Autobot - IoT enabled security. For Private circulation only October Risk Advisory

Transcription

1 For Private circulation only October 2018 Risk Advisory

2

3 Table of contents Background 02 Common Challenges 03 About the AutoBot 04 Capabilities of the AutoBot 05 Future of Autobot 06 The success story 08 Oil & Gas 09 Other Industries use cases 10 Telecom 12 Manufacturing 13 Shipping 14 Smart Stadiums 15 Banking, Financial services and Insurance 16 Retail 17 Agriculture 18 Insurance 19 Automotive 20 Mining 21 Contacts from Deloitte Touche Tohmatsu India LLP 24 01

4 Background While most business models are changing globally towards an interconnected ecosystem, there exist models with a distributed landscape in the form of remote sites, stores or infrastructure. The threat landscape is constantly evolving and challenging the organisations and their security teams. Thus, the need to have a pro-active security testing and tracking mechanism which could provide organisations with holistic coverage of all their sites/ infrastructure in a near real-time basis arises. Organizations not only need to enhance their security posture but also need to adhere to various regulatory / stakeholder compliance requirements. Connectivity issues and the cost of travel to remote locations are few of the key challenges which limit an organization s ability. 02

5 Common Challenges Some of the common challenges faced by industries Connectivity Cost Unmanaged & Unmonitored Coverage Compliance Examples of industries facing similar challenges Oil industries having thousands of retail sites across the globe Organised retail having presence at various part of the world Banking industries having their branch and ATMs at remote places Shipping industries running many fleets and loaded with IT systems Telecom Towers across the globe for connectivity Manufacturing industries having many plants across the globe for better supply chain 03

6 About the AutoBot The AutoBot is an automated penetration testing solution with built in intelligence to take care of various operations which are otherwise performed as a part of professional services. The solution is aimed at performing security testing with no manual intervention; reducing cost associated with deploying professionals at remote locations; providing near real-time security posture; and enabling wider coverage of security testing for organisations at remote locations with connectivity issues. Features of the AutoBot In-house developed programs and intelligence to perform various operations Compact and portable with inbuilt encryption. Can be shipped to remote places Built-in Intelligence Compact & Secure No Manual Intervention Faster and IOT Enabled Developed in a way that it only needs to be plugged in to a switch and it does the rest Comes with latest configuration to deliver faster performance. Can be also be connected to Cloud 04

7 Capabilities of the AutoBot Automated Penetration Testing Continuous Control Monitoring Asset Identification and Profiling Asset Inventory Audit for Statutory Critical Infrastructure & Site Monitoring Rogue System Detection Software License Management Audit Configuration & Patch Management for Remote Systems Site Security Maturity Assessment for Cyber Insurance Automated IT Controls Testing 05

8 Future of Autobot Sensor Equipped Autobot OT Gateway Autobot IOT Gateway Autobot Autobot on Drone Sensor equipped Autobot can not only monitor cyber attacks on critical infrastructure, but also detect breaches / defects / malfunctions with the help of pressure, smell, vapor sensors. Can collect logs from OT systems to integrate with IT Systems for monitoring. Can collect security logs from IOT devices & Systems and can push over Internet to SIEM for central monitoring of remote sites. Autobot mounted on drones, with RFID and GPS capability, can assist in Asset / Fleet tracking, asset movement and asset inventory reconciliation. 06

9 07

10 The success story 08

11 Oil & Gas Background The client currently operates with around retail sites of which are client owned sites and retail sites operate in the franchisee model. In an endeavor to comply with the PCI-DSS requirement, the client with support from it's service partners, currently conducts an annual penetration testing (PT) exercise on a select set of 120 retail sites. Challenges Conducting Penetration Testing (PT) for sites/infrastructure with connectivity constraints (viz. slow VSAT connectivity) Increased cost due to travel required for manual penetration testing at sites across the globe. Coverage Coverage of the PT of all the remote sites across the globe is minimal due to accessibility and cost Delay in getting the complete security posture in near real time encompassing from all sites. Compliance Meeting Regulatory/ Compliance requirements (PCI DSS) for organisations at regular interval. How did we help Understands the retail network and gets itself assigned on their IP address Identifies live hosts (systems and devices) in the retail network (multiple VLANS) Captures hosts hostname, MAC address for asset inventory Identifies vulnerabilities in the host Automated exploitation of vulnerabilities 09

12 Other Industries use cases 10

13 11

14 Telecom Background Telecom Tower Infrastructure spreads across the globe for seamless network connectivity. The new generation telecom network (4G, 5G) hosts many IT equipments. Challenges Accessibility Installed on remote places and usually unguarded Increased cost due to travel required for site maintenance and monitoring of the devices from performance and security perspective Compliance & Coverage Meeting Regulatory / Compliance requirements (eg. Telecom Regulations) by conducting periodic Penetration Testing (PT) Coverage of the PT of all the remote sites across the globe is minimal due to accessibility and cost Monitoring Absence of mechanisms to continuously monitor any attacks or security posture of the tower equipments How can we help Automated Penetration Testing Critical Infrastructure & Site Monitoring Rogue System Detection 12

15 Manufacturing Background Manufacturing plants spread across the globe, for better supply chain of the products. These plants / stores undergo multiple audits such as Statutory Audit for asset, InfoSec Audits etc. Challenges Time Consuming Asset Reconciliation Statutory auditors spend significant amount of time in taking stock of the assets at the plants and store Monitoring ICS Systems Absence of security monitoring mechanism for ICS systems at plants Connectivity Connectivity to plants and stores due to their presence in remote sites How can we help Asset Inventory Audit for Statutory Critical Infrastructure & Site Monitoring Software License Management Audit 13

16 Shipping Background Shipping industries operate multiple fleets, which carry many IT systems on board. These are critical and prone to cyber attacks. Challenges Connectivity Even though ships are equipped with state of the art internet connectivity and GPS, these are not connected to a corporate network Cyber Attacks Since ships are always mobile, these are prone to external cyber attacks Monitoring Since ships are not connected to a corporate network, these are unmanaged and unmonitored Delay in getting the complete security posture in near real time encompassing from all sites How can we help Automated Penetration Testing Rogue System Detection Continuous Control Monitoring Configuration & Patch Management for Remote Systems 14

17 Smart Stadiums Background To improve digital engagement and in-arena experience for fans, smart stadiums are now IOT enabled to facilitate features like stadium directions, in-seat concessions ordering, games' stats parking availability, digital signage, replays, restroom availability, seat upgrades, loyalty program, players' tracking and safety. Challenges Monitoring Huge numbers of sensors and systems are deployed for monitoring the movement of players and fans using various features, however security posture of these are not monitored Cyber Attacks Since sensors are IOT enabled, these are prone to various cyber attacks from fans with malicious intent How can we help Automated Penetration Testing Rogue System Detection Critical Infrastructure & Site Monitoring 15

18 Banking, Financial services and Insurance Background Business models demand banks to have their presence in form of branches & ATMs at various parts of the world including cities, villages and remote locations. Challenges Connectivity Not all branches and ATMs are connected to core banking network over MPLS or High Speed network Monitoring Since ATMs are not connected to a corporate network, they are unmanaged and unmonitored. Delay in getting the complete security posture in near real time encompassing from all sites How can we help Automated Penetration Testing Continuous Control Monitoring Configuration & Patch Management for Remote Systems Asset Identification and Profiling 16

19 Retail Background Retail chains spread across the globe with various IT equipments, devices and scanners in each site. Challenges Asset Management & Cost Absence of view of the assets at retail sites and its security posture Increased cost due to travel required for asset profiling, inventorying and manual penetration testing at sites How can we help Coverage Coverage of the PT of all the remote sites across the globe is minimal due to accessibility and cost Delay in getting the complete security posture in near real time encompassing from all sites Compliance Meeting Regulatory / Compliance requirements (PCI DSS) for sites at regular interval Automated Penetration Testing Asset Identification and Profiling Continuous Control Monitoring Automated IT Controls Testing 17

20 Agriculture Background This industry now heavily relies on modern equipment, IT systems and sensors for faster production and delivery to consumers. Challenges Monitoring Huge numbers of sensors and systems are deployed for monitoring the plants, however security posture of these are not monitored Cyber Attacks Since sensors are IOT enabled, these are prone to various cyber attacks Connectivity Agricultural sites are at remote places with slow connectivity How can we help Automated Penetration Testing Rogue System Detection Asset Identification and Profiling 18

21 Insurance Background Insurance industries make huge efforts and bear high costs to gauge the current security postures of their clients before issuing cyber insurance. They rely on external consultants or their team to study the security posture and maturity of their clients. Challenges Time Consuming Insurance companies spend good effort in studying and understanding the security posture of their sites Cost Spend on external consultants to understand their clients' security posture Connectivity Insurance companies are not generally connected to a client environment for remote study How can we help Site Security Maturity Assessment for Cyber Insurance 19

22 Automotive Background The Automobile Industry works with it's dealer network for a more efficient distribution of vehicles. The dealer network requires to be connected to the automobile industry for demand-supply insights. Challenges Monitoring Due to a larger number of dealer networks connected, it is difficult to manage and monitor any security threats coming from them Cost Incurs huge cost in periodic review of the dealer network to ensure security posture and control implementations How can we help Automated Penetration Testing Continuous Control Monitoring Asset Identification and Profiling 20

23 Mining Background Mining industries heavily rely on OT/ICS systems for their operations at remote places. These OT machines are not connected to IT Systems hosted at corporate network. Challenges Monitoring Due to limitations and constraint in protocols, OT systems are not connected to corporate network, hence not monitored from security and performance prospective centrally Cyber Attacks OT systems are prone to various sophisticated cyber attacks. Connectivity Mining OT systems are hosted at remote places of the world making them difficult to access, and for connectivity How can we help Critical Infrastructure & Site Monitoring 21

24 22

25 23

26 Contacts from Deloitte Touche Tohmatsu India LLP Shree Parthasarathy Partner Maninder Bharadwaj Partner Gaurav Shukla Partner Santosh Jinugu Director 24

27 25

28 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms. This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited