Siemens & TÜV Rheinland: A Strong Relationship in Cyber Security

Siemens & TÜV Rheinland: A Strong Partnership

Frank Kuempel, The Hague, NL - May 11th 2017

Unrestricted


At Home on all continents.


Key figures 2015

• Sales in millions of euros: 1,881
• Foreign portion (%): 50.6
• EBIT (%): 5.4
• Employees: 19,630
• Foreign portion: 11,587
• Locations: over 500 in 69 countries


Sales by business streams.

[Chart: sales shares by business stream. Streams: Industry Service, Products, Mobility, Academy & Life Care, ICT & Business Solutions, Systems. Shares shown: 27%, 24%, 24%, 10%, 8%, 7%.]


Solution Expertise. Information and IT Security.


1. Objectives and strategy
2. Management and planning
3. Design and implementation
4. Operations
5. Audit

Business requirements

Strategy

Management processes

Management of information security

Data protection and data security

IT risk management according to ISO 31000 and 27005

ISMS, BCM, and GRC tool selection/introduction

Secure architectures and processes for networks, data centers, mobile devices

Application security

Security in operations

Operations (MSS) and support of IT security solutions

APT – Computer Security Incident Response Team (CSIRT)

Security audits

Certification of processes and services

Industry solutions, individual concepts, professional consulting, and strong in implementation.

List of abbreviations:

• ISMS = Information Security Management System
• BCM = Business Continuity Management
• GRC = Governance, Risk and Compliance
• APT = Advanced Persistent Threat – targeted cyber attack
• MSS = Managed Security Services


Cyber Security Strategy - Theory vs. Reality


In theory there should be

• well defined and documented business processes
• well defined and documented RACI
• documented IT related network diagrams (plans)
• Policies and Procedures (operational and IT)
• trained IT staff
• Incident Management Process
• Change Management Process
• Risk Management
• Audit (organizational, technical)
• Awareness about IT threats and vulnerabilities
• Reporting on a regular basis
• Technical/organizational measures based on risk-treatment plans

What we find in Customer Situations

• There’s just one process e.g. “Produce Energy”
• Responsibilities (IT) not defined or unclear
• Just sketches
• Operational procedures but no IT related procedures
• trained IT staff but not educated to demands on OT
• Rarely defined to demands of OT
• Rarely defined to demands of OT
• No risk based approach
• Audit limited to safety or quality management (work and/or environmental)
• (IT) Awareness/education organized by myself
• Rarely defined, not risk driven
• Ad hoc measures (often not planned, technically driven)


Cyber Security Strategy – Key Influencer

[Diagram labels: Secure Power Generation, Secure Power Transmission, Secure Power Distribution, Secure Control Center; Business Requirements, Business Strategy, Stakeholder, Regulation, Supply-Chain, Liabilities; Threats, Vulnerabilities.]


Cyber Security Strategy – Taking Measures


Organizational Measures

Technical Measures


Cyber Security Strategy – Governance of Organizational and Technical Security


Organizational Measures

Technical Measures


Cyber Security Strategy – Constant Improvement & Securing the Business


Organizational Measures

Technical Measures


Cyber Security Consulting – How we Support our Customers


Organizational Measures

Technical Measures

Analyze the Environment

• Identifying internal / external factors / drivers / business needs / Requirements
• Identify / Analyze As-Is
• Identify GAPS


Plan for Actions

• Cyber Security Governance
• Policies & Procedure
• Security Processes
• Risk Management
• Security Devices and Technology
• Reporting


Build lines of Defense

• Develop Processes / Policies / Procedures / Methodologies
• Enable & Educate Employees
• Create Awareness


Run & operate the Strategy

• Assess Risk
• Evaluate Measures
• Monitor & Improve
• Audit, PEN-Testing & Network Scanning
• Increase Awareness


Thank you for your attention

Frank Kuempel
Principal Consultant, Information Security & Data Protection
TÜV Rheinland i-sec GmbH
Am Grauen Stein
51105 Köln
Tel: +49 221 56783 281
Cell: +49 151 1679 1782
[email protected]
www.tuv.com/informationsecurity
