The cybersecurity platform for industrial small and medium-sized enterprises (SME) Andreas Harner, Head of

Transcription

1 The cybersecurity platform for industrial small and medium-sized enterprises (SME) Andreas Harner, Head of

2 What is a Computer Emergency Response Team (CERT)? A CERT (sometimes called Computer Security Incident Response Team (CSIRT)) is a team of computer experts that helps to coordinate IT security incidents, e.g. new vulnerabilities, new viruses, or even new attacks publishes warnings proposes approaches to solutions supports the information exchange between analysists, operating companies, component suppliers, There are CERTs working for one (big) company only working for the government CERT@VDE works for the German automation branch (manufacturers, suppliers, customers ) VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 2

3 Industrial IoT (IIoT) or Industry 4.0 IT based automation devices based on classic operation systems classical fieldbuses replaced by Ethernet-based buses Worldwide access to the sensors: through the Cloud! Process-IT (PIT) Office-IT shop-floor office-floor 5/26/2018 VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 3

4 need of a coordinating PSIRT in Germany for ICS Common Position:.we, the SMEs of the Industrial Automation need a trustworthy, neutral, independent platform based on an institution with a well-known reputation VDE e.v. (registered association, non-profit) Within European time zone able to speak German able to speak Automation 5/26/2018 VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 4

5 Scope of Process-IT (PIT) Office-IT shop-floor office-floor VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 5

6 The VDE e.v. - Association for Electrical, Electronic & Information Technologies Science,Technology, Innovation Standardisation Test, Certification Knowledge transfer in the VDE network of experts Partner for educational and technological policies Youth development VDE DKE is the German member of IEC and of CENELEC Interoperability Safety Security - Usability non-profit 5/26/2018 VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 6

7 Historical insertion, or why VDE? 1879 Foundation of the first Berliner Elektrotechnik- Vereins : Proposed by Werner v. Siemens: Safety for electrical systems Exchange of information between power operators and manufacturers Fußnote: Von Unknown, dead. - Scan from Original, Gemeinfrei Quelle: Foundation of VDE (by Adolf Slaby and Georg Wilhelm von Siemens) Electrical Safety Functional Safety Cybersecurity 5/26/2018 VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 7

8 Today s situation: vulnerability handling in SMEs unorganized approaches no access to the CERTcommunity no / limited resources for vulnerability handling no PSIRT no routine in interacting with CERTs SMEs feel overstrained (CVSS, CVE,..) vulnerability handling of ICS products in SME no trusting instance in Germany restricted trust in governmental organizations ICS Cert speaks English and is not in the European time zone reactions happen secretly: no collaboration no exchange of information no cross-company interaction many partial solutions 5/26/2018 VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 8

9 Further drivers for Technical threat level Economic importance Political situation Standards VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 9

10 Germany: National Cybersecurity-Strategy (2016) 1 Increase - Protect enterprises - Foster economy 2 the ability to analyze and to react on cyber threats to fight against cyber espionage and cyber sabotage - Colaboration of providers Strengthen CERTstructures: - Involvement of external IT-security expertise Attract resources and personnel VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 10

11 IEC 62443: Normative requirements in standards for industrial security General 1-1 Technology, concepts and models 1-2 Master Glossary of terms and abbreviations 1-3 System security compliance metrics 1-4 System security lifecycle and use case Policies and procedures 2-1 Requirements for an IACS security management system Ed 2.0 Profile of ISO 27001/ Implementation guidance for an IACS security management system 2-3 Patch management in the IACS environment (TR) System 3-1 Security technologies for IACS (TR) 3-2 Security risk assessment and system design 3-3 System security requirements and security levels Component 4-1 Secure product development lifecycle 4-2 Technical security requirements for IACS products 2-4 Requirements for IACS solution suppliers Definitions Metrics Security Requirements for plant owner and suppliers Process requirements Security Requirements for a secure system Security Requirements for secure components Functional requirements Dr. Lutz Jänicke / SPS: CERT@VDE /

12 Closing the gap: has own production: is an operator too! Manufacturer (HW und SW) has own production: is an operator too! Machine builder or Integrator Operator (asset owner) national /international CERT community VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 12

13 Added values for cooperation partners cross-company discussions and interaction on the trustworthy and secure environment of (anonymous, if required) motivates to collaborate! information hub between CERT community and automation industry improved information exchange between manufacturers, operators, integrators Responses to threats/detected vulnerabilities: structured and faster! Single Point of Contact: for operators to find contact persons of the manufacturers operators find published security information of all their suppliers in one place for manufacturers to address customers and integrators using their products take over the communication with other CERTs (e.g. ICS-CERT) for the constituency take over the communication with reporters of vulnerabilities ( White-Hats ): Coordinated Disclosure collection and provision of industry-specific security information for the constituency 5/26/2018 VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 13

14 Added values for cooperation partners II. coordination when fixing vulnerabilities and support on publication of advisories. CVE number assignment (lack of routine in SMEs dealing with CVSS) elaborate Best Practices by the constituency, for the constituency events and workshops for the automation industry to promote the importance of CERTs image boost for the cooperation partners institutionalization of PSIRT structures inside the SMEs is encouraged VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 14

15 Status of Team: 1 Head 2 IT-Sec-Managers 1 BDM + marketing Web: Advisories Collaboration platform based on Mattermost Member: - Deutscher CERT Verbund - Accredited in TI-TF-CSIRT VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 15

16 Thank you for your attention! Andreas Harner Head of Phone: VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 16

17 Support contribution: sliding scale depending on turnover Turnover / a [Mio ] Support contribution [ /a] Quelle:... Fußnote: VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. 17