The charter is now backed by AES, Airbus, Allianz, Atos, Cisco, Daimler, Dell Technologies, Deutsche Telekom, Enel, IBM, NXP, SGS, Total and TÜV Süd as well as the BSI German Federal Office for Information Security, and the CCN National Cryptologic Centre of Spain. The Graz University of Technology in Austria, which hosts one of the teams that discovered the “Meltdown” and “Spectre” vulnerabilities, is also joining the charter as an associate member.
The associate partner role is a new format that lets government representatives, universities and think tanks take part in specific projects without having to become full members with all rights and duties.
“In the age of the internet of things, cybersecurity is a crucial task. Our Charter of Trust initiative is a very important first step,” said Joe Kaeser, CEO of Siemens. “We’re open to many more partners. Cybersecurity is the key enabler for successful digital businesses as well as protecting critical infrastructure. We hope that this initiative will lead to a lively public awareness and, ultimately, to binding rules and standards.”
An area of early and intense focus has been the security of supply chains. Third-party risks in supply chains are becoming a more prevalent issue and are the source of 60 percent of cyberattacks, according to Accenture Strategy. Charter of Trust member companies have worked out baseline requirements and propose their implementation to make cybersecurity an absolute necessity throughout all digital supply chains. These requirements address all aspects of cybersecurity – including people, process and technology. Examples of these requirements include:
- Data shall be protected from unauthorized access throughout the data lifecycle.
- Appropriate level of identity and access control and monitoring, including third parties, shall be in place and enforced.
- A process shall be in place to ensure that products and services are authentic and identifiable.
- A minimum level of security education and training for employees shall be regularly deployed.
These are key to the new contracts for suppliers of security-critical components such as software, processors and electronic components for certain types of control units. Existing suppliers who do not yet comply with the requirements are to implement them gradually using the principles of the Charter. In the future, suppliers themselves must, for example, perform security reviews, conduct tests and take corrective action on a regular basis. Siemens is making these requirements mandatory for its own activities as well.
“This step will enable us to reduce the risk of security incidents along the entire value chain in a holistic manner and offer our customers greater cybersecurity,” said Roland Busch, member of Siemens’ Managing Board and the company’s Chief Operating Officer and Chief Technology Officer. “If all our partner companies put their global weight behind these measures and implement them together with their suppliers, we can generate tremendous impact and make the digital world more secure.”