Looking through the
industrial cyber portal
Every power project has different requirements and components
that change the prerequisites for cyber security. At the same time,
cyber security needs to change over the lifetime of a project, making
it tricky to maintain a holistic overview of projects around the world.
Siemens Energy has therefore developed an industrial cyber
security portal that simplies the integration of cyber security into
each of its projects, with the aim of delivering products and solutions
that are inherently cyber secure. Junior Isles
denition in alignment with business
units’ offerings and manufacturing, it
also enables understandable and opti-
mised implementation of cyber secu-
rity in processes, technology and
To address these issues, the company
recently launched what it calls its In-
dustrial Cybersecurity Portal (ICS
The portal is designed to simplify
security by providing specic func-
tion modules within a central reposi-
tory. Tasks and outcomes are stored
centrally so they can be evaluated and
documented. This will help provide
transparency for the central ICS team
and the business units themselves.
Stensletten said: “It is designed to
serve as a ‘one-stop-shop’ for ad-
dressing all cyber security needs of
any given project. Helping all our
Siemens Energy business units work-
ing with our portfolio, the ICS portal
provides transparency, for example,
on relevant security requirements for
their assets as well as guidance on
related vulnerabilities and their miti-
gation. Featuring automation capa-
bilities, and the ability to contextual-
ise, visualise, and structure the
project data, it has never been easier
to integrate and maintain cyber secu-
rity in the design of our products and
The types of risks that a project
might face could range from a vul-
nerability in an individual compo-
nent delivered to a customer, to a
solution from a sub-supplier that
does not meet the security require-
ments of the customer.
“To remain a trusted partner for our
customers, our portfolio must become
secure by design to protect adequately
against cyber threats, meeting global
regulatory requirements and stan-
dards. To achieve this goal broadly
and holistically can be a huge chal-
lenge. It requires a simplication of
security and the ability to integrate
cyber security into existing business
hile digitalisation is seen as
a key pillar of the energy
transition, the growth of
devices connected to the industrial
internet poses a real threat. Certainly,
it is a major concern for executives.
According to PwC’s 25th Annual
Global CEO Survey, 44 per cent of
energy, utilities and resources CEOs
ranked cyber threats as a “top three”
concern. And of all sectors, energy is
among the most targeted.
According to the X-Force Threat
Intelligence Index 2022, the energy
sector ranked as the fourth most af-
fected sector in 2021, with 8.2 per
cent of all observed attacks, behind
the manufacturing industry, the nan-
cial sector, and the professional ser-
vices sector. The war in Ukraine has
no doubt heightened that threat. In
April, for instance, Ukraine’s Com-
puter Emergency Response Team
announced that it had successfully
repelled a series of cyber attacks on
the country’s power grid.
In the past, hacking energy infra-
structure would usually require cyber
criminals to have an on-site deploy-
ment to successfully hack the opera-
tional technology needed to run a
network or plant. With increasing
digitalisation, and as information
technology (IT) and operational
technology (OT) converge, this is no
longer the case.
Today, utilities, factories, etc., typi-
cally use IT systems connected to OT
networks to operate their digital
equipment. This makes it easier than
ever for cyber criminals whether
nations (cyber warfare) or individuals
to not only inltrate the IT of a
company, but also the attached OT
operated via those IT systems. To
keep the critical infrastructure secure,
providers of energy technology
equipment nowadays have to provide
state-of-the-art cybersecurity solu-
tions including secure products that
meet all legal requirements.
Commenting on the challenges its
customers are facing and what it can
do as a company, Bernhard Mehlig,
Industrial Cybersecurity Consultant,
Siemens Energy, said: “Companies
that provide us with electricity, natu-
ral gas for heating or oil for transport,
operate complex manufacturing and
production sites that use digital solu-
tions to make their operations more
efcient and protable. These are at
risk from various types of hackers.
The companies that we provide solu-
tions to are becoming more and more
aware of this. So it is important for us
to focus on what we can do to ensure
our customers achieve a secure opera-
tion of the products and solutions we
Rune Stensletten, Head of Industrial
Cybersecurity Ofce (ICS Ofce),
Siemens Energy, added: “The indus-
trial products and solutions we pro-
vide to our customers cannot be pro-
tected in the same way as IT
infrastructure. Trying to secure these
systems is a highly complex task. So
what we are doing is trying to collect
and dene best practice and guidance
centrally and provide it to our internal
business partners. The purpose of our
industrial cyber security team is to
support our businesses involved in
the execution of customer projects
and product development.”
Although each business unit of Sie-
mens Energy has its own industrial
cyber security community, which
oversees cyber security for products
and solutions coming out of the spe-
cic business unit, the central ICS
Ofce coordinates all the various ef-
forts. This includes cyber resilience
of Siemens Energy’s various manu-
facturing and production sites as well
as the security of products and solu-
tions provided to its customers.
Such an approach enables each
business unit’s ICS community to
bring their expertise to customer
projects, answering all questions and
meeting the needs of the customer.
But in an environment that is changing
quickly there has to be a coordinated
way of managing this community of
ICS experts and bringing them up to
speed with the latest requirements for
each product and solution. This is
where the central ICS team comes in.
A good example is the differing and
evolving cyber legislation in the re-
gions Siemens Energy is operating in.
In the EU, the recently introduced
Cyber Resilience Act (CRA) requires
each project in the energy industry to
meet certain criteria. Cyber security
therefore is a business enabler and
market access requirement in many
countries, as technology providers are
not able in some parts of the world to
conduct business without complying
with existing legislation. Further,
customers themselves might have
specic requirements that can be a
deciding factor in selecting an equip-
ment supplier.
Executing projects worldwide is al-
ready a complex task; and cyber secu-
rity adds yet another layer of com-
plexity that has to be addressed. As
Mehlig put it: “There are already a lot
of moving parts and a lot of resources
and deliverables have to be aligned.
Cyber security adds to that. And if
you look at the specic cyber security
task there is a sequence that has to be
followed and tasks have to be execut-
ed iteratively. You have to have all
your ducks in a row.
“This presents challenges for tech-
nology companies, from both a cen-
tral point of view and in a customer
project context to keep track of risks
originating from cyber security is-
sues, e.g. non-compliance to cyber
requirements or security vulnerabili-
ties in products or solutions. Essen-
tially, one needs enough transparency
when it comes to cyber risk to act
According to Siemens Energy, hav-
ing the tools to keep track throughout
its cyber community is therefore key.
Having this ability not only drives
horizontal cyber security portfolio
Mehlig: “Essentially, one needs enough transparency when it
comes to cyber risk to act appropriately.”
Special Supplement: Cyber security
Stensletten says the portal is designed to serve as a ‘one-stop-
shop’ to address all cyber security needs of any given project
tasks and workow. The supplier
module says that when you are buying
things from 3rd parties, you want to
make sure that these vendors are se-
cure and know how to develop secure
products and solutions that meet our
customer requirements.”
“There are certain activities that
should be best practice, depending on
the state, or the time in the lifecycle of
the project,” added Mehlig. “So, we
want to create a module for every ac-
tivity; i.e. specic modules for certain
activities that occur during a particular
timeframe in the project lifecycle.
“This simplies security. A person
that is focused on a specic activity
can feed in the data to the portal,
which stores it in the context of the
project. This makes it easier for the
project team to assess certain out-
comes and react accordingly.”
Stensletten noted: “Bernhard and I
have worked in cyber security in the
business units for many years and
we’ve been talking about having this
tool for at least ve or six years. Now
as part of this central team, we nally
have the means to be able to do this.
By doing this we are not only helping
the business unit we came from but
the entire company, when it comes to
dealing with cyber security.”
In developing the portal, the central
ICS team has collaborated closely
with cyber security communities
working on projects. “This is impor-
tant to build the functionalities that
are relevant to them in their business
area,” said Stensletten. “But we are
also thinking long term because we
know that if we do all of our cyber
security due diligence as part of our
project execution, it also makes it
possible to use these services for our
end customers.
“By doing vulnerability manage-
ment in-house, we ensure the elimi-
nation of all vulnerabilities before
handing over to customers, and we
are also monitoring solutions during
the warranty phase. Further, we can
provide this as an end service to
customers after the warranty. ”
This, he says, not only provides
them with information on upcoming
vulnerabilities but also gives them
access to experts that actually devel-
oped the product or solution, who can
advise on how to address the issue.
Stensletten added: “Going into the
project phase, there are a number of
different roles. There are engineers,
technical project managers, etc., and
we are introducing a role that is re-
sponsible for cyber security in proj-
ects to ensure that the activities that
have been dened are actually being
followed kind of like a quality
[control] function. There is also an
ICS expert, who will help with the
technical implementation and veri-
cation of requirements, etc.
“The idea is that the tool will guide
you through all the cyber security
activities, allow you to customise ac-
cording to the project’s cyber security
risks and introduce cyber security
activities for different roles in the
Siemens Energy also plans to create
a dashboard where it can collect key
performance indicators (KPIs), gen-
erate queries and create reports on, for
example, projects that have reached a
certain stage.
Mehlig explained: “This is impor-
tant for us centrally and for the port-
folio. We can, for example, look at all
projects in a certain area and see how
many components have been sold
there, what their current status or risk
assessment score is, etc. This would
allow us to make detailed evaluation
reports based on data entered, and try
to gure the risks or hotspots in terms
of cyber security risks.”
“It could also show where the or-
ganisation is lagging. For example,
we can nd out where, say, vulnerabil-
ity mitigation is taking very long. The
portal will allow the organisation to
monitor itself in order to learn and
In addition to further developing
the tool, the ICS team’s next steps
will be to reap the rewards of its
work by raising awareness of the
portal internally and making its use
inside the company more wide-
spread. The overall goal is to sim-
plify the integration of projects, ulti-
mately beneting Siemens Energy
customers, who can rely on a unied
process that ensures implementation
of cyber security before the solution
is handed over.
Stensletten summed up: “We have
been a small group, currently working
on the development of the portal’s
functionality and verifying that the
technology is working. Now we will
introduce it to the whole company by
implementing the module for the ini-
tial risk assessment, and will build the
core functionality as we get more
people to start using this tool.”
Special Supplement: Cyber security
processes. The ICS portal is a tool that
covers the whole lifecycle of cyber
security for our customers’ projects,”
said Mehlig.
The portal will have a number of
modules to support both Siemens
Energy and its customers. With the
rst release of the ICS Portal it is al-
ready possible to:
n Dene the ‘project context’ by add-
ing project information, (security)
zone hierarchy; asset denitions; soft-
ware/hardware components;
n Evaluate standards and require-
ments by the mapping of requirements
between different standards;
n Perform vulnerability monitoring.
In the next iteration, the ICS team
plans to introduce other functions like
risk assessment to give an indication
of the type of cyber security that
should be planned for project execu-
tion; vulnerability management in
assets and components; secure sup-
plier cyber security evaluation; and
project security activities guidance.
Stensletten explained: “The vulner-
ability management module, for ex-
ample, will contain a full list of all
assets and components involved in
the project and will allow tracking of
Cyber security in industrial
projects is a key concern
Siemens Energy’s industrial
cyber security experts came
together for an on-site event
in Berlin during September
last year
Transforming the entire energy system requires
all of us to change how we do business, invest,
govern, consume, and even live.
we can’t do it alone
Siemens Energy is a trademark licensed by Siemens AG.
Anzeige_Honestly_ENG_290x380mm_220921.indd 1Anzeige_Honestly_ENG_290x380mm_220921.indd 1 21.09.22 10:3221.09.22 10:32