#IoTMan
Protecting the Digital Thread: Cybersecurity for Defense Advanced Manufacturing
Presented to: Internet of Manufacturing Business Conference
Presenter: Dr. Larry John, ANSER ([email protected])
Date: 7 March 2017
Modern Manufacturing
• Manufacturing is an increasingly digital business
• Smart Manufacturing
• Industrial Internet of Things
• Industry 4.0
• …
(Photo: Industry Week)
• Advanced Manufacturing is:
  • Networked at every level to gain efficiency, speed, quality and agility
  • Constantly learning from models and data throughout the life cycle
  • Driven by a “Digital Thread” of product and process information
  • Accompanied by a “Digital Twin” (models and simulations) used to mirror and predict activities and performance of processes and products
  • Source of competitive advantage for manufacturers and their customers
  • Source of military advantage for DoD
  • Demands protection throughout the product lifecycle
The Digital Thread as DoD Sees It
• Simplified system-of-systems view
• Actual instances often contain many entities of each type shown here
• Applies to each manufactured product, including the ones manufacturers use
• Extends across the entire SDLC, from conceptualization through disposal
• Imagine the complexity of the maintenance and sustainment portion …
The Technical View
Adapted from: Overload: Critical Lessons Learned from 15 Years of ICS Vulnerabilities, Fireeye Insight Intelligence 2016 Industrial Control Systems (ICS) Vulnerability Trend Report
(Figure: ICS network zones, reconstructed from the diagram labels)
• Internet/Intranet: applications intended to provide remote ICS functionality relying on the public internet, such as mobile devices and apps
• Zone 4 (Corporate): meets general computing needs, including email, databases, and word processing. Components shown: workstation, printer
• Zone 3 (DMZ): makes data and applications from the control network available to users outside of the control network. Components shown: app server, historian, networking devices
• Zone 2 (SCADA): allows a human operator to supervise and control the physical process. Components shown: HMI, engineering workstation, historian, other networking devices
• Zone 1 (PLC & RTU): uses sensor readings to send appropriate commands to actuators and motors. Components shown: PLC, RTU
• Zone 0 (Sensors & Actuators): senses process characteristics, such as temperature, pressure, and level; opens and closes valves; and turns pumps and motors on or off. Components shown: sensors, actuators
The Digital Thread Is Vulnerable …
• Insiders can do recon and data exfiltration, or alter design or process control files
• Insecure external/internal communications can be exploited to steal design data
• Sensors embedded in equipment can contain malware
• Visitors and contractors may have extensive or unsupervised access to software, firmware and hardware
• Tainted firmware from the supply chain can contain sophisticated malware
• Facility systems can be used to alter the process environment to damage/destroy products
Large companies may be OK on their own, but what about the small and mid-size firms that may be connected to the big companies?
NIST SP 800-82r2
• Threat Types: Adversarial, Accidental, Structural, Environmental
• Vulnerability Types: Policy and Procedure; Architecture and Design; Configuration Management; Physical; Software Development; Communication and Network
And Somebody Wants Access to Your System
The Threat is Global and Growing
IBM Security Services Cyber Security Intelligence Index 2016
SANS 2016 ICS Survey
Maintaining security and safety is even more challenging when you add connected IIoT devices throughout the enterprise
(see the NASA OIG report at https://oig.nasa.gov/audits/reports/FY17/IG-17-011.pdf)
IoT devices for the most part are not covered by standard endpoint protection systems …
(Dr. Johannes Ullrich, in SANS NewsBites Vol. 19 Num. 013)
Painful Realities of OT
• IACS are long-lived capital systems (15-30 year life)
  • Old processors, operating systems, protocols, and configuration management
  • Little processing power; incompatible with IT cybersecurity products
  • New systems are architected for security, but are hard to interoperate with old ones
• “Production mindset” with little tolerance for OT downtime
  • Operate in real time with critical safety implications; cannot install patches without scheduled downtime and testing
  • System availability valued over integrity or confidentiality
  • Weak privilege management among operators and maintainers who troubleshoot the systems
  • Growing use of wireless devices
  • Nascent cybersecurity awareness; poor password management, etc.
• Manufacturing differs from other IACS applications (power grid et al.)
  • Every manufacturing job brings new executable code into the system
  • Tech data flowing through the system is a target
• Now add the fact that DoD (via DFARS) requires cyber breach reporting at all supplier tiers and wants primes to determine what information their subs must protect …
Small and mid-size firms need help or they may abandon the DoD market … and the military will lose a major source of innovation
Challenges for Small and Mid-Size Firms
• Often lack cybersecurity knowledge and resources; most have no full-time cybersecurity staff
• ISA99 standards and NIST SP 800-82 are complex; no turnkey solutions
• Forums available to large companies are often beyond their reach, e.g. the DIB CS/IA Program requires a facility clearance and a COMSEC account
• Cannot afford differing cybersecurity requirements from different customers
• Believe they are not targets, so they focus on perimeter defense for the IT network
• Lack of compartmentalization despite standards calling for discrete zones and conduits
• Vulnerable to OEM backdoors, default passwords, discoverable IP addresses, connection by portable devices, connection from outside networks
May think they lack a business case for investing in OT cybersecurity, BUT …
Verizon* says that small business systems can provide jumping-off points for major breaches at larger firms
* Verizon 2017 Breach Report Digest
What You Can Do Now
• Exercise good cyber hygiene
  • Implement at least the first five CIS controls
  • Maintain a living map of your network and all endpoints (including employees' devices)
  • Control privileged accounts
• Have an Integrated Cyber Incident Response Plan (see NIST SP 800-81r2):
  • Governance
  • Policies and Procedures
  • Roles and Responsibilities
  • Common Definitions
  • Investigative Approaches
  • Review, test and update this plan frequently
• Leverage emerging NIST MEP training
• Implement a defensible architecture
  • Segmentation
  • Hardened virtualization, especially for older operating systems
  • Two-factor authentication
  • Application whitelisting
  • Continuous network monitoring
• Add ICS-specific security capabilities to your network
  • Sensors on ICS ingress and egress points
  • Intrusion detection and prevention capabilities
  • Event log collection and analysis
  • Agents on Windows hosts to speed analysis
• If on the cloud, treat data security as your job
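As an added illustration (not from the slides or from ANSER), the segmentation and continuous-monitoring items above, and the earlier point about missing compartmentalization between zones and conduits, can be turned into a check that runs over flow records from sensors at the ICS ingress and egress points: the zone model from the Technical View slide is encoded as a policy and any flow that skips a zone boundary, or reaches an inner zone from outside, becomes a finding. The subnet-to-zone mapping, the record format and the flow lines are constructed assumptions for the example.

```python
import ipaddress
from collections import namedtuple

# Hypothetical subnet plan, one subnet per zone of the slide's model (assumed).
ZONE_SUBNETS = {
    4: ipaddress.ip_network("10.4.0.0/16"),  # corporate: workstations, printers
    3: ipaddress.ip_network("10.3.0.0/24"),  # DMZ: app server, historian
    2: ipaddress.ip_network("10.2.0.0/24"),  # SCADA: HMI, engineering workstation
    1: ipaddress.ip_network("10.1.0.0/24"),  # PLC and RTU
    0: ipaddress.ip_network("10.0.0.0/24"),  # sensors and actuators
}
Finding = namedtuple("Finding", "src dst src_zone dst_zone reason")

def zone_of(addr):
    """Zone number for an address, or None when it lies outside the plant."""
    ip = ipaddress.ip_address(addr)
    for zone, net in ZONE_SUBNETS.items():
        if ip in net:
            return zone
    return None  # Internet/intranet side, beyond Zone 4

def check_flow(src, dst):
    """Conduit rule: traffic may only cross into an adjacent zone, and hosts
    outside the plant may only talk to Zone 4. Returns a Finding or None."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None and dz is None:
        return None  # neither end is ours
    if sz is None or dz is None:
        inner = dz if sz is None else sz
        if inner < 4:
            return Finding(src, dst, sz, dz, "external host reaches inner zone")
        return None
    if abs(sz - dz) > 1:
        return Finding(src, dst, sz, dz, f"skips zone boundary {sz}->{dz}")
    return None

def audit(flow_lines):
    """Parse constructed 'src dst proto dport' records and return all findings."""
    results = (check_flow(*line.split()[:2]) for line in flow_lines)
    return [f for f in results if f is not None]

SAMPLE_FLOWS = [  # constructed sample records, not captured traffic
    "10.4.12.7 10.3.0.10 tcp 443",    # corporate -> DMZ app server: allowed
    "10.3.0.10 10.2.0.5 tcp 1433",    # DMZ -> SCADA historian: allowed
    "10.4.12.7 10.1.0.20 tcp 502",    # corporate -> PLC: skips zones 3 and 2
    "203.0.113.9 10.2.0.5 tcp 3389",  # external -> HMI: bypasses corporate/DMZ
    "10.2.0.5 10.1.0.20 tcp 502",     # HMI -> PLC: allowed
]
```

Running audit(SAMPLE_FLOWS) reports the two flows that violate the conduit rule and stays silent on the three that follow the zone-to-adjacent-zone path.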
Honor the Threat!
When working with a defense prime, talk with them about their cybersecurity expectations and if they can help