Lighting Europe, Brussels, 6.11.2018 UL IT-Security ... · – DDoS: Distributed Denial of Service...
UL and the UL logo are trademarks of UL LLC © 2018. Proprietary & Confidential.
Lighting Europe, Brussels, 6.11.2018
UL IT-Security / Cybersecurity
Partnering for growth
Alexander W. Koehler, Dipl.Math, CISSP; BDM Cybersecurity, Neu-Isenburg
Lighting Goes “Smart” – Should We Care About Cybersecurity?
Alexander W. Koehler, Dipl.Math, CISSP, CCSK
Cybersecurity Business Development Manager
UL International Germany GmbH
UL International Germany GmbH UL and the UL logo are trademarks of UL
LLC © 2018
Underwriters Laboratories
• Founded in 1894
• Safety, security, quality, sustainability
• 143 countries
– German HQ: Neu-Isenburg (Frankfurt)
– Cybersecurity lab for IoT, IIoT, Industry 4.0
• > 20 industries
• > 14,000 FTE
– > 400 FTE in information security / cybersecurity
• UL SDO: >1600 standards
• IT-Security Systems House
– IT-security standards development
– IT-security technical specifications development
– IT-security research
– Consulting
  • Security architectures (design reviews)
  • Security processes
– Software development (IT security, test tools)
– Training
– Testing
  • Pentesting
  • Source Code Analysis
– Certification
  • All relevant industry standards
– Leadership in IECEE CB certifications
– 5 cybersecurity labs w/w
– > 20 years IT-security / cybersecurity
Science and global expertise
• UL operates in more than 143 countries and across more than 20 industries
• UL’s sustainability certifications are referenced in 900+ sustainable product specifications or purchasing guidelines around the globe
• UL has enhanced transaction security for:
– 500+ banks
– 20+ payment schemes
– 60+ mobile network operators
– 50+ governments/transport operators
• UL serves 1 out of 3 Fortune 500 companies
• UL software is used by 10,000+ organizations in over 10 industries
• UL has helped to set more than 1,600 standards defining safety, security, quality and sustainability
Current 2018 Locations
• CHICAGO, 2015
• FRANKFURT, GERMANY, 2018
• SILICON VALLEY, 2017
• LEIDEN, NETHERLANDS, 2012
• SUZHOU, CHINA, 2017
Focus areas listed on the slide: Certification, Industrial, Lighting, IoT, Access Control & Video, Advisory OT Assessment, Automotive, Smart Home, Building Automation, Factory Automation, Energy, Medical
What Can Cybersecurity Do For Your Business?
Bright Side: Cybersecurity Landscape
The world is becoming more connected
30 BILLION connected devices by 2020 (EMC 2015)
• SMART CITIES
• CRITICAL INFRASTRUCTURE
• BUILDING AUTOMATION & SECURITY
• HEALTHCARE
• AUTOMOTIVE
• FACTORY AUTOMATION
• SMART HOME
Lighting Systems And Cybersecurity 1
• Two classes of functionality
– Light emitting devices with smart control capabilities (on/off, brightness, color, sequenced)
  • Central management, usually cloud
  • Resilience, security, safety
  • Cross device communication: ZigBee, BT Mesh
– Light emitting devices with enhanced capabilities, based on available energy, connectivity
  • Sensors: microphones, cameras (pattern recognition), motion, chemical sensors, radar
  • Central management, usually cloud
  • Cross device communication: ZigBee, BT Mesh, 5G, etc.
  • Resilience, security, safety: requirements depend on use case.
• „Smart“: added value or the primary added value?
Dark Side: Threats And Danger
Security is not promised with IoT
• >94,000 KNOWN PUBLIC VULNERABILITIES (NIST NVD 9/8/17)
• 83% of companies think CYBERATTACKS ARE ONE OF THE 3 BIGGEST THREATS to their organization (ISACA, 2015, Global Cybersecurity Status Report)
Lighting Systems And Cybersecurity 2
• X percent of lighting devices will become „smart“.
• Amount of devices: y million.
• Revenues & profits generated by „smart“: € z million.
• „Smart“ business models.
• Needs to be protected to prevent malfunction
– Darkness, wrong guidance, wrong data from sensors, extracted data (motion profiles, confidential/privacy data)
• Cybersecurity: limitation or business enabler?
• Anything missing?
• Most important: Misuse of IoT devices
– DDoS: Distributed Denial of Service Attack
– DDoS as ultimate data processing power to attack major sites (German Telekom, Netflix, …)
– Mirai-based IoT botnet, DDoS, 21st October, 2016
– Telekom Germany 2017: turned down 800.000 connected devices
– Liabilities
Outsourcing
Expertise is limited & in high demand
2 million UNFILLED GLOBAL CYBERSECURITY POSITIONS BY 2019 (ISACA 2016)
The Fundamental Process
„Security is not a product, security is a process!“
Bruce Schneier, 2008
NIS Directive, „Cybersecurity Act“, ENISA
PROPOSAL FOR A REGULATION OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL on ENISA, the "EU
Cybersecurity Agency", and repealing Regulation (EU) 526/2013:
“Cybersecurity Act”
Establishment of European Cybersecurity Certification Framework
3 assurance levels,
certification schemes.
Granting permanent mandate to European Union Agency for Network
and Information Security (ENISA).
DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL of 6 July 2016
concerning measures for a high common level of security of
network and information systems across the Union.
Regulation Or Not – Cybersecurity Is Serious Stuff!
Impact of Security Issues
Critical Infrastructures
Electricity
Gas
Water
Financial Services
Cities
Medical operations
Transport
Supply chain
In case of, it does not matter who has done a bad job
Privacy violations
Reliability and sustainability -> Trust
Risk Management, Trust: core business of UL for > 125 years
Regulation Or Not – Cybersecurity Is Serious Stuff!
Self-declaration works for cybersecurity as it does already for product safety?
Wrong. It does not, sorry.
Why:
IoThings: The „Thing“ is something within the perimeter of competence of
the manufacturer or system integrator (machine, toy, …).
Cybersecurity is not (in most cases).
Compromised product safety is limited in doing harm to the product
(hairdryer), the operator (electrical shock) or the close environment (burn
down the house). Cybersecurity is not (always).
The solution:
Do it right: PDCA: Plan, Do, Check, Act.
Check: 3rd party testing, design review, certification.
https://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained
Mirai-based IoT botnet, DDoS, 21st October, 2016
Questions?
Answers: [email protected]
Lighting Goes “Smart” – Cybersecurity, a business opportunity.