Internet of Things (IoT) Securing the Connected Ecosystem

Transcription

1 Internet of Things (IoT) Securing the Connected Ecosystem June 2018

2 Making sense of the buzzwords: What is the Internet of Things Internet of Things (IoT) refers to a world of intelligent, connected devices that generate data for automating business processes and enabling new services Physical devices and objects intelligently connected Things Process Delivery of the right information to the right place at the right time Connection of people in more relevant and valuable ways People IoT Analytics Individual data streams are processed and analyzed with algorithms Copyright 2018 Deloitte Development LLC. All rights reserved. 2

3 IoT and The information value loop Increasingly, organizations are developing approaches to managing data, leveraging brownfield infrastructure, and developing new business models. Augmented Behavior Sensors THINGS Act MAGNITUDE APPLICATIONS Analyze Scope Scale Frequency RISK Security Reliability Accuracy TIME Latency Timeliness Create Augmented Intelligence Network Aggregate Communicate Standards Copyright 2018 Deloitte Development LLC. All rights reserved. 3

4 Challenges Facing IoT and Industry 4.0 Strategies The need to digitalize and automate operations is now widely recognized as an opportunity for competitive advantage, but various challenges are impacting adoption. Skills shortage and resistance to outsourcing Concerns over cybersecurity and data Lack of a clear, phased, strategic plan Lack of collaboration within the culture Lack of access to proof points Need for large-scale and rapid investment Source: Siemens Financial Services, Practical Pathways to Industry 4.0, Spring 2018 Copyright 2018 Deloitte Development LLC. All rights reserved. 4

5 IoT and Increased Cyber Risk Copyright 2018 Deloitte Development LLC. All rights reserved. 5

6 Innovations driving rapid growth also create complex cyber risks In a world increasingly driven by inter-connected digital technologies and information, cybersecurity is more than just a strategic imperative, it is a fundamental part of doing business. Evolution of Internet of Things (IoT) Innovations Before interconnectivity Evolution Present Day Before interconnectivity, exposure involved breaching the physical security associated with the device (e.g., physical theft, physical damage to equipment, or product espionage) As systems advanced and were attached to networks, newer points of exposure were introduced to the already vulnerable systems. Technology now includes ever more complex, configurable, embedded processors and increased interconnectivity creating a myriad of newer innovative yet significant threats. Cyberspace New assets Cyber attacks The interconnected network of systems and assets (physical or virtual), that includes data, human resources, telecommunications networks, computer systems, etc. The continuously evolving complexity of hardware/software components of cyberspace makes these assets the crown jewels of an organization; particularly data that once used to be physical such as personal information, intellectual property, etc. Having recognized the value of these assets and the difficulty faced by organizations in dealing with the new threats, various actors are seizing the opportunities to exploit weaknesses to gain access to sensitive information. Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 6

7 The rise of IoT cyber risks today Environmental and industry factors Increased connectivity: Organizations are moving toward IoT by adding more complex features and network connectivity to their products to stay competitive and meet customer demand. New valuable digital assets: Digital assets including customer data, employee data, intellectual capital, etc., are increasing in size and number as the systems on which they are stored become virtualized and interconnected. As more data accumulates through the use of IoT devices, it often also becomes more valuable. Motivated attackers: Adversaries have promptly recognized the value of digital assets and have become more and more motivated to steal that data or disrupt operations for their own advantage. Increased connectivity New valuable digital assets Motivated attackers Unsecure technology & processes Complacency Limited resources Lack of awareness IoT Cyber Risk Factors that lead to security weaknesses Unsecure technology & processes: Many organizations often do not take security into account for their processes and technology. Lack of awareness Many organizations lack an understanding of cyber threats and the need for proper cyber security to protect against threats. Complacency: Many organizations have an over reliance on existing IT security processes and tools that may not apply well to new IoT technologies. Limited resources: Many organizations lack appropriately skilled resources or strength in the existing IT organization to focus on addressing IoT-related cyber security issues. Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 7

8 The four attack vectors of the cyber threat actor Physical Supply Chain: The ability to sabotage the supply chain in order to compromise computer equipment. Physical Infrastructure Nodes: The technology and capabilities to compromise physical nodes to include cell infrastructure, switching centers, SATCOM, WiMax, Antennas, Radio Relay, etc. Physical Infrastructure Links: The technology and capabilities to compromise physical links to include fiber optic cable, RF signals, wireless signals, coaxial cable, telephone lines, satellite signals, microwave signals, etc. Human Social Engineering: The use of three virtual, physical, and interpersonal techniques designed to deceive an organization into taking an unintended action. The Insider: The ability to leverage pre-existing personnel within an organization or to physically insert operators into an organization in order to directly carry out threat operations. Coercion: The ability to leverage threats, bribery, emotional appeals, and ideological reasoning to infiltrate organizations with highly sensitive information contained within their networks. Logical Periphery Adjacent to Network Perimeter: The ability to leverage access and attack methodologies against an organization s network perimeter and firewall settings in order to find holes and infiltration vectors. Local Inside the Network: The ability to compromise applications, operating systems, and computing equipment that resides within the boundaries of an organization s network. External Outside the Network: The ability to compromise an organization by determining which external websites are used; subsequently compromising those sites and using them as infiltration vectors. Economic Acquisition: The process of acquiring needed access through mergers, buy outs, or the use of monetary instruments to buy access to a select network or type of data via the open market, black market, or some other kind of trade/exchange relationship. Development: The ability to conduct business development activities within a country for the purpose of using built infrastructure to facilitate a collection apparatus. Sanction: The use of economic denial to force an entity into making a business purchase decision that can, in turn, be manipulated by an adversary to enable access opportunities. Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 8

9 With new innovative IoT functionality comes new cyber risks By integrating the networking strength of IoT with exponential technologies like robotics and 3D printing, they are on a path to realizing scenarios like this one: Intercept and use information maliciously or alter message to cause delays / confusion Intercept or alter signal to create delays. Use vulnerable 3D printer as entry point to infiltrate the broader supply chain network Autonomous vehicle is disabled or controlled remotely to endanger lives / damage equipment on the tarmac The wireless connection is flooded and results in a denial-of-service attack In-air detection and notification On-demand supply chain Connected, autonomous tarmac Connected Employee In mid-flight, an aircraft part recognizes it is not functioning properly. The aircraft sends a message to the ground about the malfunctioning part for repair upon arrival. The part used in the repair will need to be replaced upon landing, so before arrival, a 3D printer at the arrival airport receives a signal to print the part. The printed part should be delivered to the arrival gate. An autonomous vehicle picks it up and makes the delivery. The mechanic uses heads-up display eyeglasses to view reference documents from the cloud. Using a borescope connected to a wireless tablet, the mechanic streams live video to a remote engineer allowing the repair and inspection to benefit from the engineer s authority without the need for travel. As a result, the aircraft is able to leave on time. Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 9

10 Audit Considerations Copyright 2018 Deloitte Development LLC. All rights reserved. 10

11 Audit scope What is the typical scope of an IoT security audit? In order to audit the current state of the organization s IoT security processes and provide recommendations against specific security requirements leveraging industry leading practices, the below activities should be considered: Obtain and assess the completeness of policies, standards, and procedures compared to leading practices Interview personnel responsible for security functions and perform procedural walkthrough interviews to understand the policies, standards, and procedures in place: o o o o o o Governance Security & privacy risk management Security event handling External communications Security education & training Program monitoring Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 11

12 Governance and leadership What governance is in place for securing IoT devices across the organization? Sample Audit Considerations What is the governance model around IoT security? Is there a single governance model in use and is it driven down from the top? Are groups from across the organization included in the governance model and operations? Is there a program framework that includes the future state vision? Is a strategy and roadmap in place to achieve future state goals? Is an overarching IoT security policy in place? Are security gates included throughout the device lifecycle (e.g., acquisition) where cybersecurity's signature is required? Security Risk Security Event Handling Security Education and Training Governance Privacy Risk External Communications Program Monitoring Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 12

13 Security and privacy risk management What risk management processes are in place regarding security and privacy? Sample Audit Considerations Are there formalized security and privacy IoT requirements? Are security and privacy requirements provided to manufacturers during IoT device procurement? Are security and privacy risk assessments and technical security testing completed for IoT devices during procurement and periodically once fielded? Are risk management thresholds established for triggering risk management decisions (accept, mitigate, transfer, avoid)? Are both program- and device-level security and privacy assessments completed prior to procuring IoT devices? Security Risk Security Event Handling Security Education and Training Governance Privacy Risk External Communications Program Monitoring Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 13

14 Security event handling What processes are in place to keep IoT devices safe and secure once fielded? Sample Audit Considerations Does the organization subscribe to threat and information sharing feeds? Is a software-bill-of-materials (SBOM) obtained from the manufacturer and used to identify vulnerabilities at the software level? Is there a process and mechanism in place to identify and rollout patches as permitted by service level agreements? Is a process in place to handle security events once identified and feed incident handling as appropriate? Is a process in place to handle security incidents? Is technology in place to monitor for IoT device security events and incidents? Security Risk Security Event Handling Security Education and Training Governance Privacy Risk External Communications Program Monitoring Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 14

15 External communications What information is exchanged with and obtained from external parties and how is it handled? Sample Audit Considerations What information is requested from the manufacturer for each of the organization s IoT devices? Does the organization centrally store IoT device security attribute information in a central repository? Does the organization participate in information sharing groups, standards setting bodies, and conferences? How are inquiries from external parties handled and who is typically involved in generating responses? Are security points of contact identified for each manufacturer within the manufacturer s corporate IoT/product security or R&D team? Security Risk Security Event Handling Security Education and Training Governance Privacy Risk External Communications Program Monitoring Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 15

16 Security education and training What security training is provided to personnel to assist with securing IoT devices? Sample Audit Considerations Is security awareness training delivered to IoT security practitioners and other specific stakeholders across the organization? Are secure development lifecycle and privacy-by-design training delivered to IoT security personnel? Is training provided on each of the organization s IoT security processes and when that process should be completed in the device lifecycle? Is a mechanism in place to track the effectiveness of the provided training? Is a competency-based learning (CBL) model in place to configure training per role, level of experience, and knowledge? Security Risk Security Event Handling Security Education and Training Governance Privacy Risk External Communications Program Monitoring Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 16

17 Program monitoring What processes are in place to know how well the IoT security program is performing? Sample Audit Considerations Are key performance indicators for IoT security operations established, collected, and reported to leadership? Is a risk-based IoT device inventory in place, which consists of select security information including, but not limited to device risk profiles and previous security risk history? Is a program audit and assessment framework in place to identify if processes are being followed and are performed in alignment with industry leading practices? Security Risk Security Event Handling Security Education and Training Governance Privacy Risk External Communications Program Monitoring Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 17

18 Next steps Copyright 2018 Deloitte Development LLC. All rights reserved. 18

19 Top 5 Initiatives to Secure IoT Environments The following categories have been identified as having the highest positive impact to organization s cyber risk profile. 1 Business and IT Alignment (Improved Governance Processes) 2 Improved Network Visibility 3 Extend Network Segmentation and Vulnerability Capabilities 4 Improved of Powerful IDs and Vendors 5 Integrating IT and IoT security and threat management programs and platforms Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 19

20 What actions can be taken What are some of the takeaways and actions that can be considered to address the complex issues that are being created? What can be done now to help mitigate an organization s cyber risk? Conduct an audit of your current state IoT security organization to assist with the development of a strategy and roadmap to enhance security capabilities Establish a risk-based inventory of your IoT devices to allow for prioritization, analysis, remediation, and monitoring Hold IoT device manufacturers accountable to include cybersecurity within the design of their products by leveraging secure procurement processes Integrate cybersecurity into your procurement processes to better under the risk of the IoT devices you are fielding as well as what your own responsibilities are in securing the device Participate in security standards setting group/body meetings in order to have a major input into new standards before they are arbitrarily developed for your industries Copyright 2018 Deloitte Development LLC. All rights reserved. 1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: 20

21 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the Deloitte name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see to learn more about our global network of member firms. Copyright 2018 Deloitte Development LLC. All rights reserved.