seminar series cybersecurity for iot to nuclear
play

Seminar Series Cybersecurity for IoT to Nuclear Fred Cohn, Program - PowerPoint PPT Presentation

May 11, 2023 •112 likes •382 views

Seminar Series Cybersecurity for IoT to Nuclear Fred Cohn, Program Director Property of Schneider Electric Who Am I? Program Director, Schneider Electric Product Security Office Cybersecurity Strategy Process (SDL) Deployment and

  1. Seminar Series

  2. Cybersecurity for IoT to Nuclear Fred Cohn, Program Director Property of Schneider Electric

  3. Who Am I? • Program Director, Schneider Electric Product Security Office • Cybersecurity Strategy • Process (SDL) Deployment and Governance • PSIRT - Incident Response, Vulnerability Management, Threat Intelligence • Previous background: • Industrial Control, Programmable Logic Controllers, Industrial Networking • How did I get involved in security? • A funny thing happened . . . Property of Schneider Electric | Page 2

  4. Who is Schneider Electric? • Schneider Electric in figures: • ~€25 billion in sales in FY2016 • 144,000+ employees in more than 100 countries. • ~5% of revenues devoted to R&D • About our Company: • Schneider Electric is the global specialist in energy management and automation . With revenues of ~€25 billion in FY2016, our 144,000+ employees serve customers in over 100 countries, helping them to manage their energy and process in ways that are safe, reliable, efficient and sustainable. From the simplest of switches to complex operational systems , our technology, software and services improve the way our customers manage and automate their operations. Our connected technologies reshape industries, transform cities and enrich lives. Property of Schneider Electric Page 3

  5. Schneider Electric Offers • Data Centers: • Electric Utility • • UPS Protective Relays • • Power Management Substation Controllers • • Cooling Transformers • Building Management: • Industrial Control • • Temperature Control Sensors and Actuators • • Access Control Variable Speed Drives and Motor Control • • PLC’s, Motion Controllers, and RTUs Metering and Protection • DCS • Safety PLC and Shutdown Systems Property of Schneider Electric Page 4

  6. IT vs. OT – Schneider Electric Lives in Both Worlds  OT = Operations Technology  Simple answer: • IT controls electrons = bits & bytes • OT controls molecules = things  More complicated answer: ▪ OT leverages IT technologies; Ethernet, WiFi & Internet stacks, to connect intelligent devices, controllers, and software: ▪ Monitor ▪ Alarm ▪ Control ▪ Protect ▪ Control vs. Data Centric Property of Schneider Electric | Page 5

  7. OT is a “Soft” Target for Cyber -based Attackers • Why OT is a soft target? • Older systems; insecure by design • Owners don’t have same cybersec skills • OT system lifecycle 5-10x longer than IT system lifecycle • Shared systems tend to share passwords • Naivete! - “We aren’t threatened! Who would attack us? What are they going to do…change the building temperature? Security by Obscurity!” • Systems tend to remain unpatched – too risky to patch! • Good news, if there is any? • System attack requires much more process knowledge than typical IT system • Systems are designed to fail to a safe condition Property of Schneider Electric | Page 6

  8. IoT for OT = IIOT • IIoT – same principles as IoT but different (additional) risks • Industrial IoT – applying the concept of IoT to Industrial/Commercial Control: • Cloud-based Building Management System • Facility Monitoring • Remote Maintenance • Remote Asset Management • ADR - Automated Demand Response • WAGES tracking • Remote robotic surgery – Yikes! Property of Schneider Electric | Page 7

  9. Risks of IIoT • Personal data can be compromised • Equipment can be attacked and essential functions can be interrupted • Data can be manipulated or modified • Equipment can be damaged! • Life safety can be impacted! Property of Schneider Electric | Page 8

  10. Schneider’s R&D Approach – It’s a Journey • Standards-based development practices • Consistency Rules • Bricks and Platforms • Innovative Designs Suited for Our Markets • Research to apply IT Security Practices/Technologies to OT environments Property of Schneider Electric | Page 9

  11. Standards Based Development Approach • Corporate Policy that all R&D Projects must follow SDL: • Initially based on ISO 27034, while a few groups leveraged ISASecure • Migrating to IEC 62443-4-1 for all R&D • ISO 30111 for Vulnerability Management • SE IT organization embracing the methodology • Some R&D departments are SDLA certified Property of Schneider Electric | Page 10

  12. IEC 62443-4-1 Practices • Security Management • Security Requirements • Secure by Design • Secure Implementation • Secure Verification and Validation • Defect Management • Security Update Management • Security Guidelines Property of Schneider Electric | Page 11

  13. Consistency Rules • Rules that govern technical choices: • Marketing or Technical • All segments or segment-based • Factored into requirements and checked at early development stage • Examples (in development): – Robustness testing – Software signing – Firmware signing – Secure Boot Property of Schneider Electric | Page 12

  14. Bricks and Platforms • Consistency Library • Documents • Consistency Rules • Code References • Bricks • IoT Platform for Hosted Services – EcoStruxure • Communication services • User AuthN and AuthZ • Data storage • Application interface services Property of Schneider Electric | Page 13

  15. Innovative Designs – Applying IT Principles to OT Environment • Software, Device, and Patch Integrity • User to Machine Authentication and Authorization • Machine to Machine Authentication and Authorization • Device Authenticity Safety • Device Replacement • Logging and Auditing • Robustness Property of Schneider Electric | Page 14

  16. Integrity • We developed a Software Signing Utility to assist development teams. • Using Commercial MPKI; Microsoft (or Java) code Signing Techniques • Upgrade underway to keep up with Microsoft • We developed our own Firmware Signing using self-signed MPKI • Still immature, but evolving • Adoption challenges for our R&D • Issues with authentication infrastructure in customer environment • Patch Signing • Depends on Software vs. Firmware Property of Schneider Electric | Page 15

  17. Authentication and Authorization • All agree on value of certificate-based authentication for U2M and M2M • Working on standard approach to allow for interoperability • Trying to standardize designs including Secure Elements for future needs • Standard crypto library available for all developers – Biggest issue is confusion over export/import licensing • Authorization schemes vary; difficulty with convergence • Based on roles • Include role in device certificate, or… • Centralize system authorization role Property of Schneider Electric | Page 16

  18. Device Replacement • Consistently, the biggest barrier to applying security technologies and practices • “How can a failed device be replaced at 3:00AM?” • Two approaches: • System Security Appliance – Manages user access, roles, and asset inventory • Use certificates in the device – Provide a standards-based CA – Use standard mechanisms for certificate deployment through CET – Working on CET code changes and user documentation Property of Schneider Electric | Page 17

  19. Logging and Auditing • Created internal standards for logging methods and format for embedded devices. • Standard format • Protected from modification • Adoption has just started; limited experience for embedded devices Property of Schneider Electric | Page 18

  20. Secure Industrial Communications • Protect Confidentiality and Integrity • Secure Modbus • Based on TLS • Being submitted to Modbus.org • Secure EtherNet/IP • Being managed by ODVA Property of Schneider Electric | Page 19

  21. Robustness • Network protocol fuzz testing to prevent DoS • Standard TCP and UDP • Some industrial protocols • Standardized on Achilles test; certify devices • Alternative, Codenomicon, but no device certification available Property of Schneider Electric | Page 20

  22. Key Areas of Innovation • Blockchain for Asset Authenticity; what are Use Cases? • Custom fuzzers for unique industrial protocols • How U2M and M2M authentication works using certificates when system is not internet connected (or connected intermittently) ((or connected through a gateway)) • How do we validate genuineness of a device that connects to our hosted solutions? • Did we manufacture it? • Is it our firmware? • How do we validate integrity of embedded device configuration or application program • Intersection of Security and Safety Property of Schneider Electric | Page 21

  23. Property of Schneider Electric | Page 22

  24. Educate our Customers, Channel Partners, and FSE’s 1. Patch Your System 2. Separate the Network 3. Define and Enforce Contractor Guidelines 4. Secure Remote Connections 5. Password Management 6. Educate Your People 7. Monitor Your System Property of Schneider Electric | Page 23

  25. Property of Schneider Electric | Page 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Seminar Series Oil and Gas Pipeline Transmission Infrastructure Cybersecurity and Resiliency Al

Seminar Series Oil and Gas Pipeline Transmission Infrastructure Cybersecurity and Resiliency Al

Seminar Series Oil and Gas Pipeline Transmission Infrastructure Cybersecurity and Resiliency Al Rivero, PE CREDC Summer School February 5th, 2018 Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security |

469 views • 11 slides
CYBERSECURITY CYBERSECURITY SEMINAR SEMINAR STEVE RUTKOVITZ STEVE RUTKOVITZ ABOUT STEVE

CYBERSECURITY CYBERSECURITY SEMINAR SEMINAR STEVE RUTKOVITZ STEVE RUTKOVITZ ABOUT STEVE

PROTECTING YOU AND YOUR BUSINESS CYBERSECURITY CYBERSECURITY SEMINAR SEMINAR STEVE RUTKOVITZ STEVE RUTKOVITZ ABOUT STEVE RUTKOVITZ ABOUT STEVE RUTKOVITZ For over 20 years, Steve owned and operated a very successful MSP business. W ith a

516 views • 25 slides
ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity Related to Subregional Seminar on Cybersecurity for Information and Communication Networks 21 June 2005 Lima, Peru Christine Sund Christine Sund

921 views • 48 slides
Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Email Security

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Email Security

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Email Security Practices & File Encryption Content provided by Presenter: Ray Cool, CEO PBSI Technology Solutions Webinar will begin at 10:00 Page 1 Series Goals

551 views • 20 slides
Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data Content provided by Presenter: Ray Cool, CEO PBSI Technology Solutions Webinar will begin at 10:00 Page 1 Series Goals Series Goals

146 views • 13 slides
Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Password Management

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Password Management

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Password Management & Public Wi-Fi Security Content provided by Presenter: Ray Cool, CEO PBSI Technology Solutions Webinar will begin at 10:00 Page 1 Series Goals

392 views • 18 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
TPCB Research in Progress Seminar Series Overview The TPCB Research in Progress Seminar Series is

TPCB Research in Progress Seminar Series Overview The TPCB Research in Progress Seminar Series is

TPCB Research in Progress Seminar Series Overview The TPCB Research in Progress Seminar Series is an important component of our graduate training program. It provides students with opportunities to learn about chemical biology research being

419 views • 3 slides
NUCLEAR WASTE AND REMEDIATION STRATEGY Course Seminar CE 641 Presented by Aniruddh Jain Roll

NUCLEAR WASTE AND REMEDIATION STRATEGY Course Seminar CE 641 Presented by Aniruddh Jain Roll

NUCLEAR WASTE AND REMEDIATION STRATEGY Course Seminar CE 641 Presented by Aniruddh Jain Roll No: 09304018 M.Tech 1st Year WHAT IS NUCLEAR ENERGY Nuclear energy is the energy released by the splitting (fission) or merging together (fusion)

468 views • 26 slides
Cybersecurity Requirements for Federal Contracts Seminar 8/9/17, 9- noon Time Topic Speaker

Cybersecurity Requirements for Federal Contracts Seminar 8/9/17, 9- noon Time Topic Speaker

Cybersecurity Requirements for Federal Contracts Seminar 8/9/17, 9- noon Time Topic Speaker 9-9:30 Arrival and Breakfast - 9:30 Welcome Don Pital, Manager GaMEP Don.pital@innovate.gatech.edu 9:35-9:55 Ga Sponsor Introductions Karen

782 views • 39 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
PILLSBURY-NEI NUCLEAR TRADE AND INVESTMENT SEMINAR REGULATORY CAPACITY BUILDING AND THE ROLE OF

PILLSBURY-NEI NUCLEAR TRADE AND INVESTMENT SEMINAR REGULATORY CAPACITY BUILDING AND THE ROLE OF

PILLSBURY-NEI NUCLEAR TRADE AND INVESTMENT SEMINAR REGULATORY CAPACITY BUILDING AND THE ROLE OF TSOS IN EMERGENT NUCLEAR COUNTRIES Neil J. Numark, President November 17, 2014 2 TOPICS ADDRESSED Development of regulatory infrastructure

182 views • 17 slides
SIGTACS Seminar Series Metric Embeddings and Applications in Computer Science Presented by :

SIGTACS Seminar Series Metric Embeddings and Applications in Computer Science Presented by :

Introduction Embeddings into Normed Spaces Dimensionality Reduction The JL Lemma Discussion SIGTACS Seminar Series Metric Embeddings and Applications in Computer Science Presented by : Purushottam Kar January 10, 2009 SIGTACS Seminar Series

674 views • 56 slides
The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019

The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019

The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019 Vulnerable Devices Pacemakers / implantable defibrillators Insulin pumps Infusion pumps Mobile health technologies (mHealth

613 views • 40 slides
contracts Our Cybersecurity Webinar Series To help you understand the cyber risk in your legal

contracts Our Cybersecurity Webinar Series To help you understand the cyber risk in your legal

Data Governance & Contract Management: How you can build security into your contracts Our Cybersecurity Webinar Series To help you understand the cyber risk in your legal vendor portfolio: Week 1 Week 2 Week 3 Week 4 July July July

366 views • 19 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
Benedikt Brecht, CAMP Principal Investigator, VWGoA October 2015 1 CAMP Partners Project funded

Benedikt Brecht, CAMP Principal Investigator, VWGoA October 2015 1 CAMP Partners Project funded

V2X Security Credential Management System (SCMS) Proof-of-Concept Implementation funded by US DOT/NHTSA Benedikt Brecht, CAMP Principal Investigator, VWGoA October 2015 1 CAMP Partners Project funded by Supported by October 2015 2 What is

562 views • 29 slides
Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Security & Knowledge Management a.a. 2019/20 Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed just by permitted users Integrity Not tampered by not permitted users Availability

558 views • 21 slides
Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis

Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis Final talk Karthik Mathiazhagan

735 views • 18 slides
What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ?

What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ?

Resource Certification What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ? Resource Certification is is a security framework for verifying the association between resource holders and their

569 views • 20 slides
Documentation Title II, Part A Needs Assessment and Planning Title II, Part A Needs

Documentation Title II, Part A Needs Assessment and Planning Title II, Part A Needs

Documentation Title II, Part A Needs Assessment and Planning Title II, Part A Needs Assessment Worksheet and/or documentation to support the data analysis provided in Section II of the LEA Equity Plan Meeting agendas and/or minutes,

460 views • 18 slides
Community Health Worker (CHW) Certification Application for Experienced CHWs Office of Population

Community Health Worker (CHW) Certification Application for Experienced CHWs Office of Population

Community Health Worker (CHW) Certification Application for Experienced CHWs Office of Population Health Improvement, CHW Certification Program Team Kimberly Hiner and Tina Backe November 2019 Certification Application for Experienced CHWs

914 views • 37 slides
A Component Security Infrastructure Y. David Liu Scott Smith http://www.jcells.org 9/24/15

A Component Security Infrastructure Y. David Liu Scott Smith http://www.jcells.org 9/24/15

A Component Security Infrastructure Y. David Liu Scott Smith http://www.jcells.org 9/24/15 Cells @ FCS 2002 1 Motivation Build software systems Secure software using components systems SDSI/SPKI Cells Secure software systems at the

833 views • 38 slides
Financial Management CDBG recordkeeping requirements are set in accordance with 24 CFR Part

Financial Management CDBG recordkeeping requirements are set in accordance with 24 CFR Part

2017 BCD CDBG Training Slides 9/27 9/28/2017 (WI Dells) 10/4 10/5/2017 (Eau Claire) Chap Chapter 8: 8: Financi nancial Ma Managemen gement DEHCR Bureau of Community Development Financial Management CDBG recordkeeping requirements

285 views • 24 slides

More recommend