3.4 Cybersecurity and data privacy

Proactive approach to handling threats and vulnerabilities, reactive approach to incidents³

Siemens CERT and Siemens ProductCERT are dedicated teams of experienced security experts who can provide an immediate response to potential security threats and incidents affecting Siemens' products, solutions, services, or infrastructure.

Siemens CERT secures our internal infrastructure, continuously monitors cyberthreats, and evaluates their potential impact on the company. When security incidents occur, our experts analyze the causes and initiate countermeasures to minimize harmful impacts, and the appropriate stakeholder groups (and the authorities, if required) are informed.

Under the Special Vulnerability Handling program, CERT also takes proactive steps to support a consistently high level of protection by addressing potential vulnerabilities before any damage occurs.

The ProductCERT team addresses security issues that affect Siemens products and solutions. It is the central point of contact for reports of security gaps in Siemens products. As a key partner of the Siemens business units, the ProductCERT team supports the entire process – from identification to resolution of vulnerabilities – and provides crucial information to customers. Updated Siemens Security Advisories are published on a monthly basis to ensure our level of transparency. With the CSAF format, we are among the leading industrial manufacturers for the automated distribution of vulnerability information.

In addition, our Vilocify Vulnerability Services⁴ continually search for information about vulnerabilities in software and hardware components used in Siemens' products and infrastructures. As a final step, product security must be guaranteed by means of verification tests. To this end, we have developed the Siemens Extensible Security Testing Application (SiESTA⁵), which enables the dedicated identification of vulnerabilities in infrastructures, products, and solutions.

Due to the growing demand for cybersecurity experts, we launched the CyberMinds Academy in 2022. This is a worldwide one-year program that combines learning modules with professional experience and is designed to develop young talents into cybersecurity specialists.

Cybersecurity insurance and risk analysis

To protect the company and reduce the potential financial impact of cyber incidents, we have explored risk transfer options in detail. Following an international call for insurance bids, the currently insurable cyber risks were transferred to a group of insurers in fiscal 2021. The coverage emphasizes losses caused by incidents such as breaches of information security and data privacy within Siemens or by third parties. The scope and limits of the risk transfer to the insurance market are reviewed annually.

Siemens' Cybersecurity department has also acted to mitigate risk even further. For example:

→ As industrial environments become increasingly digitalized, the share of software grows significantly, as does the number of associated vulnerabilities. To mitigate these risks, Siemens is automating the collection and distribution of information about vulnerabilities with the goal of offering end-to-end security for our customers. These efforts include our collaboration with the Common Security Advisory Framework (CSAF) 2.0 from the OASIS Consortium.

→ Since 2022, Siemens has been working intensively to encrypt the most important data for the post-quantum era. As part of this work, the previous crypto algorithms have had to be completely replaced with new methods. Because it is our expectation that crypto algorithms will need to be updated much more frequently in the future, the project also addresses the encryption lifecycle in the form of an expiration date for the classification of documents.

→ Our Zero Trust initiative, whose motto is "Never trust, always verify," has been extended to fiscal 2024. The objective is to check every internal and external connection between IT/OT devices and products in real time and only permit trustworthy communications.

³ Computer Emergency Response Team.
⁴ https://www.siemens.com/global/en/products/services/digital-enterprise-services/industrial-security-services/vilocify-vulnerability-services.html.
⁵ https://new.siemens.com/global/en/products/services/cybersecurity/siesta.html.

SIEMENS SUSTAINABILITY REPORT 2023 51