
Page 1: #IoTMan - Internet of Business...•Constantly learning from models and data throughout the life cycle ... IBM Security Services Cyber Security Intelligence Index 2016 SANS 2016 ICS

#IoTMan

Protecting the Digital Thread: Cybersecurity for Defense Advanced Manufacturing

Presented to: Internet of Manufacturing Business Conference

Presenter: Dr. Larry John, ANSER ([email protected])

Date: 7 March 2017

Page 2:

Modern Manufacturing


• Manufacturing is an increasingly digital business
  • Smart Manufacturing
  • Industrial Internet of Things
  • Industry 4.0
  • …

[Photo: Industry Week]

• Advanced Manufacturing is:
  • Networked at every level to gain efficiency, speed, quality and agility
  • Constantly learning from models and data throughout the life cycle
  • Driven by a “Digital Thread” of product and process information
    • Source of competitive advantage for manufacturers and their customers
    • Source of military advantage for DoD
    • Demands protection throughout the product lifecycle
  • Accompanied by a “Digital Twin” (models and simulations) used to mirror and predict activities and performance of processes and products


Page 3:


The Digital Thread as DoD Sees It

• Simplified system-of-systems view; actual instances often contain many entities of each type shown here

• Applies to each manufactured product, including the ones manufacturers use

• Extends across the entire SDLC: conceptualization through disposal

• Imagine the complexity of the maintenance and sustainment portion …

Page 4:


The Technical View

Adapted from: Overload: Critical Lessons Learned from 15 Years of ICS Vulnerabilities, FireEye iSIGHT Intelligence 2016 Industrial Control Systems (ICS) Vulnerability Trend Report


[Figure: ICS reference architecture by zone. Recoverable labels and descriptions:]

• Inter/Intranet applications: applications intended to provide remote ICS functionality relying on the public internet, such as mobile devices and apps

• Zone 4 (CORPORATE): meets general computing needs, including email, databases, and word processing (workstation, printer)

• Zone 3 (DMZ): makes data and applications from the control network available to users outside of the control network (app server, historian, networking devices)

• Zone 2 (SCADA): allows a human operator to supervise and control the physical process (HMI, engineering workstation, historian, other networking devices)

• Zone 1 (PLC & RTU): uses sensor readings to send appropriate commands to actuators and motors (PLC, RTU)

• Zone 0 (SENSORS & ACTUATORS): senses process characteristics, such as temperature, pressure, and level; opens and closes valves; and turns pumps and motors on or off (sensors, actuators)
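The zone model above is the basis for the "discrete zones and conduits" the later slides call for. The following is an added example, not code from the slides or from the FireEye report they cite: it turns the zone layering into a single checkable rule (traffic may only cross between adjacent zones, so anything from the corporate network or the remote-application tier must go through the Zone 3 DMZ to reach the control network, unless a documented conduit allows the exception) and runs it over flow records. The asset-to-zone inventory, the conduit list, the key=value log format and the flow records are all constructed for the example.

```python
"""Zones-and-conduits check over constructed flow records.

Added example; not from the slides or the FireEye report they cite.
Rule: a flow may cross only between adjacent zones (4<->3, 3<->2, 2<->1,
1<->0) unless an explicitly documented conduit covers it. Assets that are
not in the inventory are reported too, since you cannot apply a zone rule
to a device that is missing from your network map.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed inventory (the "living map" of assets): asset name -> zone.
# Zone 5 stands in for the Inter/Intranet applications tier above Zone 4.
ASSET_ZONE = {
    "remote-mobile-app": 5,
    "corp-ws-01": 4, "corp-printer": 4, "mail-server": 4,
    "dmz-app-server": 3, "dmz-historian": 3,
    "hmi-01": 2, "eng-ws-01": 2, "scada-historian": 2,
    "plc-line1": 1, "rtu-pump": 1,
    "sensor-temp-7": 0, "valve-actuator-3": 0,
}

# Constructed list of documented exceptions: (src_zone, dst_zone, dst_port).
# A real site derives this from its zone-and-conduit design record.
APPROVED_CONDUITS = {
    (3, 1, 44818),  # DMZ historian collecting directly from PLCs (EtherNet/IP)
}

# Constructed flow records in a simple key=value format.
SAMPLE_FLOWS = [
    "2017-03-07T10:15:02Z src=corp-ws-01 dst=mail-server dport=25 proto=tcp",
    "2017-03-07T10:15:09Z src=corp-ws-01 dst=dmz-historian dport=443 proto=tcp",
    "2017-03-07T10:15:11Z src=dmz-app-server dst=scada-historian dport=1433 proto=tcp",
    "2017-03-07T10:15:14Z src=hmi-01 dst=plc-line1 dport=502 proto=tcp",
    "2017-03-07T10:15:20Z src=corp-ws-01 dst=plc-line1 dport=502 proto=tcp",
    "2017-03-07T10:15:31Z src=remote-mobile-app dst=hmi-01 dport=3389 proto=tcp",
    "2017-03-07T10:15:40Z src=visitor-laptop dst=eng-ws-01 dport=445 proto=tcp",
    "2017-03-07T10:15:52Z src=eng-ws-01 dst=sensor-temp-7 dport=4840 proto=tcp",
    "2017-03-07T10:16:03Z src=dmz-historian dst=plc-line1 dport=44818 proto=tcp",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


class Finding(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record; None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def check_flow(flow: Flow) -> Optional[Finding]:
    """Apply the adjacency rule plus the documented-conduit exceptions."""
    src_zone, dst_zone = ASSET_ZONE.get(flow.src), ASSET_ZONE.get(flow.dst)
    if src_zone is None or dst_zone is None:
        unknown = flow.src if src_zone is None else flow.dst
        return Finding(flow.ts, flow.src, flow.dst, flow.dport,
                       f"unknown asset {unknown}: not in the network map")
    if abs(src_zone - dst_zone) <= 1:
        return None  # adjacent zones: the normal conduit
    if (src_zone, dst_zone, flow.dport) in APPROVED_CONDUITS:
        return None  # documented exception
    return Finding(flow.ts, flow.src, flow.dst, flow.dport,
                   f"zone {src_zone} -> zone {dst_zone} skips an intermediate zone (no approved conduit)")


def audit(lines) -> List[Finding]:
    """Run the rule over a batch of flow records; unparseable lines are skipped."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        finding = check_flow(flow)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The same adjacency rule maps directly onto firewall policy between the zones; running it over exported flow or firewall logs is a cheap way to find the corporate-to-PLC and remote-to-HMI paths that the segmentation was supposed to prevent, as well as devices nobody put on the map.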

Page 5:


The Digital Thread Is Vulnerable …

• Insiders can do recon and data exfiltration or alter design or process control files

• Insecure external/internal communications can be exploited to steal design data

• Sensors embedded in equipment can contain malware

• Visitors and contractors may have extensive or unsupervised access to software, firmware and hardware

• Tainted firmware from supply chain can contain sophisticated malware

• Facility systems can be used to alter the process environment to damage/destroy products

Large companies may be OK on their own, but what about the small and mid-size firms that may be connected to the big companies?

NIST SP 800-82r2

Threat Types
• Adversarial
• Accidental
• Structural
• Environmental

Vulnerability Types
• Policy and Procedure
• Architecture and Design
• Configuration Management
• Physical
• Software Development
• Communication and Network

And Somebody Wants Access to Your System


Page 6:


The Threat is Global and Growing

IBM Security Services Cyber Security Intelligence Index 2016

SANS 2016 ICS Survey


Maintaining security and safety is even more challenging when you add connected IIoT devices throughout the enterprise

(see the NASA OIG report at https://oig.nasa.gov/audits/reports/FY17/IG-17-011.pdf)

IoT devices for the most part are not covered by standard endpoint protection systems …

(Dr. Johannes Ullrich, in SANS NewsBites Vol. 19 Num. 013)

Page 7:


Painful Realities of OT

• IACS are long-lived capital systems (15-30 year life)
  • Old processors, operating systems, protocols, and configuration management.
  • Little processing power. Incompatible with IT cybersecurity products.
  • New systems architected for security, but hard to interoperate with old

• “Production mindset” with little tolerance for OT down time
  • Operate in real time with critical safety implications – cannot install patches without scheduled downtime and testing
  • System availability valued over integrity or confidentiality. Weak privilege management among operators and maintainers who troubleshoot the systems. Growing use of wireless devices.
  • Nascent cybersecurity awareness. Poor password management, etc.

• Manufacturing differs from other IACS applications (Power Grid et al.)
  • Every manufacturing job brings new executable code into the system
  • Tech data flowing through the system is a target

• Now add the fact that DoD (via DFARS) requires cyber breach reporting at all supplier tiers and wants primes to determine what information their subs must protect …

Small and mid-size firms need help or they may abandon the DoD market

… and the military will lose a major source of innovation


Page 8:


Challenges for Small and Mid-Size Firms

• Often lack cybersecurity knowledge and resources. Most have no full-time cybersecurity staff

• ISA99 Standards and NIST SP 800-82 are complex. No turnkey solutions.

• Forums available to large companies are often beyond their reach – e.g. the DIB CS/IA Program requires a facility clearance and a COMSEC account

• Cannot afford differing cybersecurity requirements from different customers

• Believe they are not targets, so they focus on perimeter defense for the IT network

• Lack of compartmentalization despite standards calling for discrete zones and conduits

• Vulnerable to OEM backdoors, default passwords, discoverable IP addresses, connection by portable devices, connection from outside networks

May think they lack a business case for investing in OT cybersecurity, BUT …

Verizon* says that small business systems can provide jumping-off points for major breaches at larger firms

*Verizon 2017 Breach Report Digest


Page 9:


What You Can Do Now

• Exercise good cyber hygiene
  • Implement at least the first five CIS controls
  • Maintain a living map of your network and all endpoints (including employees' devices)
  • Control privileged accounts

• Have an Integrated Cyber Incident Response Plan (see NIST SP 800-81r2):
  • Governance
  • Policies and Procedures
  • Roles and Responsibilities
  • Common Definitions
  • Investigative Approaches
  • Review, test and update this plan frequently

• Leverage emerging NIST MEP training

• Implement a defensible architecture
  • Segmentation
  • Hardened virtualization, especially for older operating systems
  • Two-factor authentication
  • Application whitelisting
  • Continuous network monitoring

• Add ICS-specific security capabilities to your network
  • Sensors on ICS ingress and egress points
  • Intrusion Detection and Prevention capabilities
  • Event log collection and analysis
  • Agents on Windows hosts to speed analysis

• If on the cloud, treat data security as your job

Honor the Threat!


When working with a defense prime, talk with them about their cybersecurity expectations and if they can help
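Two of the points above fit together: the earlier slide notes that every manufacturing job brings new executable code into the system, and the defensible-architecture list names application whitelisting as a control. The following is an added example, not code from the slides, showing the shape of such a gate for job files (part programs, robot programs, PLC logic) arriving at a cell: a file loads only if its SHA-256 matches an entry in a manifest that engineering approved, and the manifest itself carries an HMAC so that someone who can edit it cannot simply add a hash for their own file. The file names, their contents, the manifest key and the "incoming job" are all constructed for the example; the HMAC-signed manifest is this example's design choice, not something the slides specify.

```python
"""Allowlist gate for job files entering a manufacturing cell.

Added example; not from the slides. Default-deny: a file is loaded only if
its SHA-256 matches the approved manifest, and nothing loads if the manifest
fails its own integrity check. Manifest, key and files are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, NamedTuple


class Verdict(NamedTuple):
    name: str
    allowed: bool
    reason: str


# Constructed: the files exactly as engineering approved them at release time.
APPROVED_FILES = {
    "bracket_v3.nc": b"G21 G90\nG0 X0 Y0\nG1 X50.0 F300\nM30\n",
    "robot_cell2.prg": b"MOVE P1\nMOVE P2\nGRIP ON\n",
}

# Constructed: what actually arrives with the next job.
INCOMING_JOB = {
    "bracket_v3.nc": b"G21 G90\nG0 X0 Y0\nG1 X50.0 F300\nM30\n",  # unchanged
    "robot_cell2.prg": b"MOVE P1\nMOVE P9\nGRIP ON\n",            # altered waypoint
    "vendor_tool.exe": b"MZ\x90\x00\x03\x00\x00\x00",             # never approved
}

# Constructed demo key; in practice held only by the release/signing step,
# never on the cell that enforces the gate.
MANIFEST_KEY = b"demo-key-constructed-for-this-example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Allowlist built once at release time: file name -> SHA-256 hex digest."""
    return {name: sha256_hex(data) for name, data in approved.items()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def check_file(name: str, data: bytes, manifest: Dict[str, str]) -> Verdict:
    """Allow only a file whose name and hash both appear in the manifest."""
    expected = manifest.get(name)
    if expected is None:
        return Verdict(name, False, "not in approved manifest")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return Verdict(name, False,
                       f"hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    return Verdict(name, True, "hash matches approved manifest")


def gate_job(files: Dict[str, bytes], manifest: Dict[str, str],
             tag: str, key: bytes) -> List[Verdict]:
    """Check the manifest's integrity first; if it fails, deny every file."""
    if not verify_manifest(manifest, tag, key):
        return [Verdict(name, False, "manifest integrity check failed") for name in files]
    return [check_file(name, data, manifest) for name, data in files.items()]


def demo_verdicts() -> List[Verdict]:
    """Run the constructed incoming job through the gate."""
    manifest = build_manifest(APPROVED_FILES)
    tag = sign_manifest(manifest, MANIFEST_KEY)
    return gate_job(INCOMING_JOB, manifest, tag, MANIFEST_KEY)


if __name__ == "__main__":
    for v in demo_verdicts():
        print(f"{'ALLOW' if v.allowed else 'DENY':5} {v.name}: {v.reason}")
```

Denied files are the useful output: an altered robot program and an unapproved executable are exactly the events the "event log collection and analysis" bullet wants forwarded, so in practice the verdicts would be logged to the collector rather than printed. A public-key signature over the manifest would remove the need to keep any secret on the cell at all; HMAC is used here only to keep the example dependency-free.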

Page 10:


[email protected]

703-416-3199 (office)

703-785-6331 (mobile)