Monitoring and Managing IIoT Security

Size: px

Start display at page:

Download "Monitoring and Managing IIoT Security"

Amos Bailey
5 years ago
Views:

Monitoring and Managing IIoT Security Dr.

4 Introduction Monitoring aggregates and stores a variety of types of data from running Industrial Internet of Things systems Enables analysis of current security events using different techniques Analysis allows actions such as proactive defenses, predictive defenses, detect and recovery, and forensics Monitoring, analysis and actions should be highly automated Monitoring and analysis also applies to the supply chain, a series of processes that may span organizations in producing a component of an IIoT system The monitoring and analysis system should be protected, and possibly segregated They should be tailored to other key system characteristics Safety: avoid interrupting critical processes Privacy: data collected needs to be evaluated Reliability and resilience: it should not modify processes behaviors 3 Copyright 2016 FUJITSU LIMITED

7 Security Monitoring & Analysis Behavioral/anomaly-based systems first learn the characteristics of normal operation. Once complete, the system generates alerts when tracked characteristics deviate significantly from that learned normal operation. Rule/signature-based analytics rely on a library of rules or signatures to identify suspicious behavior. When a set of security values is received that matches a rule, an 6 alert is raised. Copyright 2016 FUJITSU LIMITED

9 Special Considerations Brownfield Passive monitoring Detailed logging at gateways to legacy systems Supply chain integrity device (e.g., meter) module manufacturing/production (hardware/software) device module system integration device initialization/configuration setting by owner (provisioning) deployment of devices by entity/third-party in field (activation) periodic field updates of price and service info firmware upgrade and maintenance remote deactivation/reactivation (temporary) termination (end of life) Privacy considerations and regulations Metadata collected Traffic collected 8 Copyright 2016 FUJITSU LIMITED

11 Security Configuration & Management Changes to the environment and the discovery of new vulnerabilities and threats will require updates to policy, firmware and software IIoT security models should be dynamic and deployed in a secure and controlled manner Periodic security compliance reports are often mandated and certainly advisable. Network and endpoint configurations should be analyzed periodically to report deviations from all relevant policies and to summarize compliance postures Operational management updates should be controlled and logged 10 Copyright 2016 FUJITSU LIMITED

13 Security Configuration & Management Gather events based on the machine policy settings security event data is correlated, alarms triggered when security thresholds are exceeded, and automated responses executed to mitigate the security events. The automated responses may be as simple as setting an alert on a dashboard or sending an , or as complex as sending out new machine policy 12 Copyright 2016 FUJITSU LIMITED

15 Security Configuration & Management Operational management is the configuration of the operational functionality of the system and its endpoints Security management is the management of the security controls on an endpoint Operational management should be separated from security management so that security controls processes can evolve independently Secure operational management involves protecting the operational management process and functions 14 Copyright 2016 FUJITSU LIMITED

17 Safety in operational management Be aware of safety implications that traverse operational management systems Segregate operational networks with safety regulations Differentiate security from operational safety in operational management Avoid situations where system security is not updated due to safety impediments This may involve rethinking brownfield systems (use virtual machines, passive network monitoring, etc) 16 Copyright 2016 FUJITSU LIMITED

18 ENDPOINT CONFIGURATION & MANAGEMENT Software and firmware updates add security, safety, reliability or functionality features, especially in brownfield scenarios Use staging Have a well defined update policy Secure update of endpoints can be implemented using software or a combination of software and hardware Using hardware containers such as an HSM, TPM or other TEE is strongly recommended If not, cryptographic methods such as digital signatures Avoid manufacturers automatic software and firmware updates without control Use staging specially in OT systems Utilize gateways 17 Copyright 2016 FUJITSU LIMITED

19 Identity Management Identity management includes the processes and policies involved in managing the lifecycle and value, type and optional metadata of attributes in identity Identity management should contain other characteristics such as privacy automotive identities Use standards ISO/IEC Entity Authentication Assurance Framework NIST , Recommendation for Key Management.. Create an identity centric lifecycle management for identities 18 Copyright 2016 FUJITSU LIMITED

Example: Industrie 4.0 Source: Secure Identities https://www.plattformi40.

22 Conclusions Managing and monitoring IIoT has unique challenges such as Brownfield vs. greenfield Preserving safety, privacy, etc Identities The security framework provides the building blocks and best practices for implementation Adoption in different IIoT verticals will provide additional information for implementers IIC testbeds New security technologies Industrie 4.0 Unique opportunity to add security as part of the engineering process 21 Copyright 2016 FUJITSU LIMITED

IIC World Tour - Turin: Security Working Group Briefing. Nisarg Desai Product Manager, GlobalSign

IIC World Tour - Turin: Security Working Group Briefing Nisarg Desai Product Manager, GlobalSign Security Working Group Charter Group Mission Scope The purpose of the Security Working Group, is to address