Cybersecurity for IoT to Nuclear

Seminar Series

Cybersecurity for IoT to Nuclear
Fred Cohn, Program Director
Property of Schneider Electric

Who Am I?
- Program Director, Schneider Electric Product Security Office
- Cybersecurity Strategy
- Process (SDL) Deployment and Governance
- PSIRT: Incident Response, Vulnerability Management, Threat Intelligence
- Previous background: Industrial Control, Programmable Logic Controllers, Industrial Networking
- How did I get involved in security? A funny thing happened...

Who is Schneider Electric?
Schneider Electric in figures:
- ~25 billion in sales in FY2016
- 144,000+ employees in more than 100 countries
- ~5% of revenues devoted to R&D
About our Company: Schneider Electric is the global specialist in energy management and automation. With revenues of ~25 billion in FY2016, our 144,000+ employees serve customers in over 100 countries, helping them to manage their energy and process in ways that are safe, reliable, efficient and sustainable. From the simplest of switches to complex operational systems, our technology, software and services improve the way our customers manage and automate their operations. Our connected technologies reshape industries, transform cities and enrich lives.

Schneider Electric Offers
- Data Centers: UPS, Power Management, Cooling
- Building Management: Temperature Control, Access Control, Metering and Protection
- Electric Utility: Protective Relays, Substation Controllers, Transformers
- Industrial Control: Sensors and Actuators; Variable Speed Drives and Motor Control; PLCs, Motion Controllers, and RTUs; DCS; Safety PLC and Shutdown Systems

IT vs. OT: Schneider Electric Lives in Both Worlds
OT = Operations Technology
- Simple answer: IT controls electrons (bits & bytes); OT controls molecules (things)
- More complicated answer: OT leverages IT technologies (Ethernet, WiFi & Internet stacks) to connect intelligent devices, controllers, and software in order to Monitor, Alarm, Control, Protect
- Control-centric vs. data-centric

OT is a Soft Target for Cyber-based Attackers
Why is OT a soft target?
- Older systems; insecure by design
- Owners don't have the same cybersecurity skills
- OT system lifecycle 5-10x longer than IT system lifecycle
- Shared systems tend to share passwords
- Naivete! "We aren't threatened! Who would attack us? What are they going to do, change the building temperature?"
- Security by obscurity!
- Systems tend to remain unpatched: too risky to patch!
Good news, if there is any?
- A system attack requires much more process knowledge than a typical IT system
- Systems are designed to fail to a safe condition

IoT for OT = IIoT
- IIoT: same principles as IoT, but different (additional) risks
- Industrial IoT: applying the concept of IoT to industrial/commercial control:
  - Cloud-based Building Management System
  - Facility Monitoring
  - Remote Maintenance
  - Remote Asset Management
  - ADR: Automated Demand Response
  - WAGES tracking
  - Remote robotic surgery. Yikes!

Risks of IIoT
- Personal data can be compromised
- Equipment can be attacked and essential functions can be interrupted
- Data can be manipulated or modified
- Equipment can be damaged!
- Life safety can be impacted!

Schneider's R&D Approach: It's a Journey
- Standards-based development practices
- Consistency Rules
- Bricks and Platforms
- Innovative designs suited for our markets
- Research to apply IT security practices/technologies to OT environments

Standards-Based Development Approach
- Corporate policy that all R&D projects must follow the SDL
- Initially based on ISO 27034, while a few groups leveraged ISASecure
- Migrating to IEC 62443-4-1 for all R&D
- ISO 30111 for vulnerability management
- SE IT organization embracing the methodology
- Some R&D departments are SDLA certified

IEC 62443-4-1 Practices
- Security Management
- Security Requirements
- Secure by Design
- Secure Implementation
- Secure Verification and Validation
- Defect Management
- Security Update Management
- Security Guidelines

Consistency Rules
Rules that govern technical choices:
- Marketing or technical
- All segments or segment-based
- Factored into requirements and checked at an early development stage
Examples (in development):
- Robustness testing
- Software signing
- Firmware signing
- Secure Boot

Bricks and Platforms
Consistency Library Documents:
- Consistency Rules
- Code References
- Bricks
IoT Platform for Hosted Services (EcoStruxure):
- Communication services
- User AuthN and AuthZ
- Data storage
- Application interface services

Innovative Designs: Applying IT Principles to the OT Environment
- Software, Device, and Patch Integrity
- User-to-Machine Authentication and Authorization
- Machine-to-Machine Authentication and Authorization
- Device Authenticity
- Device Replacement
- Safety
- Logging and Auditing
- Robustness

Integrity
- We developed a Software Signing Utility to assist development teams
  - Using commercial MPKI; Microsoft (or Java) code signing techniques
  - Upgrade underway to keep up with Microsoft
- We developed our own Firmware Signing using self-signed MPKI
  - Still immature, but evolving
  - Adoption challenges for our R&D
  - Issues with authentication infrastructure in the customer environment
- Patch Signing: depends on software vs. firmware
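As an added illustration (not Schneider's signing utility), the device side of the firmware signing scheme above in Go: the build signs a digest of the image, and the device refuses any image whose signature does not verify under the pinned vendor key. The keys are generated in memory, and the image bytes and package layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SignedImage is a constructed firmware package layout: the image plus a
// detached Ed25519 signature over the image's SHA-256 digest.
type SignedImage struct {
	Image, Signature []byte
}

// NewVendorKey stands in for key generation inside the vendor's MPKI.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage is the build-side step. Signing the digest rather than the raw
// image keeps the signed message small and fixed-size.
func SignImage(priv ed25519.PrivateKey, image []byte) SignedImage {
	digest := sha256.Sum256(image)
	return SignedImage{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyImage is the step a bootloader or updater runs before flashing:
// recompute the digest and check it against the pinned vendor public key.
// Any failure refuses the image; there is no "install anyway" fallback.
func VerifyImage(pub ed25519.PublicKey, s SignedImage) error {
	if len(pub) != ed25519.PublicKeySize || len(s.Signature) != ed25519.SignatureSize {
		return errors.New("malformed key or signature")
	}
	digest := sha256.Sum256(s.Image)
	if !ed25519.Verify(pub, digest[:], s.Signature) {
		return errors.New("firmware signature invalid: refusing to install")
	}
	return nil
}
```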

Authentication and Authorization
- All agree on the value of certificate-based authentication for U2M and M2M
- Working on a standard approach to allow for interoperability
- Trying to standardize designs, including Secure Elements for future needs
- Standard crypto library available for all developers
  - Biggest issue is confusion over export/import licensing
- Authorization schemes vary; difficulty with convergence
  - Based on roles
  - Include the role in the device certificate, or
  - Centralize system authorization roles

Device Replacement
- Consistently the biggest barrier to applying security technologies and practices
- How can a failed device be replaced at 3:00 AM?
- Two approaches:
  - System Security Appliance: manages user access, roles, and asset inventory
  - Use certificates in the device: provide a standards-based CA; use standard mechanisms for certificate deployment through CET
- Working on CET code changes and user documentation
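Two points from the slides above, a role carried in the device certificate (Authentication and Authorization) and a standards-based CA that enrolls a replacement device (Device Replacement), combined in one added Go example that is not Schneider's code: an in-memory CA stands in for the plant CA, the device certificate carries its role in the OU, and the relying side derives the role only after the chain verifies. The CA, device names and the OU-as-role convention are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert issues a certificate for subject under parent, or self-signs a root when
// parent is nil. Keys are in memory here; real CA keys live in an HSM, device keys on the device.
func newCert(subject pkix.Name, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // no issuer: make a self-signed root that may sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// RoleOf is the relying side: the OU role is trusted only if the certificate chains to the plant CA.
func RoleOf(ca, presented *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err // any verification failure is a deny
	}
	if ou := presented.Subject.OrganizationalUnit; len(ou) == 1 {
		return ou[0], nil
	}
	return "", errors.New("certificate carries no single role")
}
```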

Logging and Auditing
- Created internal standards for logging methods and format for embedded devices
  - Standard format
  - Protected from modification
- Adoption has just started; limited experience for embedded devices

Secure Industrial Communications
- Protect confidentiality and integrity
- Secure Modbus: based on TLS; being submitted to Modbus.org
- Secure EtherNet/IP: being managed by ODVA

Robustness
- Network protocol fuzz testing to prevent DoS
  - Standard TCP and UDP
  - Some industrial protocols
- Standardized on Achilles test; certify devices
- Alternative: Codenomicon, but no device certification available
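An added example, not Schneider's or Achilles' test code, of what the fuzz testing above looks for in an industrial protocol stack: a Modbus/TCP (MBAP) frame parser that validates each header field before using it, plus a small mutation harness that truncates and corrupts frames and counts panics. The frame bytes and the harness are constructed for this illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/rand"
)

type ADU struct {
	Transaction    uint16
	Unit, Function byte
	Data           []byte
}

// ParseADU checks every field before using it, so a malformed frame gets an
// error instead of an out-of-range read, the DoS class fuzzing is meant to find.
func ParseADU(frame []byte) (*ADU, error) {
	if len(frame) < 8 || len(frame) > 260 { // 7-byte MBAP header + 253-byte PDU max
		return nil, fmt.Errorf("frame size %d outside 8..260", len(frame))
	}
	if proto := binary.BigEndian.Uint16(frame[2:4]); proto != 0 {
		return nil, fmt.Errorf("unexpected protocol identifier %d", proto)
	}
	if got := int(binary.BigEndian.Uint16(frame[4:6])); got != len(frame)-6 {
		return nil, fmt.Errorf("length field %d disagrees with frame size %d", got, len(frame)-6)
	}
	return &ADU{Transaction: binary.BigEndian.Uint16(frame[0:2]), Unit: frame[6],
		Function: frame[7], Data: append([]byte(nil), frame[8:]...)}, nil
}

// Crashes is a minimal mutation fuzzer: it truncates and byte-flips copies of
// seed, feeds them to ParseADU and counts panics. A robust parser returns 0.
func Crashes(seed []byte, n int, rngSeed int64) (crashes int) {
	rng := rand.New(rand.NewSource(rngSeed))
	for i := 0; i < n; i++ {
		in := append([]byte(nil), seed...)[:rng.Intn(len(seed)+1)]
		for j := 0; j < 3 && len(in) > 0; j++ {
			in[rng.Intn(len(in))] = byte(rng.Intn(256))
		}
		func() {
			defer func() {
				if recover() != nil {
					crashes++
				}
			}()
			ParseADU(in)
		}()
	}
	return crashes
}
```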

Key Areas of Innovation
- Blockchain for asset authenticity; what are the use cases?
- Custom fuzzers for unique industrial protocols
- How U2M and M2M authentication works using certificates when the system is not internet connected (or connected intermittently, or connected through a gateway)
- How do we validate the genuineness of a device that connects to our hosted solutions? Did we manufacture it? Is it our firmware?
- How do we validate the integrity of embedded device configuration or application program?
- Intersection of Security and Safety


Educate our Customers, Channel Partners, and FSEs
1. Patch Your System
2. Separate the Network
3. Define and Enforce Contractor Guidelines
4. Secure Remote Connections
5. Password Management
6. Educate Your People
7. Monitor Your System
