Event Recording

Let’s Think Zero Trust – for IT, OT and Products

Over the past two years, Siemens has been on a mission to protect a global enterprise through the highest Zero Trust standards, and this journey is far from over.

In this session, program lead Thomas Müller-Lynch shares his experiences on the road to Zero Trust readiness of all assets from IT and OT.

Thank you. Thank you. Yeah. Let's think zero trust. Just for curiosity, has anybody listened to, or has been to, the European Identity Conference in May in Berlin? Okay, two or three. At least some of the things I'm going to repeat from there, because Peter, my partner and friend from Siemens, I was doing that session already with Peter originally. We wanted to do that again together, but for private reasons Peter was not able to come here. But nevertheless, let's think zero trust, and why do we believe at Siemens that this is the right slogan for it. And I would also like to highlight that whenever we talk about and think about zero trust, it's not only about IT; we are intensively looking into OT, the OT space, and also into the product space.
I don't want to bother you too much; I think everybody has heard at least the term zero trust, and Siemens doesn't have a really different view on zero trust. Maybe the only thing where we believe that we might be a little bit special is that our scope is not only on the classical, horizontal IT space. As I just said, we are going into the factories, onto the shop floor, and revisiting that whole architecture of zero trust and how it can be implemented in those areas. And the other exciting thing, always for me, is: what about our products? How would you be able to implement zero trust in a product, in a Siemens product which we sell to customers?
Also this one, very quickly: why are we doing zero trust? Obviously we have a quite complex infrastructure which needs to be managed. We have huge cloudification activities within Siemens, and as part of those cloudification activities you indirectly also enter the zero trust areas, if you want to adopt. Next, we have our perimeter security, which we have used for the last two decades; it is simply not fitting anymore to those things. And finally, all the maintenance effort, with the end result that during all of that you are still not at the security posture you would like to be. So these are our main drivers why we are running zero trust. By the way, I come to that in a minute. So Peter, who should be here together with myself, and another colleague from one of our business units, the three of us are running a zero trust program at Siemens. Approximately 200 people are working for us as part of that whole program, and those are just the people who are, let's say, directly attached to the program. If you really look into the product space, the OT space and the application owners, where we have lots of them, those are not even counted, because we expect something to be done from their side.
Zero trust building blocks. I'm natively the identity guy at Siemens, so that's why I always appreciate that here identity comes more and more into the center of that whole architecture. We also include, and want to include as part of the architecture, more real-time security signals as they appear, to have proper access decisions. And obviously we would like, over time, to get rid of or change dramatically our network posture. So do we have CISOs here in this room? Is there any CISO? No CISO. Okay. Nevertheless, because that one is always the interesting part if you talk to CISOs and if you talk to people: in the end, why are we doing all of that? Yes, we would like to become more flexible, but in the end it's obviously a cybersecurity thing, right?
We want to become better in terms of cybersecurity, we want to be more clear and more future-prepared in terms of cybersecurity, and what we typically use as part of decisions inside Siemens, together with cybersecurity, is that heat map here. That heat map shows the cybersecurity risks. Once you start some activities (this is not made for zero trust, it's in general; we always use that), you do something and then the cybersecurity risk moves somewhere, and hopefully it moves from the red part to the green part. So that's why we identified three main cybersecurity risks we would like to address with our zero trust activities. One of them is lateral movement: we would like to ensure that lateral movement is becoming close to impossible. And we identified, by the way, these are examples, I'm not able to share every single detail here, but in the end it shows we are somewhere in the area where we cannot control everything.
And we would like to go at least into the yellow, close-to-green area. The next one is, we would like to ensure that unauthorized access is not possible anymore. And third, we would like to ensure that exploitation of vulnerabilities can be prohibited. While we are doing that, I mean, lateral movements, how are we doing it? We invest a lot in network segmentation and Zscaler technology around this. The other one, unauthorized access: obviously all the IdP space, real-time signals, device trust information, compromised identity information, all of that comes into play. And obviously also exploitation of vulnerabilities: if you now connect your application space and your infrastructure space to those PDP policy decision and policy enforcement points, and if those are connected to scanner systems and whatever, you are also able to ensure that vulnerable systems which showed up somewhere are not accessible by users, internal or external, until those systems are getting patched.
So we are also enforcing here our data quality on the one hand, but also our security posture on the infrastructure. Our zero trust journey: we started already in 2021 with what we always called foundation work. So we thought about how we can approach zero trust. That came down also from our CISO, who together with our CIO, Hanna Hennig, those are the management sponsors of that program, said, okay, let's start a zero trust journey. We did lots of foundation work, we looked at the new standards, we looked at lots of architecture stuff in the very beginning, in phase number one. And by the way, we have fiscal years which end at the end of September; 1st of October is then the next fiscal year. For the ease of that, as not everybody knows our fiscal years, we have here calendar years.
In fact we are currently somewhere in between phase one and two. So we have all of our backend systems, policy decision points; we are heavily using Microsoft technologies, but we are also using o for our external use cases, IdPs; we prepared our environment and things like those. And we also already looked into the factory and OT space, what to do there, including the factories and how to transform factories and the OT space into zero trust. So we are somewhere in the middle and have also started heavily working on the application space. What comes next? We are extending all of that. I would say from a technology perspective, an architecture perspective, we still see some white spots where we still need to work. But now it's really time for implementation, getting things done, getting things into the field. And as you can imagine, Siemens, 300,000 employees, present in, I don't know, every single country of this world, it is not always easy to get things down the road, really globally distributed.
But finally we would like to become a zero trust lighthouse. And then in 2024, maybe a little bit earlier, we would like to have really every single application covered with zero trust architecture, every single factory and OT environment covered, and plus we also would like to get this architecture into our products. And that's why we also had slogans for those phases. So we started with the foundation, then one of the first slogans was "let's rock zero trust", we need to get things done, but now we changed to "let's think zero trust", because personally I don't want to continue with that whole program until I'm getting retired. So sometime this program must be closed, but by then the mindset must have been changed, so that all of our product development people at Siemens, whenever a new application or a new product is getting developed, have this mindset included in our DNA. Last but not least, I think parts of that I already showed in May this year: we filled a Power BI dashboard with lots of data sources coming from the program, coming from the businesses, where we measure our success.
These are real-time numbers; I have some other screenshots where I have blurred out some internal information, but the numbers are the real numbers. So we are currently tackling 7,100 applications at Siemens, all of that SaaS, on-premise, whatever you can imagine that's in our application database. We have almost 1,000 locations where we need to do something, go there and talk to the local people to change something. And we also started, and those numbers are a little bit lower, right? Obviously we have much more than 11 products at Siemens. So here it's the other way around: we started with the development teams of Siemens on how to implement zero trust there, but we were already successful in the first real-life products. Then we have sub-dashboards where you can drill down into the application space, for example; that is this one here on the bottom right-hand side, where you see several templates.
So we categorized each and every application into a template and then asked the application owner to do something. Is it either enabling device trust, or is it enabling identity assurance level, authentication assurance level, all those things? Or, simply because of the architecture, it's not a modern web application, is it implementing something around Zscaler technology to have dedicated channels to those applications? And lastly, factories: we have approximately 115 factories around the world, and obviously transforming a factory into zero trust, that's a different animal than transforming a single application. Yeah, you go there, you talk to them: zero trust, do you know about zero trust? We teach them what we believe they should do. And the first answer is typically, okay, why should I do that? I mean, I get my money out of throughput, right? For sure, I also get my money from not being attacked. But it's intense discussions, obviously, because there are lots of things which in the first place they would maybe consider as a risk of not being productive anymore. We are also doing that with a team called Factory Transition Center. We go from factory to factory and try to convince them to do the things we believe they should do. Having said this, here are my contacts and the contact of Peter.
Yeah. Open for questions.
Thank you Thomas. Any questions from the audience?
It sounds very interesting, and we are sort of on the same track, or starting out on it, so we are one and a half years behind you or something. But you say going out to the actual factories, what are you doing there? Because you might be different, but we have a lot of old systems that, you know, are running on, no names mentioned
Here we are not different. We also have lots of old things there.
And then how do we get started on this, and do we encapsulate these, and things like this? How do we actually do it in a production environment? Because in the office space it's fairly simple, it's more "shut up, this is how we do it". And in the production environment it's a different beast.
Well, again, very high level: obviously those papers and white papers, which we give to the factories and which they need to run through, are a little bit more complex. But in essence, we are doing four things. We ask them, if not already implemented (hopefully it is), to have a ring fencing of the factory itself. I would say in almost all cases our factories have firewalls around them, but just to ensure there would be none which are flat in the network: please check this, and if not, implement it. Second, as we now have a ring-fenced, firewalled factory, we would like to ensure that we go into that network using a zero trust architecture. So dedicated control channels from outside into the factory, typically using Zscaler technology.
Third, we would like to monitor all network traffic within the factory, also using several tools. And lastly, every single client (I'm not talking about legacy sensors or whatever), and we have lots of them also in those environments, they go to the internet. So we implement a so-called client zone, where every client goes to the internet and then comes back again inside via those Zscaler technologies. So these are the four high-level steps as a beginning. That's not what we would like to end up with, right? We would like to segment further: factory streets, or how do you say, production lines. We want to segment those, and in the end we really want to control each and every single communication, machine to machine, inside the factory. So, any other questions? Yes.
How do you get user buy-in to your concept? I think this is the hardest part, right? Because you have so many factories and things like that. How do you explain to them that these are good things, to open up their access to the open internet, and also, you know, that zero trust is a safe thing to do? How do you actually go over that?
Honestly speaking, maybe you should ask me three years from now. Honestly speaking, so far there is not too much pushback. We have gone into that zero trust way some time ago by implementing Office 365 with zero trust policies. So typically end users already use that now, and especially in Corona times they come from outside, from the home office, into the internal environment. Plus we are using conditional access policies, checking device trust information and things like that. That was a journey, because now, for the first time in many decades, every IT system in the background that was super static now suddenly has real-time signals coming into play. A user whose client was always compliant comes back from vacation after four weeks, because he had a long vacation; now the client is not patched anymore, and he wants to access a critical application and cannot do that anymore before that client has been patched. And this is something new. They know this already from Office 365. Unfortunately we have not yet transformed thousands of other business applications into that, but I believe they will need to learn, and we are going to manage it.
So ZTA is a multi-year project. (Yep.) And how do you align that with other things? So you need a certain maturity from IAM; there might be programs for network segmentation or even other competing things like reorganization, I heard that happens at Siemens too, or outsourcing to other countries. So how do we ever get this through over multiple years?
That's a challenge. Fortunately I can say that this program has one of the highest visibilities with our management board. So we have a few other things, but that's a handful, not more, in the IT space obviously. Our Siemens board has more than five things to do, I guess, but if it comes to IT, it's one hand or maximum two hands of programs, and this is one of them. So we really have board visibility of that, and whatever might come into the way needs to either be moved away or gets a lower priority or whatever. This really has the hundred percent top-down support of our management. But it's not always easy: we have cloudification programs running in parallel, we have factory digitalization programs running in parallel. Obviously everybody has their own targets, and yeah,
My question goes directly in the direction of prioritization. Understood, the core team is made of 200 people. (Yep.) And how did you get the buy-in of the board, actually, and the CIO? How did you get the budget? What was the main driver for the board and the CIO to start with this?
Maybe we did a good job in convincing that this is the future.
No, how did you do that?
Well, one of the main arguments was definitely that our infrastructure is so complex and so big, and just to prepare for the future we need to adopt zero trust in order to be future-ready, if you want, right? The other one, also from cybersecurity, is the continuously rising risk of cybersecurity attacks, to be prepared for those. But third, we also convinced our board that this is not only for internal stuff; if we can do that in our products, that is also a differentiation from competitors. So if we are able to sell in the future, let's say, I don't know, trains, PLCs, which have an intrinsic zero trust model built in, that might be a differentiator to other competitors. And I think all three things in parallel led them to the support of the Siemens board to push this forward. But yes, it's a huge investment also. As you can imagine, 200 central people, and if I then count the 7,100 application owners which we ask to do something, if you calculate this, you then have not 200 people; I don't know, we have maybe 10,000 people doing something.
Actually, is this a dotted-line connection, or are these still part of the organization? What, or
Is this the 7,000 or the 200?
The 200. The 200 people? No, that's a globally distributed team consisting of people from IT, from cybersecurity, from business. But as we are reporting to the Siemens board and the Siemens board supports that, we have a virtual team, and it works.
Thank you.
I'm afraid we're a bit over time, so let's just thank Thomas for the presentation.
