TRANSCRIPT
©2020 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 1
Before we begin
Administrative matters
— For the optimal webinar experience, please use headphones and close all other applications that could interfere with the webinar.
— Please keep your microphone muted throughout the whole presentation to avoid interruption of the webinar.
— However, questions can be asked throughout this presentation using the chat functionality: domain experts are following up on questions that might pop up in the chat during the presentation.
— At the end of the presentation a short Q&A is foreseen to address a selection of your questions to the speakers and/or experts in the live chat.
— Speakers participating in this webinar comply with the COVID-19 measures, respecting the social distancing rules. The presentation desk is disinfected each time a new speaker is participating.
Cybersecurity with an IT-OT Convergence
June 2nd, 2020
Document Classification: KPMG Confidential
Content
01 Setting the scene
02 How do I secure OT environments?
03 Industry insights
04 Q&A
Quick Operational Technology Overview
Operational Technology
OT = technologies that focus on industrial processes
The evolution of OT
Evolution of Operational Technology
Stand-Alone
In the past there were no requirements to have the IT and the OT environments connected; therefore, they were completely separated (air gap) and independently governed by IT and Engineering.
Loosely Connected
Nowadays, due to efficiency and costs, advanced network connectivity between IT and OT is required. This brings confusion with regards to governance, risk management and control implementation effectiveness between IT and Engineering.
Highly Connected
Tomorrow the intercommunication of all components – from the supplier to the customer – will be reality. Therefore, sustainable governance, risk management and control implementation effectiveness between IT and Engineering MUST be established.
(Diagram: Stand-Alone shows IT and OT as separate blocks; Loosely Connected shows IT and OT linked; Highly Connected shows an Integrated IT/OT block labelled Industry 4.0, connected to Customers, Manufacturing, IoT / IIoT and Suppliers.)
Why do we need to secure OT?
Why is this important?
Discovering vulnerable OT systems is becoming easier and easier thanks to search engines like Shodan Safari, the search engine for any internet-connected service/device, including Internet of Things (IoT) devices, power plants, building cameras, …
The EU Commission is attempting to increase the overall EU cybersecurity level with the Network and Information Systems (NIS) directive. It defines requirements around incident response and technical security measures based on potential risks.
However, OT infrastructure is suffering from a paradox.
Incidents shown on the slide timeline:
— Australia, 2001: sewage spill
— Iran, 2009: centrifuge failure
— North and Latin America, 2012: Telvent espionage
— Germany, 2014: furnace loss of control
— Ukraine, 2015–2016: power outages
— Saudi Arabia, 2017: (un)safety system
The OT paradox
What is the OT paradox?
If we look at the risks of IT and OT, the impact of OT incidents is significantly higher than that of IT incidents.
The OT paradox is that companies are investing a lot of money in securing their IT systems whereas it’s actually their OT systems that are key to their survival.
From a business perspective, OT is carrying the most critical business processes. So focus should be more on OT security than IT.
Simple example:
• IT: mailbox downtime is tolerable
• OT: production process downtime is lethal (24/7/365 uptime required)
Shifting the focus
How do I secure this?
5 Pillars of OT Cyber Security
Outlined below are the five pillars of effective safeguarding against cyber threats for OT and IIoT environments.
— Governance & Strategy: Plan-Do-Check-Act
— Risk Management: Accept-Treat-Transfer
— Security Integration: Security = Safety & Reliability
— Security Implementation: People-Process-Technology
— Security Operations: Detect-Respond-Recover
Risk Management
The Safety Bow-Tie Model & Cyber
(Bow-tie diagram. Likelihood / probability side: threat sources – use of portable media, contractor, hacktivist, nation state – pass through barriers to the central event, a malware infection. Consequence side: barriers stand between the malware infection and loss of view, loss of control and loss of function.)
HSE Swiss Cheese Model
(Diagram: a hazard passes through a series of mitigating barriers – pressure relief system, heat exchangers, MoC, PPE, training, procedures, fire suppression system. Holes in the barriers are labelled human behaviour and poor design; when they line up the outcome is a near miss or an incident with its consequence.)
Understanding the key differences
                   Classic IT Security                    Classic OT Security
Priorities/Focus   Confidentiality, Integrity,            Availability, Integrity,
                   Availability                           Confidentiality
Consequences       • Loss of (sensitive) data             • Loss of human life
                                                          • Loss of functionality of the industrial plant
Impact             • Financial                            • Environmental
                   • Reputational                         • Safety
Control Design & Implementation
KPMG ICS Security Framework
Governance
— SCADA/DCS security framework and assessments
— SCADA/DCS security policies, procedures and guidelines
— Risk management
— SCADA/DCS criticality analysis
Process
— Change management
— Patch and software version management
— Physical security and situational awareness
— Security monitoring
— Asset management
— User management
— Third party/vendor (contractor) management
— (Security) incident management
— Cyber defence
— Vulnerability management
— Threat management
People
— Security awareness
— Education on cyber security in SCADA/DCS
— Commitment, integrity and adherence to client’s SCADA/DCS security standards
Technology
— System hardening and protection
— Anti-virus and malware protection
— System failsafe and resilience
— Logical access controls
— Secure failsafe infrastructure and administration
— Secure remote and third party access
OT Specifics
The Purdue Model
Zone 5: Enterprise – Internet Zone / DMZ: Email, Web, FTP
Zone 4: Site Business Planning & Logistics – Reporting, Scheduling, Inventory, Email, Phones, Printers
Zone 3: Site Manufacturing Operations & Control – Plant Historian, IT Services, Production Systems, Eng Workstations
Zone 2: Area Supervisory Control – Alarm / Alert Systems, HMI, CR Workstations
Zone 1: Basic Control – DCS, PLC, RTU
Zone 0: Process – Pumps, Actuators, Sensors
Safety Zone – Safety Systems
What does this actually look like?
(Reference architecture diagram spanning levels 5, 4, 3, 2, 1, 0 and the Safety Zone (SZ). Components shown: Cloud / Internet; Mobility Worker handheld device; Jump Server, WSUS, Anti-Virus and Plant Historian in the DMZ; Application Server, Local Historian, Engineering Workstation, Safety Engineering Workstation and Operator Workstation; Process Automation System; Safety Instrumented System; the Industrial Process with Process Sensor / Instrument, Control Valve, Safety Sensor / Instrument and Safety Valve.)
NOTE: the firewall can be two physical devices or one physical device that is logically configured to form the DMZ.
Data flow notes on the diagram:
— Control and safety parameters may be connected in line with IEC 61508 and the equivalent industry standard.
— 3rd party networks where the data may be collated in the Plant Historian.
— 3rd party networks where the data is required to be incorporated into the main control system.
— IoT devices collate information from the cloud and the corporate networks for wider analytics.
— Control and safety parameters are kept separate at source from IIoT devices.
— IIoT may collect monitoring data direct from the industrial process or receive information from the Plant Historian.
— If connected into the Operational Technology network as shown, the device will be hardened and have no internet access.
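To make the zone and data-flow rules on this slide checkable, here is an added Python example (not KPMG's code) that maps the slide's assets to Purdue levels and flags flows that bypass the DMZ, give an OT-side IIoT device internet access, or couple the Safety Zone to anything other than level-1 control. The three rules, the level assignments and the "IIoT device" and "Internet" entries are assumptions derived from the slide, not taken from it.

```python
from dataclasses import dataclass

DMZ = 3.5  # firewall-bounded DMZ between site operations (level 3) and business (4)

# Assets named on the Purdue slide, mapped to an assumed level; "SZ" is the Safety Zone.
# "IIoT device" and "Internet" are constructed entries for the slide's IIoT note.
LEVEL = {
    "Web": 5, "Email": 5, "Reporting": 4, "Scheduling": 4, "Inventory": 4,
    "Jump Server": DMZ, "FTP": DMZ, "Plant Historian": 3, "Eng Workstation": 3,
    "HMI": 2, "DCS": 1, "PLC": 1, "RTU": 1, "Sensor": 0, "Actuator": 0,
    "Safety System": "SZ", "IIoT device": 3, "Internet": "INTERNET",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    via: tuple = ()  # intermediaries the traffic traverses, in order

def side(level):
    """Collapse a level into the network side the policy reasons about."""
    if level == "SZ":
        return "safety"
    if level == "INTERNET":
        return "internet"
    if level == DMZ:
        return "dmz"
    return "ot" if level <= 3 else "enterprise"

def check_flow(flow):
    """Return the policy violations for one flow; an empty list is compliant."""
    hops = [flow.src, *flow.via, flow.dst]
    sides = [side(LEVEL[h]) for h in hops]
    issues = []
    # Rule 1 (assumed): enterprise/internet traffic reaches OT only via the DMZ
    for a, b in zip(sides, sides[1:]):
        if {a, b} & {"enterprise", "internet"} and {a, b} & {"ot", "safety"}:
            issues.append(f"direct {a}->{b} hop bypasses the DMZ")
    # Rule 2 (slide note): an IIoT device on the OT network has no internet access
    if "IIoT device" in hops and "internet" in sides:
        issues.append("IIoT device on the OT network reaches the internet")
    # Rule 3 (assumed): the Safety Zone exchanges data only with level-1 control
    for i, s in enumerate(sides):
        if s == "safety":
            for j in (i - 1, i + 1):
                if 0 <= j < len(hops) and LEVEL[hops[j]] != 1:
                    issues.append(f"{hops[i]} talks to {hops[j]}, which is not level 1")
    return issues
```

For instance, `check_flow(Flow("Reporting", "Plant Historian", via=("Jump Server",)))` is compliant, while `check_flow(Flow("Reporting", "PLC"))` reports the missing DMZ hop.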
Industry insights
Five Cyber Security Myths of OT
1 The risks OT systems face are exactly the same as for IT systems.
2 A single or common cyber security strategy is impossible to develop and implement for OT and IT.
3 A single team reporting to one Executive should be responsible for OT, IT and IIoT cyber security.
4 OT cyber security programmes are ‘just another’ IT cyber security programme.
5 OT vendors and suppliers will ensure cyber security needs are met every time.
IT/OT Convergence – Top 10 Challenges
1 Not having a cyber security strategy
2 Lack of ownership / governance to manage cyber risks
3 Lack of Secure-By-Design in products and ecosystems
4 Not having cyber security skills and general cyber awareness for employees and ecosystems
5 Insufficient OT cyber security and privacy resources
6 Lack of security event identification and monitoring
7 Insufficient operational cyber hygiene practices
8 Insufficient asset inventory and systems life cycle management
9 Lack of vulnerability identification and management
10 Lack of effective incident response processes
Q&A
Thank you
One more thing
1 Ways of Working: Does remote work become the new normal and in office / business travel become the exception? (work / life balance)
2 Labor Force: Will displaced jobs come back or will automation accelerate? What about labour shortage? New bottleneck professions?
3 Change in customer behaviour: Is this the tipping point for the dominance of the digital economy over the physical economy? Will consumer behaviour change permanently?
4 Supply Chain and Manufacturing: Will existing supply chains return to normal or be reconfigured? Localisation?
5 Continuity and Resilience: How will BCP be bolstered to ensure resilience in future crises? How to increase responsiveness of an organization / be more agile for future shocks?
6 Purpose, ESG: Will purpose-driven companies take the lead? Will ESG be core to how businesses recover? Can this be done while sustaining desired economic outcomes?
7 Debt burden of states and companies: Will the large debts weaken the recovery out of the crisis? Could it trigger a financial crisis? Will it increase inequality between competitors and trigger distressed M&A?
8 Globalization: Will countries increasingly look inwards for prosperity? Will regional and national borders be strengthened?