Cybersecurity of the future: Siemens on new strategies to counter rising threats

The number of cyber-attacks against critical societal functions is increasing, creating new, complex security challenges. To deal with the growing threats, we need to dare to think in new ways, step out of the computer room and face reality where it actually happens.

 

Cybersecurity is one of today’s greatest challenges for both businesses and critical functions in society. The Swedish Civil Contingencies Agency (MSB) reports that cyber-attacks against government agencies and suppliers have become increasingly common – a clear indication of how the threat landscape has evolved.

 

— Attackers only need to succeed once, whereas we as defenders need to succeed every time, says Michael Dufva, Cyber Security Officer at Siemens AB.

 

With his experience of security issues and a background in the defence sector, he leads the work to strengthen cybersecurity, both within Siemens and for the company’s customers. Siemens operates in more than two hundred countries and handles billions of security-related events every day – from small intrusion attempts to major cyber-attacks.

 

— It’s a race against time and technology. Attackers have reached such a high level of automation that we need to stay ahead of the game, he explains.

 

Technical obsolescence and legacy systems

 

Many companies are struggling with technical obsolescence from legacy systems that are still in operation, despite not being adapted to today’s security threats.

 

— Even if you have state-of-the-art AI solutions, they may need to interact with systems that are 30-35 years old, built at a time when cyber-attacks were not even on the radar, Michael Dufva says.

 

These older systems often lack security features, making them vulnerable to breaches where attackers can exploit old weaknesses to infiltrate modern systems. Beyond this, there are challenges related to suppliers. A production line can consist of hundreds of OT (operational technology) devices from different manufacturers, with each supplier needing access to their own systems.

 

— This leads to an uncontrolled number of access points and major security risks.

 

The right supplier and clear requirements

 

— The problem is exacerbated when companies try to deal with the situation themselves through short-term solutions, without having a clear strategy or a deep dialogue with their suppliers on how to protect their systems. Another pitfall is turning to the wrong type of supplier. It’s a bit like asking an IT supplier of office systems to secure industrial or property-based networks, Dufva says.

 

He emphasises the importance of having the courage and ability to make demands on the supplier in order to maintain a durable security chain. This requires an architecture that supports continuous updates of both systems and software.

 

How to build the security strategy of the future

 

Although attacks have become more intense and harder to detect, there are still ways to protect yourself.

 

— Identify the risks, assess how big they are, and decide how much you are willing to invest to protect things. Spending more on protection than something is worth is not sustainable. But when it comes to a company’s reputation or critical information, the cost of not protecting yourself can be incalculable. At the same time, cybersecurity investments must go hand in hand with the digitalisation of the company – otherwise security will fall behind.

 

Michael Dufva says it is crucial that the security strategy is embedded at all levels, all the way up to senior management. This ranges from having the courage to carry out tests and simulations to training both staff and management teams.

 

— A modern security manager must have a completely different approach, supporting management and understanding the needs of the business. If bosses and management don’t take it seriously, no one else will either.

 

He emphasises that in the end, it is the people and the business that are the most important factors. That’s why he says we need to dare to rethink and let go of old ways of thinking in the security industry. Dufva explains that the role of security manager has traditionally gone to people with a military or police background, or to technically trained engineers. This still characterises the industry, which he says is largely made up of middle-aged men.

 

— This is a tragedy because security work needs more perspectives and broader competences. To meet the challenges of the future, we need to build teams that reflect a global world and can understand and respond to different needs.

 

Security by design

 

Siemens is actively working to certify as many products as possible to meet customers’ security needs. By participating in NATO exercises and other international collaborations, the company gains valuable information about how other nations protect their systems. This knowledge is used to further develop the company’s own solutions and improve cybersecurity for customers on a global scale.

 

Michael Dufva explains that the basic idea is to build security from the ground up, that is, ‘security by design’.

 

— We also develop architectures and prototypes that show how to build safe solutions, whether for factories, hospitals or substations.

 

He points out that the conversation with customers is as crucial as the technical aspect, as each customer has unique needs and specific security risks to consider.

 

— We endeavour to understand their reality, as safety is never a one-size-fits-all solution. Whether they are large corporations or small businesses, our aim is to tailor solutions to their needs and to create an open and inclusive dialogue.

 

New EU rules to identify vulnerabilities

 

The new EU directive NIS 2 aims to improve the cybersecurity of critical functions in society. The directive requires companies to identify their vulnerabilities and manage the risks that exist. Those who do not comply with these requirements can face serious consequences.

 

— Companies that do not comply with NIS 2 risk fines of up to €10 million or 2 per cent of their global turnover. That could be devastating, he says.

 

NIS 2 is not just about meeting a requirement; it also offers an opportunity. By setting a common standard for cybersecurity, the Directive allows companies to strengthen their protection against threats while increasing the trust of both customers and business partners.

 

The future of cybersecurity

 

Looking ahead, Michael Dufva sees several major challenges. One of the biggest is managing the rapidly growing number of IoT and OT devices being connected, ranging from small appliances such as light switches and refrigerators to more advanced industrial systems.

 

— The question is how to keep track of everything and prevent these devices from being misused. AI is likely to play an important role as part of the solution to monitor and protect these systems, he says, noting:

 

— We must dare to think in new ways, break down walls and see security as an integral part of our daily activities. This is a change that needs to happen in the near future.

 

At Elfack 2025, Siemens will share its insights and solutions to tackle the cybersecurity challenges ahead, focusing on everything from security by design to AI-powered protection systems.

 
