Industrial Security Co-Sourcing: Shifting from CapEx to OpEx Presented by Vinicius Strey Manufacturing in America 03/22-23/2017

Size: px

Start display at page:

Download "Industrial Security Co-Sourcing: Shifting from CapEx to OpEx Presented by Vinicius Strey Manufacturing in America 03/22-23/2017"

Clarence Austin
6 years ago
Views:

1 Industrial Security Co-Sourcing: Shifting from CapEx to OpEx Presented by Vinicius Strey Manufacturing in America 03/22-23/2017 Unrestricted Siemens 2017 usa.siemens.com/mia

2 Table of contents Industrial Security s Hidden Challenge 3 The Sourcing Problem 8 Building an Effective Sourcing Strategy 12 My Contribution to My Organization 16 Siemens Industrial Security Approach 18 Q&A / Discussion 22

3 Table of contents Industrial Security s Hidden Challenge 3 The Sourcing Problem 8 Building an Effective Sourcing Strategy 12 My Contribution to My Organization 16 Siemens Industrial Security Approach 18 Q&A / Discussion 22

COMPLEXITY Challenge #2: The Budget Issue I was approved just 20% of the budget I need this year to

4 Typical Challenges: Security is a complex and adaptive system! SCALE Challenge #1: The Corporate Mandate We have to protect our plants against cyber attacks. COMPLEXITY Challenge #2: The Budget Issue I was approved just 20% of the budget I need this year to develop my industrial security program. Challenge #3: The Maintenance Issue It s getting hard to maintain and rationalize our industrial security infrastructure

Typical Challenges SCALE Technology will help you a lot on how to handle with the scale. Security systems are typically highly scalable and will help you to maintain your security baseline.

5 Typical Challenges SCALE Technology will help you a lot on how to handle with the scale. Security systems are typically highly scalable and will help you to maintain your security baseline. Key Message: The success of a security program is on the staff, not the tools COMPLEXITY Complexity will ultimately rely on the people. People have to comply with processes. People will operate and configure the technology. People will have to handle unexpected security situations.

6 The Hidden Challenge: Workforce

The Hidden Challenge: Workforce Source Ponemon Institute Critical Infrastructure: Security Preparedness and Maturity Survey 43% 33% 17% 7% Early Stage Middle Stage Late Stage Mature Stage Definition

7 The Hidden Challenge: Workforce Source Ponemon Institute Critical Infrastructure: Security Preparedness and Maturity Survey 43% 33% 17% 7% Early Stage Middle Stage Late Stage Mature Stage Definition Many security activities have been defined but not deployed Security activities are defined but only partially deployed Many security activities are deployed Most security Activities are deployed Characteristics Not focused on OT security 0 or 1 person dedicated to OT No dedicated OT technologies Full transparency into the assets Partially secured OT environment Dedicated OT security program

8 Table of contents Industrial Security s Hidden Challenge 3 The Sourcing Problem 8 Building an Effective Sourcing Strategy 12 My Contribution to My Organization 16 Siemens Industrial Security Approach 18 Q&A / Discussion 22

9 What s Being Outsourced Source

10 Common Mistakes/Myths

In-House Co-Sourcing One-time invest USD 70,000 USD 50,000 Yearly USD 160,000 USD 30,000 Total (first year): USD 230,000 USD 80,000 Total (second

11 Comparison of Sourcing for Security Monitoring USD 150,000 USD 50,000 USD 50,000 USD 30,000 yearly one time one time yearly Salary for 1 employee Components and Installation Components and Installation Annual Fee USD 10,000 yearly USD 20,000 Pure In-House one time Trainings costs for 1 employee In-House Co-Sourcing One-time invest USD 70,000 USD 50,000 Yearly USD 160,000 USD 30,000 Total (first year): USD 230,000 USD 80,000 Total (second year): USD 160,000 USD 30,000 Key Message: Co-Sourcing is very attractive. Asset owners save money and reduce risks by outsourcing some activities. Co-Sourcing

12 Table of contents Industrial Security s Hidden Challenge 3 The Sourcing Problem 8 Building an Effective Sourcing Strategy 12 My Contribution to My Organization 16 Siemens Industrial Security Approach 18 Q&A / Discussion 22

13 Criteria to Support Sourcing Strategy Activity/Process causes anxiety to the staff Staff doesn t want to perform this activity/process Activity/Process causes satisfaction to the staff Staff wants to perform this activity/process Activity/Process has lower impact on business Activity/Process is not core Activity/Process has high impact on business Activity is core

14 Criteria to Support Sourcing Strategy Activity/Process demands specific knowledge or product specialization Activity/Process doesn t demand specific knowledge or product specialization Activity/Process can be performed with lower service costs by another partner Activity/Process can be performed with lower service costs by in-house staff

15 Use Case for a Given Customer: Incident Response Levels Anxiety Satisfaction OUTSOURCE Non-Core/ Low Impact High Core / High Impact Low IN-HOUSE Incident Response 3 rd Level Elite Squad 2 nd Level Specialized Teams Outsource In-House 1 st Level Single Point of Contact Outsource Outsourcing Attractive In-House Attractive

16 Table of contents The Challenge 3 The Sourcing Problem 8 Building an Effective Sourcing Strategy 12 My Contribution to My Organization 16 Siemens Industrial Security Approach 18 Q&A / Discussion 22

My Contribution to My Organization Corporate Level Operations/Maintenance Manager Operations/Maintenance Engineer Supervise security for industrial environment.

17 My Contribution to My Organization Corporate Level Operations/Maintenance Manager Operations/Maintenance Engineer Supervise security for industrial environment. Established security business units should take plant-floor risks into consideration. Security has reached the plant-floor and it is not pure IT business. There is a need for change management support. The development of security skills is valuable to support your organization. IT Security Practitioner Validate your sourcing strategy for IT on OT considering specific industrial requirements.

18 Table of contents Industrial Security s Hidden Challenge 3 The Sourcing Problem 8 Building an Effective Sourcing Strategy 12 My Contribution to My Organization 16 Siemens Industrial Security Approach 18 Q&A / Discussion 22

and VPN System integrity System hardening Authentication and use administration Patch management Detection of attacks

19 Siemens Security Plant security Physical access protection Processes and guidelines Security service protecting production plants Security threats demand action Network security Cell protection, DMZ and remote maintenance Firewall and VPN System integrity System hardening Authentication and use administration Patch management Detection of attacks Integrated access protection in automation Security solutions in an industrial context must take account of all protection levels

Plant Security Services IEC 62443 Assessment ISO 27001 Assessment SIMATIC PCS 7 and WinCC Assessment Risk and Vulnerability Assessment Industrial Security Monitoring Remote Incident Handling

20 Plant Security Services IEC Assessment ISO Assessment SIMATIC PCS 7 and WinCC Assessment Risk and Vulnerability Assessment Industrial Security Monitoring Remote Incident Handling Perimeter Firewall Management Perimeter Firewall Review Anti Virus Management Whitelisting Management Patch and Vulnerability Management Security Awareness Training Security Policy Consulting Network Security Consulting Perimeter Firewall Installation Clean Slate Validation Anti Virus Installation Whitelisting Installation System BackUp Windows Patch Installation

Elektronikwerk Amberg Implementation and operation of Industrial Security Monitoring Challenge Highly sensitive IT-controlled processes Fully networked automation environment Comprehensive data flow

21 Elektronikwerk Amberg Implementation and operation of Industrial Security Monitoring Challenge Highly sensitive IT-controlled processes Fully networked automation environment Comprehensive data flow and database Protection against industrial espionage, manipulation and hacker activities Bild & Logo Solution Implementation of Defense in Depth with S and SCALANCE S using TIA Portal. Monitoring of security-relevant events Monthly status report on plant and system security Recommendations for optimizing the level of protection Profile Elektronikwerk Amberg is a prime example of a digital factory. The factory uses cutting-edge technologies to produce approximately fifteen million SIMATIC products each year. Benefit Protection of networks and TIA components according to the defense-in-depth security concept Solid, in-depth security information thanks to Security Information and Event Management (SIEM) Continuous optimization of the security concept

22 Table of contents Industrial Security s Hidden Challenge 3 The Sourcing Problem 8 Building an Effective Sourcing Strategy 12 My Contribution to My Organization 16 Siemens Industrial Security Approach 18 Q&A / Discussion 22

23 Thank you for your attention! Vinicius Strey DF PLDS (Data Services) 4800 North Point Pkwy Alpharetta, GA Mobile: +1 (470)

24 Security Information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under

Plant Security Services Protecting productivity in the digital era October

Plant Security Services Protecting productivity in the digital era October2017 Restricted www.siemens.com/plant-security-services Internet of (hacked) Things Page 2 Use case - No OT cybersecurity company