Are Mobile Technologies Safe Enough for Industrie 4.0?

Similar documents
Cyber Security Brian Bostwick OSIsoft Market Principal for Cyber Security

Cyber Security Bryan Owen PE Principal Cyber Security Manager October 11, 2016

What s New in PI Security?

What s new in PI System Security?

ANATOMY OF AN ATTACK!

What s new in PI System Security?

Hardcore PI System Hardening

USING DEVICE LIFECYCLE MANAGEMENT TO FUTURE PROOF YOUR IOT DEPLOYMENT

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Secure Development Lifecycle

Security: The Key to Affordable Unmanned Aircraft Systems

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Combating Cyber Risk in the Supply Chain

IC32E - Pre-Instructional Survey

CSWAE Certified Secure Web Application Engineer

AGILE AND CONTINUOUS THREAT MODELS

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

K12 Cybersecurity Roadmap

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Keys to a more secure data environment

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

C1: Define Security Requirements

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Why Most IoT Projects Fail And how to ensure success with OSIsoft and Cisco Kinetic

Building Resilience in a Digital Enterprise

Securing the SMB Cloud Generation

How Next Generation Trusted Identities Can Help Transform Your Business

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Trends in Cybersecurity in the Water Industry A Strategic Approach to Mitigate Control System Risk

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

RiskSense Attack Surface Validation for Web Applications

the SWIFT Customer Security

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

IoT & SCADA Cyber Security Services

Security+ SY0-501 Study Guide Table of Contents

You knew the job was dangerous when you took it! Defending against CS malware

SOLUTION BRIEF FPO. Imperva Simplifies and Automates PCI DSS Compliance

Introducing MVISION. Cohesive Cloud-based Management of Threat Countermeasures and Devices Leveraging Built-in Device Controls. Jon Parkes.

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cybersecurity with Automated Certificate and Password Management for Surveillance

Keep the Door Open for Users and Closed to Hackers

OSIsoft Technologies for the Industrial IoT and Industry 4.0

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cloud Security Standards and Guidelines

Solutions Business Manager Web Application Security Assessment

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Addressing the elephant in the operating room: a look at medical device security programs

Certified Secure Web Application Engineer

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Cloud Security Standards Supplier Survey. Version 1

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Cybersecurity The Evolving Landscape

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Village Software. Security Assessment Report

Cyber Security - Information Security & Testing

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Base64 The Security Killer

Protect Your Organization from Cyber Attacks

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Internet of Things Security standards

INTERNET SAFETY IS IMPORTANT

Comptia.Certkey.SY0-401.v by.SANFORD.362q. Exam Code: SY Exam Name: CompTIA Security+ Certification Exam

Secure Access & SWIFT Customer Security Controls Framework

Challenges and. Opportunities. MSPs are Facing in Security

RiskSense Attack Surface Validation for IoT Systems

Jeff Wilbur VP Marketing Iconix

MOBILE DEFEND. Powering Robust Mobile Security Solutions

How to Develop Key Performance Indicators for Security

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Mobile Devices prioritize User Experience

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Internet of Things Toolkit for Small and Medium Businesses

Tripwire State of Cyber Hygiene Report

Advanced Security Tester Course Outline

CIS Controls Measures and Metrics for Version 7

Product Roadmap Symantec Endpoint Protection Suzanne Konvicka & Paul Murgatroyd

The Role of the PI System in IIoT. Dr Dominic John, VP of Marketing and Technical Communication

ABB Process Automation, September 2014

Achieving End-to-End Security in the Internet of Things (IoT)

CloudSOC and Security.cloud for Microsoft Office 365

Defense in Depth Security in the Enterprise

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

CIS Controls Measures and Metrics for Version 7

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Effective Strategies for Managing Cybersecurity Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

The Mobile Risk Management Company. Overview of Fixmo and Mobile Risk Management (MRM) Solutions

RBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

Identiteettien hallinta ja sovellusturvallisuus. Timo Lohenoja, CISPP Systems Engineer, F5 Networks

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 5 Host, Application, and Data Security

Transcription:

Are Mobile Technologies Safe Enough for Industrie 4.0? Presented by Bryan Owen PE

Mobile Technology is Awesome! Cameras Drone UAVs GPS Sensors Smart phones Wearables https://www.osisoft.com/presentations/geospatial-sensor---driven-analytics-using-drones/ 2

Optimize remote asset inspection use cases 3

Extend from inspection to Regulatory Monitoring 4

4G is Convenient and Fast Enough Availability ~50% Down speed ~20Mbps Up speed ~10Mbps Latency ~45 ms http://www.speedtest.net/awards/gb/london https://opensignal.com/reports/2016/10/uk/state-of-the-mobile-network 5

Lightweight Data Collection at the Edge over 4G Benchmark Tags ~1000 Scan ~1s Utilization ~5% Buffering (2 Servers) ~2days/GB ~20m/GB @10Mbps OSIsoft Buffer & Bandwidth Calculation Spreadsheet Interface Node Configuration What is the Interface node average scan rate? Estimated Network Throughput: Oct. 28th, 2013 Avg. scan rate (secs) : 1 Actual Peak Bytes / Second : 6,480 1,310,720 What is the Interface node tag count? Mbits / Second : 0.05 10.00 MBaud / Second : 0.01 2.50 Integer 16 : 0 PI Events / Second : 200 42,243 Total percent used : 0% 100% Integer 32 : 0 Float 16 : 0 Estimated Buffer Capacity: Float 32 : 900 Fill Drain In Hours : 53.9 0.3 Float 64 : 0 In Days : 2.2 0.0 In Weeks : 0.3 0.0 Digital State : 90 In Months : 0.1 0.0 String : 10 Fill (events/sec) : 200 Drain (events/sec) : 42,243 Avg. string size (bytes) : 140 Net (events/sec) : (42,043) Do you use exception? Exception ratio (%) : 10 Which kind of buffering do you use? Bandwidth and Buffer Usage What is your network speed? Please specify (Mbits/s) : 10 999999999 0 Network Latency (ms) : 50 Number of bits per baud : 4 Number of target PI Servers: 2 What PINS & PI Server versions are you using? What is your buffer file size / free disk space? Free disk space (MB) : 1000 Custom buffering settings? 6

What about Security Issues with Mobile Networks? Signaling System 7 All carriers Design flaw No quick fix Congress calls on Homeland Security to warn Americans of SS7 hacking threat Tech Crunch Mar 15, 2017 by Taylor Hatmaker (@tayhatmaker) 7

What about industrial protocols like Modbus? Vulnerable by design too (e.g. Force Listen Only Mode ) Active communication is turned off Waits forever until Restart Communications Option Script kiddie exploits in the wild Bad idea: Modbus over mobile networks If you must, restrict functions at device edge Better idea: IIoT gateway pattern (Intermediate PI Connector or Interface node) 8

Mobile might not be ready for Safety Critical IIoT security challenges are whatever devices cannot do safely until they can. Safety Critical Industrial Business Consumer

Use a Purpose Built Protocol for Data Collection Attack surface Restrict file transfer, KVM access, and scripts Read only mode Authentication Device identity, certificate or password Message Integrity Tamper detection and fail safe Message Privacy Occasionally required and good practice 10

A Kill Chain is recommended Attack complexity increases with each layer Maximize defender advantage PI Square: Hardcore PI Coresight Hardening

Defenses Commensurate with Capability Industrie 4.0 / IIoT Security Function Short Life Sensor Long Life Sensor Sensor Gateway Actuator Actuator Gateway Health Telemetry Network Defenses Identity Safeguards Device Management Data Integrity Observed security poverty line (eg compromised device management Mirai, StJude)

Malware Targeting Mobile Devices is a Growing Concern 2015 2016 2017 XcodeGhost Ghost Push AceDeceiver Gooligan Hummingbad Viking Hoard Pegasus Chrysaor Lipizzan Ad revenue Credential theft Credential theft Botnet Mass surveillance Data exfiltration Individualized surveillance 13

Industrial Mobility Security Risks LOGIIC Project 10 1. Common Risks in Native Applications 2. Common Risks in Web Applications 3. Platform Risk 4. Connectivity 5. Nature of Mobility 6. Device Handling 7. Supply Chain Components 8. Installation, Maintenance, and Management https://www.automationfederation.org/logiic/logiicprojects 14

Common issues for native applications (OWASP M7) Not using platform security features or security features missing from platform Examples: Certificate validation Certificate pinning Jailbreak detection Debug detection Automatic Reference Counting 15

Common issues for web applications May require a more sophisticated threat and effort to exploit with high impact Examples: Cross site scripting vulnerabilities Session handling and termination risks Mishandled cookies 16

Platform Risks (OWASP M1) At the time of testing, the attributes of the Android platform led to a greater attack surface than ios Examples: Transport Layer Security (TLS) version requirements Key handling Signature verification processes 17

Connectivity Perform a risk analysis, based on your own security objectives Examples: Connection to control systems Access options for internal and external audiences Connectivity for central management 18

Nature of Mobility (OWASP M2) Security and operational policy should be considered Examples: Protecting access to high-value data Situational awareness from outside the physical boundaries of a control center or site Management of numerous mobile devices 19

Device Handling Mobile devices can be difficult to fully protect, both physical security and unauthorized view. Examples: Shoulder surfing data or alerts Single-user devices may be necessary Decommissioning or reuse of a device 20

Supply Chain Components (OWASP M10) Neither vendor nor end user may have the ability to mitigate supply chain vulnerabilities Examples: 3 rd party components Application development tools Web frameworks 21

Lifecycle: Installation, Maintenance, and Management Installation and ongoing maintenance of any industrial solution should be considered at several levels. Examples: Server Application Users Devices 22

My internal report card for PI Vision Risk Grade Comment Native Applications A Browser based defenses are enabled Web Applications A PI Vision design incorporates LOGIIC findings Platform Risk A PI Vision runs on ios Connectivity A Control system safety is a priority for PI Vision Nature of Mobility B Sensitive data is protected, white paper available Device Handling C Assess improvement opportunities with customers Supply Chain B Dependencies are documented and maintained Lifecycle B Single app server scales to 100s of users 23

Overall findings from multiple assessments Mobility for industrial environments can be done securely if technical and design aspects are managed with appropriate security controls. 24

The PI System and PI Vision Mobile helps safeguard IT and OT assets. COMPANY and GOAL 1) OSIsoft, makers of the PI System 2) This project is about enabling valuable and safe mobile use cases for the PI System Company Logo Picture / Image CHALLENGE How do we know it s safe enough to use the PI System for mobile use cases? Mobile technology is inherently exposed to cyber threats. There is a general lack of industry vetted security guidance on IIoT and mobile use cases. SOLUTION Assess the maturity of mobile technology as part of an industry consortium project. The project reports on security characteristics of multiple mobile security architectures. Benchmark methods and effort to harden the PI System for IIoT and mobile use cases RESULTS The PI System and PI Vision mobile can be safely deployed for industrial environments. Architecture is a defining security characteristic Lifecycle support must be considered

References PI System PI Vision 2017: Installation and Administration guide KB01631 Security tips for PI Vision Bow Tie: Hardcore PI Coresight (now PI Vision) Hardening How secure are your PI Systems? A primer for PI System baselining PI Security Audit Tools Platform Claims-Based Architecture Windows Security Baselines Microsoft Security Guidance for IIS Installing an SSL Certificate in Windows Server Security Tool Test: Observatory by Mozilla OWASP Secure Headers Project 26

Thank You Mobile technology is too useful to wait. Get started now with PI Vision!

Contact Information Brian Bostwick Brian@OSIsoft.com Cyber Security Market Principal Bryan Owen Bryan@OSIsoft.com Principal Cyber Security Manager 28 28

Questions Please wait for the microphone before asking your questions Please remember to Complete the Online Survey for this session State your name & company 29

Thank You

High Level Bow Tie Analysis Client Attacks (solicited input) Tampering (sabotage) Social Attacks (credential theft) Server Attacks (unsolicited input) Cyber Security Event Information Theft (espionage) Abuse resource (pivot to target) 31

Bow Tie Diagrams: Introduced by Shell Engineering Bow-Tie Model ICS Security Bow-Tie Evaluating Cyber Risk in Engineering Environments: A Proposed Framework and Methodology https://www.sans.org/reading-room/whitepapers/ics/evaluating-cyber-risk-engineering-environments-proposedframework-methodology-37017

Bow Tie Attacks diagram & Defenses from PI Coresight Point of Analysis Impacts & Reductions Keep the bad guys out But if they get in, limit the damage

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback