Herbert Dirnberger: True Cost and Real Benefits of IIoT Security @bsidesvienna 07e1
Verein zur Förderung der Sicherheit in Österreichs strategischer Infrastruktur (Association for the Promotion of Security in Austria's Strategic Infrastructure)
Agenda: Digital Darwinism; Risks; Scenario-based IIoT Security; Use Case; Summary
Digitalization @home
Smart Cats @home: RFID reader, RFID tag, smart door, IoT hub, mobile, cloud
Smart Humans @world: I, Cyborg; Google Glass; Steve Mann; Kevin Warwick
http://www.csmonitor.com/Innovation/Latest-News-Wires/2012/0718/Cyborg-allegedly-attacked-over-camera-implants
http://www.zeit.de/digital/internet/2012-08/cyborg-neil-harbisson-biohacking-campus-party
http://dailynoise.blogspot.co.at/2011/10/what-is-cyborg-anthropology.html
http://en.wikipedia.org/wiki/Steve_Mann
http://www.kevinwarwick.com/ICyborg.htm
All contents of this presentation are subject to the Creative Commons License. 2012 Herbert Dirnberger
0b0111 1110 0001 = 0x7E1 = 1024 + 512 + 256 + 128 + 64 + 32 + 1 = 2017
Technical Progress of Industry: 200 years digital, 70 years computer, 6 years Industrie 4.0/IIoT
How do we call this kind of nerds and geeks in the industry?
Timeline: Loom with punched cards (1805), Zuse Z3 (1941), Apollo 11 (1969), PLC, Robot, PC, Internet, mobile, Cloud, IIoT (2011), 2017
[Rotated slide labels not fully recoverable; image credit: Markus Schweiß, GFDL (http://www.gnu.org/copyleft/fdl.html) or CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/), via Wikimedia Commons]
Industrial Automation in 2 min: SCADA, Operator, HMI, Controller, Industrial Network, Actor, Sensor, Physical Process
Industrial Actors: Robots, Power Plants, …
Disruption and Digital Darwinism (chart: customer need over time)
Digital Transformation: Player A; Player B (innovative); Player C (innovative + disruptive)
"Top management of medium-sized companies believes that their company has nothing to do with digitalization." 42 (Arno Martin Fast, 2017, Phoenix Contact, Industrial Cloud Computing)
The new form of creative destruction: "Disruptive self-attack!" Let us ask ourselves: what is the business model that would destroy us?!
Don't think in camps and silos! Physical process, business process, services, IIoT.
(some) IIoT Benefits
  Business Model: pay per use, contracting, data as service, customized products
  Process: reduced costs, better quality, optimized cycle time
  Machine: higher availability, reduced service costs, longer lifetime
  Employee: ergonomics, better decisions, meaningful work
Business Risks / Risk Management: exposed physical access, exposed wireless networks, no secure passwords, no backups, not patchable, open system found in shodan.io, web access with cross-site scripting
"The IoT is extremely insecure and not patchable." Bruce Schneier
Traditional Risk Management Program: Strategy Alignment, Asset Management, Business Impact Analysis, Threat Analysis, Vulnerability Analysis, Risk Mitigation Program (Controls, ROI), Risk Monitoring, Risk Management, Business Continuity Management, Incident Management, Backup
Typical scope: 1 year, balancing cost and risk
BSI Top 10 Threats to IIoT/ICS Systems: Social Engineering / Phishing; Malware; unauthorized Access/Ownership (to/of Buildings, to/of Systems, and Transfer/Manipulation of Information); Intrusion via Remote Access; Human Error / Sabotage; Compromised Smartphones; Compromised Cloud; Technical Malfunctions; (D)DOS; Force majeure
Affected values: Cost, Internet, Confidentiality, Enterprise Value, Privacy, Data Leak, Compliance, Safety, Value Add, Availability, Collateral Damages, Realtime, Integrity
Source: BSI, Top 10 Threats and Countermeasures 2016
Controls for IIoT Security: Restricted access to the Internet, VPN and industrial firewalls (micro-segmentation) are the basics.
Controls: Vendor Management (BDEW); Policies, Procedures; restricted Internet for Control Network; Passwords, Files, DB; Sandbox, Whitelists; Business Continuity; Segments, Firewall; Backup, Diversity; Secure Appstores; Monitoring, Audits; Security Updates, Patches; Security Policy; Need to Know; Scan, Log, IDS; DMZ, Network; Fences, Guards; VPN, 2 Factor; Anti Malware; Secure Redundancy; Awareness, Training; Encryption; SLA, NDA; MDM; Hardening
Threat/control matrix (which control columns are marked for each threat is not recoverable from the extracted slide; number of marked controls per threat): Social Engineering / Phishing 10; Human Error / Sabotage 9; Malware 9; Malfunctions / Force Majeure 4; Compromised Cloud 4; Intrusion via Remote Access 5; Compromised Smartphones 5; DDOS 3
Source: BSI, Top 10 Threats and Countermeasures 2016
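The slide's matrix is a coverage check: for each BSI threat, which of the listed controls mitigates it, and which threats are left uncovered by the controls a company has actually implemented. The following is an added example, not the slide's matrix or the author's tooling; the threat-to-control pairings in COVERAGE are a small, standard illustrative subset chosen here as an assumption, and the names reuse the slide's threat and control labels.

```python
"""Threat/control coverage check in the style of the slide's matrix.

The pairings below are an illustrative assumption (standard mitigations), not
the column marks of the original slide; threat and control names are taken
from the slide. All code here is added for illustration.
"""
from collections import Counter

# ASSUMPTION: illustrative subset of the slide's 24 controls per BSI threat.
COVERAGE = {
    "Social Engineering / Phishing": {"Awareness, Training", "Security Policy",
                                      "VPN, 2 Factor", "MDM"},
    "Human Error / Sabotage": {"Awareness, Training", "Need to Know",
                               "Backup, Diversity", "Monitoring, Audits"},
    "Malware": {"Anti Malware", "Security Updates, Patches", "Sandbox, Whitelists",
                "Backup, Diversity", "Segments, Firewall"},
    "Malfunctions / Force Majeure": {"Backup, Diversity", "Secure Redundancy",
                                     "Business Continuity"},
    "Compromised Cloud": {"SLA, NDA", "Encryption", "Vendor Management (BDEW)"},
    "Intrusion via Remote Access": {"VPN, 2 Factor", "DMZ, Network",
                                    "Scan, Log, IDS", "Hardening"},
    "Compromised Smartphones": {"MDM", "Secure Appstores", "Encryption"},
    "DDOS": {"Secure Redundancy", "Segments, Firewall",
             "restricted Internet for Control Network"},
}


def coverage_report(implemented):
    """Map each threat to the sorted list of implemented controls that mitigate it."""
    implemented = set(implemented)
    return {threat: sorted(controls & implemented)
            for threat, controls in COVERAGE.items()}


def uncovered_threats(implemented):
    """Threats with no implemented mitigating control: the risk-register gaps."""
    return sorted(t for t, c in coverage_report(implemented).items() if not c)


def control_breadth():
    """Rank controls by how many threats they mitigate (a cheap prioritisation
    signal when the budget only allows the next one or two controls)."""
    counts = Counter(ctrl for controls in COVERAGE.values() for ctrl in controls)
    return counts.most_common()


def next_best_control(implemented):
    """Not-yet-implemented control that closes the most currently uncovered threats."""
    gaps = set(uncovered_threats(implemented))
    candidates = Counter()
    for threat in gaps:
        for ctrl in COVERAGE[threat] - set(implemented):
            candidates[ctrl] += 1
    if not candidates:
        return None
    # Deterministic tie-break: highest count, then alphabetical name.
    return sorted(candidates.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]


if __name__ == "__main__":
    # Constructed scenario: a site that has only the three "classic" controls.
    have = {"Backup, Diversity", "Anti Malware", "Awareness, Training"}
    for threat, ctrls in coverage_report(have).items():
        print(f"{threat:32s} {len(ctrls)} control(s): {ctrls}")
    print("uncovered:", uncovered_threats(have))
    print("next best control:", next_best_control(have))
```

Running the scenario shows that backup, anti-malware and awareness alone leave the remote-access, cloud, smartphone and DDoS threats without any mitigation, which is the kind of gap the slide's matrix is meant to make visible before the budget is spent.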
Use Case: IIoT in manufacturing. Focus: Business Interruption and Cyber Security. Domains: IT Security, Information Security, ICS Security, IIoT Security, Physical Security
IIoT Security is about DEFENSE and ENABLER
  Industrial users, Processes, Resources, Safety & Cyber Security
  Attacks (Scan, Tests, Enumeration, … Exploits); Unauthorised use; Human Misbehaviour; Sabotage, Theft, Fraud; Malicious Code; Technical Misbehaviour (uncontrolled Patches, Software Bugs, Protocol Error); Force majeure
  Domains: IT Security, Information Security, Physical Security, ICS/IoT Security
  Costs vs Value Add
  [Rotated slide labels partly recoverable: Risk Management, Incident Management, Vulnerability Management, Business Continuity Management]
Use Case: IIoT in manufacturing. Industrial user, 200 employees, 50 m € sales/year, 1 m € profit/year
  Systems: Enterprise Resource Planning System, Manufacturing Execution System, external services; data flows: Order, Program ID, Article to produce, Article produced, Energy consumed, Production data, RFID
  OT assets: 5 robots, 2 CNC, 3 HMI/SCADA, 4 PLC, 20 IED, 5 automatic transport vehicles, 3 network cells, 1 industrial DMZ
  IT assets: 10 MES clients, 100 office clients, 25 notebooks, 50 mobile devices, 200 users, 15 VPN accounts (10 internal, 5 external)
  People: 2 IT admins, 1 automation engineer, 2 maintenance, CISO + managed security services
  KPI: maintenance, availability
What we will expect, because it happened in recent years. Industrial user, 200 employees, 50 m € sales/year, 1 m € profit/year. Scope: 5 years
  20 hardware malfunctions; 45 software defects / updates; 25 network outages > 1 day; 10 power breakdowns
  20 malware / crypto; 1 data breach > 15,000 EUR; 40 locked users (10 leaks); 20 lost and 5 stolen devices; 10 lost encryption keys; 20 problems with VPN; 4 orders in junk
  Damage: 100,000 EUR
Comparing Costs and Value Add. Industrial user, 200 employees, 50 m € sales/year, 1 m € profit/year. Scope: 5 years
Costs in TSD €
  CAPEX 20: Industrial FWs, VPN Router incl. Config and Licenses 8; Enterprise FW incl. Config and Licenses 12
  OPEX 100: Managed prof. ICS Security Services 24; Managed basic ICS Security Services 6; Managed Client Security Services 60; Managed mobile Security Services 10; CISO as a Service incl.
Damage Costs in TSD €
  100: Hardware/Software Malfunctions 40; Power Breakdown/Network Outage 10; Unrealized Orders 10; Data Breach 15; Stolen Devices 5; Crypto/Ransomware 15; Mini Problems 5
Value add in TSD €
  Value Add 250: direct "measurable" value add ~ 0.1% of sales/year (Realtime, Availability, Integrity, Privacy, Safety, Compliance, no Data Leak, Confidentiality)
Real Benefit: Value Add 250, CAPEX -20, OPEX -100, Damage Costs -100 = +30. Value add > Costs
What we will not see, but it will happen. Industrial user, 200 employees, 50 m € sales/year, 1 m € profit/year
  Social Engineering; Phishing (Accounts); Industrial Espionage; Sabotage (Availability); Manipulation (Integrity); Manipulation (IIoT in Internet); DDOS (Availability); Friendly Malware
  If we do not notice it directly, we will not handle it in risk management!
Source: BSI, Top 10 Threats and Countermeasures 2016
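The cost/value-add slide is a five-year business case whose headline figure (+30 TSD €) only holds if the line items really add up to the stated subtotals and the value-add estimate survives a sensitivity check. The following added example is not the author's spreadsheet; it rebuilds the case from the slide's own numbers, reconciles each subtotal against its line items, and computes the break-even points. The helper names and the sensitivity functions are this example's own.

```python
"""Five-year IIoT security business case rebuilt from the slide's figures.

Amounts are in thousand EUR (TSD EUR) over the slide's 5-year scope. The line
items are the slide's numbers; the helpers are added here for illustration.
"""

SCOPE_YEARS = 5
SALES_PER_YEAR_TSD = 50_000  # 50 m EUR sales/year from the use case

# Slide line items (TSD EUR, 5 years) with the subtotal the slide states.
CAPEX_ITEMS = {
    "Industrial FWs, VPN router incl. config and licenses": 8,
    "Enterprise FW incl. config and licenses": 12,
}
CAPEX_STATED = 20
OPEX_ITEMS = {
    "Managed prof. ICS security services": 24,
    "Managed basic ICS security services": 6,
    "Managed client security services": 60,
    "Managed mobile security services": 10,
}
OPEX_STATED = 100
DAMAGE_ITEMS = {
    "Hardware/software malfunctions": 40,
    "Power breakdown / network outage": 10,
    "Unrealized orders": 10,
    "Data breach": 15,
    "Stolen devices": 5,
    "Crypto/ransomware": 15,
    "Mini problems": 5,
}
DAMAGE_STATED = 100
VALUE_ADD = 250


def reconcile(items, stated):
    """Return (computed_sum, stated_sum, matches) so a wrong subtotal is caught
    before it propagates into the headline benefit."""
    computed = sum(items.values())
    return computed, stated, computed == stated


def real_benefit(value_add, capex, opex, damage):
    """The slide's formula: value add minus CAPEX, OPEX and residual damage."""
    return value_add - capex - opex - damage


def share_of_sales(amount_tsd, years=SCOPE_YEARS, sales=SALES_PER_YEAR_TSD):
    """Amount as a fraction of total sales over the scope (slide: ~0.1%)."""
    return amount_tsd / (years * sales)


def break_even_value_add(capex, opex, damage):
    """Smallest value add at which the case stops being negative."""
    return capex + opex + damage


def damage_headroom(value_add, capex, opex, damage):
    """How much higher residual damage may be before the benefit turns negative.
    Sensitivity check: damage estimates are the least certain input."""
    return real_benefit(value_add, capex, opex, damage)


def business_case():
    """Full case as a dict; every subtotal is reconciled, not trusted."""
    capex, _, capex_ok = reconcile(CAPEX_ITEMS, CAPEX_STATED)
    opex, _, opex_ok = reconcile(OPEX_ITEMS, OPEX_STATED)
    damage, _, damage_ok = reconcile(DAMAGE_ITEMS, DAMAGE_STATED)
    return {
        "subtotals_reconciled": capex_ok and opex_ok and damage_ok,
        "capex": capex,
        "opex": opex,
        "damage": damage,
        "real_benefit": real_benefit(VALUE_ADD, capex, opex, damage),
        "value_add_share_of_sales": share_of_sales(VALUE_ADD),
        "break_even_value_add": break_even_value_add(capex, opex, damage),
        "damage_headroom": damage_headroom(VALUE_ADD, capex, opex, damage),
        "value_add_exceeds_costs": VALUE_ADD > capex + opex + damage,
    }


if __name__ == "__main__":
    for key, val in business_case().items():
        print(f"{key:26s} {val}")
```

The reconciliation is deliberate: the slide's three subtotals (20, 100, 100) do match their line items, and the resulting +30 TSD € is small against a 250 TSD € value-add estimate, so a 30 TSD € slip in residual damage over five years wipes the benefit out. That headroom figure, not the headline, is what a CISO should carry into the discussion with management.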
Scenario-based Enterprise Values: EV = Enterprise Value, VA = Value Add, LCC = Life Cycle Costs. IIoT security costs are part of LCC.
  Lifecycle (time axis): Idea, Concept, Investment, 0, "running", EOL
  LCC, OPEX, service and security costs are mostly defined in the concept and investment phases.
  "The best way to predict the future is to invent it." Alan Curtis Kay
The Reality about Industrial Security: 10% hackers, script kiddies, APT, cybercrime, …; 90% wrong documentation, no backups, protocol errors, no time, no awareness, legacy, …
1 typical lifecycle … 25 years: 2010 Stuxnet; 2017 WannaCry, NotPetya; 2035 all problems solved; 2042+
Picture taken at Security of Things Conference 2017, Berlin
Summary: Disruptive self-attack. Don't think in camps and silos, but in lifecycle! IIoT security is about defense and enabler. What we will not see, but it will happen. "The best way to predict the future is to invent it." 2042+
Think big, start small, secure and now
Verein zur Förderung der Sicherheit in Österreichs strategischer Infrastruktur (Association for the Promotion of Security in Austria's Strategic Infrastructure)