By Bill Lydon, Editor, Automation.com
“The distinction between internal security and defense become increasingly blurred. From a defense perspective cyberspace has become a fifth domain of warfare equally with critical military operations land, sea, air, and space.” Elżbieta Bieńkowska, EU Commissioner
That was the driving sentiment at this February’s Munich Security Conference where Siemens and eight partners from industry signed the first joint charter for greater cybersecurity.
Over 450 high-profile and senior decision-makers as well as thought-leaders from around the world attended the Munich Security Conference, which encompasses a comprehensive range of security including traditional national, military security, economic, environmental, and human dimensions of security. Heads of state, ministers, leaders of international and non-governmental organizations, high-ranking industry representatives, media, academia, and civil society, came together to engage in an intensive debate. The MSC’s objective is to build trust and to contribute to the peaceful resolution of conflicts by sustaining a continuous, curated, and informal dialogue debate within the international security community, so it was a significant setting for the signing of the cybersecurity charter.
Initiated by Siemens, the Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization. In addition to Siemens and the Munich Security Conference (MSC), representatives from Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom also signed the Charter. The initiative was welcomed by Canadian foreign minister and G7 representative Chrystia Freeland as well as Elżbieta Bieńkowska, the EU Commissioner for Internal Market, Industry, Entrepreneurship and Small and Medium-sized Enterprises, who addressed the group at the ceremony before the charter signing:
“I very much welcome the presence of COOs and the leaders of so many important companies, the leaders of industries are one of the most important partners for us in discussions about our future defense activities. I very much welcome the initiative behind the Charter of Trust that will be signed today.” “Definitely it is the right message at the right time on the right issue, cybersecurity matters, and it is the responsibility of all of us. As we all know the security environment has dramatically changed over the past few years with more and more severe and complex threats often hybrid in their nature”
“The distinction between internal security and defense become increasingly blurred. From a defense perspective cyberspace has become a fifth domain of warfare equally with critical military operations land, sea, air, and space.”
Bieńkowska went further into detail surrounding the EU’s efforts for cyber resilience. This effort has been made through concrete actions including:
A proposal to transform European Union Agency for Network and Information Security (ENISA) into a EU cybersecurity agency able to prevent and respond to cyber-attacks in a more coordinated way. The agency will be able to conduct pan European cybersecurity exercises and will ensure a better sharing of intelligence.
Promoting the creation of a true Single Cybersecurity market with an EU-wide framework for cybersecurity certification.
Proposing a blueprint for responding faster and in a more coordinated way at the EU level to large scale cybersecurity incidents
Proposing to develop a network of cybersecurity competence centres with a European Cybersecurity research and competence centre. Its role will be to roll out the technologies and cyber-capacities needed to detect and counter cyber-attacks.
Establishing mainstream cybersecurity principles in all the key strategic sectors. Cybersecurity is a cross sectoral issue. And a weakness in one sector can have an important impact on others and the rest of the economy.
This first-of-its-kind global alliance is focused on answering a very important question: How do we secure critical infrastructure – from our factories to our power grids – in the digital age?
The signees included:
Deutsche Telekom (TMobile)
The Ten Principles of the Charter of Trust
The Charter contains ten principles to make the digital world more secure through three important goals: Protecting the data of individuals and companies; preventing damage to people, companies, and infrastructures; and creating a reliable foundation for instilling trust in a networked, digital world. These principles include
1. Ownership of cyber and IT security
Anchor the responsibility for cybersecurity at the highest governmental and business levels by designating specific ministries and CISOs. Establish clear measures and targets as well as the right mindset throughout organizations – “It is everyone’s task.”
2. Responsibility throughout the digital supply chain
Companies – and if necessary – governments must establish risk-based rules that ensure adequate protection across all IoT layers with clearly defined and mandatory requirements. Ensure confidentiality, authenticity, integrity, and availability by setting baseline standards, such as
Identity and access management: Connected devices must have secure identities and safeguarding measures that only allow authorized users and devices to use them.
Encryption: Connected devices must ensure confidentiality for data storage and transmission purposes wherever appropriate.
Continuous protection: Companies must offer updates, upgrades, and patches throughout a reasonable lifecycle for their products, systems, and services via a secure update mechanism.
3. Security by default
Adopt the highest appropriate level of security and data protection and ensure that it is preconfigured into the design of products, functionalities, processes, technologies, operations, architectures, and business models.
Serve as a trusted partner throughout a reasonable lifecycle, providing products, systems, and services as well as guidance based on the customer’s cybersecurity needs, impacts, and risks.
5. Innovation and co-creation
Combine domain knowhow and deepen a joint understanding between firms and policymakers of cybersecurity requirements and rules in order to continuously innovate and adapt cybersecurity measures to new threats; drive and encourage i.a. contractual Public Private Partnerships.
Include dedicated cybersecurity courses in school curricula – as degree courses in universities, professional education, and trainings – in order to lead the transformation of skills and job profiles needed for the future.
7. Certification for critical infrastructure and solutions
Companies – and if necessary – governments establish mandatory independent third-party certifications (based on future-proof definitions, where life and limb is at risk in particular) for critical infrastructure as well as critical IoT solutions.
8. Transparency and response
Participate in an industrial cybersecurity network in order to share new insights, information on incidents et al.; report incidents beyond today’s practice which is focusing on critical infrastructure.
9. Regulatory framework
Promote multilateral collaborations in regulation and standardization to set a level playing field matching the global reach of the WTO; inclusion of rules for cybersecurity into Free Trade Agreements (FTAs).
10. Joint initiatives
Drive joint initiatives, including all relevant stakeholders, in order to implement the above principles in the various parts of the digital world without undue delay.
“We hope more partners will join us to further strengthen our initiative.”
Siemens President and CEO Joe Kaeser
Bill’s Thoughts & Observations
Siemens has certainly elevated the industrial cybersecurity discussion and taken action with the Charter of Trust initiative.
I actually found the ninth principle of the charter regarding regulatory framework particularly interesting since it addresses the issue of harmonization of regulation and standardization to set: “a level playing field” matching the global reach of the World Trade Organization (WTO) and incorporation into Free Trade Agreements (FTAs). This is a tall order, but without this kind of cooperation, everyone does their own thing and multiple standards throughout the world proliferate, leaving open more loopholes to exploit.