Congressional Briefing on Cyber Security for Manufacturers: Creating the Secure Factory
Hosted by: Alliance for Manufacturing Foresight & the Computing Community Consortium, in conjunction with the House Manufacturing Caucus
Congressional Visitors Center - CVC-217; April 12, 2017
MFORESIGHT: Alliance for Manufacturing Foresight
The Nation's Advanced Manufacturing Advisory Consortium
Sridhar Kota, Executive Director; Michael Russo, Chair, Exec. Comm.
A federally-sponsored consortium of national thought leaders from industry and academia focused on the future of American manufacturing.
www.mforesight.org
Mission and Leadership
Leadership Council
Mission: To enable the growth and competitiveness of the U.S. manufacturing community via a framework to provide coordinated input on R&D and related opportunities aligned with national priorities.
Game changers:
• Needs early development support
• The United States is positioned to lead
• Provides cross-cutting benefits
• Gives U.S. manufacturers a competitive advantage
• Leads to a new process or technology platform over the next decade
• Worthy of taxpayer investment and aligned with national priorities
Emerging Technologies (July 2017) and Emerging Needs (May 2017) reports: Regenerative Medicine; Engineering Biology; Democratizing Manufacturing; Manufacturing 101; Education and Skills Building.
COMPUTING COMMUNITY CONSORTIUM
The mission of the Computing Research Association's Computing Community Consortium (CCC) is to catalyze the computing research community and enable the pursuit of innovative, high-impact research.
• Promote Audacious Thinking: Community Initiated Visioning Workshops; Blue Sky Ideas tracks at conferences
• Inform Science Policy: Outputs of visioning activities; Task Forces – AI and Robotics, Computing & Data, IoT, Health, Privacy and Fairness
• Communicate to the Community: CCC Blog - http://cccblog.org/; Great Innovative Ideas; White Papers
• Promote Leadership and Service: Industry – Academic Collaborations; Leadership in Science Policy Institute
[Diagram: CCC visioning process. Labels: National Priorities; Agency Requests; Open Visioning Calls; Blue Sky Ideas; Council-Led Workshops; Community Visioning; Reports • White Papers; Roadmaps • New Leaders; Public Funding Agencies; Science Policy Leadership; Computing Research Community]
Cyber Security for Manufacturers
Michael Russo, Chair of Executive Committee – MForesight; Corporate Lead – Govt. & Regulatory Affairs, Global Foundries
Kevin Fu, Prof. of Electrical Eng. & Computer Science, University of Michigan
Robert Frazier, Cyber Security Chief Architect, Lockheed Martin Corporation
Kirk McConnell, Senate Armed Services Committee
Cyber Security for Manufacturers
A Visioning Workshop on March 20-21, 2017; Washington DC
~40 Expert Attendees (50% Industry, 25% Academia, 25% USG)
• Addressed cyber supply chain security and risk management
• Identified priority activities; a national effort to meet security needs
Topics Covered in Depth:
1. System level security and cyber-resilience
2. Integrity of manufacturing goods from design to the factory floor
3. Machine-to-machine security, especially legacy systems
4. Securely connecting the factory to the supply chain
5. Cyber Intelligence (Gathering, Assessing, and Sharing)
Manufacturing Sector Risks - Key Observations
• Manufacturers received the greatest volume (20%) of targeted cyber-attacks across all industries globally in 2014.
• Cyber-physical interfaces of OT pose challenges in understanding, monitoring, updating, authenticating, isolating, maintaining, managing and integrating counter-measures.
• Every manufacturing job introduces new executable code into existing systems, creating new potential vulnerabilities to theft and/or alteration; legacy systems exacerbate the challenge.
• Maximizing interoperability across the entire supply chain creates ecosystem-wide vulnerabilities to cyber threats.
• Lack of security integration across the supply chain - SMEs in particular could weaken the entire manufacturing ecosystem.
IoT, IIC and Manufacturing Sector Specific Risks
IoT and IIC are multi-industry (energy, healthcare, transportation, agriculture etc.) initiatives – they provide common security foundations but not manufacturing-specific considerations. Manufacturing sector-specific risks addressed by the workshop participants include:
• Difficult to implement and validate security on operations that are always running
• Manufacturers will not shut down what is still working - have to retrofit legacy operations
• Physical operations with very high risk profiles - safety, environment and cost
• Physical facilities in a supply chain in which physical product and materials, energy and data move through them
• High diversity in operational systems, proprietary data systems and time requirements.
Non-Commutative nature of security / Weakest-link security
If A is secure and B is secure, A + B may not be secure.
(A or B = networked equipment, operation, plant, company enterprise, vendor product, information system, etc.)
Cyber supply chain security and resilience requires each organization to address:
• Internal core
• Organization frameworks
• Highly collaborative, cross-company approach to build a supply chain/ecosystem security framework
General Take-away: the need for a national initiative to address:
R&D Challenges and Opportunities: Tools and Testbeds for Assessment, Validation, Verification and Threat Prevention
Technology Implementation across the Supply Chain: Effective Implementation, Communication, Collaboration and Workforce Training
Policy Considerations: Guidelines, Standards and Certification
R&D Challenges and Opportunities: Tools and Testbeds for Assessment, Validation, Verification and Threat Prevention
• Automated risk assessment and detection tools
• Robust part validation technology
• Tools to audit the extent of attack
• Testbeds to safely prototype and test new IT and OT
• Development of a reference architecture with cross-cutting applicability
• Cyber range to test component and system level vulnerabilities, train teams, act as a sandbox for new ideas and provide a "cyber autopsy" capability
• Decoys for intelligence gathering; Prioritizing and Sharing Intelligence
Technology Implementation Across the Supply Chain: Effective Implementation, Communication, Collaboration and Workforce Training
• Anonymous, fault-free sharing of incidents, threats, vulnerabilities, best practices and solutions is essential
• Develop a data-repository of anonymous submissions.
• Establish a consortium to promote participation of all parties in digital-readiness assessments, damage assessments and risk evaluation
• Treat awareness, conviction, adoption and execution of security measures as a competitive advantage
• Implement workforce training programs to avoid the highest risk factor – human error
Cyber Security - Integration of Enterprise, Cross Company and Multi Vendor Practices
Internal AND External Collaborative Practices:
• Technology
• Business and Risk
• People and Organization
Aligned and Interoperable Practices:
• Information Security
• Data Security
• Cyberspace Security
Policy Considerations: Guidelines, Standards and Certification
• Define a base level of security for software and hardware (product and process)
• Cyber Security Certification, similar to ISO 9001 quality systems, offers competitive advantage to hardware and software suppliers
• A national cyber security certification laboratory eliminates the need for each company to test every product/process (similar to Underwriters Laboratory)
• Establish overall taxonomy, guidelines and standards for IT/OT interfaces, authentication, protection from different caliber of attacks and reporting attacks
• Merge existing standards, certifications etc. to reduce overall burden to manufacturers.
Potential Next Steps
Establish a national center of excellence on cyber supply chain security to:
1. Form an Info. Security Adv. Council for anonymous sharing of incidents, threats, vulnerabilities, best practices and solutions
2. Apply systems methodologies
3. Develop and incent a national quality assurance program (ex: cyber security certification; cyber range, automated tools)
4. Facilitate industry testbeds to safely prototype and test new IT/OT technologies
5. Develop ecosystem security framework (taxonomy, standards, part validation tech. etc.)
6. Facilitate solutions that no one company can address (develop reference architecture etc.)
Kirk McConnell, Senate Armed Services Committee
Thanks to House Manufacturing Caucus
Questions?
Cyber Security for Manufacturers: Creating the Secure Factory