1
Implications of Cybersecurity on the Small and Medium-sized Manufacturer: Risk Management and Compliance
Dr. Ron McFarland, Ph.D., PMP, CISSP – Post Doctorate Fellow,
University of Maryland University College
Dean, School of Applied Technologies – College of the Canyons
Center for Security Studies
Funding provided by CAE Cybersecurity Grant Program -
S-004-2017 CAE Cybersecurity (CAE-C) “Investment in
Expansion of CAE-C Education Programs”
Dr. Loyce Best Pailen, Principal Investigator
2
Topics
1. Compliant, but breached
2. Cyber Security and Industrial Control Systems
3. DFARS Requirements
3
Compliant, but breached
4
Hackers focus on beating security controls.
Security and compliance teams focus on adhering to laws and regulations.
The Essence of the problem
5
Compliant with Certifications -- but Breached
• Target
• Verizon
• SecurePay
• Experian
• Sally Beauty
• FedEx
• Staples
• Dairy Queen
• KMart
According to the SANS Institute: “The Payment Card Industry published the
Data Security Standard 11 years ago; however, criminals are still breaching
companies and getting access to cardholder data. The number of security
breaches in the past two years has increased considerably, even among the
companies that assessors deemed compliant.”
6
• Compliance – conforming to a rule, standard, law, regulation or contractual
demand (here, one intended to achieve security); it is measured against the rule,
not against the attacker
• Security – the state of being free from danger or threat; it is measured against
what an attacker can actually do
What is Compliance and Security?
7
• Possible combinations:
1. Neither compliant with any standards or secure
2. Secure in a limited way but not compliant with any standards
3. Compliant with standards but insecure
4. Secure and compliant
• Best option is to achieve security via compliance
– Treat certifications of products and processes, and regulatory
compliance, as assets
Possible Combinations
8
• Established security standards for certain types of
health information
– Regulated by the Department of Health and Human Services
• Procedural and technical measures to protect
information and track the people using that
information
– User identification and authentication
– Automatic logoff and emergency access procedures
– System logging of security events
– Protected Health Information (PHI) should be encrypted at rest and in
transit (an “addressable” specification under the Security Rule: it must be
implemented, or an equivalent alternative documented)
– Integrity controls
Health Insurance Portability and Accountability Act (HIPAA)
10
• Organizations that store, process or transmit credit and debit card data
– Standard maintained by the PCI Security Standards Council, founded by
VISA, MasterCard, Discover, JCB and American Express
• Organizations must track all access to network resources and
cardholder data
– Requires external assessments (a Report on Compliance by a Qualified
Security Assessor, or a Self-Assessment Questionnaire for smaller merchants)
– Quarterly external vulnerability scans by an Approved Scanning Vendor and
annual penetration tests (distinct activities, not synonyms: a scan enumerates
known weaknesses, a penetration test tries to exploit them)
– The result is a compliance validation, informally called becoming “certified”
Payment Card Industry – Data Security Standards (PCI DSS)
11
PCI DSS Requirements (the twelve high-level requirements, in the wording of
earlier PCI DSS versions; v4.0 restates them but keeps the same twelve)
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Payment Card Industry – Data Security Standards (PCI DSS)
12
• Requires financial institutions to protect customer information
against security threats
– Enforced by the FTC (Safeguards Rule) for non-bank financial institutions,
and by the federal banking regulators for banks
• Privacy notice states what is collected, where it is shared and
how it is protected
• Covered data: SSN, financial account numbers, credit card numbers, date of
birth, name, address, phone number, details of financial transactions
Gramm-Leach-Bliley Act (GLBA)
13
• Information security program assigned to an employee
• Risk assessments to identify risks
• Assess safeguards to ensure they function properly and as
intended
• Design and implement safeguards
• Service provider contracts include terms to protect customer
information
• Periodic review of information security policy
Gramm-Leach-Bliley Act (GLBA)
14
• Requirements for financial and accounting practices for
publicly-held companies
– Regulated by the SEC
• Auditor independence
• Corporate governance (oversight) includes IT
• Internal control assessment
• Enhanced financial disclosure
Sarbanes-Oxley Act (SOX)
15
• Financial reports, records, and data are accurately maintained
• Transactions are prepared per GAAP rules and properly
recorded
• Unauthorized acquisition or use of data or assets that could
affect financial statements will be prevented or detected in a
timely manner
• Records retention
Sarbanes-Oxley Act (SOX)
16
• Applies to schools receiving federal funds
• Protects personally identifiable information in student education records,
including:
– Demographic information
– Address and contact information
– Parental demographic information
– Parental address and contact information
– Grade information
– Disciplinary information
Family Educational Rights and Privacy Act (FERPA)
17
Defense Federal Acquisition Regulation Supplement (DFARS)
18
Cyber Security and Industrial Control Systems
19
• The need to improve the security of ICS cannot be overstated.
• Many industrial systems are built using
– legacy devices
– running legacy protocols that have since been adapted to operate over routable
networks.
• Before the expansion of Internet connectivity, web-based
applications, and real-time business information systems, energy
systems were built for reliability, not for confidentiality or authentication.
• Physical security was always a concern, but information security
was not, because
– the control systems were air-gapped, that is, physically separated, with
no common system (electronic or otherwise) crossing the gap.
Importance of Securing Industrial Networks
20
Before – Air Gap Separation
21
• The problem: however justified or well intended the original
design, the air gap (from the previous slide) no longer
exists. Why?
• The need to connect created a path into critical systems, and any path that
exists can be found and exploited.
Need to connect
22
Reality of the Air Gap
23
• Security consultants at Red Tiger Security presented research
in 2010 that clearly indicates the state of security in
industrial networks at the time.
• Penetration tests were performed on approximately 100 North
American electric power generation facilities.
• Results: more than 38,000 security warnings and
vulnerabilities.
Red Tiger Research
24
• Understanding the basic nature of industrial networks, and
examining the many regulations and recommendations put
forth by NERC, NIST, NRC, ISA, ISO/IEC, and other
organizations, is the foundation of industrial network security.
• By evaluating an industrial network, identifying and isolating
its systems into functional groups (segmentation), and
applying a structured methodology of defense in depth and
strong access control, the security of the network as a whole will
be greatly improved.
Foundation to Securing ICS
25
• An industrial network is most typically made up of several
distinct areas, which are simplified as
– a business network or enterprise
– business operations
– a supervisory network
– and process and control networks
General Terms
26
• SCADA - Supervisory Control and Data Acquisition
• ICS - Industrial Control Systems
• DCS - Distributed Control Systems or Process Control Systems
(PCS)
• Each area has its own physical and logical security
considerations, and each has its own policies and concerns.
ICS Terms
27
• Industrial Network
– refers to any network operating some sort of automated
control system that communicates digitally over a network.
• Critical Infrastructure
– refers to critical network infrastructure, including any
network used in the direct operation of any system upon which
one of the “critical infrastructures” depends.
Industrial Network vs. Critical Infrastructure
28
Industrial Control Network
29
• Utilities
– Utilities: water, gas, oil, electricity, and communications
– Financial services (?)
• Nuclear Facilities
– Nuclear facilities represent unique safety and security challenges
– due to the inherent danger in their fueling and operation,
– as well as the national security implications of the raw materials used.
Critical Infrastructure examples
30
• Chemical Facilities
– Chemical manufacture and distribution represent specific
challenges to securing an industrial manufacturing network.
Critical Infrastructure examples - continued
31
• Homeland Security Presidential Directive Seven (HSPD-7)
• The North American Electric Reliability Corporation (NERC) has
created a reliability standard called “Critical Infrastructure Protection”
(NERC CIP) and enforces it throughout the United States and Canada.
– The NERC CIP standards identify security measures for protecting
critical infrastructure with the goal of ensuring the reliability of the bulk
power system.
– Compliance is mandatory for entities registered with NERC as owners,
operators or users of the bulk electric system (small generation facilities
below the registration thresholds are out of scope).
– Fines for noncompliance can be steep.
Standards and Organizations
32
• Nuclear Regulatory Commission (NRC)
– The NRC was formed as an independent agency by Congress in 1974.
– Its goal: to ensure the safe operation of nuclear facilities and to
protect people and the environment.
– This includes regulating the use of nuclear material (by-product,
source, and special nuclear materials) as well as nuclear power.
– The NRC is responsible for ensuring the safe use of radioactive materials for
beneficial civilian (nonmilitary) purposes by licensed nuclear facilities.
– The NRC requires and enforces cyber security at nuclear power facilities
(10 CFR 73.54).
• Ultimately, all other industries rely upon energy to operate, so the security
of the energy infrastructure (and the development of the smart grid) affects
everything else; talking about securing industrial networks without
talking about energy is practically impossible.
Standards and Organizations - continued
33
• Homeland Security Presidential Directive Seven (HSPD-7)
– HSPD-7 distinguishes critical from noncritical systems and assigns
responsibility for each critical infrastructure sector.
– HSPD-7 does not include specific security recommendations,
– relying instead upon other federal guidance, such as NIST publications on
the security of both enterprise and industrial networks and the DHS
Risk-Based Performance Standards used in securing chemical facilities.
– HSPD-7 was superseded in 2013 by Presidential Policy Directive 21 (PPD-21),
which keeps the same sector-based model.
Standards and Organizations - continued
34
• NIST Special Publications (800 Series)
– NIST’s 800 series documents provide best practices and
information of general interest on information security.
– All 800 series documents concern information security and should be
used as references where applicable.
– Of particular relevance to industrial network security:
– SP 800-53 (cited here under its older title “Recommended Security Controls
for Federal Information Systems”; Rev. 5 is titled “Security and Privacy
Controls for Information Systems and Organizations”)
– SP 800-82 (cited here as “Guide to Supervisory Control and Data Acquisition
[SCADA] and Industrial Control Systems Security”; Rev. 3 is titled “Guide to
Operational Technology (OT) Security”)
Standards and Organizations - continued
35
• Other standards that address security recommendations and
best practices:
– Federal Information Security Management Act (FISMA, 2002; updated by the
Federal Information Security Modernization Act of 2014)
– Chemical Facility Anti-Terrorism Standards (CFATS)
– ISA-99 (since renumbered as the ISA/IEC 62443 series)
– ISO/IEC 27002
Standards and Organizations - continued
36
• The separation of assets into functional groups allows specific
services to be tightly locked down and controlled.
• This is one of the easiest methods of reducing the attack surface
that is exposed to attackers.
• Simply by disallowing all unnecessary ports and services, we also
remove exposure to all of the vulnerabilities, known or unknown, in
those services.
• Control communications in both directions through a firewall (a key
area): study your network and write an explicit rule for every zone pair,
with deny-all as the default.
– Not all threats originate from outside. Open outbound traffic policies
can facilitate an insider attack, enable the internal spread of malware,
enable outbound command and control, or allow data
leakage or information theft.
Network Segmentation - isolation
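The slides above describe segmentation as a default-deny policy between functional zones, enforced in both directions. The following is an added example, not part of the original deck, showing that policy as code: it maps addresses to the four zones named on the slides (enterprise, business operations/DMZ, supervisory, control), allows only an explicit list of zone-pair/port combinations, and audits constructed flow records, labelling each denied flow with the segmentation principle it violates (DMZ bypass, or outbound from the control zone). The address ranges, the allowed-flow table and the log format are all assumptions constructed for the example.

```python
"""Zone-based flow audit for an ICS network (added example; all addresses constructed)."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical zone layout following the slide's enterprise / business
# operations (DMZ) / supervisory / control split. Addresses are constructed.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("172.16.0.0/24"),
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}

# Explicit allow list of (src_zone, dst_zone, proto, dport). Everything not
# listed is denied in BOTH directions; the only flows leaving the control
# zone are syslog and NTP to the supervisory zone.
ALLOWED = {
    ("enterprise", "dmz", "tcp", 443),         # users read historian reports
    ("supervisory", "dmz", "tcp", 5432),       # SCADA pushes data to the historian
    ("supervisory", "control", "tcp", 502),    # Modbus/TCP to PLCs
    ("supervisory", "control", "tcp", 44818),  # EtherNet/IP explicit messaging
    ("control", "supervisory", "udp", 514),    # PLC syslog to the SCADA zone
    ("control", "supervisory", "udp", 123),    # NTP
}

LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)")


@dataclass
class Verdict:
    line: str
    src_zone: str
    dst_zone: str
    allowed: bool
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known zones is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(line: str) -> Verdict:
    """Classify one firewall/flow log line against the segmentation policy."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, proto, dport = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return Verdict(line, src_zone, dst_zone, True, "intra-zone traffic")
    if (src_zone, dst_zone, proto, dport) in ALLOWED:
        return Verdict(line, src_zone, dst_zone, True, "explicitly allowed")
    # Denied: explain which segmentation principle the flow violates.
    if dst_zone == "external":
        reason = f"outbound from {src_zone} to external: possible C2, exfiltration or insider channel"
    elif src_zone == "enterprise" and dst_zone in ("supervisory", "control"):
        reason = "enterprise host reaching the control layer directly, bypassing the DMZ"
    else:
        reason = f"no rule permits {proto}/{dport} from {src_zone} to {dst_zone}"
    return Verdict(line, src_zone, dst_zone, False, reason)


def audit(lines):
    return [evaluate(line) for line in lines]


# Constructed flow records in a simplified key=value format (not real logs).
SAMPLE_LOG = [
    "src=192.168.10.5 dst=192.168.50.20 proto=tcp dport=502",   # HMI -> PLC, allowed
    "src=10.20.3.4 dst=192.168.50.20 proto=tcp dport=502",      # enterprise -> PLC, DMZ bypass
    "src=192.168.50.21 dst=203.0.113.9 proto=tcp dport=443",    # PLC -> internet, outbound
    "src=10.20.3.4 dst=172.16.0.10 proto=tcp dport=443",        # enterprise -> DMZ, allowed
    "src=192.168.10.5 dst=192.168.50.20 proto=tcp dport=22",    # SSH to PLC, not in policy
    "src=192.168.50.20 dst=192.168.10.5 proto=udp dport=514",   # PLC syslog, allowed
    "src=192.168.50.20 dst=192.168.50.21 proto=tcp dport=502",  # PLC <-> PLC, intra-zone
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("ALLOW" if v.allowed else "DENY ", v.src_zone, "->", v.dst_zone, "|", v.reason)
```

The same table can be fed to a firewall as its rule set; running it over exported flow logs, as here, is the check that the deployed rules still match the intended zone model.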
37
Network Segmentation - isolation
38
Network Segmentation - isolation
39
Defense in Depth – Provision of additional layers of protection
40
Defense in Depth – Protective Measures
41
• Additional measures related to Access Control:
– Only allow a user to log in to an HMI if the user has successfully
badged into the control room (user credentials combined with
physical access controls)
– Only allow a user to operate a given control from a specific
controller (user credentials limited within a security group)
– Only allow a user to authenticate during that user’s shift (user
credentials combined with personnel management)
Additional Measures
42
• A routable network
– typically means Ethernet and TCP/IP,
– and also includes routable variants of SCADA and ICS protocols that have
been adapted to operate over TCP/IP, such as Modbus/TCP or ICCP over TCP/IP.
• A non-routable network
– refers to the serial, bus, and point-to-point communication
links that use Modbus/RTU, point-to-point ICCP, fieldbus,
and similar protocols.
– They are still networks: they interconnect devices and provide a
communication path between digital devices,
– and in many cases they are designed for remote command and control.
Routable and non-routable
43
Routable and non-routable
44
• An asset is a unique device that is used within an industrial
control system.
• Assets
 computers, network switches, routers, firewalls, printers, alarm
systems, Human–Machine Interfaces (HMIs), Programmable
Logic Controllers (PLCs), Remote Terminal Units (RTUs),
and the various relays, actuators, sensors, and other devices that
make up a typical control loop.
Assets in Industrial Control Systems
45
• A “cyber asset”
– is any device connected via a routable protocol
• A “critical cyber asset”
– is a cyber asset whose operation can impact the bulk energy
system
Assets (as defined by NERC CIP)
46
• In 2000, a disgruntled man in Australia who was rejected for a
government job was accused of using a radio transmitter to
alter electronic data within a sewerage pumping station,
causing the release of over two hundred thousand gallons of
raw sewage into nearby rivers.
Example of Industrial Network Incidents
47
• In 2007, there was the Aurora Project: a controlled experiment
by the Idaho National Laboratory (INL), which successfully
demonstrated that a generator could be destroyed via a cyber
attack. The vulnerability allowed the attackers, in this case
white-hat security researchers at INL, to open and
close breakers on a diesel generator out of sync with the grid, causing an
explosive failure. In September 2007, CNN reported on the
experiment, bringing the security of our power infrastructure into
the popular media.
• The Aurora vulnerability remains a concern today. Although the
North American Electric Reliability Corporation (NERC) first
issued an alert on Aurora in June 2007, a few months before CNN’s
report, it has since provided additional alerts, most recently an
October 2010 alert that provides clear mitigation strategies for
dealing with the vulnerability.
Example of Industrial Network Incidents - continued
48
• In 2008, the agent.btz worm began infecting U.S. military
machines and was reportedly carried into CENTCOM’s
classified network on a USB thumb drive later that year.
Although the CENTCOM breach, reported by CBS’ 60 Minutes
in November 2009, was widely publicized, the specifics are
difficult to ascertain and the damages and intentions remain
highly speculative.
Example of Industrial Network Incidents - continued
49
• Called the new weapon of cyber war
• Began infecting industrial control systems in 2010 (discovered in June 2010;
samples show it had been spreading since at least 2009)
• After Stuxnet, any speculation over the possibility of a targeted
cyber attack against an industrial network was settled by this
extremely complex and sophisticated collection of malware
Example of Industrial Network Incidents - Stuxnet
50
• Stuxnet looks for Siemens SIMATIC WinCC and PCS 7 software, spreads
within the plant network in part by using WinCC’s hard-coded database
account credentials, and infects connected Programmable Logic Controllers
(PLCs) by hooking the Step 7 communication library so that the injected
PLC code is hidden from the engineer (a PLC rootkit). The PLCs it targeted
were those with Profibus communication modules attached to frequency
converters.
• Stuxnet then looks for automation devices using a frequency
converter that controls the speed of a motor. If it sees a
converter operating within a range of roughly 800–1200 Hz
(807–1210 Hz in Symantec’s analysis), it attempts to sabotage the
operation by changing the drive frequency.
Example of Industrial Network Incidents – Stuxnet (continued)
51
• In February 2011, McAfee announced the discovery of a series
of coordinated attacks against oil, energy, and petrochemical
companies. The attacks, attributed primarily to sources in China,
were believed to have begun in 2009 and to have operated
continuously and covertly for the purpose of information
extraction.
• Night Dragon is further evidence that an outside attacker
can (and will) infiltrate critical systems.
• Although the attack did not result in sabotage, as was the case
with Stuxnet, it did involve the theft of sensitive information.
Example of Industrial Network Incidents – Night Dragon
52
• Understanding how industrial networks operate requires a
basic understanding of the underlying communications
protocols that are used, where they are used, and why.
• Designed for efficiency and reliability to support the economic
and operational requirements of large distributed control
systems.
• Similarly, most industrial protocols are designed for real-time
operation to support precision operations.
Industrial Network Controls
53
• For the sake of efficiency, most industrial protocols omit security features
such as authentication and encryption, both of which require
additional overhead.
• To further complicate matters, many of these protocols have
been modified to run over Ethernet and Internet Protocol (IP)
networks in order to meet the evolving needs of business,
exposing these vulnerable protocols to attack from anywhere the
routed network reaches.
Industrial Network Protocols
54
• Industrial Network Protocols are real-time communications
protocols.
• Developed to interconnect the systems, interfaces, and
instruments that make up an industrial control system.
• Most were designed initially to communicate serially over RS-
232, RS-485, or other serial connections but have since evolved
to operate over Ethernet networks using routable protocols
such as TCP/IP.
Industrial Network Protocols
55
• Modicon Communication Bus (Modbus)
• Inter Control Center Protocol (ICCP, also known as
TASE.2 or Telecontrol Application Service Element-2)
• Distributed Network Protocol (DNP3)
• Object Linking and Embedding for Process Control (OPC)
Other Protocols
56
• The oldest and perhaps the most widely deployed industrial
control communications protocol.
• It was published in 1979 by Modicon (now part of Schneider
Electric), the company that invented the first Programmable Logic
Controller (PLC).
• Modbus has been widely adopted as a de facto standard and has
been enhanced over the years into several distinct variants.
MODBUS
57
• Modbus is an application layer messaging protocol, meaning
that it operates at layer 7 of the OSI model.
• It allows for efficient communications based on a request/reply
(client/server, historically master/slave) methodology.
• It can be used by extremely simple devices such as sensors or
motors to communicate with a more complex computer.
MODBUS - Continued
58
MODBUS - Continued
59
• Modbus RTU
• Modbus ASCII
• Modbus TCP
• Modbus Plus
MODBUS - Variants
60
• Lack of authentication.
– A Modbus session requires only a valid Modbus address (unit ID) and a
valid function code.
– The address can be guessed or simply tried exhaustively (it is one byte),
and the function codes are public information.
• Lack of encryption
– Commands and addresses are transmitted in clear text and can
therefore be easily captured, replayed and spoofed.
• Lack of message checksum (Modbus TCP only).
– A spoofed command is even easier over Modbus TCP: the CRC of serial
Modbus is dropped and integrity is left to the TCP checksum at the transport
layer, not the application layer, so anyone who can inject into the TCP
stream can inject well-formed commands.
Security Concerns
61
• Lack of broadcast suppression (serial Modbus variants
only).
– All serially connected devices receive all messages, so a
flood of messages to unknown addresses can be used for effective denial of
service (DoS) against a chain of serially connected devices.
• Programmability. By far the most dangerous quality of
Modbus, shared with many industrial protocols, is
that it is intentionally designed to program controllers, and
so it could be used to inject malicious logic into an RTU or PLC.
Security Concerns - continued
62
Modbus TCP
63
• Modbus, like many industrial control protocols,
– should only be used to communicate between sets of known
devices
– using expected function codes, and as such it is easily monitored
by establishing clear groupings and separation
– and baselining acceptable behavior (which source may send which function
codes to which unit).
Modbus – Security Recommendations
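The security concerns and recommendations on the two preceding slides come down to one monitoring rule: know which source is allowed to send which function codes to which unit, and treat anything else as an event. The following is an added example, not part of the original deck, that parses the Modbus/TCP frame (the 7-byte MBAP header of transaction ID, protocol ID, length and unit ID, followed by the function code) and applies such a baseline. It distinguishes read, write and controller-programming function codes and only permits programming during a declared maintenance window. The device inventory, the sample frames and the choice to treat function code 90 (Schneider’s UMAS code) as “programming” are assumptions of the example; the frame layout itself is the Modbus/TCP specification.

```python
"""Modbus/TCP request parser with a per-source function-code baseline (added example)."""
import struct
from dataclasses import dataclass

# Public Modbus function codes, grouped by what they let a sender do.
READ_FCS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}  # coil and register writes, mask write, read/write registers
# Controller programming rides on vendor-specific codes; 90 (0x5A) is the
# Schneider UMAS code. Treating the set as "programming" is a policy choice here.
PROGRAM_FCS = {90}

# Hypothetical inventory: which source may send which function codes to which
# unit ID. Addresses are constructed for the example.
POLICY = {
    "192.168.10.5": {1: READ_FCS | WRITE_FCS},    # HMI: may read and write process values
    "172.16.0.10": {1: READ_FCS},                  # historian: read-only
    "192.168.10.40": {1: READ_FCS | PROGRAM_FCS},  # engineering workstation
}

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse an MBAP header + PDU. There is no application-layer checksum to
    verify; the only structural check available is the length field."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto_id, length, unit_id = MBAP.unpack_from(frame)
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id}, expected 0 for Modbus")
    # 'length' counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, unit_id, frame[7], frame[8:])


def build_request(tid: int, unit_id: int, fc: int, data: bytes = b"") -> bytes:
    """Build a Modbus/TCP request frame (used here to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit_id) + pdu


def check(src_ip: str, frame: bytes, maintenance_window: bool = False):
    """Return (allowed, reason) for a request observed from src_ip."""
    req = parse_modbus_tcp(frame)
    units = POLICY.get(src_ip)
    if units is None:
        return False, f"unknown source {src_ip} speaking Modbus"
    allowed = units.get(req.unit_id)
    if allowed is None:
        return False, f"{src_ip} is not permitted to address unit {req.unit_id}"
    if req.function_code in PROGRAM_FCS:
        if req.function_code in allowed and maintenance_window:
            return True, "controller programming permitted during maintenance window"
        return False, f"programming function code {req.function_code} from {src_ip} outside a maintenance window"
    if req.function_code not in allowed:
        kind = "write" if req.function_code in WRITE_FCS else "function code"
        return False, f"{kind} {req.function_code} not in baseline for {src_ip} -> unit {req.unit_id}"
    return True, "within baseline"


# Constructed sample requests (not captured traffic).
HMI_READ = build_request(1, 1, 3, struct.pack(">HH", 0, 10))                     # read 10 holding registers
HMI_WRITE = build_request(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x2a")  # write 42 to register 0
HIST_WRITE = build_request(3, 1, 6, struct.pack(">HH", 0, 1))                    # historian attempts a write
ENG_PROGRAM = build_request(4, 1, 90, b"\x00\x01")                               # UMAS-style request
BAD_LENGTH = HMI_READ[:5] + b"\x01" + HMI_READ[6:]                               # length field tampered

if __name__ == "__main__":
    for src, frame in [("192.168.10.5", HMI_READ), ("192.168.10.5", HMI_WRITE),
                       ("172.16.0.10", HIST_WRITE), ("10.20.3.4", HMI_READ),
                       ("192.168.10.40", ENG_PROGRAM)]:
        print(src, check(src, frame))
```

Because Modbus carries no authentication, the source address is the only identity available to this check, which is exactly why it must run behind the segmentation described earlier: a spoofed address from inside the supervisory zone would pass.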
64
• EtherNet/IP runs the Common Industrial Protocol (CIP) suite over standard
Ethernet and TCP/IP: explicit messaging uses TCP (and UDP) port 44818, and
implicit I/O uses UDP port 2222.
• Communication is typically
– client/server (explicit messaging),
– although an “implicit” mode is supported to handle real-time
requirements.
• Implicit mode uses connectionless transport, specifically the
User Datagram Protocol (UDP) and multicast transmissions, to
minimize latency and jitter.
Ethernet Industrial Protocol – Ethernet/IP
65
• The CIP uses object models to define the various qualities of a
device.
• There are three types of objects:
– Required Objects, which define attributes such as device
identifiers, routing identifiers, and other attributes of a device
such as the manufacturer, serial number, date of manufacture,
etc.;
– Application Objects, which define input and output profiles for
devices;
– Vendor-specific Objects, which enable vendors to add
proprietary objects to a device.
• Objects (other than vendor-specific objects) are standardized by device type
and function, to facilitate interoperability.
Common Industrial Protocol (CIP)
66
• EtherNet/IP is
– a real-time Ethernet protocol, so
– it is susceptible to any of the vulnerabilities of Ethernet and IP.
• EtherNet/IP over UDP is connectionless, so there is no
inherent transport-layer mechanism for reliability, ordering, or
data integrity beyond the UDP checksum.
• The CIP also introduces some specific security concerns, due to
its well-defined object model.
Security Concerns
67
• The CIP does not define any explicit or implicit mechanisms for
security (the later, optional CIP Security extension adds TLS/DTLS, but both
ends must support it).
• The use of common “Required Objects” for device identification
makes device identification and enumeration easy (a single ListIdentity
request returns vendor, product, revision and serial number), facilitating an
attack.
• The use of common “Application Objects” for device information
exchange and control can enable broader industrial attacks, able to
manipulate a broad range of industrial devices with the same code.
• EtherNet/IP’s use of UDP and multicast traffic, both of which lack
transmission control, for real-time transmissions facilitates the
injection of spoofed traffic or (in the case of multicast traffic) the
manipulation of the transmission path using injected IGMP
messages.
Ethernet/IP Security Concerns
68
• Because Ethernet/IP is a real-time Ethernet protocol using
UDP and IGMP, it is necessary to provide Ethernet and IP-
based security at the perimeter of any Ethernet/IP network.
• It is also recommended that passive network monitoring be
used to ensure the integrity of the Ethernet/IP network,
ensuring that the Ethernet/IP protocol is only being used by
explicitly identified devices and that no Ethernet/IP traffic is
originating from an unauthorized, outside source. This can be
accomplished using a SCADA-IDS/IPS or other network
monitoring device capable of detecting and interpreting the
Ethernet/IP protocol.
Security Recommendations
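The recommendation above is passive monitoring that confirms EtherNet/IP is spoken only by explicitly identified devices and never from an unauthorized source. The following is an added example, not part of the original deck, of the checks such a monitor applies: it parses the 24-byte encapsulation header (command, length, session handle, status, sender context, options), flags the identity/service enumeration commands the CIP object model makes so useful to an attacker when they come from a host that is not an engineering station or are aimed at a broadcast address, and flags implicit I/O on UDP 2222 from anything that is not a known producer. The device inventory, the sample packets and the broadcast heuristic are assumptions constructed for the example; the header layout, command codes and port numbers are from the EtherNet/IP specification.

```python
"""EtherNet/IP encapsulation parser and passive enumeration detector (added example)."""
import struct
from collections import Counter
from dataclasses import dataclass

# Encapsulation header (24 bytes, little-endian): command, length, session
# handle, status, 8-byte sender context, options.
ENIP_HEADER = struct.Struct("<HHII8sI")
ENIP_TCP_PORT = 44818  # explicit messaging
IO_UDP_PORT = 2222     # implicit (real-time) I/O

COMMANDS = {
    0x0000: "NOP", 0x0004: "ListServices", 0x0063: "ListIdentity",
    0x0064: "ListInterfaces", 0x0065: "RegisterSession",
    0x0066: "UnRegisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData",
}
# Commands whose only purpose is to discover devices and what they are.
ENUMERATION_COMMANDS = {0x0004, 0x0063, 0x0064}

# Hypothetical device inventory (constructed addresses).
KNOWN_ENIP_HOSTS = {"192.168.10.5", "192.168.10.40", "192.168.50.20", "192.168.50.21"}
ENGINEERING_HOSTS = {"192.168.10.40"}              # the only hosts expected to enumerate
IO_PRODUCERS = {"192.168.50.20", "192.168.50.21"}  # expected sources of implicit I/O


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class EnipHeader:
    command: int
    session: int
    status: int
    data: bytes


def parse_enip(payload: bytes) -> EnipHeader:
    if len(payload) < ENIP_HEADER.size:
        raise ValueError("shorter than the 24-byte encapsulation header")
    command, length, session, status, _context, _options = ENIP_HEADER.unpack_from(payload)
    if len(payload) != ENIP_HEADER.size + length:
        raise ValueError(f"length field {length} disagrees with payload size {len(payload)}")
    if command not in COMMANDS:
        raise ValueError(f"unknown encapsulation command 0x{command:04x}")
    return EnipHeader(command, session, status, payload[ENIP_HEADER.size:])


def build_enip(command: int, data: bytes = b"", session: int = 0) -> bytes:
    """Construct an encapsulation packet (used to build the sample traffic)."""
    return ENIP_HEADER.pack(command, len(data), session, 0, b"\x00" * 8, 0) + data


def is_broadcast(dst: str) -> bool:
    # Example heuristic for /24 zones plus the limited broadcast address.
    return dst == "255.255.255.255" or dst.endswith(".255")


def analyze(packets):
    """Passive checks a SCADA IDS would apply: inventory, enumeration, spoofed I/O."""
    alerts = []
    enum_per_source = Counter()
    for pkt in packets:
        if pkt.src not in KNOWN_ENIP_HOSTS:
            alerts.append((pkt.src, "EtherNet/IP traffic from a host outside the device inventory"))
        if pkt.dport == IO_UDP_PORT:
            if pkt.src not in IO_PRODUCERS:
                alerts.append((pkt.src, "implicit I/O on UDP 2222 from a non-producer: possible spoofed I/O"))
            continue  # implicit I/O carries no encapsulation header to parse
        try:
            hdr = parse_enip(pkt.payload)
        except ValueError as exc:
            alerts.append((pkt.src, f"malformed encapsulation header: {exc}"))
            continue
        if hdr.command in ENUMERATION_COMMANDS:
            enum_per_source[pkt.src] += 1
            name = COMMANDS[hdr.command]
            if pkt.src not in ENGINEERING_HOSTS:
                alerts.append((pkt.src, f"{name} from a non-engineering host: device enumeration"))
            if is_broadcast(pkt.dst):
                alerts.append((pkt.src, f"{name} to broadcast {pkt.dst}: network-wide identity sweep"))
    return alerts, enum_per_source


# Constructed sample traffic (not a capture).
REGISTER = build_enip(0x0065, struct.pack("<HH", 1, 0))  # protocol version 1, options 0
LIST_IDENTITY = build_enip(0x0063)
SAMPLE_TRAFFIC = [
    Packet("192.168.10.5", "192.168.50.20", ENIP_TCP_PORT, REGISTER),            # HMI opens a session
    Packet("192.168.10.40", "192.168.50.20", ENIP_TCP_PORT, LIST_IDENTITY),      # engineering station, expected
    Packet("10.20.3.4", "192.168.50.255", ENIP_TCP_PORT, LIST_IDENTITY),         # unknown host sweeping the PLC subnet
    Packet("192.168.10.5", "192.168.50.21", ENIP_TCP_PORT, LIST_IDENTITY),       # HMI has no reason to enumerate
    Packet("10.20.3.4", "192.168.10.5", IO_UDP_PORT, b"\x00" * 20),              # implicit I/O from an outsider
    Packet("192.168.50.20", "192.168.10.5", IO_UDP_PORT, b"\x00" * 20),          # legitimate I/O producer
    Packet("192.168.10.5", "192.168.50.20", ENIP_TCP_PORT, b"\x6f\x00\x10\x00"),  # truncated header
]

if __name__ == "__main__":
    for src, msg in analyze(SAMPLE_TRAFFIC)[0]:
        print(f"{src:15} {msg}")
```

The per-source enumeration counter is the piece to turn into a threshold in practice: one ListIdentity from an engineering station is normal, dozens in a minute from any host is a scan.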
69
• Monitor your network, including ICS traffic
• Create a baseline of normal traffic
• Security awareness program
• Network isolation (segmentation)
• Firmware updates (very challenging on production systems)
• IDS/IPS
• Test on a test network (pentesting), never on the production network
Final Recommendations
70
• Design for fail-safe behavior
• Apply forensics if needed
• Implement security best practices
• Connect with others who are experts in the field
Final Recommendations - continued

More Related Content

What's hot

New Security Legislation and its Implications for OSS Management
New Security Legislation and its Implications for OSS ManagementNew Security Legislation and its Implications for OSS Management
New Security Legislation and its Implications for OSS ManagementBlack Duck by Synopsys
 
New Security Legislation & Its Implications for OSS Management
New Security Legislation & Its Implications for OSS Management New Security Legislation & Its Implications for OSS Management
New Security Legislation & Its Implications for OSS Management Jerika Phelps
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgEric Vanderburg
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems PolicyAli Sadhik Shaik
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Maganathin Veeraragaloo
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security PolicyRobot Mode
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security BackgroundNicholas Davis
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.IGN MANTRA
 
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2Kyle Lai
 
Computing safety
Computing safetyComputing safety
Computing safetytitoferrus
 
Importance Of A Security Policy
Importance Of A Security PolicyImportance Of A Security Policy
Importance Of A Security Policycharlesgarrett
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
 
The privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analyticsThe privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analyticsDan Michaluk
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governancenooralmousa
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101Jerod Brennen
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesJack Nichelson
 

What's hot (20)

Asset Security
Asset Security Asset Security
Asset Security
 
The general data protection act overview
The general data protection act overviewThe general data protection act overview
The general data protection act overview
 
New Security Legislation and its Implications for OSS Management
New Security Legislation and its Implications for OSS ManagementNew Security Legislation and its Implications for OSS Management
New Security Legislation and its Implications for OSS Management
 
New Security Legislation & Its Implications for OSS Management
New Security Legislation & Its Implications for OSS Management New Security Legislation & Its Implications for OSS Management
New Security Legislation & Its Implications for OSS Management
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
 
2 Day MOSTI Workshop
2 Day MOSTI Workshop2 Day MOSTI Workshop
2 Day MOSTI Workshop
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems Policy
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security Policy
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
 
Implications of Cybersecurity on Small and Medium Manufacturers

1
Implications of Cybersecurity on the Small and Medium-sized manufacturer: Risk Management and Compliance
Dr. Ron McFarland, Ph.D., PMP, CISSP – Post Doctorate Fellow, University of Maryland University College
Dean, School of Applied Technologies – College of the Canyons
Center for Security Studies
Funding provided by CAE Cybersecurity Grant Program - S-004-2017 CAE Cybersecurity (CAE-C) “Investment in Expansion of CAE-C Education Programs”
Dr. Loyce Best Pailen, Principal Investigator

2
Topics
1. Compliant, but breached
2. Cyber Security and Industrial Control Systems
3. DFARS Requirements

4
The Essence of the problem
Hackers focus on beating security controls
Security and compliance teams focus on adhering to laws and regulations

5
Compliant with Certifications -- but Breached
• Target
• Verizon
• SecurePay
• Experian
• Sally Beauty
• FedEx
• Staples
• Dairy Queen
• KMart
According to the SANS Institute: “The Payment Card Industry published the Data Security Standard 11 years ago; however, criminals are still breaching companies and getting access to cardholder data. The number of security breaches in the past two years has increased considerably, even among the companies which assessors deemed compliant.”

6
What is Compliance and Security?
• Compliance – the act or process of complying to a desire, demand, proposal, regimen or coercion to achieve security
• Security – the state of being free from danger or threat

7
Possible Combinations
• Possible combinations:
1. Neither compliant with any standards nor secure
2. Secure in a limited way but not compliant with any standards
3. Compliant with standards but insecure
4. Secure and compliant
• Best option is to achieve security via compliance
 Treat certifications of products and processes or regulatory compliance as assets

8
Health Insurance Portability and Accountability Act (HIPAA)
• Established security standards for certain types of health information
 regulated by Department of Health and Human Services
• Procedural and technical measures to protect information and track the people using that information
 User identification and authentication
 Include auto logoff and emergency access procedures
 System logging for security events
 Personal Health Information (PHI) must be encrypted
 Integrity controls
10
Payment Card Industry – Data Security Standards (PCI DSS)
• Organizations that issue and process credit and debit cards
 regulated by VISA, MasterCard, Discover, JCB and American Express
• Organizations track all access to network resources and cardholder data
 Requires external assessments be performed
 Vulnerability scans aka penetration testing
 Become “certified”

11
Payment Card Industry – Data Security Standards (PCI DSS)
PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

12
Gramm-Leach-Bliley Act (GLBA)
• Requires financial institutions to protect customer information against security threats
 Regulated by FTC
• Privacy notice includes what they collect, where it is shared and how it is protected
• SSN, financial account numbers, credit card numbers, DOB, name, address, phone number, details of financial transactions

13
Gramm-Leach-Bliley Act (GLBA)
• Information security program assigned to an employee
• Risk assessments to identify risks
• Assess safeguards to ensure they function properly and as intended
• Design and implement safeguards
• Service provider contracts include terms to protect customer information
• Periodic review of information security policy

14
Sarbanes-Oxley Act (SOX)
• Requirements for financial and accounting practices for publicly-held companies
 Regulated by the SEC
• Auditor independence
• Corporate governance (oversight) includes IT
• Internal control assessment
• Enhanced financial disclosure

15
Sarbanes-Oxley Act (SOX)
• Financial reports, records, and data are accurately maintained
• Transactions are prepared per GAAP rules and properly recorded
• Unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected in a timely manner
• Records retention

16
Family Educational Rights and Privacy Act (FERPA)
• Schools receiving federal funds
• Personal information of students; it provides protection over:
 Demographic information
 Address and contact information
 Parental demographic information
 Parental address and contact information
 Grade information
 Disciplinary information

17
Defense Federal Acquisition Regulation Supplement (DFARS)

18
Cyber Security and Industrial Control Systems

19
Importance of Securing Industrial Networks
• The need to improve the security for ICS cannot be overstated.
• Many industrial systems are built using
 legacy devices
 running legacy protocols that have evolved to operate in routable networks.
• Before the expansion of Internet connectivity, web-based applications, and real-time business information systems, energy systems were built for reliability.
• Physical security was always a concern, but information security was not a concern, because
 the control systems were air-gapped—that is, physically separated with no common system (electronic or otherwise) crossing that gap
  • 20. 20 Before – Air Gap Separation
  • 21. 21 • The problem is that regardless of how justified or well intended the action the air gap ( from previous slide), it is no longer exists. Why?? • There is now a path into critical systems, and any path that exists can be found and exploited. Need to connect
  • 22. 22 Reality of the Air Gap
  • 23. 23 • Security consultants at Red Tiger Security presented research in 2010 that clearly indicates the current state of security in industrial networks. • Penetration tests were performed on approximately 100 North American electric power generation facilities. • Results: more than 38,000 security warning and vulnerabilities. Red Tiger Research
  • 24. 24 • Understanding the basic nature of industrial networks, and examining the many regulations and recommendations put forth by NERC, NIST, NRC, ISA, the ISO/IEC, and other organizations is the foundation of industrial network security. • By evaluating an industrial network, identifying and isolating its systems into functional groups ( Segmentation ), and applying a structured methodology of defense in depth and strong access control, the security of the network as a whole will be greatly improved Foundation to Securing ICS
  • 25. 25 • An industrial network is most typically made up of several distinct areas, which are simplified as  a business network or enterprise  business operations  a supervisory network  and process and control networks General Terms
  • 26. 26 • SCADA - Supervisory Control and Data Acquisition • ICS - Industrial Control Systems • DCS - Distributed Control Systems or Process Control Systems (PCS). • Each area has its own physical and log- ical security considerations, and each has its own policies and concerns. ICS Terms
  • 27. 27 • Industrial Network  is referring to any network operating some sort of automated control system that communicates digitally over a network. • Critical Infrastructure  is referring to critical network infrastructure, including any network used in the direct operation of any system upon which one of “critical infrastructures” depends. Industrial Network vs. Critical Infrastructure
  • 29. 29 • Utilities  Utilities—water, gas, oil, electricity, and communications  Financial ?? • Nuclear Facilities  Nuclear facilities represent unique safety and security challenges  due to their inherent danger in the fueling and operation,  as well as the national security implications of the raw materials used. Critical Infrastructure examples
  • 30. 30 • Chemical Facilities  Chemical manufacture and distribution represent speci c challenges to securing an industrial manufacturing network. Critical Infrastructure examples - continued
  • 31. 31 • Homeland Security Presidential Directive Seven (HSPD-7) • North American Electric Reliability Corporation (NERC) has created a reliability standard called “Critical Infrastructure Protection” and enforces it heavily throughout the United States and Canada.  The NERC CIP reliability standard identifies security measures for protecting critical infrastructure with the goal of ensuring the reliability of the bulk power system.  Compliance is mandatory for any power generation facility  Fines for noncompliance can be steep. Standards and Organizations
  • 32. 32 • Nuclear Regulatory Commission (NRC).  The NRC was formed as an independent agency by Congress in 1974  The goal: attempt to guarantee the safe operation of nuclear facilities and to protect people and the environment.  This includes regulating the use of nuclear material including by-product, source, and special nuclear materials, as well as nuclear power.  NRC requires and enforces the cyber security of nuclear power facilities. Ultimately, all other industries rely upon energy to operate, and so the security of the energy infrastructure (and the development of the smart grid) impacts everything else, so that talking about securing industrial networks without talking about energy is practically impossible.  The NRC is responsible for ensuring the safe use of radioactive materials for ben- e cial civilian (nonmilitary) purposes by licensed nuclear facilities. Standards and Organizations - continued
  • 33. 33 • Homeland Security Presidential DirectiveSeven/HSPD-7  The HSPD-7 attempts to distinguish the critical versus noncritical systems.  HSPD-7 does not include specific security recommendations  relying instead upon other federal security recommendations such as those by the NIST on the security of both enterprise and industrial networks, as well as the Homeland Security Risk- Based Performance Standards used in securing chemical facilities. Standards and Organizations - continued
  • 34. 34 • NIST Special Publications (800 Series)  NIST’s 800 series documents provide best practices and information of general interest to information security.  All 800 series documents concern information security  It should be used as references where applicable.  Particular relevance to industrial network security is  SP 800-53 (“Recommended Security Controls for Federal Information Systems”)  SP 800-82 (“Guide to Supervisory Control and Data Acquisition [SCADA] and Industrial Control Systems Security”) Standards and Organizations - continued
  • 35. 35 • Other standards addresses security recommendations and best practices:  Federal Information Security Management Act -FISMA  Chemical Facility Anti-Terrorism Standards – CFATS  ISA-99  ISO 27002 Standards and Organizations - continued
36
Network Segmentation - isolation
• The separation of assets into functional groups allows specific services to be tightly locked down and controlled.
• This is one of the easiest methods of reducing the attack surface that is exposed to attackers.
• Simply by disallowing all unnecessary ports and services, we also eliminate all of the vulnerabilities—known or unknown—that could potentially allow an attacker to exploit those services.
• Control communications in both directions through a firewall (a key area): study your network.
  ◦ Not all threats originate from outside. Open outbound traffic policies can facilitate an insider attack, enable the internal spread of malware, enable outbound command and control capabilities, or allow for data leakage or information theft.
39
Defense in Depth – Provision of additional layers of protection
40
Defense in Depth – Protective Measures
41
Additional Measures
• Additional measures related to access control:
  ◦ Only allow a user to log in to an HMI if the user has successfully badged into the control room (user credentials combined with physical access controls).
  ◦ Only allow a user to operate a given control from a specific controller (user credentials limited within a security group).
  ◦ Only allow a user to authenticate during that user’s shift (user credentials combined with personnel management).
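The three access-control measures above combined into one authorization decision, as an added example (not code from the slides): badge state comes from the physical access system, the shift window from personnel management, and the controller clearance from a security group; operator names, controller ids and shift times are constructed.

```python
"""Combined-signal HMI authorization (constructed example): login is granted only when
the account exists, the user is badged into the control room, the time is within
the user's shift, and the user's group is cleared for the requested controller."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, Set, Tuple

@dataclass
class Operator:
    name: str
    group: str
    shift_start: time
    shift_end: time   # earlier than shift_start for a night shift that wraps midnight

def within_shift(op: Operator, now: datetime) -> bool:
    """Shift window check that handles shifts crossing midnight."""
    t = now.time()
    if op.shift_start <= op.shift_end:
        return op.shift_start <= t < op.shift_end
    return t >= op.shift_start or t < op.shift_end

@dataclass
class HmiAccessPolicy:
    operators: Dict[str, Operator]
    controller_groups: Dict[str, Set[str]]            # controller id -> groups cleared for it
    badged_in: Set[str] = field(default_factory=set)  # fed by the physical access system

    def badge_event(self, name: str, entering: bool) -> None:
        if entering:
            self.badged_in.add(name)
        else:
            self.badged_in.discard(name)

    def authorize(self, name: str, controller: str, when: str) -> Tuple[bool, str]:
        """Evaluate every signal at ISO-8601 time `when`; the first failure is reported."""
        op = self.operators.get(name)
        if op is None:
            return False, "unknown account"
        if name not in self.badged_in:
            return False, "not badged into the control room"
        if not within_shift(op, datetime.fromisoformat(when)):
            return False, "outside scheduled shift"
        if op.group not in self.controller_groups.get(controller, set()):
            return False, f"group {op.group} not cleared for {controller}"
        return True, "granted"

POLICY = HmiAccessPolicy(  # constructed data: a day-shift and a night-shift operator
    operators={"alice": Operator("alice", "boilers", time(6, 0), time(14, 0)),
               "bob": Operator("bob", "turbines", time(22, 0), time(6, 0))},
    controller_groups={"PLC-B1": {"boilers"}, "PLC-T3": {"turbines", "boilers"}},
)
```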
42
Routable and non-routable
• A routable network
  ◦ Typically means Ethernet and TCP/IP.
  ◦ “Routable” networks also include routable variants of SCADA and ICS protocols that have been modified to operate over TCP/IP, such as Modbus/TCP or ICCP over TCP/IP.
• A non-routable network
  ◦ Refers to those serial, bus, and point-to-point communication links that utilize Modbus/RTU, point-to-point ICCP, fieldbus, and other networks.
  ◦ They are still networks: they interconnect devices and provide a communication path between digital devices.
  ◦ In many cases they are designed for remote command and control.
44
Assets in Industrial Control Systems
• An asset is a unique device that is used within an industrial control system.
• Assets include:
  ◦ computers, network switches, routers, firewalls, printers, alarm systems, Human–Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and the various relays, actuators, sensors, and other devices that make up a typical control loop.
45
Assets (as defined by NERC CIP)
• A “cyber asset”
  ◦ is any device connected via a routable protocol.
• A “critical cyber asset”
  ◦ is a cyber asset whose operation can impact the bulk energy system.
46
Example of Industrial Network Incidents
• In 2000, a disgruntled man in Australia who was rejected for a government job was accused of using a radio transmitter to alter electronic data within a sewerage pumping station, causing the release of over two hundred thousand gallons of raw sewage into nearby rivers.
47
Example of Industrial Network Incidents - continued
• In 2007, there was the Aurora Project: a controlled experiment by the Idaho National Laboratories (INL), which successfully demonstrated that a controller could be destroyed via a cyber attack. The vulnerability allowed hackers—which in this case were white-hat security researchers at the INL—to successfully open and close breakers on a diesel generator out of synch, causing an explosive failure. In September 2007, CNN reported on the experiment, bringing the security of our power infrastructure into the popular media.
• The Aurora vulnerability remains a concern today. Although the North American Electric Reliability Corporation (NERC) first issued an alert on Aurora a few months before CNN’s report, in June 2007, it has since provided additional alerts, as recently as an October 2010 alert that provides clear mitigation strategies for dealing with the vulnerability.
48
Example of Industrial Network Incidents - continued
• In 2008, the agent.btz worm began infecting U.S. military machines and was reportedly carried into CENTCOM’s classified network on a USB thumb drive later that year. Although the CENTCOM breach, reported by CBS’ 60 Minutes in November 2009, was widely publicized, the specifics are difficult to ascertain and the damages and intentions remain highly speculative.
49
Example of Industrial Network Incidents - Stuxnet
• The new weapon of cyber war.
• Stuxnet began to infect industrial control systems in 2010.
• After Stuxnet, any speculation over the possibility of a targeted cyber attack against an industrial network has been overruled by this extremely complex and intelligent collection of malware.
50
Example of Industrial Network Incidents – Stuxnet (continued)
• Stuxnet looks for SIMATIC WinCC and PCS 7 programs from Siemens, and then uses default SQL account credentials to infect connected Programmable Logic Controllers (PLCs) by injecting a rootkit via the Siemens fieldbus protocol, Profibus.
• Stuxnet then looks for automation devices using a frequency converter that controls the speed of a motor. If it sees a controller operating within a range of 800–1200 Hz, it attempts to sabotage the operation.
51
Example of Industrial Network Incidents – Night Dragon
• In February 2011, McAfee announced the discovery of a series of coordinated attacks against oil, energy, and petrochemical companies. The attacks, which originated primarily in China, were believed to have begun in 2009, operating continuously and covertly for the purpose of information extraction.
• Night Dragon is further evidence of how an outside attacker can (and will) infiltrate critical systems.
• Although the attack did not result in sabotage, as was the case with Stuxnet, it did involve the theft of sensitive information.
52
Industrial Network Controls
• Understanding how industrial networks operate requires a basic understanding of the underlying communications protocols that are used, where they are used, and why.
• Industrial protocols are designed for efficiency and reliability to support the economic and operational requirements of large distributed control systems.
• Similarly, most industrial protocols are designed for real-time operation to support precision operations.
53
Industrial Network Protocols
• For the sake of efficiency, these protocols often do not include security features such as authentication and encryption, both of which require additional overhead.
• To further complicate matters, many of these protocols have been modified to run over Ethernet and Internet Protocol (IP) networks in order to meet the evolving needs of business, potentially exposing these vulnerable protocols to attack.
54
Industrial Network Protocols
• Industrial network protocols are real-time communications protocols.
• They were developed to interconnect the systems, interfaces, and instruments that make up an industrial control system.
• Most were designed initially to communicate serially over RS-232, RS-485, or other serial connections but have since evolved to operate over Ethernet networks using routable protocols such as TCP/IP.
55
Other Protocols
• Modicon Communication Bus (Modbus)
• Inter Control Center Protocol (ICCP, also known as TASE.2 or Telecontrol Application Service Element-2)
• Distributed Network Protocol (DNP3)
• Object Linking and Embedding for Process Control (OPC)
56
MODBUS
• The oldest and perhaps the most widely deployed industrial control communications protocol.
• It was designed in 1979 by Modicon (now part of Schneider Electric), which invented the first Programmable Logic Controller (PLC).
• Modbus has been widely adopted as a de facto standard and has been enhanced over the years into several distinct variants.
57
MODBUS - Continued
• Modbus is an application layer messaging protocol, meaning that it operates at layer 7 of the OSI model.
• It allows for efficient communications based on a request/reply methodology.
• It can be used by extremely simple devices such as sensors or motors to communicate with a more complex computer.
59
MODBUS - Variants
• Modbus RTU
• Modbus ASCII
• Modbus TCP
• Modbus Plus
60
Security Concerns
• Lack of authentication
  ◦ Modbus sessions only require the use of a valid Modbus address and a valid function code.
  ◦ The former can be easily guessed or spammed, whereas the latter is easily obtainable information.
• Lack of encryption
  ◦ Commands and addresses are transmitted in clear text and can therefore be easily captured and spoofed.
• Lack of message checksum (Modbus TCP only)
  ◦ A spoofed command is even easier over some implementations of Modbus TCP, as the checksum is generated at the transmission layer, not the application layer.
61
Security Concerns - continued
• Lack of broadcast suppression (serial Modbus variants only)
  ◦ All serially connected devices will receive all messages, meaning a broadcast of unknown addresses can be used for effective denial of service (DoS) to a chain of serially connected devices.
• Programmability
  ◦ By far the most dangerous quality of Modbus—which is shared with many industrial protocols—is that it is intentionally designed to program controllers, and could be used to inject malicious logic into an RTU or PLC.
63
Modbus – Security Recommendations
• Modbus, like many industrial control protocols, should only be used to communicate between sets of known devices, using expected function codes.
  ◦ As such, it is easily monitored by establishing clear groupings / separation and by baselining acceptable behavior.
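The baselining recommendation above, together with the Security Concerns on the preceding slides, as an added monitoring example that is not part of the presentation: it decodes the Modbus/TCP MBAP header (which carries no application-layer checksum) and alerts on frames between device pairs, or with function codes, that were not observed in normal operation. The IP addresses, unit ids and sample frames are constructed.

```python
"""Modbus/TCP baseline monitor (constructed example): decode the MBAP header and
function code, then flag frames outside a whitelist of known device pairs and codes."""
import struct
from typing import List, NamedTuple, Optional, Tuple

# Function codes that write coils/registers or carry file/diagnostic payloads.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x15, 0x16, 0x17}
ModbusMsg = NamedTuple("ModbusMsg", [("tid", int), ("unit_id", int),
                                     ("function", int), ("payload", bytes)])

def parse_modbus_tcp(frame: bytes) -> ModbusMsg:
    """Decode the 7-byte MBAP header (tid, protocol id, length, unit id) + PDU.
    Modbus/TCP carries no application-layer checksum, so only lengths are checked."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:                 # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusMsg(tid, unit, frame[7], frame[8:])

# Constructed baseline: (src, dst, unit id) -> function codes seen in normal operation.
BASELINE = {
    ("10.1.1.10", "10.1.2.20", 1): {0x03, 0x04},        # HMI only reads registers
    ("10.1.1.11", "10.1.2.20", 1): {0x03, 0x06, 0x10},  # engineering station may write
}

def check(src: str, dst: str, frame: bytes) -> Optional[str]:
    """Return an alert string, or None when the frame matches the baseline."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"malformed frame from {src}: {exc}"
    allowed = BASELINE.get((src, dst, msg.unit_id))
    if allowed is None:
        return f"unknown pair {src}->{dst} unit {msg.unit_id}, fc 0x{msg.function:02X}"
    if msg.function not in allowed:
        kind = "write" if msg.function in WRITE_FUNCTIONS else "unexpected"
        return f"{kind} fc 0x{msg.function:02X} from {src} to {dst} not in baseline"
    return None

def scan(records: List[Tuple[str, str, bytes]]) -> List[str]:
    return [alert for src, dst, frame in records if (alert := check(src, dst, frame))]

# Constructed sample traffic: HMI read, HMI write, engineering-station write,
# read from an unknown host, and a truncated frame.
READ = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
WRITE = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"
SAMPLE_TRAFFIC = [("10.1.1.10", "10.1.2.20", READ), ("10.1.1.10", "10.1.2.20", WRITE),
                  ("10.1.1.11", "10.1.2.20", WRITE), ("10.1.9.9", "10.1.2.20", READ),
                  ("10.1.1.10", "10.1.2.20", b"\x00\x01")]
```

Running `scan(SAMPLE_TRAFFIC)` yields three alerts: the HMI write, the unknown host, and the truncated frame.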
64
Ethernet Industrial Protocol – Ethernet/IP
• Ethernet/IP uses standard Ethernet frames (ethertype 0x80E1) in conjunction with the Common Industrial Protocol (CIP) suite to communicate with nodes.
• Communication is typically client/server,
  ◦ although an “implicit” mode is supported to handle real-time requirements.
• Implicit mode uses connectionless transport, specifically the User Datagram Protocol (UDP), and multicast transmissions to minimize latency and jitter.
65
Common Industrial Protocol (CIP)
• The CIP uses object models to define the various qualities of a device.
• There are three types of objects:
  ◦ Required Objects, which define attributes such as device identifiers, routing identifiers, and other attributes of a device such as the manufacturer, serial number, date of manufacture, etc.;
  ◦ Application Objects, which define input and output profiles for devices;
  ◦ Vendor-specific Objects, which enable vendors to add proprietary objects to a device.
• Objects (other than vendor-specific objects) are standardized by device type and function, to facilitate interoperability.
66
Security Concerns
• Ethernet/IP is a real-time Ethernet protocol, so it is susceptible to any of the vulnerabilities of Ethernet.
• Ethernet/IP over UDP is transaction-less, and so there is no inherent network-layer mechanism for reliability, ordering, or data integrity checks.
• The CIP also introduces some specific security concerns, due to its well-defined object model.
67
Ethernet/IP Security Concerns
• The CIP does not define any explicit or implicit mechanisms for security.
• The use of common “Required Objects” for device identification can facilitate device identification and enumeration, facilitating an attack.
• The use of common “Application Objects” for device information exchange and control can enable broader industrial attacks, able to manipulate a broad range of industrial devices.
• Ethernet/IP’s use of UDP and multicast traffic—both of which lack transmission control—for real-time transmissions facilitates the injection of spoofed traffic or (in the case of multicast traffic) the manipulation of the transmission path using injected IGMP controls.
68
Security Recommendations
• Because Ethernet/IP is a real-time Ethernet protocol using UDP and IGMP, it is necessary to provide Ethernet and IP-based security at the perimeter of any Ethernet/IP network.
• It is also recommended that passive network monitoring be used to ensure the integrity of the Ethernet/IP network, ensuring that the Ethernet/IP protocol is only being used by explicitly identified devices and that no Ethernet/IP traffic is originating from an unauthorized, outside source. This can be accomplished using a SCADA-IDS/IPS or other network monitoring device capable of detecting and interpreting the Ethernet/IP protocol.
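The passive-monitoring recommendation above, and the enumeration concern on the previous slides, as an added example that is not from the presentation or any SCADA-IDS product: it decodes the Ethernet/IP encapsulation header on port 44818 and alerts when Ethernet/IP appears from a host outside the ICS zone or not in the device inventory, or when identity/service enumeration comes from anything but the designated inventory scanner. The zone, inventory and scanner address are constructed; implicit I/O on UDP 2222 has no encapsulation header, so only its source is checked.

```python
"""Passive Ethernet/IP monitor (constructed example): decode the 24-byte encapsulation
header and alert on unidentified or out-of-zone sources and unexpected enumeration."""
import ipaddress
import struct
from typing import Optional, Tuple

ENIP_PORT = 44818        # explicit messaging, TCP or UDP
IMPLICIT_IO_PORT = 2222  # implicit (real-time) I/O over UDP, no encapsulation header
COMMAND_NAMES = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0065: "RegisterSession",
                 0x006F: "SendRRData", 0x0070: "SendUnitData"}
ENUMERATION = {0x0004, 0x0063}   # commands that read Required Objects from every device

# Constructed inventory: the ICS zone, its identified devices, and the one host
# permitted to enumerate them (an asset-inventory scanner).
ICS_ZONE = ipaddress.ip_network("192.168.50.0/24")
KNOWN_DEVICES = {"192.168.50.10", "192.168.50.20", "192.168.50.21"}
INVENTORY_SCANNER = "192.168.50.10"

def parse_encap_header(payload: bytes) -> Tuple[int, int, int]:
    """Return (command, data length, session handle); fields are little-endian."""
    if len(payload) < 24:
        raise ValueError("short encapsulation header")
    command, length, session, _status, _ctx, _opts = struct.unpack("<HHII8sI", payload[:24])
    if length != len(payload) - 24:
        raise ValueError("encapsulation length mismatch")
    return command, length, session

def inspect(src: str, dst: str, proto: str, dport: int, payload: bytes) -> Optional[str]:
    """Return an alert string, or None when the packet is consistent with the inventory."""
    if proto == "udp" and dport == IMPLICIT_IO_PORT:
        # Implicit I/O has no header to validate; source identity is the available check.
        return None if src in KNOWN_DEVICES else f"implicit I/O from unknown producer {src}"
    if dport != ENIP_PORT:
        return None
    try:
        command, _length, _session = parse_encap_header(payload)
    except ValueError as exc:
        return f"malformed Ethernet/IP from {src}: {exc}"
    name = COMMAND_NAMES.get(command, f"command 0x{command:04X}")
    if ipaddress.ip_address(src) not in ICS_ZONE:
        return f"{name} from outside the ICS zone ({src})"
    if src not in KNOWN_DEVICES:
        return f"{name} from unidentified host {src} inside the zone"
    if command in ENUMERATION and src != INVENTORY_SCANNER:
        return f"enumeration ({name}) from {src}, which is not the inventory scanner"
    return None

def encap(command: int, body: bytes = b"") -> bytes:
    """Build a constructed encapsulation frame (zero session, status, context, options)."""
    return struct.pack("<HHII8sI", command, len(body), 0, 0, bytes(8), 0) + body
```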
69
Final Recommendations
• Monitor your network, including ICS traffic
• Create a baseline
• Security awareness program
• Network isolation
• Firmware updates (very challenging)
• IDS/IPS
• Test network (pentesting): never on the production network
70
Final Recommendations - continued
• Failsafe
• Apply forensics if needed
• Implement security best practices
• Connect with others who are experts in the field