Event Recording

Zero Trust at Siemens: Where the impossible and the doable shake hands

Log in and watch the full video!

Two years ago, Siemens started a still going on process to change its security architecture to Zero Trust. Not an easy task for a company that big, widespread, and divers in products.

In this session program leads Thomas Müller-Lynch and Peter Stoll are talking about what they mean when talking about Zero Trust at Siemens, what everyone can learn from the approach Siemens is taking, and what they are planning as their next steps.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Thanks for having us. So this is the last session before lunch, right? So let let's, let's start with the, with some kind of an interactive, we're starting doing something in the zero trust area. Ah, lots of people. I would've assumed that. So last European identity conference, I was part of it. And lots of people were talking about zero trust for Siemens. We started one and a half years ago with the zero trust program. And now we would like to share with you a little bit what, what we achieved so far. And also we're, according to the title were the doable and the UN undoable Maha hands. What is our vision? I mean, zero trust. As you can see it here, the vision of Siemens is at least the first part of our vision is not quite different to, to all the others. I mean, it's this holistic cybersecurity approach. You cannot buy a product, you cannot buy a software and just install it. And then they, then you're done. That's not happening. It's, it's an approach we wanna get rid of finally of our intranet or at least would like to remove that as, as, as, as,
To its full extent as possible. And we do that by not trusting by default and having as many as possible high quality signals, users, devices, locations. But I think the main difference now at Siemens is that we are not only looking into those typical, what we always call horizontal use cases. There's a natural user. He has an, he has a device wants to access a modern web application. Then you are doing all of that. So this is not our vision and not our target. We wanna go beyond, we wanna go into the OT areas in all of our factories and we have 116, 117 or so hundred 20, 220 of them. And we also want to go into our products and here going into factories, going into products. It becomes interesting. And we would like to talk a little bit about this today and our challenges on that.
And I think let's start just to recap, a couple of things that you saw there and they, a lot of previous speaker mentioned them. So it's not trusting if you're in a network any longer. Yeah. Okay. The internet is not the, the, the parameter. We are stay still in that situation that we trust. If you are in the internet, right? The next one, every access must be authorized tricky. We will talk about identities a little later. What does it mean? Especially if you see that whole scope, it OT and products. What does it mean to say? It has to be authenticated authorized and has to be known as an identity. Next one, simpler zero trust policies. There are a lot, what is the reaction? And again, mention products. We have trains. And so the train is not able to center information to the strength portion.
Does it mean we stop the train? Should it still run? What is the policy behind that? And so the policies might differ and again, there might, might be different rules, but the same principles, huh? Civil trust. So all network traffic search should, shall be end to end encrypted. Yeah. It's still there. Right? We expect it now. And the last one is, and I want to change it a bit. It's lock all security, relevant communication, full stop. It's not focused on network. It's focused on a PDP on a P P and all the topics that we have. It's focused on the systems. We need to have all, we need to have all to judge if the system and the user and the bot and the product is trustworthy enough to communicate. So think beyond network. And that's why I want to change it and say, stop here.
How does it look like in Siemens? And I think we showed that so-called few model a couple of times. So, and I flipped through that because let's mention me so that what we miss here, and that's our first version of that. We miss the products and the factories and all things above. So you can stack that it's concentrating on the it, on the it butt devices are there. So that one request that has to be trustworth enough to communicate with that one that provide the data. At the end, we are talking about identities, talking about data services, application, whatever, but also that one that want to provide data service that has to be trustworthy enough to provide the data. Of course, it's a two phase model. And if you see the doable, I think we will talk about that. The request is pretty simple. They want IM want to something, whatever, have to access attributes, and apply for access.
Quite clear. The whole model is also based on criticality. So IM admin and want to administer is totally different in the approach of civil trust than I am a user. And I want to read some information or change it or manipulate it. So that's why you always have to see really in detail. I want to monitor, I want a secure connection. I want a simple one trust to edit one. It's really totally different. Okay. And we have to cover it all. We have to cover it all with policies. We have to cover it, always the ideas. Are they secure enough or not? What does secure enough mean in that cases? And also, I think we have a couple often, that's mentioned that in that area, couple of static called static information. So that's my identity. I authorized with my ID card, with my, whatever you took token, something else.
So, or by user user ID and password, that's the level of trust for that identity and the authentication also for the systems. There's a totally different one for the bots, for the machines, for the applications, for the trains, for the cars, whatever you want to need. So it's totally different. And we have to do that and we have to monitor that that's a static portion and we have a dynamic portion so that the car that the person have well in the last couple of days, month, it's the user idea or the account information available in the dark net. So is it known or not known? Are we under tech liked it very much because I think in the two days political saturation, some companies are less and some companies are more under attack. We have to take that in circumstances and say at the moment, yes, we are on the tech. Nobody is allowed to access critical data, right change. And it has to be access by access decision no longer, pretty simple. I log in, in the morning and log out in the evening. It's connection by connection.
And here you,
If you go just back, so, and here again, you see the, the difference. So you do not have only those user application access. We go into the factories, we go into our factory lines and if the sensor would like to talk to some database in the factory, also here, we try to apply zero trust principles. And not just assuming that as part of the network and the pyramid design of the factory, that every communication, what flows between those pieces is just allowed because of the network. And here, I mean, we also, I think we kind talk in, in a minute about it. I mean, we have real time requirements in factories, you know? So, so there are fast, fast speed lines available as well. So we, where you need to decide in, on a millisecond area, whether, whether going rest left or right. And then it becomes interesting if you talk to providers and hyperscalers and whatever, how to do that in those scenarios. Okay,
Go ahead. Yeah,
Yeah, yeah. Okay.
Then let's do it. I think now let's put some meter at the point. What do we have to do as program leads of civil trust? We always have to have our head in the sky. We are thinking in a five year, 10 year, 15 year approach. Are you still a journey? Are you
Still there in 15 years?
Yeah. I'm, I'm not there in 15 years, but anyhow, maybe you, so I think from my perspective, we have to think ahead. So civil trust is a journey. It's not there. We could not implement it by tomorrow. I think 220 factories to, to enable for civil trust will take time. And the products, if you see the life cycle of products, it takes time. So ahead in the sky feed on the ground. And that's what we want to show you now, business partner, access, civil trust, pretty simple. Right? So I give you the right to go to my machines. I say, here have identity. Yes I have on, are you trustworthy? Sure. I'm trustworthy. No problem. Right. How could you verify that? So from the, from a principle it's simpler from a two days implementation, we are far away, far away. So there are either you manage the identities by yourself, which is crazy, right?
Because how should I do that? Or you have agreements with a business partner like we have with BMW or cupping or some, something like that, companies to say, if you go in my system and order something you have to pay for, I don't care if it's a valid identity or not. If you say to me, I am the identity provider you have to do. So. And then current implementation of a lot of systems is their trustworthy or not trustworthy. Does it fit to our thinking of always verify? Does it fits to our idea of different types of data they have to access? No. So simply that's what we are pushing in that. And Hey, Microsoft, we are pushing them also to go in that direction to be a bit more, bit more specific on the part so I can trust up to level or something else. So it's up to me to decide that Thomas
And also, what, what does that mean? Business partner access with things like device trust.
I mean, it's easy to implement device trust in the internal environment. I can enforce that. I can use, I dunno, things like in tune and whatever to, to, to, to get a device or compliance that of a, of a device. But what do I do? We initially we started with a black white scenario. So, so if there are external partners and they want to access some critical information and the policy is for critical information, you need to have a compliant device. That's the general policy, but now what do you do in those scenarios? Where on the one hand you have those internal scenarios where you, where you easily can enforce that. But on, on the other hand hand, you have external partners who still want to have for whatever reason and scenario have really have access to very critical data. And how do you enforce that device trust? I mean, I can give them a virtual client or something like that. That's the easy part, but how would I do that without that? So easily bring your own identity, bring your own device, but yeah. Would you allow, if I ask you, so I'd like to see your intern policy, I'd like to see in, in your system before you can access with your device. So typically ANSYS, no. So why should some excellent company allow Siemens to, to look into your systems, but then really in the, in the real implementation it becomes,
Yeah. A bit interesting, bit more crazy. You allow me to install one of my agents on your system so that I can verify that you are trustworthy. I don't think so. In most cases, Thomas
OT and it differences. I, I already touched it. So as long as you are in the it space, and specifically, if you are in the it web application space, the majority, we are not done yet with all of the application, but the, the, the way is quite straightforward. If you go into the OT areas, you have completely different mindset. First of all, if you talk to the factory people, if you go to them and said, okay, let's, let's implement zero trust in your factory. So the first thing you're gonna, this guy will tell you, so why should I do that? I'm paid more or less by throughput. Well, security and complexity. And, and we have good reasons, but first of all, it's, it always starts like this. And second, I mean, you have sometimes real time really requirements. So it, you need to this decide very, very fast.
You typically do not have an open internet connection in the factories where you might want to use some of let's say systems, which are out on the internet, although we would like to, to go there. But as a federal, a matter of fact, today, you do not have this, this network to there. And yeah, you have all kinds of devices. You do not have those modern devices, which we all know here on our laptops and our mobile phones. You have, I dunno, 15 year old sensors somewhere. So how would you, what you, what you would you do with those? So you can isolate them. First of all, you can make those pieces smaller and smaller, but in the end, those are challenges in really having a full scope, implementation of zero trust in the factories.
Good. And that's why it, OT convert ends at some time hits the ground, right? The ground, not the sky. Let me sum up the two it's identity and containerization, I think identity for all pretty simple, right? Who has identities on the production machines, who has identities on the product bit? So we starting to right, but that's really identity for all. And the mantra is no, no entity without identity. That's what we called into Siemens is that's not simple. It's far beyond simple. It's simple for human beings because we are used to do that since decades, right. Thomas decades. Right. I'm not, but 40 devices. It devices. Yeah. Okay. Coming up with the in tune and something else for service. Yeah. You know, there are some service for applications. Do you have identities for applications, for services, for data? No.
Anyway, the typical answer for, for lots of those, not non-modern stuff, it's certificates, let's bring certificates on those devices, but then you, you quite soon reach things like what's the lifetime of those certificates. How do you revoke them in case of, and how do you insert, let's say this kind of realtime data and, and realtime activities, which you typically know from the, from the human use cases.
Yeah. And I think that's why I think products. Yeah. We put some identities on it, but no identity, life cycle, ization sympathy or trust it's mentioned in a previous talks a lot. Everything has to be in a container. Every application, every PC, every factory device, every something in theory. Okay. In, in bring it to implementation a hell of work. So in Siemens we have about, I don't know, 10,000 applications, every, every application should be in a container. We have about 220 factories, which means more or less 1200, 1500 additional container and, and segments and something else. So it's a journey. If, if you, in mind,
If you even stop on the factory level, sure.
You go inside the factory, I might, the typical scenario is not that within the factory, every single device and every single century is talking to each other. Right. So they're also within the factory, you have those boundaries or you have those containers typically talking to each other and would, what would I like to do? I would like put them in one container where there's another container beside next to it. And I'd like to ensure that every communication which flows in that container, that's good. And I, I also controlled access to this container if there's some, some, some data, I dunno, center in the factory, but what, but I would like to make sure that container a is not necessarily able to talk to container B. And if that would happen, some alarms clock should
Go up. And so we start to put production lines in our container. So we have non zero trust areas in our container and zero trust areas between that, which is also not easy. So keep in mind, we have machine to mean machine communication, application, application communication, which is not solved in most cases yet. So we are on the way. Okay. Keep that in mind. And even, I think we will to talk to our products a little later. So
It's up to you though. Again, modern web applications and legacy applications. You could also replace the word applications. So the legacy applications by legacy systems. I mean, if you, if you take those modern web protocols, as I said done, if you talk about how to do a remote maintenance to a machine in the factory that is different and how do you would, how do you want to protect this typically network? So can we talk about partners? And, and, and I think so, right? Sure. So one of our partners is CCAL different partner is Microsoft. We have ping, we have zero in, in, in our systems or in our environment. And typically if you go into those legacy network stuff, you end up in a, in a CKI solution, remote maintenance, we are working on those things where we then are trying to from the outside world, from an user on the internet, do some remote maintenance Viac scale on those machines. That's one of the concrete solutions which we are working on and also have in place already.
Good situation awareness. So remember the fuse picture, we talked about this dynamic stuff. Situational awareness sounds also easy, and we have a lot of things implemented in the it right. Detection agents on clients, on server, vulnerability, management, identity protection, whatever you want to have. It's their bringing that to applications and say, is the application good? Is it misbehave or not? It's not so easy. Especially I have very, we have some, some financial applications, which the quarterly footprint is totally different from the yearly, from the monthly. And you have to really take into account all the data to analyze is the application misbehavior or not. So is it trustworthy at the moment or not? Besides the basic stuff, like is the server secure and patched and something else the last two, and let's put it together because we are running out of time and we, we are not able to go to lunch. So Thomas
SUSE, across all platforms, we at Siemens, we have lots of developers working on Linux, for example, how to integrate those in a, in a, in a quite seamless, or to provide them also seamless experience as we do it for, for our windows environment. Not an easy topic. I can tell you without just leaving them behind or finding some, some, I don't know, exceptional processes and things like this. So this is just one single example of where we are currently struggling with and extensively working with partners like Microsoft to get this done. And finally also, I mean, we touched it already, zero trust in products. If you think through those scenarios, the new generation of a Siemens strain, I C, which you might come here, came here to Berlin, that the goal is to, to have them zero trust enabled. How does the train communicate insight from, from the control center upfront in the train with its systems in the backend, but also to train itself to, to the, to the system of Cheban in the backend.
Yeah. And so
How is that going or how is our smart infrastructure stuff in the buildings? How do they talk to, to the systems somewhere on, on, on the building data center, if you want. So how can we ensure that this fire sensor talking to the system is really the one who's supposed to be, or whether that has been, I dunno, hacked
That's one aspect and keep in mind, digitalization is all of that. And that's why we think we could not stop, stop with it and have it in products. Also, first I like preemptive maintenance. You have to be sure that the car or the train gives you the data that you need, and they are not man in the middle that falsifies the data and give you the only option that you be on every train station and to some maintenance, because that's against the money, right? So that's really life scenarios,
Just, you don't need to see read all of that. I just would like to give you a glimpse. So we would like to give you a glimpse, how we measure our zero trust implementation at Siemens. We have, we have a dashboard, we have all, we have teams working together with us on what do we do on the application side? What do we do on the locations, simple, complex factory locations. What do we do with the products? And as you can see already at the numbers, yeah. On the left hand side, you see the big numbers with the applications on the right hand side products. Obviously Siemens has more than eight products, but as we are starting specifically working, working also in those areas, so the numbers are low, but it's a clear target from the Siemens board to transform Siemens into a, what we call zero trust company. Maybe it's little bit buzzword, but yep. That's
It. And, and for you. So we are around today and tomorrow open for any question, happy to talk because we can discuss and talk for month in between after one and a half year, to be honest. And now we are happy to receive question. Remember, it's your lunch break?

Stay Connected

KuppingerCole on social media

Related Videos

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

Event Recording

Effects of Malware Hunting in Cloud Environments

Webinar Recording

Advanced Authorization in a Web 3.0 World

Business and just about every other kind of interaction is moving online, with billions of people, connected devices, machines, and bots sharing data via the internet. Consequently, managing who and what has access to what in what context, is extremely challenging. Business success depends…

Webinar Recording

A Winning Strategy for Consumer Identity & Access Management

Success in digital business depends largely on meeting customers’ ever-increasing expectations of convenience and security at every touchpoint. Finding the best strategy to achieve the optimal balance between security and convenience without compromising on either is crucial, but can…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00