IoT Security for Critical Information Infrastructures. Andrey Tikhonov

Similar documents
Securing the future of mobility

Copyright 2011 Trend Micro Inc.

Changing face of endpoint security

KASPERSKY ANTI-MALWARE PROTECTION SYSTEM BE READY FOR WHAT S NEXT. Kaspersky Open Space Security

Security: The Key to Affordable Unmanned Aircraft Systems

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Implementing Cisco Network Security (IINS) 3.0

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Security+ SY0-501 Study Guide Table of Contents

The following chart provides the breakdown of exam as to the weight of each section of the exam.

IC32E - Pre-Instructional Survey

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

McAfee Embedded Control

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Security Audit What Why

Identiteettien hallinta ja sovellusturvallisuus. Timo Lohenoja, CISPP Systems Engineer, F5 Networks

Bank Infrastructure - Video - 1

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Internet of Things real life cases Alex Ahlberg

CIH

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Certified Secure Web Application Engineer

Building Resilience in a Digital Enterprise

Cloud-Based Data Security

CSWAE Certified Secure Web Application Engineer

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

M2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres

Blackjacking. Daniel Hoffman. Security Threats to BlackBerry Devices, PDAs, and Cell Phones in the Enterprise. Wiley Publishing, Inc.

KASPERSKY ENDPOINT SECURITY FOR BUSINESS

SentinelOne Technical Brief

McAfee Embedded Control

Kaspersky Security for Small and Medium Business

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

PrecisionAccess Trusted Access Control

Cybersecurity Survey Results

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

CSI: VIDEO SURVEILLANCE CONVERTING THE JUGGERNAUT

The Mobile Risk Management Company. Overview of Fixmo and Mobile Risk Management (MRM) Solutions

European Union Agency for Network and Information Security

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

A Strategic Approach to Industrial CyberSecurity. Kaspersky Industrial CyberSecurity

Cybersecurity Roadmap: Global Healthcare Security Architecture

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

ANATOMY OF AN ATTACK!

locuz.com SOC Services

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Cyber Criminal Methods & Prevention Techniques. By

Understanding Cisco Cybersecurity Fundamentals

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Getting over Ransomware - Plan your Strategy for more Advanced Threats

SYMANTEC DATA CENTER SECURITY

Endpoint Security - what-if analysis 1

Improving Security in Embedded Systems Felix Baum, Product Line Manager

The next step in IT security after Snowden

Symantec Endpoint Protection Family Feature Comparison

Cloud Customer Architecture for Securing Workloads on Cloud Services

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Verizon Software Defined Perimeter (SDP).

Copyright

Chapter 4. Network Security. Part I

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

We re Different. Founded in 2007, Secure Source specializes in Network Security technology and compliance solutions.

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Expanding Cyber Security Management for Critical Infrastructure

CYBERSECURITY IN THE INDUSTRIAL INTERNET OF THINGS

June 2 nd, 2016 Security Awareness

Windows IoT Security. Jackie Chang Sr. Program Manager

The Common Controls Framework BY ADOBE

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Cloud-Security: Show-Stopper or Enabling Technology?

CompTIA CSA+ Cybersecurity Analyst

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS

Critical Information Infrastructure Protection Law

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Cyber Security in the time of Austerity. Shannon Simpson, CCO CNS Group

Certified Ethical Hacker (CEH)

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

CyberArk Privileged Threat Analytics

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Innovation policy for Industry 4.0

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Stopping Advanced Persistent Threats In Cloud and DataCenters

Cyber Security Brian Bostwick OSIsoft Market Principal for Cyber Security

Transcription:

IoT Security for Critical Information Infrastructures Andrey Tikhonov

Impact 2 THE SCALE OF EVENTS Weapons of Mass Destruction Extreme weather events Natural Disasters Cyber Attacks Climate Change Likelihood World Economic Forum 2018 Top-10 IoT Security Targets

3 1 IoT and Critical Information Infrastructures

4 EVOLUTION OF SECURITY IN SMART SYSTEMS CYBER-PHYSICAL SYSTEMS SECURITY DOMAINS

5 EVOLUTION OF TRUST NETWORKS CENTRALISED DECENTRALISED DISTRIBUTED INSTITUTIONAL (AUTHORITY) INTERPERSONAL (SOCIAL CONTROL) BLOCKCHAIN (AUTONOMOUS)

6 PROTECTING THE CRITICAL INFORMATION INFRASTRUCTURE The State emphasises the protection of Key Information Infrastructure in public communications and information services, i.e telecommunications, energy, finance, transportation, water conservation, public services and e-governance, as well as other critical information infrastructure that could cause serious damage to national security, the national economy and public interest if destroyed, functionality is lost or data is leaked (Articles 31, 187) Federal Law on Critical Information Infrastructure China s Network Security Law and Key Information Infrastructure Secure by Design: Improving the cyber security of consumer Internet of Things Report Policy of Critical Information Infrastructure Protection Information Security Strategy for Protecting the Nation

7 HOW WE FIT WITH THE REGULATORY TREND Priorities to the nationally certified technologies and solutions or even direct requirements for their use in CII Protection Security by design not only contributes to trust but makes the verification and thus certification of technologies easier Cyberspace and CII sovereignty (cross-border data transmission rules + in-house control of key technologies) Increasing trustworthiness level for solutions on a base of clear trust architecture specific to the regulation General auditing and supervising the protection of CII, from the classification of CII systems to onsite checks Combination of state-of-the-art solutions with services supporting the proper security maturity level

8 2 IoT VULNERABILITIES, THREATS AND RISKS

9 IoT VULNERABILITIES Kaspersky Lab ICS CERT identified 63 vulnerabilities in industrial and IIoT/IoT systems in 2017 BY INDUSTRY BY COMPONENT Source: https://ics-cert.kaspersky.com/reports/2018/03/26/threat-landscape-for-industrial-automation-systems-in-h2-2017

10 IoT VULNERABILITIES Adversary Weaknesses can be used for: Cloud Week security policies, access control SSL vulnerabilities OWASP TOP10 Shared responsibility Insecure communications (week encryption, authentication, verification, etc) BotNets Backdoors Privacy violation Data theft Spying Extracting private credentials Threat surface Mobile Server APP Laptop Database Database Software vulnerabilities OWASP Mobile top10 OWASP TOP10 Insufficient security Insufficient updates Gateway Vulnerabilities in firmware, software, physical interfaces Insecure web interface Open insecure ports Outdated protocols (e.g. SIP) Inherent vulnerabilities Sensors Controls

11 IOT ATTACK SCENARIOS MITC: Man in the Cloud User impersonation Plant backdoors Buffer overflow SQL Injection Privilege escalation Side channel DDoS Data integrity Certificate spoofing Phishing Drive-By-Download Brute Force Password reset Attack surface Remote Cloud attacker Mobile Server APP Laptop Database Database Intercepting communications Man In The Middle Device discovery via SSDP/UPNP Unauthorized access and app execution Device discovery through open ports Device vulnerabilities discovery and exploit Intercepting communications Gateway Has access to the local network Sensors Physical tampering Infiltration during manufacturing Controls Configuration change Malware Sim replacement Has direct access to the device

12 IOT SECURITY ELEMENTS DDOS protection Advanced persistent threat protection Various servers protection: Web, Mail, File... Virtual machines and hypervisors protection Secure Hypervisor Security Orchestration Perimeter protection Whitelisting: apps, communications, devices Antivirus Reputation assessment Vulnerabilities Detection Firewall Mobile Cloud Server APP Laptop SECURITY CENTER Intelligence services Extensive cloud database of known signatures, vulnerabilities, file, url reputations, etc Database Database Secure execution environment Security domain separation Strict policies: apps, communications, devices, users Vulnerability detection Patch management Communication anomalies and violations detection (DPI, Machine Learning) Intrusion detection Network filtering Gateway Sensors Secure OS Vulnerability detection Controls Strict policies: apps, communications, devices, users Patch management State monitoring

13 3 BEST PRACTICES

14 IIC IoT SECURITY MATURITY MODEL

15 IIC ENDPOINT SECURITY BEST PRACTICES Infrastructure Services BASIC SECURE COMMUNICATIONS CRYPTOGRAPHY ENDPOINT IDENTITY SECURE LIFECYCLE ROOT OF TRUST ENCHANCED ENDPOINT CONFIGURATION & MANAGEMENT SECURE COMMUNICATIONS CRYPTOGRAPHY ENDPOINT IDENTITY SECURE LIFECYCLE ROOT OF TRUST CRITICAL SECURITY INFORMATION & EVENT MANAGEMENT ENDPOINT CONFIGURATION & MANAGEMENT SECURE COMMUNICATIONS CRYPTOGRAPHY ENDPOINT IDENTITY SECURE LIFECYCLE ROOT OF TRUST POLICY & ACTIVITY DASHBOARD Intentional violation using simple means and limited resources Intentional violation using sophisticated means and sufficient resources IIC:WHT:IN17:V1.0:PB:20180312 Intentional violation using sophisticated means and large resources

16 MILS - MULTIPLE INDEPENDENT LEVELS OF SECURITY

17 4 PRACTICAL STEPS

18 THREATS MITIGATIONS THREATS PREVENTION TRUST BASE INFRASTRUCTURE DYNAMIC SITUATIONAL AWARENESS Event Management GATEWAY ATTACK ANOMALY DETECTION Monitoring and Filtering EDGE SECURE DESIGN & IMPLEMENTATION Endpoint Security PROACTIVE DEFENSE Global Support CASE BASED PROTECTION Security Service Delivery SECURITY POLICY ENFORCEMENT Policy Enforcement TRUSTED TAMPERPROOF INTEGRATION Assessment and Integration TRUSTED TAMPERPROOF COMMUNICATIONS Connectivity Management TRUSTED TAMPERPROOF KERNEL TEE

19 THREATS MITIGATIONS THREATS PREVENTION TRUST BASE INFRASTRUCTURE GATEWAY EDGE DYNAMIC RESPONCE ATTACK/ANOMALY DETECTION APPLICATION SECURITY HCI ICS CERT ML Preproc ML Engine Whitelisting Antimaware MLAD HCI KATA Integr Asset Detection Content Filt Asset Detection SOC KICS/KATA KES PROACTIVE DEFENSE SERVICE DEPLOYMENT POLICY INFORCEMENT KATA KICS URL/DNS Filter Antimalware Temporal Logic Inter-process Communication Policy Control Security Events VPN DPI IPS/IDS RBAC Domain Isolation KSN/KPSN KL Agent KSS TRUSTED INTEGRATION TRUSTED COMMUNICATIONS TRUSTED KERNEL Assessment AAA MNGMNT PL FIREWALL TEE Trusted LC PKI MDM CONTROL PL DATA PLANE RoT CRYPTO KSC/MDM Trusted Channel KOS/KSH

20 TOOLS FOR SECURITY BY DESIGN KASPERSKYOS SECURE HYPERVISOR KSS FOR LINUX Most secure solution (all components are isolated and controlled) Requires rethinking and redevelopment of architecture of every component Requires (at least) porting of applications or complete rewriting of them Good level of security (isolation of VMs and critical functions, limited control of communications) Requires rethinking and redeveloping of applications architecture only Requires re/development some critical functions Good level of security (isolations of Linux containers, control only inter containers communications) Requires rethinking and redeveloping of applications architecture only Requires minimum re/development Limited support of hardware (embedded systems only) Wide range of hardware supported (not only embedded systems) Runs virtually on all Linux with containers support

IOT GATEWAY Malware Delivery Thru Data Storage Device Malicious Firmware Update Exploiting Software Vulnerabilities Attack on Key / Certificate Stores Attack from Downloaded Apps Server APP Database Database Smart camera Man-in-the-Middle Attack Internet Provider (ISP) Router/Gateway Smart light Laptop Smartphone Microwave oven DDoS Attack Smart socket Sniffing of User Data Attack from Mobile Device Malware Exploiting Software Vulnerabilities Smartphone Smart TV Washer Password dictionary attack

KASPERSKY SECURE IoT GATEWAY Secure Boot Secure Update Boots only verified firmware Firmware is digitally signed and encrypted Bootloader is verified Only trusted OS is loaded SECURE LIFECYCLE DEVICE MANAGEMENT Guarantee integrity and authenticity of the firmware delivery Failsafe rollback Firmware lifecycle support Kaspersky Security Network Threat Data Feeds Firmware Checking Vulnerability Assessment Security Services Secure OS Security policies enforcement by independent engine Controls interactions across the system Security domains separation

Head Unit CONNECTED CAR ATTACK VECTORS Malware through Firmware Malware through removable storage Downloaded software Man-inthe-Middle OBD2 attack ECU User Data Browser IVI Using code vulnerabilities Key storage Keypad Remote attack on the central bus Attacking actuators Attack on certificate storage Attack from the mobile device User data theft

25 5 IN CONCLUSION

26 TAKEAWAYS Market: Critical Information Infrastrucuture Regulation: National Landscape International Cooperation: ITU, IIC, GSMA, GP Principle: Security by Design Foundation: Integrated Security

LET S TALK? Kaspersky Lab HQ 39A/3 Leningradskoe Shosse Moscow, 125212, Russian Federation Tel: +7 (495) 797-8700 www.kaspersky.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback