Natalia Oropeza is Chief Cybersecurity Officer & Chief Diversity Officer at Siemens, a multinational technology company that focuses on industry, infrastructure, and transport. She has 30 years of experience in information technology and has worked in Mexico, the U.S. and Germany. Before joining Siemens in 2018 she was Chief Information Security Officer and head of the largest IT transformation program at Volkswagen Group. Oropeza recently spoke to The Innovator about cybersecurity challenges and what to expect in 2022.
Q: What is the best way to combat the rise of ransom attacks?
NO: The vectors hackers used to exploit cybersecurity vulnerabilities at Colonial Pipeline, and in 80% of other cases, are things like not very complex passwords, outdated hardware, patches that are not deployed and old network vulnerabilities that no one bothered to fix. Companies can do a lot just by making sure they issue complex passwords and use two-factor authentication, hardware that is not outdated and up-to-date versions of software. Really make sure you do this to decrease a lot of risk. The risks are important because these are attacks that request a ransom, and if you don’t pay up, they will publish your intellectual property or personal data. You could get fined by the government for not protecting personal data if it gets published. And in some cases, not paying the ransom could endanger people’s lives.
Q: Is zero trust an effective strategy?
NO: The way we used to protect companies was all about containing things inside firewalls. It was like a castle in the Middle Ages; everything inside the castle was trusted. With the development of tech and the incremental use of cloud solutions, and with COVID happening and sending millions of people to work remotely, even if the firewalls are still there, they can’t protect us anymore because employees are literally outside of the walls. Zero Trust is an architecture that takes a completely different approach, mainly that you can’t trust anything or anyone without verifying them, in a very similar way to what modern countries do when someone wants to cross the border. They verify your ID as well as your health. We need to verify, in a similar way, that any devices that want to connect and access data, whether they be mobile phones or laptops or industrial controllers, are what they say they are and the people using them are who they say they are, and to check if they are healthy, meaning they don’t have embedded ransomware, spyware or a virus. This Zero Trust philosophy is what Siemens and many companies are now deploying in their IT and OT landscapes and also for our products.
Q: Is it enough to protect your own company? What about the supply chain?
NO: We know that it is not enough to secure your company. We need to secure the supply chain. In the SolarWinds attack, which was discovered in December last year, hackers infiltrated the supply chain of commercial software vendor SolarWinds, inserting a backdoor into the product. As many Fortune 500 customers downloaded the Trojan Horse installation packages from SolarWinds, attackers were able to access the systems running the SolarWinds product. Going forward, companies need to determine what risk a supplier is posing and be very focused on the ones that could create potential risks. Siemens does this. But we are also suppliers; we are providers of critical infrastructure, so we need to make sure we also comply with requirements. All corporates need to do this. If they don’t, they risk their business.
Q: There is an increased need for coordination between companies and governments. Both the White House and the European Union are encouraging governments to collaborate on cybersecurity. Companies are also starting to share information with each other about attacks. How can we get more companies to be more open about their attacks and share information with each other?
NO: Siemens initiated the Cybersecurity Initiative Charter of Trust together with sixteen cross-industry global partners, as we at Siemens cannot do it alone. In the digital age, partnerships, platforms and ecosystems become more and more important. Companies have got to cooperate and co-create risk management strategies. Everything we create and co-create is published. We don’t keep it secret because we have a common goal: creating trust in the digital world. If we don’t, we will never survive as businesses. We do a lot in terms of communication, not only sharing information but sharing the knowledge and solutions we are using to protect ourselves. We need more companies to join the Charter of Trust and encourage them to do so.
Q: There are not enough people to fill the openings for cybersecurity jobs. How can this be fixed?
NO: Communication around the field needs to inspire people by helping them to understand that cybersecurity is technology with a purpose. At Siemens we are touching lives. We provide critical infrastructure for energy, for example, so by protecting our networks we are helping to protect society. New technologies can help us solve some of the world’s biggest problems, but only if we can secure our networks and innovate in cybersecurity. Siemens is training a lot of young people. People trained in other fields, such as communications, or those with high emotional intelligence, could be a good fit in cybersecurity. To fill these jobs, companies and organizations will have to become more open-minded about mapping skill sets and helping people to transition to the field. Women and minorities need to be better represented. One of the reasons more women don’t enter the field is that there are not enough role models. This is one of the reasons that Siemens appointed me to be both Chief Cybersecurity Officer & Chief Diversity Officer rather than appointing a woman from a more traditional field like human resources to take on the diversity role.
Q: What are your cybersecurity predictions for 2022 and what advice do you have for companies?
NO: Attacks will increase massively, including ransomware attacks. Companies need to protect IoT and smart devices. Today everything from smoke detectors to dishwashers to robots in factories is connected, and this is going to increase. My advice is: invest in cybersecurity. Develop a strategy. You don’t necessarily have to invest huge sums of money, but you need to take risk management seriously. The sooner you do that as a company, the better.