cyber security in manufacturing


Upload: centracomm

Post on 11-Apr-2017


TRANSCRIPT

Internet of Things & Cybersecurity In Manufacturing

Northwest State Community College

Manufacturing Consortium

Thursday, April 28, 2016

1

Lynn R. Child

Education
• AA – Tiffin University
• BA – Ohio Northern University
• MA – Bowling Green State University
• MA – George Washington University

Experience
• Principal Founder, President & Chairman – CentraComm
• CEO – Aardvark Inc.

2

Loren W. Wagner

Education
• AA, BA, BS, MBA – University of Findlay
• DIA – University of Fairfax (In Progress)

Certifications
• Security Professional Certificate – National Defense University & University of Fairfax
• Certified Information Security Professional
• Certified Six Sigma Blackbelt

Experience
• Developed and taught first Information Security class in 1999
• Co-designed Information Assurance Major at the University of Findlay
• Network & Security Architect – Fortune 1000 Global Manufacturer

3

Agenda

• History
• Today’s Environment
• Hacker’s Exploits
• Security Overview In Manufacturing
• Challenges and Changing Expectations
• The Threat Landscape
• Cyber Hygiene: 8 Tips To Follow
• Invitation to the 15th Annual IA Forum

4

History

5

Evolution of Society’s Use of Technology

6

7

Today’s Environment

8

Technology is making our homes safer

9

Technology is making work smarter

10

Technology is changing society

11

Technology is connecting the world

12

Connectivity will overhaul businesses

13

GE CEO Jeff Immelt on Industrial Internet

• In a best-case scenario, “predictive” analytics translates into better products, better sales, happier customers, better service agreements, and better company profits.

• General Electric is rolling out a suite of Industrial Internet tools for locomotive haulers to improve efficiency. By GE’s calculation, even a 1% gain could translate into $2.8 billion in savings annually.

14

Connectivity will overhaul businesses

15

Connectivity will integrate business units & businesses

Connected Society: Over 75 Billion Connected Devices by 2020!

List of countries by IoT devices online per 100 inhabitants, as published by the OECD* in 2015 (the slide also showed a relative-size bar for each row):

Rank  Country         Devices online per 100 inhabitants
 1    South Korea     37.9
 2    Denmark         32.7
 3    Switzerland     29.0
 4    United States   24.9
 5    Netherlands     24.7
 6    Germany         22.4
 7    Sweden          21.9
 8    Spain           19.9
 9    France          17.6
10    Portugal        16.2
11    Belgium         15.6
12    United Kingdom  13.0
13    Canada          11.6
14    Italy           10.2
15    Brazil           9.2
16    Japan            8.2
17    Australia        7.9
18    Mexico           6.8
19    Poland           6.3
20    China            6.2
21    Colombia         6.1
22    Russia           4.9
23    Turkey           2.3
24    India            0.6

*Organisation for Economic Co-operation and Development

16

Hacker’s Exploits

17

1963 MIT coins the term “Hackers” for people who were tying up the phone lines.

1983 The movie War Games is released and depicts a young hacker nearly starting WWIII by accessing a military supercomputer.

18

1995 The web takes off and famous hacker Kevin Mitnick steals 20,000 credit card numbers, leading to a fear of e-commerce. He is later caught by the FBI utilizing a “White Hacker”.

2006 Julian Assange becomes the new face of hacking.

19

2011 The CIA, PBS, Gmail and the U.S. Senate are all hacked. Anonymous rises up as an underground hacktivist community. The year was coined “The Year of the Hack.”

20

21

2013 And then there was Edward Snowden…the computer analyst whistleblower who provided the Guardian with top-secret NSA documents leading to revelations about US surveillance on phone and internet communications.

2014 A record 1 billion records are compromised; it becomes the new “Year of the Breach.” Sony Pictures Entertainment is hacked.

22

2015 Insurer Anthem – 80 Million Customer Records Exposed

23

2016 The Identity Theft Resource Center (ITRC) indicates that a total of 155 data breaches have been recorded through March 15. More than 4.3 million records have been exposed since the beginning of the year.

24

Security Overview In Manufacturing

25

Cybersecurity for Advanced Manufacturing
National Defense Industrial Association’s Manufacturing Division and Cyber Division

• A broad cross section of contributors:
  • National Institute of Standards & Technology
  • Cisco
  • Lockheed Martin
  • Rockwell Automation
  • Virginia Tech
  • Boeing
  • International Society of Automation
  • Department of Defense
  • The Langner Group
  • ExxonMobil

26

Cybersecurity for Advanced Manufacturing

• Key findings:
  • The threat is real and manufacturing companies are targets
  • Factory floor systems are a weak link in safeguarding technical information
  • Small Business manufacturers are not well equipped to manage the risks

27

The Threat is Real and Manufacturing Companies are Targets

• Motivations may be:
  • Espionage
  • Financial gain
  • Disruption

• In an effort to compromise data (the CIA Triad):
  • Confidentiality
  • Integrity
  • Availability

28

The Threat is Real…

• Confidentiality: Theft of technical data, including critical national security information and valuable commercial intellectual property.

• Integrity: Alteration of data, thereby altering processes and products.

• Availability: Impairment or denial of process control, thereby damaging or shutting down operations.

29

30

What’s Changed - Past

• ICS are long-lived investments
• 15+ year life cycle
• Discrete operating systems and network protocols
• Air gap
• Autonomous & proprietary
• Little tolerance for down time
• Real-time operation
• Critical safety implications
• System availability takes precedence over confidentiality
• Speed, functionality, reliability and safety
• Weak privilege management/access controls

31

IT-OT Architectural Considerations

32

IT-OT Architectural Considerations

33

Danger!

What’s Changed - Present

• Competitive pressures driving the integration and analysis of “big data”
• Converging information systems, engineering information systems and manufacturing systems across the supply chain
• Organizations need to respond quickly to market changes
• Executives need timely and accurate information
• Production control systems – ICS – must feed this information to the decision makers as soon as possible
• A distinct trend toward integration of IT and OT systems

34

IT-OT Architectural Considerations

35

IT-OT Architectural Considerations

36

What Has Changed - Future

• Integration of IT and OT
• Additional complexity
  • Internet of Things
  • Industrial Internet of Things
• Greater emphasis on ICS security practices
• Support for NIST Framework
  • Cyber Security Framework for Critical Infrastructure Protection
  • Developing into a de facto standard?

37

IT-OT Architectural Considerations

38

IT-OT Architectural Considerations

39

Smart Manufacturing IoT Stack

40

Security Layer

Security Layer

Challenges & Changing Expectations

41

Top Technology Challenges

• Top 5 Concerns*
  • Emerging technologies & infrastructure changes
  • Transformation, innovation, disruption
  • IT security & privacy/cyber security
  • Resource/staffing/skills challenges
  • Infrastructure management
  • Cloud computing/virtualization

*ISACA & Protiviti 5th Annual IT Audit Benchmarking Survey with 1230 global participants

42

Regulatory Environment

• Securities and Exchange Commission
  • Risk Alert issued by the Office of Compliance Inspections and Examinations, September 2015. The alert was a result of investigations of financial institutions but lays out what the expectations would be when investigating a data breach.

• Federal Trade Commission
  • “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information” – FTC Chairwoman Edith Ramirez

43

Advisors & Consultants

• National Association of Corporate Directors
  • Cited benefits of a common cyber risk management language, so that more efficient and precise discussions can be held up, down, and across a company’s management structure, with auditors, and with supply chain partners.

• PricewaterhouseCoopers (PwC)
  • Corporate officers and boards may have a fiduciary obligation to comply with the guidelines (NIST CSF) and demonstrate due care

44

Legal Environment

• A U.S. appeals court
  • Said the Federal Trade Commission has authority to regulate corporate cyber security, and may pursue a lawsuit accusing hotel operator Wyndham Worldwide Corp of failing to properly safeguard consumers’ information.

• Bloomberg BNA
  • Cybersecurity today is not merely the responsibility of a company’s IT group. As with any critical function within an organization, governance over and management of cybersecurity is an essential “best practice.” Good governance not only helps companies make appropriate strategic cybersecurity decisions, but studies have shown it reduces the cost of a cyberattack.

45

Insurance

• Rationalizing Risk
  • Insurance companies and other industry leaders are pushing hard to make the NIST CSF more pervasive. Companies like AIG, Apple, and Visa are already onboard.

• The NIST CSF opens the door for the insurance industry to capture, measure, and share risk metrics, which could go a long way toward policy underwriting and consistent premiums.

NIST CSF = National Institute of Standards & Technology Cyber Security Framework

46

Business Partners Expectations

• “The breach at Target Corp. that exposed credit card and PII data on more than 70MM consumers began with a malware-laced phishing attack sent to a third party vendor” – KrebsOnSecurity

• “PCI 3.0, HIPAA Omnibus, OCC, CFPB, FFIEC and the Federal Reserve have changed the way organizations in many industries need to think about IT & data supply chain risk management”

• “If not managed effectively, the use of service providers may expose financial institutions to regulatory action, financial loss, litigation, and loss of reputation.” – Federal Reserve

47

The Threat Landscape

48

Security Vulnerabilities

Recent studies show:

• As many as 85% of targeted attacks are preventable

• 83.6% of vulnerabilities in ‘All’ products, and 84.6% of vulnerabilities in products in the Top 50 portfolio, have a patch available on the day of disclosure

• In 2014, 76.9% of the vulnerabilities affecting the Top 50 applications affected non-Microsoft applications, such as:
  • Third-party programs, including Oracle Corp.’s Java and Adobe Systems Inc.’s Flash and Reader applications

49

Be Aware of the Most Prevalent Tactics to “Hack” Information

Spearphishing: An e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. It is conducted by perpetrators out for financial gain, trade secrets or military information, and is an example of social engineering.

50

Spearphishing Example: Business Email Compromise Scam (BEC) or CEO Scam

• The FBI states that there were over 17,000 reports from victims all over the world from October of 2013 to February of this year, accounting for over $2.3 billion in losses for affected companies.

51

Example of Business Email Compromise (CEO Scam)

52

53

Be Aware of Other Prevalent Forms of Hacks

Malware

• Malicious software that interferes with normal computer functions, sends personal data about the user to unauthorized parties over the Internet, or gains access to private computer systems. Includes viruses, worms, Trojan horses, etc.

54

Some Common and Prevalent Malware Includes:

• Spyware – secretly gathers information about a person or organization. Can take partial or full control of the computer without the user’s knowledge.

• Adware – automatically renders advertisements in order to generate revenue for its author. Pop-ups are an example.

• Ransomware – restricts access to your computer system and demands a ransom be paid to the creator of the malware in order for the restriction to be removed. Forms include: encrypted files, locked system/display message to pay…

55

RansomWare: Example of Cryptolocker Locked Screen

Ransomware Proliferation

57


58

Malware/Spyware/RansomWare What To Do

• Do Not Click upon any Links within an SMS Message or Email Message

• Do Not Download any Software from an Email Link

• Do Not Click upon any Links or Forwards within Social Media

• Go to the Authorized Marketplace for 3rd-party Applications and Downloads

• Pay Particular Attention to Popular Game Applications – Hotbed for Hackers

• Do Research with Trusted Names, i.e., Gartner, Information Week, TechTarget, etc.

Cyber Hygiene: 8 Tips to Follow

60

Tip #1: Think Before You Click

• As stated previously, beware of links and downloads within:
  • Email
  • Web
  • Text Message
  • Social Media
  • Other

61

Tip #2: Go to Authorized Marketplace for Downloads

62

• Marketplaces include:
  • Apple
  • Droid
  • Google
  • AWS
  • Azure
  • Other

Tip #3: Update/Patch Software Upon All Devices

• Device updates/patches are new instructions your computer can use to communicate with devices that are attached, like printers, sound systems, or cameras. Often device patches are written to fix known problems, add new functionality, increase the performance of the attached device, or fix security holes.

• Examples: Adobe Reader, JavaScript, Microsoft Operating System, Anti-Virus, etc.

Tip #4: Practice Password Management

• Password manager software is used by individuals to organize and encrypt many personal passwords. This is also referred to as a password wallet.

• Rule of thumb: Use “Strong Passwords”
  • Upper case letters
  • Lower case letters
  • Number
  • Symbol

• Longer Passwords are Safer

• Change Regularly

Examples
• Get2NoUWell#
• TriKnot2Cry@Work
• Ate4hotDogs!
• Tks4$2Eat

Tip #5: Change Default Passwords

65

Systems and software come with generic default passwords that allow companies to enter a system or software for the first time, with the requirement that these passwords be changed upon receipt. Often, companies do not actually take the time to do this. This is a major concern, as hackers know these default passwords and can easily exploit these systems and/or software.

Tip #6: Create Dedicated Email Accounts

• Establish “Specialized Accounts” that You Use For:
  • Online purchases
  • Responding to inquiries
  • Taking surveys
  • Personal use
  • Business use
  • Other

Tip #7: Consider End-User Security Training

67

• In-House Training

• Consulting

• Online Training

• Hybrid Training

Tip #8: Don’t Surf With Administrator Accounts

• Use a normal user account to log onto your computer

• Administrator rights allow privileged access, which allows malware to install programs or make unauthorized changes to your computer

68

8 Security Tips for Manufacturing & You

• Go to Authorized Marketplace for Downloads
• Update/Patch Software Upon your Devices
• Practice Password Management
• Change Default Passwords
• Create Separate Email Accounts

69

Security Tips for Your Associates & You

• Consider End-User Security Training
• Don’t Surf With Administrator Accounts
• Think Before You Click
• If It Feels Wrong, It Probably Is!

70

A Challenge to Your Manufacturing Associates & You

Prepare your Manufacturing Associates for the Reality of a Connected Society:
- Read and Research Continuously
- Utilize Case Studies
- Utilize Table Top Exercises
- Seek Out Industry Speakers
- Attend Relevant Events and Webinars
- Be Willing to Watch, Learn, & Listen from Each Other!

71

Thank you! And, we hope to see you at…

72

2016 Information Assurance Forum Topics

• 2016 TIC Business Survey Results
• End-User Security Training
• Social Engineering Pitfalls
• Social Media Do’s & Don’ts
• System Settings: Going Back to Basics
• Cloud Security/Mobile BYOD – Microsoft: Office 365, Azure, & Security
• Student Company & Internship Interaction
• Interactive Q & A Throughout the Day

73

Registration Opens August 1 www.IAForum.net

$35 Chamber Members | $45 Non-Chamber Members | $10 Students

Breakfast and Lunch Provided Wednesday October 26th 8:45 am – 5:00 pm

Winebrenner Auditorium, Winebrenner Seminary The University of Findlay Campus

950 North Main Street, Findlay, OH 45840

74

Presentation References & Other Resources

Connected Society/Internet of Things: https://en.wikipedia.org/wiki/Internet_of_Things

The Horizon Report-2015 Higher Education (Emerging Technologies): http://www.ictliteracy.info/rf.pdf/Horizon-report-2015.pdf

Over 75 Billion Devices Connected by 2020: http://www.businessinsider.com/75-billion-devices-will-be-connected-to-the-internet-by-2020-2013-10

World’s Biggest Data Breaches: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Jeep Car Gets Hacked: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway

Spearfishing: http://searchsecurity.techtarget.com/definition/spear-phishing

75

Malware: http://whatis.techtarget.com/glossary/Malware

GrrCon Security Summit & Hacker Conference: http://grrcon.com

IAForum.net: http://IAForum.net

Why the Internet of Things is Big Business: http://harvardmagazine.com/2015/07/why-the-internet-of-things-is-big-business

NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/

Online Trust Alliance: https://otalliance.org/initiatives/internet-things

End-User Security Training: http://www.KnowBe4.com

Societal Impact of a Connected Life Over the Next 5 Years: http://www.gsma.com/connectedliving/wp-content/uploads/2013/02/GSMA-Connected-Life-PwC_Feb-2013.pdf

Behind GE’s Vision For The Industrial Internet Of Things: http://www.fastcompany.com/3031272/can-jeff-immelt-really-make-the-world-1-better

76

Presentation References & Other Resources

Top IT Trends in 2015: http://www.entrepreneur.com.ph/technology/top-it-trends-for-businesses-in-2015-and-how-to-prepare-for-those?ref=tag

IoT in Manufacturing: http://4dm7pi3anfms2bn7sk7u16h1.wpengine.netdna-cdn.com/wp-content/uploads/2015/02/Internet-Of-Things-Manufacturing.jpg

RIPE - Robust Industrial Control Systems Planning and Evaluation: http://www.langner.com/en/wp-content/uploads/2014/10/A-RIPE-Implementation-of-the-NIST-CSF.pdf

CYBERSECURITY FOR ADVANCED MANUFACTURING: http://www.ise.vt.edu/ResearchFacilities/Centers/CenterPages/CPSSMFG/files/cyber_security_AM.pdf

The Internet of Things Will Make Manufacturing Smarter: http://www.industryweek.com/manufacturing-smarter?page=2

77

Presentation References & Other Resources

Cybersecurity and Privacy in 2015: http://www.bna.com/cybersecurity-privacy-2015-m17179934502/

The State of Cyber Insurance: http://www.networkworld.com/article/3005213/security/the-state-of-cyber-insurance.html

Improving Third Party Risk Management with Cyber Threat Intelligence: http://www.isaca.org/chapters11/Western-New-York/Events/Documents/2015-April/CT02-3RD-Party-Cybersecurity-NMenz.pdf

FBI reminds companies to watch out for business email compromise scams: https://www.consumeraffairs.com/news/fbi-reminds-companies-to-watch-out-for-business-email-compromise-scams-040816.html

78

Presentation References & Other Resources

Thank you for the Honor & Privilege of Sharing Information Regarding

“IoT & Manufacturing”

Lynn R. Child, President & Chairman, CentraComm
www.CentraComm.net
Direct: 419-421-1284 | [email protected]

Loren W. Wagner, Information Assurance Professional
Adjunct Senior Lecturer, University of Findlay
Cell: 419-722-2990 | [email protected]

Find this presentation at: http://www.slideshare.net/CentraComm/

79

Risks to Home, Business, & Careers

80

Security hacks could expose our homes

81

Security hacks could disrupt our businesses

82

Security hacks could end your business career

83

Add: Sony CEO fired (apparently not; an article from February 2016 still refers to the same CEO)

84