
SINEC: Siemens new Zero Trust Solution

Siemens secretly presented a hot product at it-sa: a zero-trust network access solution for OT infrastructures.

A push to end dependence on US vendors in the IT sector? I would be a big fan of this - especially because Europe, particularly the German-speaking countries, is continuously losing its footprint in the high-tech sector. ASML, for example, is probably the last company in Europe that has managed to hold its own in the high-tech market against US and Chinese competition, while almost all other markets have already been taken over or are about to be - which puts Europe at a huge geostrategic disadvantage.

I was therefore particularly curious to talk to the architects at Siemens and try to understand the product.

How do OT networks work today?

OT networks are usually divided into cells (example: bottle washing process). A cell usually contains several individual machines, sensors, monitors and their control units, which together form a closed functional area. The control units are usually Siemens PLCs and are connected to the individual elements via PROFINET.

PROFINET is an Industrial Ethernet standard that Siemens once invented or played a key role in developing. It is roughly based on or derived from the regular Ethernet protocol. The protocol was developed because OT environments are often highly latency-sensitive and need to communicate almost in real time. With PROFINET, we are therefore talking about a real-time Layer 2 connection.

The connection of several cells to larger systems (e.g. a beverage bottling plant with individual cells such as bottle washing, filling, capping, labeling, etc.) is usually carried out via classically routed TCP/IP connections. For this purpose, the individual controllers (or their control units, i.e. the PLC) are terminated in different VLANs on switches and routed there.

An overview of such a network (there are of course many variations) looks something like this - more details will follow later.

[Figure: overview of a typical OT network]

The problems of OT networks

The problem here is segmentation. All elements can see each other unhindered. Especially in view of the enormous depreciation periods of OT environments (often several decades) and their often completely outdated (operating) systems - nobody likes patching running OT systems, the failure of which would cause huge amounts of damage within a very short time - the door is figuratively wide open to lateral movement (i.e. the spread of malware within the OT environment).

This is why such zones and their networks are sometimes (but very rarely) terminated on OT firewalls. These then filter access from zone 1 to zone 2. Sounds good - but is quite complex, static and expensive due to the many individual connections.

As these environments are both highly sensitive and usually contain ancient software versions, they are usually encapsulated, i.e. completely separated from the regular IT network. So far, so good - if it weren't for the problem that:

  • external service technicians from the machine manufacturer regularly require maintenance or servicing access,

  • data has to be extracted from these OT environments in order to process or evaluate it,

  • OT systems now also want to access virtualized management consoles or SaaS applications.

So you do have to open up the OT network - somehow, in the most roundabout way, i.e. with firewalls, remote VPNs, tunnel boxes from the manufacturers or other workarounds. Ugly, insecure, uncontrollable - but it works.

In OT environments, there are often separate PCs to keep these network openings to a minimum. On-site maintenance can be carried out from these, but not remote maintenance.

Zero Trust in IT environments - SASE in brief

[Figure: SASE overview]

What exactly is Zero Trust?
Zero Trust is often defined in the context of SASE - a modern way of merging network and security. It is based on the extended evaluation of context (location, device, user) in relation to each individual requested app (essentially IP + port + layer 7 protocol). Ideally, this results in a fully meshed, micro-segmented environment with the two components SSE and WAN edge.

The strategy behind this: To degrade the perimeter to a "dumb Internet access" - i.e. to make it highly simple, inexpensive and standardized - and to shift costs and complexity to the cloud. Features such as PAM (privileged access via SSH or RDP) or WAF (secure exposure of internal systems via the Zero Trust or SASE exchange) are now even being integrated. This applies to both IT and OT environments.

The current problem with almost all solutions on the market is that no one is strong in every area. One vendor does the WAN edge part well but is weaker in SSE, the next does both only moderately, the third has little or no DLP, and the fourth or fifth barely masters East-West segmentation.
(And for the Microsoft disciples out there: Microsoft doesn't even deserve the SSE classification - at least for now.)

This is the reason why Rheintec currently relies primarily on multi-vendor SASE solutions - i.e. one vendor for SSE and another for WAN edge.

Such an environment can then look like this (here, for example, with Zscaler, Cloudflare, Ubiquiti, Fortinet):

[Figures: two example multi-vendor SASE architectures]

So much for the current state of the art. I know you want to know what Siemens Zero Trust is.

The use case of SINEC Secure Connect Zero Trust

SINEC, i.e. the Zero Trust solution from Siemens, aims to micro-segment OT environments (preferably from Siemens) on the network side. The solution is intended to solve the well-known problem that OT devices often sit in separate networks/zones, access to them is cumbersome, and segmentation in most companies is at best solved at the macro level. SINEC should enable both secure user access to OT devices (primarily the upstream PLC controllers to which the individual machines/systems are terminated) and micro-segmented East-West access between OT devices - the latter even across locations.

This is made possible via "edge routers". These edge routers are positioned in front of the cells, if required as high-availability clusters. The cluster members are managed by a central "Secure Connect Controller", which assigns logic, configuration, policies and routes; it is the central management and admin UI for the solution. The edge routers can connect to each other in an encrypted overlay network, fully meshed and even across locations. Cross-site access can take place via hosted edge routers in public clouds in the desired region (chosen for latency); Siemens has partially SaaS-ified this through automation, and deployment in a Siemens AWS environment is supposedly already fully automated today. Alternatively, the routers can be exposed directly to enable routing between locations without the additional latency of the public cloud. Of course, these routers must then be made publicly accessible (ouch - who does that?). The routers pull the traffic arriving at their ports into the overlay network and route it to its destination via the shortest path through the mesh. Microsegmentation can be applied via the central management, but is completely non-automated. Protocols are identified in an application-aware manner and can also be referenced in the policy.

User access follows the same principle. Users connect to edge routers, are segmented there and then allowed to access OT environments if necessary - or not. This is currently done via an agent. The agent can either connect directly to the edge routers in the OT environments (note: the edge router must also be exposed here) or be routed via the instances in the public clouds, to which the OT routers connect inside-out (at the cost of higher latency). This is intended to micro-segment OT-to-OT access and simplify user- and service-provider-to-OT access.
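To make the policy model behind the two sections above concrete (context-based, per-app decisions in SASE-style zero trust, and the application-aware policies applied at the SINEC edge routers), here is an added illustration. It is not code from the original post and not Siemens' policy language or product; the hosts, groups, rule names, the "s7comm"/"opcua" protocol labels and the zone-pair list are constructed assumptions. It contrasts a default-deny evaluator that grants access per identity, context and application tuple with the coarse zone-to-zone firewall model described in the status quo, and emits the flat audit record a SIEM forwarder would ship.

```python
# Added example (not Siemens code): a context-aware, per-application policy
# evaluator of the kind a zero-trust edge router applies, next to the coarse
# zone-to-zone firewall model it is meant to replace.  Hosts, groups, rule
# names and protocol labels are constructed for illustration.
from dataclasses import dataclass, replace
from typing import FrozenSet, Tuple

App = Tuple[str, int, str]  # (destination IP, port, Layer-7 protocol label)


@dataclass(frozen=True)
class Request:
    """One access request as an edge router sees it: identity + context + app."""
    user: str             # identity from the IdP, or a device identity for OT-to-OT traffic
    group: str            # role/group the identity carries
    location: str         # where the request enters: a cell, the plant LAN, the Internet
    device_managed: bool  # posture reported by the agent (False for unmanaged hosts)
    mfa: bool             # strong authentication completed for this session
    dst_ip: str
    dst_port: int
    protocol: str         # protocol identified application-aware, e.g. "s7comm", "opcua"


@dataclass(frozen=True)
class Rule:
    """An allow rule; anything no rule allows is denied (default deny)."""
    name: str
    groups: FrozenSet[str]      # empty set = any group
    locations: FrozenSet[str]   # empty set = any location
    apps: FrozenSet[App]        # explicit app tuples, never whole subnets
    require_managed: bool = False
    require_mfa: bool = False

    def matches(self, req: Request) -> bool:
        if self.groups and req.group not in self.groups:
            return False
        if self.locations and req.location not in self.locations:
            return False
        if (req.dst_ip, req.dst_port, req.protocol) not in self.apps:
            return False
        if self.require_managed and not req.device_managed:
            return False
        if self.require_mfa and not req.mfa:
            return False
        return True


# Constructed sample topology: two cells with one PLC each, plus a historian.
PLC_FILLING = "10.20.1.10"
PLC_CAPPING = "10.20.2.10"
HISTORIAN = "10.30.0.5"

POLICY: Tuple[Rule, ...] = (
    # External machine-builder technicians: only the PLC they maintain, only the
    # engineering protocol, only from a managed device with MFA.
    Rule("vendor-maintenance-s7", frozenset({"vendor-techs"}), frozenset({"internet"}),
         frozenset({(PLC_FILLING, 102, "s7comm")}), require_managed=True, require_mfa=True),
    # Plant operators on the plant LAN may reach both PLCs from a managed device.
    Rule("operator-s7", frozenset({"operators"}), frozenset({"plant-lan"}),
         frozenset({(PLC_FILLING, 102, "s7comm"), (PLC_CAPPING, 102, "s7comm")}),
         require_managed=True),
    # East-West: PLCs in either cell may push data to the historian over OPC UA, nothing else.
    Rule("east-west-historian", frozenset({"plc"}), frozenset({"cell-filling", "cell-capping"}),
         frozenset({(HISTORIAN, 4840, "opcua")})),
)


def evaluate(req: Request, policy: Tuple[Rule, ...] = POLICY) -> Tuple[str, str]:
    """First matching allow rule wins; otherwise default deny."""
    for rule in policy:
        if rule.matches(req):
            return "allow", rule.name
    return "deny", "default-deny"


def audit_line(req: Request, decision: Tuple[str, str]) -> str:
    """Flat key=value record of the decision, the shape a SIEM forwarder would ship."""
    action, rule = decision
    return (f"action={action} rule={rule} user={req.user} group={req.group} "
            f"loc={req.location} managed={req.device_managed} mfa={req.mfa} "
            f"app={req.dst_ip}:{req.dst_port}/{req.protocol}")


# The status-quo alternative: a zone firewall that opens whole zone pairs.
ZONE_PAIRS: FrozenSet[Tuple[str, str]] = frozenset({
    ("cell-filling", "historian-zone"), ("cell-capping", "historian-zone"),
})


def zone_firewall_allows(src_zone: str, dst_zone: str) -> bool:
    """Once a pair is opened, every host, port and protocol between the zones is allowed."""
    return src_zone == dst_zone or (src_zone, dst_zone) in ZONE_PAIRS


if __name__ == "__main__":
    tech = Request("maintenance@machinebuilder.example", "vendor-techs", "internet",
                   True, True, PLC_FILLING, 102, "s7comm")
    for req in (tech, replace(tech, device_managed=False), replace(tech, dst_ip=PLC_CAPPING)):
        print(audit_line(req, evaluate(req)))
```

The decisive difference to the zone model is the granularity of what a rule opens: `zone_firewall_allows` answers only "may zone A talk to zone B", while `evaluate` needs the group, entry location, device posture and the exact (IP, port, protocol) tuple to agree before anything is allowed, and the same technician is denied the moment the device is unmanaged or the target is a PLC outside the rule.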

The infrastructure then looks something like this (central SaaS management, which controls policies and routers, omitted for clarity) - without network components, more on this later in the review:

[Figure: Siemens Zero Trust (SINEC) infrastructure]

Evaluation and criticism

Basically: I think the fact that a European manufacturer is entering the IT sector is very good. If we want to have any chance at all strategically, then this is the very last chance anyway. I would like nothing more than to see Europe leading the high-tech industry again, because it secures our prosperity, provides jobs and enables us to defend our enlightened world view with a little more stability in the world.

I don't want to be unfair either, because Siemens is new to the field - even though they are actually a Zscaler customer and have a lot of internal expertise in the SASE and zero trust area. The product has only just been launched, while the Americans, Chinese (even if nobody here knows what good solutions Huawei builds) and Israelis have been in the market for decades.

I am also unable to assess the quality of the product, as I have never tried it and all my knowledge comes from discussions with Siemens architects. So please forgive me for any mistakes here; I will be happy to correct them transparently afterwards.

Nevertheless, I must express the following criticism.

Complexity of an isolated solution

Siemens strategically separates the OT division from IT. According to their employees, they have no interest in entering the IT market later on. In my view, however, this represents a massive problem: Instead of reducing complexity, it is being increased.

With the architectural approach of the status quo, firewalls for IT and OT-to-IT are still needed, as well as proxies and a separate SSE solution for IT. In my opinion, the approach of separating IT and OT is unrealistic and highly inefficient.

It ultimately means that I have to multiply hardware at the locations instead of halving it. Overall, this creates even more complexity because I have to administer, manage and monitor another (in addition to SSE) overlay network in the local network.

Even if the zero trust market currently has a maximum market penetration of 20-30% and therefore still has enormous growth potential, I doubt that Siemens can be successful with it in the long term unless they grow into the IT sector.

Feature density and automation

When I think of access to OT, I want PAM, PEM, key injection, sandboxes for files, browser isolation, session recording, SIEM forwarding, certificate management and AI-assisted microsegmentation. Many of the SSE vendors already support a large number of these features. I have not yet been able to identify any of them in SINEC. Even updates to the edge routers - including the exposed ones proposed above - are not yet managed centrally. Siemens has a lot of catching up to do here before anyone with an overview of the SSE market would even consider this solution.

Remote access

Remote access via an agent is basically fine for internal employees. It certainly causes friction and extra effort alongside the existing proxies, VPNs and SSE agents, but according to Siemens it has at least been successfully tested in coexistence with Zscaler.

Nevertheless, should a machine manufacturer that sells its machines to hundreds of companies create 100 devices per customer in the future? This does not scale and makes no sense operationally - especially if the manufacturer itself uses an SSE or VPN solution and its compliance does not allow the use of a remote access agent from another company.

OT in particular has precisely this challenge. Browser isolation is an absolute must so that manufacturers can securely and easily access their machines at the customer's premises for maintenance purposes!

Cloud (partial SaaSification) & dependency

Customers have to assemble their cloud components themselves, even if the deployment in the Siemens AWS environment is automated. But why not a microservice environment, distributed around the world? Why not have your own data center?

The argument of dependency and blackmailability does not diminish with AWS. Downtime of OT environments because the fat American has thought about blackmailing Europe would be the absolute worst-case scenario.

Siemens can only counter this with its own data centers if it really wants to bear the title of "political resilience".

Marketing

Why the hell am I the first person to write about this? What is actually going on with the website, where the invention is hidden somewhere in a niche - with half-finished explanations and difficult presentation?

Why such complex explanations with overlay and underlay networks? Your target segment doesn't understand this; they build machines, not IT security solutions!

Where are the drums and trumpets with which the solution was launched? Where are the solution letters?

Conclusion

The idea is good, and the strategic necessity for Europe as a business location could not be greater. With my current level of knowledge, I question the architecture and product strategy. The feature density is minimal - although the expectation remains that this will be expanded as quickly as possible.

As a Bavarian, a German and a European with high standards and cultural awareness, I hope Siemens does it - and is successful. I hope that at some point the European elite will no longer be on the hard shoulder, but back in the fast lane. But I also believe that this is still a lot of work and requires a massive rethink from the tunnel vision of OT.