Siemens launches automatic cyber response for industrial OT systems

The industrial controls and technology company says it's reimagining SOAR (security, orchestration, automation, response) in the industrial environment.

The threat of cyberattacks on manufacturing operational technology (OT) is becoming a serious concern for companies throughout the industrial sector.

Leaning on its experience in technical development and operational implementation design, Siemens developed SIBERprotect for critical infrastructure and OT systems at industrial companies, including power plants, water treatment facilities, discrete manufacturing enterprises, military depots, data centers and control stations.

Siemens says its new SIBERprotect brings the Security, Orchestration, Automation, Response (SOAR) concept to cyber-physical systems with an OT-friendly and OT-managed methodology.

SIBERprotect responds to limit the impact of a cyber attack within milliseconds. It identifies the infected production equipment groups or plant networks and enables full visibility and a fast initial response at the automation system level.

Siemens says this quick response can result in resumption of normal operations in less than a day. 

Working in conjunction with Siemens SCALANCE S industrial security appliances, SIBERprotect places OT into a safe, isolated condition.

It determines the credible identification of a cyber-attack through threat detection technology that includes intrusion detection systems, next generation firewalls, endpoint solutions, threat/risk intelligence and other attack or intrusion detection platforms, often enhanced with AI and machine learning capabilities.

The system then initiates a rule-based notification, network isolation and equipment management sequence to protect the selected equipment.  Rapid assessment and remediation can then be performed, vastly limiting the risk of additional malware contamination.  Work cells and equipment clusters that aren’t infected can continue operation, while SIBERprotect prevents recontamination during remediation. 

The system provides detailed situational awareness, alerting operators to the exact nature of the threat, where it was detected in the network and the criticality level so the response team can execute emergency measures to prevent worst-case scenarios.

Unlike a conventional system that merely sends messages to an SOC (Security Operations Center), the SIBERprotect system is linked directly to network firewalls, automation hardware and a prioritized system of alarms to facilitate isolation of equipment and jumpstart the cyber incident response.

Other key features include automatically activating emergency backup equipment, interfacing with legacy technology such as Ethernet hubs, recovering one segment or “restore all” functionality and isolation from the site IT network to prevent further attack.

“SIBERprotect represents the reimagining of how to do SOAR, where an alert was typically sent to an SOC, then reviewed by a security analyst and addressed 30 minutes to hours after initial detection.  Meanwhile, a virus could spread throughout a line or the entire plant,” said As Chuck Tommey, a digital connectivity executive with Siemens. “SIBERprotect is sending the alerts directly to a PLC for instant action, based upon a predetermined priority of status and threat levels. The PLC parses the messages for its criticality level and instantly responds.”

SIBERprotect is part of the overall “Defense in Depth” suite offered by Siemens in compliance with IEC 62443, the international standard for industrial cybersecurity.