True Cost and Real Benefits of IIoT Security (@bsidesvienna 07e1) - PowerPoint PPT Presentation
SLIDE 1 Verein zur Förderung der Sicherheit in Österreichs strategischer Infrastruktur (Association for the Promotion of Security in Austria's Strategic Infrastructure)

True Cost and Real Benefits of IIoT Security

Herbert Dirnberger

@bsidesvienna 07e1

SLIDE 2

Agenda

• Digital Darwinism
• Risks
• Scenario-based IIoT Security
• Use Case
• Summary

SLIDE 3

Digitalization @home

SLIDE 4

Smart Cats @home

Diagram: RFID tag → RFID reader → smart door → IoT hub → cloud → mobile

SLIDE 5 All content of this presentation is subject to the Creative Commons license. 2012 Herbert Dirnberger

I CYBORG

Google Glass, Kevin Warwick, Steve Mann

• http://www.csmonitor.com/Innovation/Latest-News-Wires/2012/0718/Cyborg-allegedly-attacked-over-camera-implants
• http://www.zeit.de/digital/internet/2012-08/cyborg-neil-harbisson-biohacking-campus-party
• http://dailynoise.blogspot.co.at/2011/10/what-is-cyborg-anthropology.html
• http://en.wikipedia.org/wiki/Steve_Mann
• http://www.kevinwarwick.com/ICyborg.htm

Smart Humans @world

SLIDE 6

b0111 1110 0001 = 0x7E1 = 1024 + 512 + 256 + 128 + 64 + 32 + 1 = 2017

SLIDE 7

200 years digital, 70 years computer, 6 years Industrie 4.0/IIoT

Technical Progress of Industry

Timeline (figure): 1805 loom with punched cards; 1941 Zuse Z3; 1969 PLC and Apollo 11; robot, PC, Internet, mobile, cloud; 2011 Industrie 4.0; 2017 IIoT (Industrial Internet of Things and Services).

Image credit: Markus Schweiß [GFDL (http://www.gnu.org/copyleft/fdl.html) or CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], via Wikimedia Commons

What do we call this kind of nerds and geeks in the industry?

SLIDE 8

Industrial Automation in 2 min

Diagram: the physical process is measured by sensors and driven by actors (actuators); both connect to the controller, which is linked over the industrial network to SCADA and to the HMI used by the operator.

SLIDE 9

Industrial Actors (actuators)

Robots, power plants, …

SLIDE 10

Digital Transformation

Disruption and Digital Darwinism

Chart: customer need over time for Player A, Player B (innovative) and Player C (innovative + disruptive).

top management of medium-sized companies believes that their company has nothing to do with digitalization.

Arno Martin Fast, 2017, Phoenix Contact, Industrial Cloud Computing

The new form of creative destruction, the "disruptive self-attack!": let us ask ourselves, what is the business model that would destroy us?!

42

SLIDE 11

IIoT

Diagram: overlapping circles of business process, physical process and services.

Don't think in camps and silos!

SLIDE 12

(some) IIoT Benefits

• Business model: pay per use, contracting, data as a service
• Employee: ergonomics, better decisions, meaningful work
• Machine: higher availability, reduced service costs, longer lifetime
• Process: reduced costs, better quality, optimized cycle time, customized products

Slide to flip over very fast!!
SLIDE 13

Business Risks / Risk Management

• exposed wireless networks
• exposed physical access
• no secure passwords
• no backups
• open system found in shodan.io
• web access with cross-site scripting

"The IoT is extremely insecure and not patchable"

Bruce Schneier

SLIDE 14

Traditional Risk Management Program

Diagram: Asset Management, Business Impact Analysis, Threat Analysis, Vulnerability Analysis, Risk Management, Risk Mitigation, Business Continuity Management, Incident Management; Program, Controls, ROI, Risk Monitoring, Strategy Alignment.

Typical scope: 1 year, balancing cost and risk.

Backup slide, to flip over very fast!!
SLIDE 15

BSI Top 10 Threats to IIoT/ICS Systems

Threats: Malware; Social Engineering, Phishing; Human Error / Sabotage; Intrusion via Remote Access, Internet; Technical Malfunctions, Force majeure; Compromised Cloud; Compromised Smartphones; (D)DoS.

Affected: Data Leak, Compliance, Integrity, Availability, Confidentiality, Realtime, Privacy, Safety, Cost.

Consequences: Collateral Damages, Enterprise Value, Value Add; unauthorized Access/Ownership
• to/of Buildings
• to/of Systems
• and Transfer/Manipulation of Information

BSI: Top 10 Threats and Countermeasures 2016

SLIDE 16

Controls for IIoT Security

Restricted access to the Internet, VPN and industrial firewalls (micro-segmentation) are the basics.

Controls (matrix columns):
• SLA, NDA, vendor management (BDEW)
• Fences, guards
• No / restricted Internet in control networks
• Need to know (files, passwords, DB)
• Awareness and training
• Anti-malware, sandbox, whitelists
• Security policies and procedures
• Business continuity management
• Scans, logs, IDS, monitoring, audits
• Hardening
• Security updates, patches
• VPN + 2-factor
• Encryption
• DMZ, network segmentation, firewall
• Backup, redundancy, diversity
• Secure app stores, MDM

Threats (matrix rows, with the number of controls marked for each): Social Engineering / Phishing 10; Human Error / Sabotage 9; Malware 9; Malfunctions / Force Majeure 4; Compromised Cloud 4; Intrusion via Remote Access 5; Compromised Smartphones 5; DDoS 3.

BSI: Top 10 Threats and Countermeasures 2016

Backup

SLIDE 17

Use Case: IIoT in manufacturing

Diagram (nested): Physical Security, IT Security, Information Security, ICS Security, IIoT Security. Focus: Business Interruption and Cyber Security.

SLIDE 18

IIoT Security is about DEFENSE and ENABLER

Diagram: Physical Security, IT Security, Information Security, ICS/IoT Security, Cyber Security, Safety & Risk Management, Business Continuity Management, Maintenance and Incident Management sit between the threats (left, VS) and the industrial users (right).

Threats:
• Attacks (scan, tests, enumeration, … exploits)
• Unauthorised use
• Human misbehaviour
• Sabotage, theft, fraud
• Malicious code
• Technical misbehaviour (uncontrolled patches, software bugs, protocol errors)
• Force majeure

Industrial users: service, processes, resources. C = costs, VA = value add.

SLIDE 19

Use Case: IIoT in manufacturing

Data exchanged between the Manufacturing Execution System and the Enterprise Resource Planning System: order, program ID, article to produce, article produced, energy consumed, production data, RFID, KPI, availability, maintenance, external services.

Inventory:
• 5 robots, 2 CNC machines, 3 HMI/SCADA, 4 PLC, 20 IED, 5 automatic transport vehicles
• 3 network cells, 1 industrial DMZ
• 10 MES clients, 100 office clients, 25 notebooks, 50 mobile devices
• 200 users, 2 IT admins, 1 automation engineer, 2 maintenance, CISO + managed security services
• 15 VPN accounts (10 internal, 5 external)

Industrial user, 200 employees, 50 m € sales/year, 1 m € profit/year

SLIDE 20

What we will expect, because it happened in the last years

• 20 malware / crypto (ransomware) incidents
• 20 hardware malfunctions
• 45 software defects / updates
• 4 orders in junk
• 40 locked users (10 leaks)
• 25 network outages > 1 day
• 10 power breakdowns
• 1 data breach > 15,000 EUR
• 20 lost and 5 stolen devices
• 10 lost encryption keys
• 20 problems with VPN

Scope: 5 years. Damage: 100,000 EUR.

Industrial user, 200 employees, 50 m € sales/year, 1 m € profit/year

SLIDE 21

Comparing Costs and Value Add

Costs in TSD € (thousand EUR), scope 5 years:

CAPEX
  Industrial FWs, VPN router incl. config and licenses      8
  Enterprise FW incl. config and licenses                  12
OPEX
  Managed professional ICS security services               24
  Managed basic ICS security services                       6
  Managed client security services                         60
  Managed mobile security services                         10
  CISO as a service                                     incl.
Damage costs
  Hardware/software malfunctions                           40
  Power breakdown / network outage                         10
  Unrealized orders                                        10
  Data breach                                              15
  Stolen devices                                            5
  Crypto/ransomware                                        15
  Mini problems                                             5

Qualitative benefits: no data leak; compliance, integrity, availability, confidentiality, realtime, privacy, safety.

Value add in TSD €:
  Value add          +250
  CAPEX               -20
  OPEX               -100
  Damage costs       -100
  Real benefit        +30

Value add > costs.

Direct "measurable" value add ~ 0.1% of sales/year (250 TSD € over 5 years = 50 TSD €/year on 50 m € sales).

Industrial user, 200 employees, 50 m € sales/year, 1 m € profit/year

Scope: 5 years
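The five-year comparison above, as an added example that is not part of the original presentation: a small Python model that carries the slide's scenario figures (incident counts, damage per category, CAPEX, OPEX, value add) and reproduces the +30 TSD € real benefit. It adds what the slide does not show: the annualized loss per scenario, the break-even value add, and a sensitivity check on the damage estimate. The grouping of the incident counts into the damage categories is an assumption made here for illustration, as is every function name.

```python
"""Scenario-based cost/benefit model for an IIoT security program.

Added example, not code from the original presentation. Figures are in
thousand EUR (TSD EUR on the slides) over a five-year scope.
"""
from dataclasses import dataclass

SCOPE_YEARS = 5               # "Scope: 5 years"
SALES_PER_YEAR_KEUR = 50_000  # "50 m EUR sales/year"


@dataclass(frozen=True)
class Scenario:
    """An incident class with its expected count and total damage over the scope."""
    name: str
    incidents: int       # expected incidents over SCOPE_YEARS
    damage_keur: float   # total damage over SCOPE_YEARS

    @property
    def per_incident_keur(self) -> float:
        return self.damage_keur / self.incidents

    @property
    def annual_loss_keur(self) -> float:
        return self.damage_keur / SCOPE_YEARS


@dataclass(frozen=True)
class Control:
    """A control with one-off CAPEX and OPEX summed over the scope."""
    name: str
    capex_keur: float = 0.0
    opex_keur: float = 0.0


# Constructed from the slide figures. Which incident counts feed which
# damage line is an assumption made here for illustration.
SCENARIOS = (
    Scenario("Hardware/software malfunctions", 20 + 45, 40),
    Scenario("Power breakdown / network outage > 1 day", 10 + 25, 10),
    Scenario("Unrealized orders", 4, 10),
    Scenario("Data breach", 1, 15),
    Scenario("Stolen devices", 5, 5),
    Scenario("Crypto/ransomware", 20, 15),
    Scenario("Mini problems (locked users, lost keys, VPN)", 40 + 10 + 20, 5),
)

CONTROLS = (
    Control("Industrial FWs, VPN router incl. config/licenses", capex_keur=8),
    Control("Enterprise FW incl. config/licenses", capex_keur=12),
    Control("Managed professional ICS security services", opex_keur=24),
    Control("Managed basic ICS security services", opex_keur=6),
    Control("Managed client security services", opex_keur=60),
    Control("Managed mobile security services", opex_keur=10),
)

VALUE_ADD_KEUR = 250  # direct "measurable" value add over the scope


def residual_damage(scenarios=SCENARIOS) -> float:
    """Expected damage over the scope with the program in place."""
    return sum(s.damage_keur for s in scenarios)


def program_cost(controls=CONTROLS) -> tuple:
    """(CAPEX, OPEX) over the scope."""
    return (sum(c.capex_keur for c in controls), sum(c.opex_keur for c in controls))


def total_cost(controls=CONTROLS, scenarios=SCENARIOS) -> float:
    capex, opex = program_cost(controls)
    return capex + opex + residual_damage(scenarios)


def real_benefit(value_add=VALUE_ADD_KEUR, controls=CONTROLS, scenarios=SCENARIOS) -> float:
    """Value add minus everything the program and the remaining incidents cost."""
    return value_add - total_cost(controls, scenarios)


def break_even_value_add(controls=CONTROLS, scenarios=SCENARIOS) -> float:
    """Smallest value add at which the program pays for itself."""
    return total_cost(controls, scenarios)


def value_add_share_of_sales(value_add=VALUE_ADD_KEUR) -> float:
    """Yearly value add as a fraction of yearly sales."""
    return (value_add / SCOPE_YEARS) / SALES_PER_YEAR_KEUR


def annual_loss_table(scenarios=SCENARIOS) -> dict:
    """Annualized loss per scenario, the figure a risk register would carry."""
    return {s.name: s.annual_loss_keur for s in scenarios}


def damage_sensitivity(factor, controls=CONTROLS, scenarios=SCENARIOS, value_add=VALUE_ADD_KEUR) -> float:
    """Real benefit if every scenario's damage is scaled by `factor`."""
    scaled = tuple(Scenario(s.name, s.incidents, s.damage_keur * factor) for s in scenarios)
    return real_benefit(value_add, controls, scaled)


if __name__ == "__main__":
    capex, opex = program_cost()
    print(f"CAPEX {capex:.0f}  OPEX {opex:.0f}  damage {residual_damage():.0f}  "
          f"-> real benefit {real_benefit():+.0f} kEUR over {SCOPE_YEARS} years")
    print(f"break-even value add: {break_even_value_add():.0f} kEUR")
    print(f"value add per year: {value_add_share_of_sales():.2%} of sales")
    for name, loss in annual_loss_table().items():
        print(f"  {name:45s} {loss:6.1f} kEUR/year")
    print(f"benefit if damage is 1.3x the estimate: {damage_sensitivity(1.3):+.0f} kEUR")
```

The sensitivity call is the practical point: with the slide's numbers, a damage estimate that is 30% too low already consumes the whole +30 real benefit, so the scenario counts on slide 20 deserve the same scrutiny as the control prices.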

SLIDE 22

What we will not see, but it will happen.

If we do not notice it directly, we will not handle it in risk management!

• Social engineering, phishing (accounts)
• Manipulation (integrity)
• DDoS (availability)
• Friendly malware
• Industrial espionage
• Sabotage (availability)
• Manipulation (IIoT in the Internet)
• etc.

BSI: Top 10 Threats and Countermeasures 2016

Industrial user, 200 employees, 50 m € sales/year, 1 m € profit/year

SLIDE 23

Life Cycle Costs

Scenario-based Enterprise Values

Chart: time axis from idea over "running" to EOL, showing LCC (life cycle costs), VA (value add) and EV (enterprise value); the concept and investment phases are marked at the start.

IIoT security costs are part of the LCC.

LCC, OPEX, service and security costs are mostly defined in the concept and investment phases.

"The best way to predict the future is to invent it." Alan Curtis Kay

SLIDE 24

The Reality about Industrial Security

10%: hackers, script kiddies, APT, cybercrime …
90%: wrong documentation, no backups, protocol errors, no time, no awareness, legacy …

SLIDE 25

Picture taken at Security of Things Conference 2017, Berlin

1 typical lifecycle … 25 years

Timeline: 2010 Stuxnet; 2017 WannaCry, NotPetya; 2035 all problems solved; 2042+

SLIDE 26

Summary

• Disruptive self-attack
• Don't think in camps and silos, but in lifecycles!
• IIoT security is about defense and enabler.
• What we will not see, but it will happen.
• "The best way to predict the future is to invent it."
• 2042+

SLIDE 27 Verein zur Förderung der Sicherheit in Österreichs strategischer Infrastruktur (Association for the Promotion of Security in Austria's Strategic Infrastructure)

Think big, start small, secure and now