People at Siemens
Jan 15, 2018


Computer virus Stuxnet began making headlines in June 2010. Thought to have been in development since at least 2005, the malware was different from other viruses: it was transported via contaminated USB drives, so it didn’t need the internet to spread. And while most viruses try to cause the greatest amount of destruction in the shortest amount of time, Stuxnet played the long game. Every move it made was designed to keep itself under the radar, so by the time anyone noticed that something was wrong, it would be too late.

First, it infected Microsoft Windows machines and networks, repeatedly replicating itself. But Stuxnet wasn’t designed to steal bank account details, send spam emails or wreak havoc on personal computers.

It was specifically created to infiltrate SCADA systems, software that corporations all over the globe use to run industrial control equipment. Its target soon became clear: Iran’s nuclear facility in Natanz, where international authorities suspected the country was working on its secret nuclear weapons program.

Stuxnet was programmed to manipulate the valves on the nuclear plant’s centrifuges to dramatically increase the pressure inside of them — and the malware was so stealthy that the people working in the plant could do very little to stop it. In fact, they didn’t even know the outages and disruptions were caused by a computer virus. The crippling attack reportedly set the Iranians back by months, if not years.

A new political playground

“It was a real wake up call,” says Rolf Reinema, a cybersecurity expert who’s spent his entire career protecting the world against malware like Stuxnet. As the former Head of IT Security for Siemens worldwide, he used to oversee every aspect of cybersecurity.

“The attack proved to everyone that something can be hacked even if it’s not connected to the internet,” he says. “The significance of what can happen when our products are under attack is much bigger than other industries. Imagine if an entire country had a blackout? This is the level of havoc that hackers can unleash.”

Hacking used to be a favorite pastime of fraudsters and low-level criminals; now it’s one of the main threats to international security and political stability. “Thanks to the Internet of Things, physical products are increasingly merging with the digital,” says Rolf. “And this exposes a whole host of vulnerabilities for cyber-terrorists and hacktivists to exploit.”

Protecting the world against digital weapons

At Siemens, IT security is divided into three areas: managing cybersecurity for its own infrastructure and assets, creating the blueprints for its products, and running a team of cybersecurity first responders.

“We don’t just look after Siemens,” says Rolf. “We also provide security for our customers.”

When an alarm is raised in any of Siemens’ Cyber Defence Centers, their Cyber Emergency Response Team (CERT) leap into action. “Our cybersecurity roles are anything but a regular 9–5 job,” says Rolf. “We need people to be able to step back and look at the bigger picture and think of new approaches and ideas.”

Contrary to popular belief, the majority of the cybersecurity roles aren’t about fixing problems, they’re about trying to find out whether they exist in the first place. Rolf likens it to finding a needle in a haystack: “What can we do to shorten the time when we’re confronted with so many devices? Do you shrink the haystack or color the needle? Our teams have to be on par with the worst hackers you could think of. They basically spend their days trying to break everything we make.”

The cybersecurity team at Siemens also have to think beyond the here and now to ensure their technology will stand the test of time. In your average tech company, products are developed with a three to five year lifespan in mind — but when you’re working on power plants designed to last over 20 years, the technology available right now will more than likely be redundant later on.

“Because our products have a lifetime of 10, 20 or even 30 years, we have to consider all the protective measures we’ll need in the next decade or more,” says Rolf. “We want to build automated tools that test products for vulnerabilities but at the moment only 20 percent can be detected. The other 80 percent needs human creativity.”

Guardians of the future

Some of the technology the IT security team are looking into isn’t even in general practice yet. Take quantum-safe cryptography, for example. “Just today I was in a meeting where we were discussing a potential breakthrough in quantum computing over the next five years,” says Rolf. “If that happens it means all the cryptographic algorithms currently in use today will be broken. So right now we’re trying to figure out whether it’s safe for us to integrate these so-called crypto-algorithms in our products.”

Blockchain is another example. Right now, the team are looking beyond the hype to see if it will still hold up ten years from now. “We could look at solving some of our problems by using a decentralized third party like the blockchain but is there a business case for it?” asks Rolf. “Does it add real value? Then there’s the security case. If someone owns more than 51 percent of the computer power in the blockchain network then they can completely manipulate the system, because they have the majority of the power. It’s why people are currently investing so much in computer power because it means you can just generate money.”

Standing out from the crowd

One of the advantages of working for a company like Siemens, says Rolf, is the resources available to entrepreneurial employees. “Because we invest so heavily in R&D, if you come up with a cool idea we’re in the unique position to make it happen,” he says. “In other companies, you have to make a huge business case for any new products with the likelihood they’ll never see the light of day.”

The opportunity to work on a global scale is another selling point. “Hacking the IT space has become boring,” says Rolf. “Why tell your friends ‘I hacked another server’ when you can say ‘I hacked a train’. Siemens is much more interesting than other IT jobs. We play with much bigger things, like production plants, ships, and even MRI scanners.”

In every job it’s important to keep people stimulated but in cybersecurity it’s vital. Rolf makes sure that change and stimulation are at the heart of every career. “There are so many opportunities for change,” he says. “People might start in our emergency response team or our hacking team. Then, they can join the architecture or building block team to develop their own improvements. Rotation is really important to us because it helps foster different perspectives. And it also gives you that regular kick of adrenaline.”

Rolf is the former Head of IT Security for Siemens worldwide, where he oversaw every aspect of IT security. He previously worked in cybersecurity for Vodafone and the German National Research Centre for Information Technology. He now lives in Munich. Find out more about working at Siemens.

Words: Caroline Christie
Illustration: Peter Henderson
