VALVE MANUFACTURERS ASSOCIATION OF AMERICA–MARKET … Presentation.pdf · 2017-08-07 ·...
1 | Copyright © 2017 Deloitte Development LLC. All rights reserved.
VALVE MANUFACTURERS ASSOCIATION OF AMERICA–MARKET OUTLOOK WORKSHOP
Safeguarding the Internet of Things (IoT) in Advanced Manufacturing
Sean Peasley, Partner, Deloitte & Touche LLP
August 4, 2017
CYBER RISK IN ADVANCED MANUFACTURING
Be Secure. Vigilant. Resilient.™
Traditional board reporting
Industrial Control Systems
50% isolate or segment ICS networks
31% have not conducted an ICS assessment
Be Secure.
Take a top-down, risk-based approach to implementing security strategies for the most critical networks, systems, and data
Be Vigilant.
Implement routine monitoring mechanisms for high-risk networks, systems, and data that will alert the company to abnormal activity and enable prompt action
Talent and Organizational Management
4 of top 10 threats involve employees
Lack skilled resources
75%
IT/OT gap drives behavior
36% cited Intellectual Property (IP) protection as top concern
Enterprise Network & Business Systems
Connected Products
use sensors, smart products, and mobile apps
Governance and Leadership Engagement
Nearly 50% of executives lack confidence they are protected
48% lack adequate funding
Cyber risk programs: A framework for leading practice board reporting
35%-45%
encrypt the data
55%
50% perform ICS vulnerability testing less often than once a month
A top executive concern is increasing sophistication/proliferation of threats
77% had performed end-to-end product assessment
27% do not include ICS in incident response plans
Be Resilient.
Plan ahead before a breach occurs so the entire organization is prepared to respond in order to quickly neutralize threats, prevent further spread, and recover from business impacts
Only 12% currently employ tactics, such as wargaming exercises
39% experienced a breach
38% had losses $1–10m+
37% do not include connected products in incident response plans
Sources: Cyber risk in advanced manufacturing; Deloitte and MAPI, Deloitte CISO Labs.
MAKING SENSE OF THE BUZZWORDS: WHAT IS THE INTERNET OF THINGS?
Internet of Things refers to a world of intelligent, connected devices that generate data for automating business processes and enabling new services
Internet of Things
PEOPLE: Connection of people in more relevant and valuable ways
THINGS: Physical devices and objects intelligently connected
PROCESS: Delivery of the right information to the right place at the right time
ANALYTICS: Individual data streams are processed and analyzed with algorithms
THE INFORMATION VALUE LOOP
This is a framework for thinking about IoT solutions and is based on recognition that value lies in the information generated by sensors and connected devices
Standards
MAGNITUDE: Scope | Scale | Frequency
RISK: Security | Reliability | Accuracy
TIME: Latency | Timeliness
Act
Analyze
Create
Communicate
Aggregate
Augmented Intelligence
Sensors
Augmented Behavior
THINGS APPLICATIONS
Network
IOT TRENDS
1/3: One-third of enterprises report using IoT, with another third planning to do so. (Forrester - Predictions 2016: IoT's Impact Inside Companies, November 16, 2015)
5.5M: In 2016, 5.5 million new things would get connected to network infrastructure each day. (Gartner Press Release: Gartner Says 6.4 Billion Connected "Things" Will Be in Use in 2016, Up 30 Percent From 2015, November 10, 2015)
45%: By 2019, 45% of IoT-created data will be stored, processed, analyzed, and acted upon close to, or at the edge of, the network. (IDC - IDC FutureScape: Worldwide Internet of Things 2016 Predictions)
$3T: Hardware spending on networked endpoints will reach $3 trillion in 2020. (Gartner Forecast: Internet of Things — Endpoints and Associated Services, Worldwide, 2015)
8.4B: Gartner forecasts 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016. (Gartner Press Release: Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31 Percent From 2016, February 7, 2017)
MANUFACTURING USE CASES
PREDICTIVE MAINTENANCE: Tracking asset condition, part and system failures, and operating performance to maximize uptime
INTELLIGENT PRODUCTS: Equip products with IoT capabilities, create a new revenue stream from existing products
ASSET MANAGEMENT: Track and optimize production asset effectiveness through introduction, maintenance, and retirement
CONNECTED FACTORY: Automate processes on the factory floor, monitor for progress and issues remotely
SMART SUPPLY CHAIN: Complete visibility and monitoring of inventory as it enters the factory, gets processed and leaves the factory floor
SMART WORKFORCE: Use sensor-equipped wearables to ensure worker safety and improve labor efficiency and utilization
IoT spans the manufacturing value chain and can address multiple challenges
THE EVOLUTION OF THREATS TO CONNECTED DEVICES
As connected device technology advances, the number of devices exposed to malicious threats increases, resulting in an increased risk to customer safety and information security.
Before Connectivity | Internet Age | Connected Age
Common Threats & Vulnerabilities
Theft or damage of equipment or records
Data integrity failures
Broken authentication and session management
Hardware attacks
DNS attacks
SQL injection
Data interception
Use of a broken or risky cryptographic algorithm
Insecure storage
Insecure cloud interfaces
Service hijacking
Cross-site scripting
Use of Hard-coded credentials
Enabling technologies: Cloud Technology | Bluetooth/NFC | Wireless internet | Wired connections | Mobile Apps | World wide web | Databases | IoT networks
Note: OWASP Top 10, CWE/SANS Top 25
Website spoofing
Account hijacking
Remote access
Widespread viruses and malware
DDoS attacks
Information sniffing & eavesdropping
Hardware attacks
Download of code without integrity check
Evolution of threats
PRODUCTION LIFE CYCLE STAGES—CYBER RISKS
There are unique cyber risks throughout the production life cycle when considering the device ecosystem in connected factories.
Connected Object
Smart Factory
Mobile apps
Secure: Product design
• Employ secure software development lifecycle
• Post-deployment fixes are costly and often unsuccessful
Vigilant: Data protection
• Safeguard sensitive data throughout the lifecycle
• Monitor for potential data leakage
Resilient: Maintain capabilities
• Secure and vigilant measures can be a deterrent
• Prioritize critical business functions including security
Secure: Systems operability
• Safeguard operational uptime from disruption
• Maintain plant integrity
Vigilant: Health and safety
• Monitor system stability and safeguards
• Understand threat vectors impacting employee safety
Resilient: Production and process
• Accelerate recovery of critical systems
• Maintain manufacturing strategy and technology
• There is increased reliance on IT and operational technology (OT) technologies to achieve desired results
• Exploits occur most often when risk mitigation is absent in design and deployment
Close to 50% of manufacturers use mobile apps for connected products
76% of manufacturers use Wi-Fi networks to transmit data to/from connected products
Sources: Cyber risk in advanced manufacturing; Deloitte and MAPI
The cyber risk landscape is inexhaustibly complex and ever changing.
CYBER THREAT LANDSCAPE
This figure provides a broad framework for identifying and managing a much wider range of risks arising from IoT implementations.
Source: Deloitte & Touche LLP
Ecosystem
SECURING THE IOT: SOLUTIONS AND CAPABILITIES
Organizations developing connected devices should adopt a secure by design mentality as part of creation and development lifecycles to deliver safer and more reliable products to market. Security discipline should also be carefully integrated into the end-to-end architecture for adoption.
Internet connected devices
Operational technology
Interfaces, gateways and service platforms
IoT data protection
Security should be integrated end-to-end
Incorporate “Security by Design”
• Default security settings
• Modern operating systems
• Hardware with built in security features
• Fail safety features
Prevent device operational disruption
• Automatic device patching
• Coordinated software updating
• Vulnerability scanning and security testing
• Vulnerability disclosure
Secure device communication
• Network segmentation
• Secure application program interfaces
• Secure communication protocols
• Device authentication
• Secure data flow
Secure data and manage access
• Classify information and ownership
• Protect sensitive data and information
• Comply with relevant and applicable laws and regulations
EXAMPLE ICS SECURITY SOLUTION
NSA veterans from Dragos established a first-of-its-kind mission for the US government to identify, analyze, and respond to nation-states launching cyber-attacks against ICS environments.
Deloitte powered by Dragos platform
• Technology platform to collect, index, manage, and visualize data while utilizing analytics and automation to ensure security analysts stay ahead of adversaries.
• Operates as a single pane of glass for ICS security teams.
Threat operations center
• Proactive hunting engagements and incident response services surrounding industrial environments by leading ICS security specialists.
• Data collected and threats discovered lead to increased features and automation in the Deloitte by Dragos platform and information for the global ICS intelligence platform.
Global ICS threat intelligence
• Strategic, operational, and tactical level reports, feeds, and analytics.
• Largest collection of ICS cyber threat intelligence in the industry provided to customers as a subscription.
ICS Risk Creation Factors
• Loosely controlled access
• Third-party access
• Software security updates
• Danger of destabilized infrastructure
• Long life cycle (10+ years) of equipment
• Lack of ICS/OT devices inventory
AN APPROACH TO CONSIDER FOR RESPONDING TO ICS RISKS
Cyber Risk Management
Resilient
Response and remediation of incidents to reduce business impact
Provide a closed-loop feedback lifecycle for incidents
Define deployment teams and incident response strategy
Analyze the organization’s Incident Response, CERT, and Field Objectives
Operate, execute, and support operations with field response and trained teams
Vigilant
Proactive method to understand, predict, and defend against threats.
Defend against threats in an agile and business-centric manner
Implement measures to predict, sense, and anticipate threats
Develop a threat/risk assessment considering the connected product ecosystem
Detect threats that can result in disruption of services.
Validate capability through Red Teaming
Secure
Measure, control, and process considering current / emerging risks
Define, plan, and execute Cyber strategy
Assess and map threat profile and landscape
Define requirements, safety, reliability, and consistency
Develop, design, and map operational capability to threat profile and cyber goals
Optimize
Define Capability
Define the Strategy
Operate
Strategic Planning
Management
Threat Defense
BE SECURE. VIGILANT. RESILIENT.
Top 10 steps to consider
01 Set the tone: Engage leadership in managing cyber risks
02 Assess risk broadly: Include enterprise, ICS, and connected products
03 Socialize the risk profile: Share the results with leadership and the board
04 Build in security: Harmonize investments with the cyber risk program
05 Remember data is an asset: Connect business value with data and strategies to protect it
06 Assess third-party risk: Inventory mission-critical ecosystem relationships and evaluate related risks
07 Be vigilant with monitoring: Determine whether and how quickly a breach in key areas of the company could be detected
08 Always be prepared: Focus on incident and breach preparedness using wargaming simulations
09 Clarify organizational responsibilities: Identify clear ownership with a leader to bring it together
10 Drive increased awareness: Get employees on board and ensure they know their role in protecting the organization
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
THANK YOU
Sean Peasley
Consumer & Industrial Products Leader
Cyber Risk Services
Deloitte & Touche LLP
[email protected]