Some components, such as switching and fuse modules for high-voltage facilities, are more than 30 years old, but "back then nobody could have known they would someday be controlled through the Internet," Nartmann points out. Working together with specialists from CERT, automation experts succeeded in significantly enhancing the security of all the products, thereby enabling them to meet security standards.

Retrofitting such solutions can be extremely expensive, however. "That’s why we now look at security as early as the product development stage," says Dr. Stephan Lechner, head of the IT Security Center at Corporate Technology. "We analyze the system architecture of planned products and search for security risks." The center does this by simulating entire systems as abstract mathematical models and then running mathematical and logical processes on them that can reveal security deficiencies. "The results show us where we need to take action," Lechner explains.

The advice of security experts at Corporate Technology is increasingly in demand for product development and component procurement processes. "Security is a sensitive issue, which is why it’s very important to have a relationship of trust," says Nartmann. "But you also need to have in-depth knowledge of the entire IT security landscape. Siemens is clearly the leader here, as demonstrated by the great demand from customers."
                                                                                                                Bernd Müller