Executive Customer Council 2017

Transcription

1 Executive Customer Council und 31. Mai 2017 Würzburg Fujitsu Security Technology Office EMEIA

2 Security in the Age of Digital Transformation from Edge to Core Fujitsu Security Technology Office EMEIA

3 We recognize the trends of the times 50Bill. Connected Devices 2020 * Ca. 7 Smart Objects owns every human around the world +44ZB Generated Data p.a. in 2020 $11Bill. Potential impact: $11 Billion/ in 2025 Quelle: Fujitsu Technology & Services Vision 2015 Quelle: IDC & EMC The Digital Universe of Opportunities // April 2014 Quelle: McKinsey Global Institute The Internet of Things: Mapping the Value Beyond the Hype // Juni Fujitsu Security Technology Office EMEIA

4 Digital Transformation & IoT Urbanization Shortened Development Times Industrial Internet Smart Cities Glocalization Acceleration 4th Industrial Revolution Globalization Sharply Rising Volatility Smart Sensing Big/ Smart Data User Centric Mobility Cloud Fujitsu Security Technology Office EMEIA

5 There will be no Industrial IoT without Security EU Commissioner Günther Oettinger (September 21, IIC Quarterly Meeting) Poor state of security on connected devices enables large scale attacks (e.g. Dyn Attack October 2016) Existing threats utilize consumer devices and legacy industrial devices in the IoT for large scale attacks Industry will be a permanent target High leverage due to economic and safety impact Every vertical is affected, each in a specific way Awareness & Obligation IIoT competitiveness is a vital national interest to every country Imperative requirement of security-by-design in all IoT activities Fujitsu as a Strong Digital Transformation Leader Fujitsu leverages its expertise in Cyber Security within a network of excellent partners providing effective protection of our customers in their IoT applications IoT security is a key enabler of Digital business Fujitsu Security Technology Office EMEIA

6 Fujitsu among Global Players in Industrial IoT Industrial Internet Consortium US based Industrial Value Chain Initiative Japan based 200+ members Plattform Industrie 4.0 Germany based ~200 members Fujitsu Security Technology Office EMEIA

7 The digital disruption in waves... Online-Trading 1. wave Internet Interconnection, online 2. wave Mobiles Internet Real time, platform independent 4. wave KI und Robotik Knowledge and automation 3. wave Internet of Things Convergences of the physical and digital world Hyperconnected World Massive influence to all of the industries Fujitsu Security Technology Office EMEIA

8 By New Legislation will drive Security Requirements Network & Information Security Directive (NIS) & General Data Protection Regulation (DPR) New Legislation Main Customer Tasks Prepare Now! Network and Information Security Directive (NIS) Harmonized requirements on each Member State s legislation Each member state must pass a national law based on the directive by 2018 General Data Protection Regulation (GDPR) Regulation is valid as is in every country from 2018 on Countries may add national extensions Open issue: is relevant law that of consumer s or provider s jurisdiction? Information Systems and Data Governance Evidence of policies and effective implementation, e.g. Security Audit Data Protection Impact Assessments Data Protection Officer to be implemented Reporting Records of Processing Specific reporting of security incidents / data breaches without undue delay Severe Fines GDPR: 20M or 4% of annual turnover Governance, Risk and Compliance Security Consulting, e.g. Continuity & Resilience Data Protection, e.g. IAM, encryption MSS, e.g. vulnerability management, perimeter protection, content inspection Assessments & Audits Security Audits Privacy Impact Assessment Detect and Response Cyber Threat Intelligence SIEM enhanced by reporting according to NIS/GDPR Fujitsu Security Technology Office EMEIA

9 Security and IoT impact every Vertical Initial Situation Regulated, e.g. NIS (EU), National Health Transportation IT and Communications Food Water Energy (Electricity, Oil&Gas) Finance & Insurance Non-Regulated (EMEIA) Others (tbd) Retail Logistics Smart Cities Manufacturing Security today IoT future Digital Service Providers Fujitsu Security Technology Office EMEIA

10 Security in Connected Services Future Situation Safety Reliability Vertical Security 1 0,8 0,6 0,4 0,2 0 Privacy Resilience Customer Security Characteristics Regulated, e.g. NIS (EU), National Health Transportation IT and Communications Food Water Energy (Electricity, Oil&Gas) Finance & Insurance Non-Regulated (EMEIA) Others (tbd) Retail Logistics Smart Cities Manufacturing Connected Services Security for IoT, AI and Cloud based Services in Edge and Core Fujitsu Security Technology Office EMEIA

11 Security is a Quality KPI for Connected Services Security KPI per Vertical Requirements differ by vertical Specifically weighted functional requirements Ensure Security quality according to vertical obligations Quality of Security will be a digital supply chain KPI Industrial IoT Security is a continuum of system characteristics OT Safety (IEC 62443*) meets IT Security (ISO 27000*) Privacy (GDPR*), Resilience (ISO*, IEC*), Reliability (NIS*) are quality features in both OT and IT Determine and ensure quality measures per vertical, e.g. audit, certification *) Example Safety Reliability 0,8 0,6 0,4 0,2 Vertical Security 1 0 Customer Resilience Privacy Increasing Quality by Security KPI Fujitsu Security Technology Office EMEIA

12 Manufacturing Energy Water Food ICT Transportation Health Finance & Insurance Scope of Plattform Industrie 4.0 Model for Next-Gen Value Chain based on IIoT Smart Cities Retail Logistics Others (tbd) Frontrunner Manufacturing drives other Verticals Manufacturing is a rapidly growing IIoT(M2M) market and a thought leader for other verticals. Scope of Fujitsu Security Holistic Security in IIoT M2M needs obligatory security-by-design Fujitsu collaborates in IIC, Plattform Industrie 4.0, IVI, etc. These bodies see: Manufacturing as learning ground for other verticals Scope of Industrial Internet Consortium (IIC) Cross Domain Interoperability in IIoT Fujitsu Security Technology Office EMEIA

13 Manufacturing Energy Water Food ICT Transportation Health Finance & Insurance Scope of Plattform Industrie 4.0 Model for Next-Gen Value Chain based on IIoT Smart Cities Retail Logistics Others (tbd) Transfer to other Verticals We see nascent demand in other verticals, e.g. utilities Scope of Fujitsu Security Holistic Security in IIoT Fujitsu can initially address this with existing portfolio Fujitsu will develop specific IIoT security offerings for these verticals Partners and co-creation customers play a vital role Vertical intimacy as key for growth Scope of Industrial Internet Consortium (IIC) Cross Domain Interoperability in IIoT Fujitsu Security Technology Office EMEIA

14 Architecture & Technology Defining Connected Security Services Fujitsu Security Technology Office EMEIA

15 Principle Architecture in the new Ecosystem Edge The place where vertical IoT begins or ends is called the edge. E.g. ICS components, robots, PLCs, sensors, 3D-Print, IoT gateways, MES, etc. will live here. Core The Core will connect, Core manage, process, analyze and control all IIoT devices Fujitsu Security Technology Office EMEIA

16 Security in Edge and Core Ecosystems Edge Security Secure Code Identity and Access Management PKI, HSM, Secure Communications Encryption SIEM Managed Things Security AI supported Cyber Security, Anomaly Analysis Edge Core Core Security Standards and regulations: e.g. ISO 27001, ISO 20000, NIS, Data Protection (e.g. GDPR), legal Security requirements Example Security Services: Data Classification, Privacy Impact Assessments Secure Code, Security Review Identity and Access Management, PKI, HSM, Secure Communications, Firewall, IDS, IPS, Encryption, SOC, SIEM, Business and Service Continuity Security Analytics and AI AI supported Cyber Security, Anomaly Analysis, Threat Intelligence Core Management Services IoT & Asset Management, IT Service Management Interplay of Edge and Core is essential! Fujitsu Security Technology Office EMEIA

17 Analytics and AI drive IIoT Security AI supported (I)IoT and Machine/Components Trusted Identity Anomaly Analysis Connected and Autonomous (I)IoT Devices Cyber Security Fundamental Security Resilience (e.g. DDoS) Edge Core Security Analytics and AI AI based IAM for (I)IoT in Edge Edge/Core support by Threat Intelligence Anomaly analysis securing communications AI based policy and process management Privacy and compliance rules supported by AI Core Security utilizing AI Cloud Security supported by AI Application of AI for cloud service security AI supported Core Management Services IoT & Asset Management IT Service Management Threat management (DDoS, etc) Resilience control Security/Privacy Management Interplay of Edge and Core is essential! Fujitsu Security Technology Office EMEIA

18 Fundamental Building Blocks Dynamic Ecosystem requires permanent Sensing and Analysis Fujitsu Security Technology Office EMEIA

19 Trust in the Industrial IoT Source: IIC Industrial Internet Security Framework Trust evolves dynamically over time Dynamic Trust must be continuously reestablished Analytics and AI enable prediction and learning Trust results from interaction of hardware, software and services Updates and predictive maintenance may change properties and Trust Future standards of trust under development Trust services to be delivered to the Edge from the Core e.g. Policy & Risk Management, Data Classification, Federations, PKIs, CAs, IAM, SIEM IoT Management will be essential part of asset and security management Fujitsu Security Technology Office EMEIA

20 Automated Trust in Industrial IoT Trust relationships are required in systems New Trust paradigm E.g. roles in M2M: Operator, Integrator, Component Root of Trust (RoT) is the foundation Hardware, software, people and organizational processes used to establish confidence in the system. Confidence in the authenticity of the devices credentials Strength of RoT determines level of trust attainable by device Trust Services essential for Security in IoT RoT based, policy driven and AI enabled Standardized Trust Levels emerging to measure Trust Fujitsu Security Technology Office EMEIA

21 Secure Communications IAM for Things Authentication Only securely and trustworthy identified things may connect from Edge to the Core Temporary authentication due to dynamic change of Trust Identity of Things (~50bn by 2020) Things will stay and no end of life will be clear Fundamental IoT Services: Intelligent registration and identification of Things End2End management of Communication 5G security model provider dependent Lack of transparency for customers Industrial Quality of Service business critical requirement for IIoT Handling of access for insecure things by providers in consumer environments necessary AI automates mass identification and authentication of things Source: Fujitsu Security Technology Office EMEIA

22 Fujitsu EMEIA Security Offerings Firewalls, NGFW and IDS/IPS Endpoint protection Advanced Threat Protection Content Web, and DLP Security Consultancy Identity & Access Mgmt Continuity and Resilience Consultancy PalmSecure and Biometrics IDaaS SIEM and SIEMaaS Vulnerability Management Cyber Threat Intelligence Technical Design and Integration Cyber Threat Response Security Assessments inc. GDPR mpollux Managed Security Services Consultancy and Advisory Products 350+ Security professionals today Security Operations Centres operating to highest National Government security levels R&D Capability developing/delivering Fujitsu security products, e.g. PalmSecure and IdAM Operating across Public and Private sector, and National Defence Businesses Highest Strategic Technology Partner Accreditations 40+ Year History in design, delivery and Integration of large scale cyber security services Fujitsu Security Technology Office EMEIA

23 Fujitsu Security Technology Office EMEIA

24 Information Security Management System (ISMS) EMEIA Operating Model EMEIA Governance Framework EMEIA Security Governance Model Information Security Implementation Creation of EMEIA Security Framework Definition EMEIA Security Audit Strategy Launch of the EMEIA wide ISMS Awareness Training Alignment of basic Security Processes (Incident, Risk, Comms) Planning and performance of Security Audits Management Review (ECSF = EMEIA Cyber Security Forum) Fujitsu Security Technology Office EMEIA

25 EMEIA Security & Compliance Trainings FIOLA = Fujitsu International Online Learning Application Fujitsu Security Technology Office EMEIA

26 PalmSecure Fujitsu Security Technology Office EMEIA

27 Our own Intelligence gathering Fujitsu Security Technology Office EMEIA

28 The new attack surfaces: Sensors / Actors Gateway - Cloud Intranet Internet Extranet Cloud Identity With which sensor am I talking? Screen contents can be read Webcam and microphone (internal/external) can be activated and controlled (room surveillance possible) External HDDs, USBs can install viruses and backdoors unnoticed Remote access Transfer and control of the systems by remote access Access to critical data Administrations can access sensible data unnoticed Communication (Internet/LAN/WAN) Backdoors to active / passive network components Data is intercepted Outgoing data can be intercepted, read and manipulated Data Integrity? Personal information? Main memory saves data unencrypted BIOS, OS, driver, application can contain backdoors Mouse and keyboard input can be read Internal data media (HDD, SSD, DVD) are readable despite encryption Physical access to systems through insufficiently secured access processes Hacker attacks hacker attacks are facilitated by monitoring that is not end-to-end; logs can be falsified Gateway Identity? Security? Maintenance? Fujitsu Security Technology Office EMEIA

29 Everything is a connected endpoint even my best friend The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications. Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it. But the UK Toy Retailers Association said Cayla "offers no special risk". Cayla was offered for 2 years Hello Barbie is still legal (Big Brother Award 2015) Fujitsu Security Technology Office EMEIA

30 MetaArc: Digital Enablement Platform Multi Cloud Integration, Managed Services Fujitsu RunMyProcess Fujitsu Cloud Services Mgt Hybrid IT Managed Services Digital Initiatives: Platform Service Mobility Big Data IOT AI Fujitsu Cloud Service K5 (IaaS and PaaS) PRIMEFLEX for Cloud (Private cloud product) Fujitsu Group Clouds Other Clouds Digital Business Platform MetaArc A set of technologies, cloud solutions, Professional Services, multi-cloud integration, multi-cloud and Hybrid IT Managed Services and an ecosystem of partners. Security Global WAN Fujitsu Security Technology Office EMEIA

31 Definition of Industrial IoT Dr. Jacques Durand, Director R&D Fujitsu America, Member of Steering Committee IIC A user-centric definition IoT is a value chain for both businesses and people. IoT starts with connecting objects from the real world - buildings, vehicles, products, etc. between themselves and to computers at a significantly larger scale than done in the past Useless without additional intelligence provided: a new level of analytics and automated decision making is now possible based on the unprecedented amount of data generated from this connectivity. Benefits More efficient, insightful and productive industrial operations, Better and personalized responses to people s needs and interests. Challenges of gathering more data and of more reliance on automated systems Users will expect an IoT deployment to tell a lot more about how it ensures privacy, transparency, safety, security, reliability, resilience, than other conventional ICT systems. Source: (2015) Fujitsu Security Technology Office EMEIA