Siemens & TÜV Rheinland - A strong Relationship in Cyber Security
Siemens & TÜV Rheinland - A strong Partnership
Frank Kuempel, The Hague, NL - May 11th 2017
Unrestricted
At Home on all continents.
Frank Kuempel, The Hague, May 11th 2017
Key figures 2015
  Sales in millions of euros: 1,881
  Foreign portion (%): 50.6
  EBIT (%): 5.4
  Employees: 19,630
  Foreign portion: 11,587
  Locations: over 500 in 69 countries
Sales by business streams.
(Pie chart) Segments: Industry Service, Products, Mobility, Academy & Life Care, ICT & Business Solutions, Systems. Shares shown: 27%, 24%, 24%, 10%, 8%, 7%.
Solution Expertise. Information and IT Security.
Five phases:
1. Objectives and strategy: business requirements; strategy
2. Management and planning: management processes; management of information security; data protection and data security; IT risk management according to ISO 31000 and 27005; ISMS, BCM and GRC tool selection/introduction
3. Design and implementation: secure architectures and processes for networks, data centers and mobile devices; application security
4. Operations: security in operations; operations (MSS) and support of IT security solutions; APT – Computer Security Incident Response Team (CSIRT)
5. Audit: security audits; certification of processes and services
Industry solutions, individual concepts, professional consulting, and strong in implementation.
List of abbreviations:
  ISMS = Information Security Management System
  BCM = Business Continuity Management
  GRC = Governance, Risk and Compliance
  APT = Advanced Persistent Threat – targeted cyber attack
  MSS = Managed Security Services
Cyber Security Strategy - Theory vs. Reality
In theory there should be (left) / What we find in customer situations (right):
1. Well-defined and documented business processes / There is just one process, e.g. "Produce Energy"
2. Well-defined and documented RACI / Responsibilities (IT) not defined or unclear
3. Documented IT-related network diagrams (plans) / Just sketches
4. Policies and procedures (operational and IT) / Operational procedures, but no IT-related procedures
5. Trained IT staff / Trained IT staff, but not educated to the demands of OT
6. Incident management process / Rarely defined to the demands of OT
7. Change management process / Rarely defined to the demands of OT
8. Risk management / No risk-based approach
9. Audit (organizational, technical) / Audit limited to safety or quality management (work and/or environmental)
10. Awareness about IT threats and vulnerabilities / (IT) awareness/education organized by the individual
11. Reporting on a regular basis / Rarely defined, not risk-driven
12. Technical/organizational measures based on risk-treatment plans / Ad hoc measures (often not planned, technically driven)
Cyber Security Strategy – Key Influencers
(Diagram) Influencing factors shown: Business Requirements, Business Strategy, Stakeholders, Regulation, Supply Chain, Liabilities, Threats, Vulnerabilities. Target domains shown: Secure Power Generation, Secure Power Transmission, Secure Power Distribution, Secure Control Center.
Cyber Security Strategy – Taking Measures
(Diagram: Organizational Measures, Technical Measures)
Cyber Security Strategy – Governance of Organizational and Technical Security
(Diagram: Organizational Measures, Technical Measures)
Cyber Security Strategy – Constant Improvement & Securing the Business
(Diagram: Organizational Measures, Technical Measures)
Cyber Security Consulting – How we Support our Customers
(Diagram, built up over four slides: Organizational Measures, Technical Measures)
1. Analyze the Environment
  • Identify internal/external factors, drivers, business needs and requirements
  • Identify and analyze the as-is state
  • Identify gaps
2. Plan for Actions
  • Cyber security governance
  • Policies and procedures
  • Security processes
  • Risk management
  • Security devices and technology
  • Reporting
3. Build Lines of Defense
  • Develop processes, policies, procedures and methodologies
  • Enable and educate employees
  • Create awareness
4. Run and Operate the Strategy
  • Assess risk
  • Evaluate measures
  • Monitor and improve
  • Audit, penetration testing and network scanning
  • Increase awareness
Thank you for your attention
Frank Kuempel
Principal Consultant, Information Security & Data Protection
TÜV Rheinland i-sec GmbH
Am Grauen Stein, 51105 Köln
Tel: +49 221 56783 281
Cell: +49 151 1679 1782
[email protected]
www.tuv.com/informationsecurity