1

CongressionalBriefingon

CyberSecurityforManufacturersCrea%ngtheSecureFactory

Hostedby:

AllianceforManufacturingForesight&theCompu?ngCommunityConsor?um

inconjunc?onwiththeHouseManufacturingCaucus

CongressionalVisitorsCenter-CVC-217;April12,2017

MFORESIGHT: Alliance for Manufacturing Foresight

TheNa%on’sAdvancedManufacturingAdvisoryConsor%um

SridharKota Execu7veDirectorMichaelRusso Chair,Exec.Comm.

Afederally-sponsoredconsor7umofna7onalthoughtleadersfromindustryandacademiafocusedonfutureofAmericanmanufacturing.

www.mforesight.org

3

Mission and Leadership LeadershipCouncil

Mission:Toenablethegrowthand

compe?venessoftheU.S.manufacturing

communityviaaframeworktoprovide

coordinatedinputonR&Dandrelated

opportuni?esalignedwithna?onalpriori?es

4

NeedsearlydevelopmentsupportTheUnitedStatesisposi?onedtolead

Gamechangers

Regenera?veMedicine

EngineeringBiology

Democra?zingManufacturingManufacturing101

Providescross-cuWngbenefitsGivesU.Smanufacturersacompe??veadvantage

LeadstoanewprocessortechnologyplaZormoverthenextdecadeWorthyoftaxpayerinvestmentandalignedwithna?onalpriori?es

EmergingTechnologies: EmergingNeeds:

July2017May2017

Educa?onandSkillsBuilding

The mission of Computing Research Association's Computing Community Consortium (CCC) is to catalyze the computing research community and enable the pursuit of innovative, high-impact research.

COMPUTING COMMUNITY CONSORTIUM

Promote Audacious Thinking: Community Initiated Visioning Workshops Blue Sky Ideas tracks at conferences

Inform Science Policy: Outputs of visioning activities Task Forces – AI and Robotics, Computing & Data, IoT, Health, Privacy and Fairness

Communicate to the Community: CCC Blog - http://cccblog.org/ Great Innovative Ideas White Papers

Promote Leadership and Service: Industry – Academic Collaborations Leadership in Science Policy Institute

NationalPriorities

AgencyRequests

OpenVisioning

Calls

Blue SkyIdeas

Reports • White PapersRoadmaps • New Leaders

Public Funding Agencies

Science Policy Leadership

Computing Research Community

Council-LedWorkshops

CommunityVisioning

6

Michael Russo, Chair of Executive Committee – MForesight; Corporate Lead –Govt. & Regulatory Affairs, Global Foundries.

Kevin Fu, Prof. of Electrical Eng. & Computer Science, University of Michigan;

Robert Frazier, Cyber Security Chief Architect, Lockheed Martin Corporation

Kirk McConnell, Senate Armed Services Committee

CyberSecurityforManufacturers

7

Cyber Security for Manufacturers

~40ExpertAKendees:(50%Industry,25%Academia,25%USG)

•  Addressedcybersupplychainsecurityandriskmanagement:

•  Iden%fiedpriorityac%vi%es;ana%onalefforttomeetsecurityneeds

TopicsCoveredinDepth:1.  Systemlevelsecurityandcyber-resilience2.  Integrityofmanufacturinggoodsfrom

designtothefactoryfloor3.  Machine-to-machinesecurity,especially

legacysystems4.  Securelyconnec?ngthefactorytothe

supplychain5.  CyberIntelligence(Gathering,Assessing,

andSharing)

AVisioningWorkshopon

March20-21,2017;WashingtonDC

8

ManufacturingSectorRisks-KeyObserva7ons

•  Manufacturersreceivedthegreatestvolume(20%)oftargetedcyber-afacksacrossallindustriesgloballyin2014.

•  Cyber-physicalinterfacesofOTposechallengesinunderstanding,monitoring,upda?ng,authen?ca?ng,isola?ng,maintaining,managingandintegra?ngcounter-measures.

•  Everymanufacturingjobintroducesnewexecutablecodeintoexis?ngsystems,crea?ngnewpoten?alvulnerabili?estothehand/oraltera?on;legacysystemsexacerbatethechallenge

•  Maximizinginteroperabilityacrosstheen?resupplychaincreatesecosystem-widevulnerabili?estocyberthreats.

•  Lackofsecurityintegra?onacrossthesupplychain-SMEsinpar?cularcouldweakentheen?remanufacturingecosystem

9

IoT,IICandManufacturingSectorSpecificRisks

IoTandIICaremul%-industry(energy,healthcare,transporta%on,agricultureetc.)ini%a%ves–

theyprovidecommonsecurityfounda%onsbutnotmanufacturing–specificconsidera%ons.Manufacturingsector-specificrisksaddressedbytheworkshoppar8cipantsinclude:

•  Difficulttoimplementandvalidatesecurityonopera?onsthatarealwaysrunning

•  Manufacturerswillnotshutdownwhatiss?llworking-havetoretrofitlegacyopera?ons

•  Physicalopera?onswithveryhighriskprofiles-safety,environmentandcost

•  Physicalfacili?esinasupplychaininwhichphysicalproductandmaterials,energyanddatamovethroughthem

•  Highdiversityinopera?onalsystems,proprietarydatasystemsand?merequirements.

10

IfAissecure

andBissecure,

A+Bmaynotbesecure

AorB=networkedequipment,opera?on,plant,companyenterprise,vendorproduct,informa?onsystem,etc.)

Non-Commuta7venatureofsecurity Weakest-linksecurity

Cybersupplychainsecurityandresiliencerequireseachorganiza?ontoaddress•  Internalcore•  Organiza?onframeworks•  Highlycollabora?ve,cross-companyapproachtobuildsupplychain/ecosystemsecurityframework

11

R&DChallengesandOpportuni7esToolsandTestbedsforAssessment,Valida%on,Verifica%onandThreatPreven%on

TechnologyImplementa7onacrosstheSupplyChainEffec%veImplementa%on,Communica%on,Collabora%onandWorkforceTraining

PolicyConsidera7ons

Guidelines,StandardsandCer%fica%on

GeneralTake-away:theneedforana7onalini7a7vetoaddress:

12

R&DChallengesandOpportuni7es

•  Automatedriskassessmentanddetec?ontools

•  Robustpartvalida?ontechnology•  Toolstoaudittheextentofafack•  TestbedstosafelyprototypeandtestnewITandOT•  Developmentofareferencearchitecturewithcross-cuWngapplicability

•  Cyberrangetotestcomponentandsystemlevelvulnerabili?es,trainteams,actasa

sandboxfornewideasandprovidea”cyberautopsy”capability

•  Decoysforintelligencegathering;Priori?zingandSharingIntelligence

ToolsandTestbedsforAssessment,Valida%on,Verifica%onandThreatPreven%on

13

TechnologyImplementa7onAcrosstheSupplyChain

•  Anonymous,fault-freesharingofincidents,threats,vulnerabili?es,bestprac?cesand

solu?onsisessen?al

•  Developadata-repositoryofanonymoussubmissions.

•  Establishaconsor?umtopromotepar?cipa?onofallpar?esindigital-readiness

assessments,damageassessmentsandriskevalua?on

•  Treatawareness,convic?on,adop?onandexecu?onofsecuritymeasuresasa

compe??veadvantage

•  Implementworkforcetrainingprogramstoavoidthehighestriskfactor–humanerror

Effec%veImplementa%on,Communica%on,Collabora%onandWorkforceTraining

14

CyberSecurity-Integra7onofEnterprise,CrossCompanyandMul7VendorPrac7ces

InternalANDExternalCollabora?vePrac?ces

• Technology• BusinessandRisk• PeopleandOrganiza?on

AlignedandInteroperablePrac?ces•  Informa?onSecurity• DataSecurity• CyberspaceSecurity

15

PolicyConsidera7ons

•  Defineabaselevelofsecurityforsohwareandhardware(productandprocess)

•  CyberSecurityCer?fica?on,similartoISO9001qualitysystems,offerscompe??ve

advantagetohardwareandsohwaresuppliers

•  Ana?onalcybersecuritycer?fica?onlaboratoryeliminatestheneedforeachcompany

totesteveryproduct/process(similartoUnderwriterslaboratory)

•  Establishoveralltaxonomy,guidelinesandstandardsforIT/OTinterfaces,authen?ca?on,

protec?onfromdifferentcaliberofafacksandrepor?ngafacks

•  Mergeexis?ngstandards,cer?fica?onsetc.toreduceoverallburdentomanufacturers.

Guidelines,StandardsandCer%fica%on

16

Poten7alNextStepsEstablishana%onalcenterofexcellenceoncybersupplychainsecurityto:1.  FormanInfo.SecurityAdv.Councilforanonymoussharingofincidents,threats,

vulnerabili?es,bestprac?cesandsolu?ons

2.  Applysystemsmethodologies

3.  Developandincentana?onalqualityassuranceprogram(ex:cybersecuritycer?fica?on;cyberrange,automatedtools)

4.  FacilitateindustrytestbedstosafelyprototypeandtestnewIT/OTtechnologies

5.  Developecosystemsecurityframework(taxonomy,standards,partvalida?ontech.etc.)

6.  Facilitatesolu?onsthatnoonecompanycanaddress(developreferencearchitectureetc.)

17

KirkMcConnellSenateArmedServicesCommifee

18

Thanks to House Manufacturing Caucus

QuesFons?

Cyber Security for Manufacturers Creating the Secure Factory