In Conversation: Leo Simonovich
In the energy sector, the stakes already felt sky-high when it came to cybersecurity. Unlike other fields where a bit of malware might simply tangle up the IT team, attacks here might cut off power for large swaths of the country. So Leo Simonovich, the Vice President and Global Head for Industrial Cyber and Digital Security at Siemens, had plenty to think about at the start of 2020—then, he tells Cognitive Times, the COVID-19 pandemic complicated everything.
COGNITIVE TIMES: Siemens does work across so many fields—from energy to industry to transportation—so how do you pitch partners on the value of artificial intelligence in cybersecurity?
LEO SIMONOVICH: We’re helping to make AI simple and practical for the industrial context. In general, our customers—utilities, oil and gas companies—are skeptical of black boxes. They’re looking for proven technologies that can last 20-plus years, for decades.
With that said, we’re doing three things by integrating AI: first, we’re making models applicable at an increasing efficiency. Second, we’re doing assurance testing to make sure we do more good than harm. That is to say, availability and reliability and safety are of the utmost importance. So when you deploy a piece of technology that is new, we better be sure it’s not going to trip a plant or, worse, cause a safety event.
And the third thing we’re doing is demystifying the black box by providing insights about how AI enriches detection and protection capabilities. We’re out there sharing, let’s say, what SparkCognition’s DeepArmor brings to the industrial environment. And the best way we do this with customers is by providing outcomes—outcomes around detection and outcomes around protection.
CT: COVID-19 has really upended all aspects of life, but that’s especially true for industries like energy where things are suddenly decentralized for the first time. What are some of the new security concerns this operational shift has unearthed?
LS: We’ve seen a fundamental change, a transformation, in both the way people are working and also in the attack surface and security models we need to protect this new environment. We call it “plant-to-couch.”
As our customers transition their field personnel—the people running plants—into a home environment and only keep critical staff on board to maintain assets, the operational technology/information technology divide—the demilitarized zone of sorts—is being crossed in real time as employees connect to power plants to monitor and control. This has widened the attack surface.
This fundamental shift requires new security models and a new approach. There are two big problems we see: one is that power plants are seeing a shortage of personnel who can maintain these assets—people who can support patching, malware protection, whitelisting—and maintain the hygiene of these plants. They’re forgoing that in favor of [staff who can maintain] basics like providing power supply and keeping the lights on.
The other problem is there are fewer eyes on screens, and as those eyes are distributed and decentralized, there’s an increased need for monitoring. We see AI and machine learning having a key role to play in addressing both of these challenges. There’s now more complexity to detection. If you’re not maintaining these assets, you need a backstop that can help you detect anomalies and also provide protection in case you cannot patch and close vulnerabilities.
CT: What are some best organizational security practices you’ve developed recently that might be applicable to other organizations?
LS: My best tip is to keep cybersecurity front and center. Safety and availability are clearly paramount [in the energy field]; you have to keep the lights on. But cybersecurity is also an important risk that needs to be addressed.
[The priority is] establishing connectivity and maintaining these assets and their uptime; cybersecurity is something that follows this scramble. So keep security top of mind. Second, have a clear map of the connections that you’re establishing. Track them. That will allow you to have a better understanding of your attack surface. Third, utilize these connections not just to service, but also to do things like monitoring.
When workflows change and people are sitting at home, they’re often going to have their home laptops open at the same time. They may be plugging in from their home machines. They may be using social media. We’ve seen a rise in employees sharing their experience, and in doing that they might be sharing pictures of real-time production. That invites attackers and social engineering. This is where, again, AI can play an important role—it can triangulate between these different pieces of data to help paint the larger picture.
CT: Before this pandemic, we were already entering a new era of cybersecurity where you see attackers leveraging AI or black markets online that simplify the knowledge needed to utilize malware. What are some of the most prominent security challenges on your radar when COVID-19 concerns finally calm down?
LS: We really saw two challenges our customers were facing. One is the “Brown Challenge,” securing legacy assets that have been around a long time, that have open architectures, and that had digital bolted on top for increased connectivity. The other is focusing on digital-native technologies, a lot of which are associated with renewables and more efficient energy technology.
At the core of both focuses is the idea that we need to solve the visibility challenge. By providing detection and context, we are then able to empower our customers to take action. In Brownfield environments in particular, there are a lot of legacy assets that cannot be maintained using the traditional life cycle and hygiene measures. Take, for example, a compressor station that transports either gas or petroleum—that compressor station will have a terminal that has not been patched for three, five, eight years.
So we need a solution that can help us provide a backstop to patching to protect those assets until they’re decommissioned. This is where machine learning can really help—to help us detect the unknown, unusual activity for assets that cannot be patched.
We think that to do this well, to secure the Brownfield and secure this OT/IT convergence, you need to make AI practical. A lot of attackers are operating at machine speeds, so you need detection capabilities that can piece different pieces of the puzzle together quickly, at speeds that are frankly too much for the human mind. AI and machine learning can then play a role, because you need to understand not just the anomaly itself, but what assets are associated and where they are in the production process. You need to provide context and insight. The consequences are really high in the energy sector, so it’s important for us to bring together these technologies old and new to solve the challenges and meet that demand.