Future-Proofing Supply Chain Against Emerging Cyber-Physical Threats
Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of any organisation.
Steven Sim, VP, ISACA Singapore Chapter
What do they have in common? (1)
What do they have in common? (2)
Infosecurity Magazine
Supply Chain Risk Closer to Home
• Threats are getting increasingly impactful and sophisticated
• All organisations that have a cyber footprint can be breached
• Not a matter of IF but WHEN incidents would happen
• How can we then future-proof against the inevitable?
New Cybersecurity Normal
Characteristics of Advanced Persistent Threats (APTs), compared with the wiperworm (NotPetya) and the ransomworm (WannaCry):
• Impact & Behavior: Data leaked (rest are outage); stays persistent, not detected; intent hard to figure
• Sophistication: Signatureless, uses legitimate tools and sites; exploits multiple vulnerabilities; fully patched systems vulnerable
Now what can we do?
Know our SELF
Know our ENEMIES
A hundred BATTLES
A hundred VICTORIES
- Sun Tzu
“While cyber defences will never be impregnable, the success of the attacker in achieving actions on objectives is not inevitable.” – SingHealth COI
Exposures, Attacks, Compromises
Technical Equivalents
Indicators of Exposure (IOE)
Indicators of Attack (IOA)
Indicators of Compromise (IOC)
ISACA
Know our SELF
Know our ENEMIES
Tactics, Techniques, Procedures (TTP)
Now what can we do?
Know our SELF
McKinsey
Supply Chain 4.0
ISACA
Cyber-Physical Universe
Automation is also the means to repeat human errors with rigor in a consistent manner.
Cybersecurity and Safety are increasingly synonymous.
Star Tribune
Matter of Life and Death
RiskBasedSecurity
Perils of Patching
• How complex is your system?
• How fast can you test a patch?
• How complete is your testing?
• Can you afford to risk a self-inflicted Denial-of-Service?
ZDNet
TechRepublic
LapTopMag
Key current pain-points
1. Weak computing power
2. Insecurity by design
3. Insecure industrial protocols
4. Slow certification of patches
5. Hard to retrofit
Inherent Design Issues
Belden
Cyber-Physical Limitations
Inherent Accessibility Exposures
Internet connectivity → Watering Hole Attacks
Cloud adoption, data lakes → Leaky Cloud Buckets
Internet connectivity → Distributed Denial-of-Service
Increased Accessibility
Now what can we do?
Know our ENEMIES
Identifying and Prioritizing
Threat Scenarios
Threats against Supply Chain
ISACA
1. Defeat Device
2. Logic Bombs
3. Back Doors
4. Malware
5. Vulnerabilities
Threats towards Cyber-Physical
Systems in Supply Chain 4.0
PWC
Tactics, Techniques and Procedures (TTPs)
Who are our Enemies? (2)
Prevent Action on Objectives
Low Barriers to Attacks (1)
Low Barriers to Attacks (2)
Low Barriers to Attacks (3)
Source: Resilient Navigation and Timing Foundation
Physical-to-Cyber Threats (1)
Resilient Navigation and Timing Foundation
Source: PC Magazine
DreamsTime
Physical-to-Cyber Threats (2)
Now what can we do?
A Hundred Battles
A Hundred Victories
Governance key to Future-proofing
Perform threat modelling
Adopt cybersecurity framework
Adopt key principles
Key Areas of IIOT Focus: Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness
Adopt IT Risk Framework
• Business to operation to IT risk alignment paramount
• Risk optimization is key to risk management
• Risk Owner is Accountable
• CISO cannot own Risk
Adopt IT Risk Framework
ISACA Risk IT Framework
1. Tender Specs (Firewall, VPN, Common Criteria, etc.)
2. Product allows Vulnerability to be Managed
3. Layered Defense Architecture
4. Architecture Security Review

1. Security Standards
2. Server Hardening, e.g. Disable Unnecessary Services
3. Network-based Firewall
4. Pre-deployment Vulnerability Assessment & Penetration Testing

1. Regular Vulnerability Scan
2. Regular Vulnerability Alert Monitoring
3. Timely Vulnerability Remediation/Patching
4. Continuous Audit and Monitoring

1. Security Training and Awareness
2. Security Advisories to Custodians
3. Phishing Simulation Exercise
4. Extension to Supply Chain
Microsoft
ISACA
Adopt Key Principles
• Data as the new oil
• Adopt a data-centric approach
Privacy-by-Design (as part of SbD)
ISACA
Patch-work is not ideal – addressing flaws in pre-existing systems architecture.
Security-by-design has to be done right from the start.
ZDNet
Adopt Cyber Security Framework (1)
ISACA
COBIT
Increased Focus on
Detect, Response and Recover phases
ISACA
Third-party Attestations
• Multi-Tiered Cloud Services
• Common Criteria
• CREST
• CoBIT/ISO270XX/SOC2
• ABS Guidelines
• OSPA (Outsource Service Provider Assessment)
• PTG (Penetration Testing Guideline)
• RTAASEG (Red Team Adversarial Attack Simulation Exercises Guidelines)
Adopt Cyber Security Framework (2)
Network Security Focus
Standards
• ISA/IEC-62443
• NIST SP800-82
Layered Defenses
• by depth
• by diversity
Key Areas of Focus (1)
Vulnerability Management Focus
Different ways of fixing a vulnerability
• Disable unnecessary services
• Network-based firewall
• Host-based firewall
• Hardening the configuration
• Virtual Patching
• Patching
Vulnerability remediation matrix: Systems / Services and Vulnerability Severity (rows) against exploitability (columns)
Rows:
• Internet / Extranet-facing: Critical / High; Medium; Low
• Intranet-facing: Critical / High; Medium; Low
Columns:
• Exploitable remotely from Internet / Building
• Exploitable remotely from Gateway / Clients
• Exploitable only locally on host
Vulnerability Remediation Timeline
• Risk-based
• Peace Time vs Heightened Posture
• Attack Surface Exposure
• Exploit Public Availability
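The risk-based timeline above, worked as an added Python example (not from the presentation): it combines the matrix axes (exposure, severity, exploitability vector) with the posture and public-exploit modifiers, and falls back to the slide's interim fixes when a certified patch cannot land before the deadline. All day counts, the halving rules and the sample findings are constructed assumptions.

```python
"""Risk-based vulnerability remediation timeline (added example, not from the slides).

Combines the matrix axes used above (exposure, severity, exploitability vector)
with two modifiers: posture (peace time vs heightened) and public exploit
availability. All day counts and sample findings below are constructed
assumptions, not values from the presentation.
"""
from dataclasses import dataclass
from enum import Enum


class Exposure(Enum):
    INTERNET_FACING = "Internet / Extranet-facing"
    INTRANET_FACING = "Intranet-facing"


class Severity(Enum):
    CRITICAL_HIGH = "Critical / High"
    MEDIUM = "Medium"
    LOW = "Low"


class Vector(Enum):
    REMOTE_INTERNET = "Exploitable remotely from Internet / Building"
    REMOTE_GATEWAY = "Exploitable remotely from Gateway / Clients"
    LOCAL_ONLY = "Exploitable only locally on host"


class Posture(Enum):
    PEACE_TIME = "Peace Time"
    HEIGHTENED = "Heightened Posture"


# Constructed baseline SLAs in days, keyed by (exposure, severity), one value per
# exploitability vector in the order REMOTE_INTERNET, REMOTE_GATEWAY, LOCAL_ONLY.
_BASELINE_DAYS = {
    (Exposure.INTERNET_FACING, Severity.CRITICAL_HIGH): (7, 14, 30),
    (Exposure.INTERNET_FACING, Severity.MEDIUM): (30, 45, 60),
    (Exposure.INTERNET_FACING, Severity.LOW): (90, 90, 180),
    (Exposure.INTRANET_FACING, Severity.CRITICAL_HIGH): (14, 30, 60),
    (Exposure.INTRANET_FACING, Severity.MEDIUM): (45, 60, 90),
    (Exposure.INTRANET_FACING, Severity.LOW): (90, 180, 180),
}
_VECTOR_INDEX = {Vector.REMOTE_INTERNET: 0, Vector.REMOTE_GATEWAY: 1, Vector.LOCAL_ONLY: 2}

# Interim fixes from "Different ways of fixing a vulnerability", in the order a
# defender reaches for them when a certified patch cannot land before the deadline.
INTERIM_CONTROLS = (
    "Disable unnecessary services",
    "Network-based firewall",
    "Host-based firewall",
    "Hardening the configuration",
    "Virtual Patching",
)


@dataclass(frozen=True)
class Finding:
    system: str           # constructed asset name
    exposure: Exposure
    severity: Severity
    vector: Vector
    exploit_public: bool  # is a working exploit publicly available?


def remediation_days(finding: Finding, posture: Posture) -> int:
    """Deadline in days: matrix baseline, halved for a public exploit, halved again under heightened posture."""
    days = _BASELINE_DAYS[(finding.exposure, finding.severity)][_VECTOR_INDEX[finding.vector]]
    if finding.exploit_public:
        days = max(1, days // 2)
    if posture is Posture.HEIGHTENED:
        days = max(1, days // 2)
    return days


def plan(finding: Finding, posture: Posture, patch_lead_time_days: int) -> dict:
    """Patch directly if testing/certification fits the deadline, else apply interim controls first."""
    deadline = remediation_days(finding, posture)
    if patch_lead_time_days <= deadline:
        return {"deadline_days": deadline, "action": "Patching", "interim": ()}
    # A locally exploitable flaw gains nothing from a network firewall; keep the host-side controls.
    interim = INTERIM_CONTROLS
    if finding.vector is Vector.LOCAL_ONLY:
        interim = tuple(c for c in INTERIM_CONTROLS if c != "Network-based firewall")
    return {"deadline_days": deadline, "action": "Patching after interim controls", "interim": interim}


def prioritise(findings, posture: Posture):
    """Order findings by deadline (shortest first), then by system name for a stable queue."""
    return sorted(findings, key=lambda f: (remediation_days(f, posture), f.system))


# Constructed sample findings for a small supply-chain estate.
SAMPLE_FINDINGS = (
    Finding("plc-hmi", Exposure.INTRANET_FACING, Severity.MEDIUM, Vector.LOCAL_ONLY, False),
    Finding("erp-api", Exposure.INTERNET_FACING, Severity.LOW, Vector.REMOTE_GATEWAY, False),
    Finding("historian-web", Exposure.INTERNET_FACING, Severity.CRITICAL_HIGH, Vector.REMOTE_INTERNET, True),
)

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS, Posture.PEACE_TIME):
        days = remediation_days(f, Posture.PEACE_TIME)
        print(f"{f.system:14} {days:4d} days  {plan(f, Posture.PEACE_TIME, 21)['action']}")
```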
Key Areas of Focus (2)
Optiv IR Org Model
Incident Management Focus
Key Areas of Focus (3)
Key Areas of Consideration
• Black Swans
• Recovery Order
• Alternate Comms
• Crisis Management
• Cyber-Physical SOC
• Threat Hunting, Drills, Table-tops
• BCM for full automation
Governance key to Future-proofing
Perform threat modelling
Adopt cybersecurity framework
Adopt key principles
Key Areas of IIOT Focus
Adopt IT Risk Framework
“… need for organizations to elevate cybersecurity as a priority to build
the foundation of its cybersecurity culture, better secure their
operations, and strengthen the global digital economic ecosystem.
Partnerships and information sharing, like ISACA’s collaboration with
Digital Manufacturing and Design Innovation Institute (DMDII) on this
study, are becoming increasingly key to accomplishing these goals.”
Frank Downs, Director of Cybersecurity Practices at ISACA
Public Private Partnership
1. Be Aware of Increasing Concerns with Cyber-Physical Threats
• Emerging Cyber-Physical Threats are sophisticated. Cover all spaces.
2. Key Resilience Principles are still relevant against emerging threats
• Adopt good risk, threat modelling, principles, cybersecurity frameworks.
• Be pragmatic - Cyber Resiliency is key.
3. Good Risk Culture, Management and Governance is important
• Optimize risk. Technology is inadequate. Support with people and
processes. Connect with industry and community.
Key Take-aways (1)
Key Take-aways (2)
4. Need for inventory of systems and services, asset classification, risk
assessment
5. Need for architecture governance
• Not allowing excessively diverse technologies to be used in
• Having adequate diversity to mitigate supply chain concentration risk.
6. Buying technology to solve problems but with adequately trained people and processes
• Industrialization 4.0 is here to stay
• Less human intervention
• Heavy reliance on cyber-physical connectivity, analytics, cloud
• Increased criticality on wireless networking
• Transiting to the New Cybersecurity Normal
• Better impact assessment and automated containment
• Elevated cybersecurity requirements and mandate – Security & Privacy by Design
• Increased commoditization of cyber insurance
All’s not doom and gloom
• Become better at your job
• Support your profession
• Increase your value to your employer by
expanding your skill set
• Expand your network of business contacts
• Highlight your expertise by earning a professional
credential
• Position yourself to participate in a global
marketplace
• Support the future of your profession
• Position yourself for management opportunities
Why you should become an ISACA member
MANAGING RISK.
EMBRACING UNCERTAINTY
MAY 15, 2019 SINGAPORE
PROGRAMME & SPEAKERS PROFILE
Updated as of 22 Mar 2019
https://www.gtacs.sg
Thank you for attending. Stay in touch!

  • 1. Future-proofing Supply Chain against emerging Cyber-physical Threats. Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of any organisation. Steven Sim, VP, ISACA Singapore Chapter
  • 2. What do they have in common? (1)
  • 3. What do they have in common? (2)
  • 5. New Cybersecurity Normal • Threats are getting increasingly impactful and sophisticated • All organisations that have a cyber footprint can be breached • Not a matter of IF but WHEN incidents would happen • How can we then future-proof against the inevitable?
    Characteristics of Advanced Persistent Threats (APTs), compared with the Wiperworm (NotPetya) and the Ransomworm (WannaCry):
    Impact & Behavior: Data leaked (rest are outage); Stays persistent, not detected; Intent hard to figure
    Sophistication: Signatureless, legitimate tools, sites; Exploits multiple vulnerabilities; Fully patched systems vulnerable
  • 6. Now what can we do? Know our SELF Know our ENEMIES A hundred BATTLES A hundred VICTORIES - Sun Tzu “While cyber defences will never be impregnable, the success of the attacker in achieving actions on objectives is not inevitable.” – SingHealth COI
  • 7. Exposures, Attacks, Compromises Technical Equivalents Indicators of Exposure (IOE) Indicators of Attack (IOA) Indicators of Compromise (IOC) ISACAISACA Know our SELF Know our ENEMIES Tactics, Techniques, Procedures (TTP)
  • 8. Now what can we do? Know our SELF
  • 10. Cyber-Physical Universe Automation is also the means to repeat human errors with rigor in a consistent manner. Cybersecurity and Safety are increasingly synonymous.
  • 11. Star Tribune Matter of Life and Death RiskBasedSecurity
  • 12. Perils of Patching • How complex is your system? • How fast can you test a patch? • How complete is your testing? • Can you afford to risk a self-inflicted Denial-of-Service? ZDNet TechRepublic LapTopMag
  • 13. Key current pain-points 1. Weak computing power 2. Insecurity by design 3. Insecure industrial protocols 4. Slow certification of patches 5. Hard to retrofit Inherent Design Issues Belden Cyber-Physical Limitations
  • 14. Inherent Accessibility Exposures Internet connectivity  Watering Hole Attacks Cloud adoption, data lakes  Leaky Cloud Buckets Internet connectivity  Distributed Denial-of-Service Increased Accessibility
  • 15. Now what can we do? Know our ENEMIES
  • 16. Identifying and Prioritizing Threat Scenarios: Threats against Supply Chain (ISACA) 1. Defeat Device 2. Logic Bombs 3. Back Doors 4. Malware 5. Vulnerabilities
  • 17. Threats towards Cyber-Physical Systems in Supply Chain 4.0 PWC
  • 18. PWC
  • 19. Tactics, Techniques and Procedures (TTPs) Who are our Enemies? (2) Prevent Action on Objectives
  • 20. Low Barriers to Attacks (1)
  • 21. Low Barriers to Attacks (2)
  • 22. Low Barriers to Attacks (3)
  • 23. Source: Resilient Navigation and Timing Foundation Physical-to-Cyber Threats (1) Resilient Navigation and Timing Foundation
  • 25. Now what can we do? A Hundred Battles A Hundred Victories
  • 26. Governance key to Future-proofing: Adopt IT Risk Framework, Perform threat modelling, Adopt key principles, Adopt cybersecurity framework. Key Areas of IIOT Focus: IIOT Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness
  • 27. • Business to operation to IT risk alignment paramount • Risk optimization is key to risk management • Risk Owner is Accountable • CISO cannot own Risk Adopt IT Risk Framework ISACA Risk IT Framework
  • 28. Adopt Key Principles (Microsoft, ISACA)
    1. Tender Specs (Firewall, VPN, Common Criteria, etc) 2. Product allows Vulnerability to be Managed 3. Layered Defense Architecture 4. Architecture Security Review
    1. Security Standards 2. Server Hardening i.e. Disable Unnecessary Services 3. Network-based Firewall 4. Pre-deployment Vulnerability Assessment & Penetration Testing
    1. Regular Vulnerability Scan 2. Regular Vulnerability Alert Monitoring 3. Timely Vulnerability Remediation/Patching 4. Continuous Audit and Monitoring
    1. Security Training and Awareness 2. Security Advisories to Custodians 3. Phishing Simulation Exercise 4. Extension to Supply Chain
  • 29. • Data as the new oil • Adopt a data- centric approach Privacy-by-Design (as part of SbD) ISACA
  • 30. Patch-work is not ideal – addressing flaws in pre- existing systems architecture Security-by- design has to be done right from start ZDNet
  • 31. Adopt Cyber Security Framework (1) ISACA COBIT Increased Focus on Detect, Response and Recover phases ISACA
  • 32. Third-party Attestations • Multi-Tiered Cloud Services • Common Criteria • CREST • CoBIT/ISO270XX/SOC2 • ABS Guidelines • OSPA (Outsource Service Provider Assessment) • PTG (Penetration Testing Guideline) • RTAASEG (Red Team Adversarial Attack Simulation Exercises Guidelines) Adopt Cyber Security Framework (2)
  • 34. Key Areas of Focus (2): Vulnerability Management Focus (IIOT Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness)
    Different ways of fixing a vulnerability • Disable unnecessary services • Network-based firewall • Host-based firewall • Hardening the configuration • Virtual Patching • Patching Systems / Services
    Vulnerability Severity (rows: attack surface exposure; columns: where the vulnerability is exploitable from)
    Exposure                     Exploitable remotely from Internet / Building   Exploitable remotely from Gateway / Clients   Exploitable only locally on host
    Internet / Extranet-facing   Critical / High                                 Medium                                        Low
    Intranet-facing              Critical / High                                 Medium                                        Low
    Vulnerability Remediation Timeline • Risk-based • Peace Time vs Heightened Posture • Attack Surface Exposure • Exploit Public Availability
  • 35. Key Areas of Focus (3): Incident Management Focus (IIOT Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness). Optiv IR Org Model. Key Areas of Consideration • Black Swans • Recovery Order • Alternate Comms • Crisis Management • Cyber-Physical SOC • Threat Hunting, Drills, Table-tops • BCM for full automation
  • 37. Governance key to Future-proofing: Adopt IT Risk Framework, Perform threat modelling, Adopt key principles, Adopt cybersecurity framework. Key Areas of IIOT Focus: IIOT Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness
  • 38. “… need for organizations to elevate cybersecurity as a priority to build the foundation of its cybersecurity culture, better secure their operations, and strengthen the global digital economic ecosystem. Partnerships and information sharing, like ISACA’s collaboration with Digital Manufacturing and Design Innovation Institute (DMDII) on this study, are becoming increasingly key to accomplishing these goals.” Frank Downs, Director of Cybersecurity Practices at ISACA Public Private Partnership
  • 39. 1. Be Aware of Increasing Concerns with Cyber-Physical Threats • Emerging Cyber-Physical Threats are sophisticated. Cover all spaces. 2. Key Resilience Principles are still relevant against emerging threats • Adopt good risk, threat modelling, principles, cybersecurity frameworks. • Be pragmatic - Cyber Resiliency is key. 3. Good Risk Culture, Management and Governance is important • Optimize risk. Technology is inadequate. Support with people and processes. Connect with industry and community. Key Take-aways (1)
  • 40. Key Take-aways (2) 4. Need for inventory of systems and services, asset classification, risk assessment 5. Need for architecture governance • Not allowing excessive diverse technologies to be used in • Having adequate diversity to mitigate supply chain concentration risk. 6. Buying technology to solve problems but with adequately trained people and processes
  • 41. All's not doom and gloom • Industrialization 4.0 is here to stay • Less human intervention • Heavy reliance on cyber-physical connectivity, analytics, cloud • Increased criticality on wireless networking • Transiting to the New Cybersecurity Normal • Better impact assessment and automated containment • Elevated cybersecurity requirements and mandate – Security & Privacy by Design • Increased commoditization of cyber insurance
  • 42. • Become better at your job • Support your profession • Increase your value to your employer by expanding your skill set • Expand your network of business contacts • Highlight your expertise by earning a professional credential • Position yourself to participate in a global marketplace • Support the future of your profession • Position yourself for management opportunities Why you should become an ISACA memb
  • 43. MANAGING RISK. EMBRACING UNCERTAINTY. MAY 15, 2019, SINGAPORE. PROGRAMME & SPEAKERS PROFILE, updated as of 22 Mar 2019. https://www.gtacs.sg
  • 44. Thank you for attending. Stay in touch!

Editor's Notes

  1. More on ISACA
  2. Can anyone hazard a guess what these organisations have in common? Yes, these are organisations hacked due to a breach in their supply chain. https://www.channelnewsasia.com/news/technology/fema-error-exposes-2-3-million-disaster-survivors-to-fraud--watchdog-11371994 https://www.bankinfosecurity.com/pentagon-data-breach-exposed-30000-travel-records-a-11600
  3. What about this list? These are the suppliers through which the breaches occurred. Breaches come in many forms, shapes and sizes: some through law firms, some through managed services, some through maintenance contractors. https://www.techradar.com/news/hpe-and-ibm-attacked-by-chinese-hackers https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/ https://www.csoonline.com/article/2129794/lessons-from-the-rsa-breach.html https://bgr.com/2018/08/06/android-malware-windows-google-removes-145-apps/ https://www.smh.com.au/politics/federal/chinese-hackers-breach-anu-putting-national-security-at-risk-20180706-p4zq0q.html https://www.icij.org/investigations/paradise-papers/ The threat of cyberattacks using an enterprise's supply chain as a delivery vector has become a common concern within the information security community.
  4. Locally, Singapore is not spared. More than 800,000 blood donors' details were exposed through a vendor who was working on a database. https://www.infosecurity-magazine.com/news/vendor-exposes-singapore-health-1-1/
  5. https://www.isaca.org/Journal/archives/2017/Volume-1/Pages/indicators-of-exposure-and-attack-surface-visualization.aspx
  6. The McKinsey article has a detailed write-up on Supply Chain 4.0. However, it makes no mention of cyber risk or security in its considerations. ISACA classifies the risks associated with various systems and provides a series of recommendations to manage them. https://www.mckinsey.com/industries/consumer-packaged-goods/our-insights/supply-chain-4-0-in-consumer-goods
  7. For the purpose of today’s short presentation, I am going to narrow the focus down to Cyber-physical systems.
  8. It is a matter of life and death! There is so much imperfectly written software out there. How are you going to remotely patch a life-dependent device? On top of that, there are so many vulnerabilities out there.
  9. OK, let's say you are able to orchestrate patches, but how complex is your system? How fast can you test a patch? How complete is your testing, and can you afford to risk a self-inflicted Denial-of-Service? That is what happened to Queensland hospitals during the WannaCry patch frenzy, and more recently when factory systems were hit by glitches from the Meltdown/Spectre patches. Not to mention the recent case of the Windows 10 October update causing issues. Imagine the HMIs in your OT network being patched and running into the same issues.
  10. IIOT needs to keep risk to a minimum, and its underlying foundation is very much the same as OT, so it inherits a large bulk of OT's design flaws. OT stands for Operations Technology and encompasses ICS (Industrial Control Systems) and SCADA (Supervisory Control And Data Acquisition). Unlike IT, OT prioritises its cybersecurity requirements differently: safety comes foremost, followed by availability, integrity and confidentiality. I look at IIOT as an extension of OT, as it has to bring along the engineering ruggedness of OT. IIOT tends to be weaker in computing power, hence even the blockchain trials have had to resort to weaker hashes instead of the industry-accepted SHA-2 hashes, which affects the ability to comply with standards. This was partly the reason why separate IoT security standards had to be developed. Having its roots in OT, IIOT tends to be insecure by design, with hardcoded passwords and a lack of orchestration. Insecure industrial protocols with no authentication or encryption are often in place because they were originally built for closed systems. For reasons of safety and thoroughness in testing, OS and third-party security fixes are often slow to be certified by the vendors. Lastly, these systems are often hard to retrofit because of their scale and tight legacy interactions; any component change often requires extensive testing and customisation.
  11. With IoT, analytics come into play, and with analytics you would think of using the cloud. There are three key concerns with the underlying accessibility. First, there is the risk of watering-hole attacks, which was exploited by the NotPetya malware through the MeDocs accounting software. Then there is the challenge of misconfigured, leaky cloud buckets: there was a slew of news about misconfigured Amazon Web Services storage, with victims including some of the big consulting houses. Not least, there are DDoS attacks targeting IIoT, such as the Mirai botnet.
  12. https://www.isaca.org/Journal/archives/2013/Volume-4/Pages/JOnline-Mitigating-Software-Supply-Chain-Risk.aspx
  13. https://www.recode.net/sponsored/12356344/cybersecurity-and-privacy-risks-of-industry-4-0-infographic
  14. GPS jamming and spoofing attacks are a serious concern if GPS is relied upon as the only means of navigation. Land-based navigation systems and transponders would be a consideration.
  15. And even hobby drones can be used to effectively jam industrial access points. This is a tough problem to solve, and it is where the integration of physical and cyber monitoring becomes very important.
  16. Cyber supply-chain risk management (SCRM): monitoring and response. What is at risk? Confidentiality (intellectual property and personal and business data); Integrity (processes, products and data); Availability (flows, products and data); Authenticity (products and data); Trustworthiness (processes, products and people). The following properties enable one to assure that the risk has been adequately mitigated or avoided: Transparency, Quality, Accountability.
  17. Adopt a security-by-design, security-by-default and security-by-deployment approach, and underlying all these, strong communication as the foundation is key. For instance, security-by-design entails incorporating security requirements in tender specifications right from the start. I want to highlight that it is important to cover continuous audit and monitoring under the "secure in deployment" phase, and it is important to extend your awareness training and phishing simulations to stakeholders down your supply chain.
  18. https://www.zdnet.com/article/boeing-737-max-software-patches-can-only-do-so-much/
  19. Secure via an ecosystem approach rather than a component-based approach.
  20. Network security should be based on layered defences, by depth and by sufficient diversity: at a minimum, diversity between security zones or tiers, such as the use of two different makes of firewalls.
  21. Another important aspect of IIOT security focus is vulnerability management. Notice that I don't call it patch management, because patching is just a means to an end. There are different ways besides patching to fix a vulnerability, ranging from something as straightforward as disabling an unused service to something as sophisticated as virtual patching. It is also important to establish a risk-based vulnerability remediation timeline that depends on the threat posture, the attack surface exposure and exploit availability.
  22. The earlier slides described the WHY and the WHAT. This slide indicates the HOW. To transform the GCIRT global organisation into one that achieves the three PSA objectives I mentioned earlier, there are three key phases: norming, performing and excelling. By the end of 2019, in accordance with the CSMS, the LCIRT would have been set up and GCIRT would be transformed from a reactive state to an adaptive state. By the end of 2020, GCIRT would be expected to evolve from an adaptive stage to a purposeful stage where incident management processes are optimised. At the end of 2021, GCIRT would be more agile, respond to changes in the threat landscape quickly and be able to integrate business risk a lot more seamlessly. Now, what does this mean to each BU?
  23. Establishing a strong cybersecurity and risk culture is ever more important. Do you alert only when there are indicators of compromise, or also when there are indicators of attack? What is your management's reaction when you report false positives?
  24. Here are some key take-aways. Be aware of increasing concerns with cyber-physical threats; key resilience principles will still be relevant against emerging threats. Not least, good risk management and governance are absolutely essential and are the foundation of .
  25. And sharing some common pitfalls: good governance is key. The lack of an adequate inventory is a common pain-point. Secondly, I know this sounds contradictory, but the number of vulnerabilities that need to be dealt with multiplies with every new technology in use. Therefore, do not have excessively diverse technologies, yet do not rely on only one, as that would incur supply chain concentration risk. Not least, using technology to solve problems without supporting it with trained personnel and processes is a huge concern. A set of double-layered IPSes with no rules in place is as good as not having any IPSes at all.
  26. In the foreseeable future, Industrialisation 4.0 is here to stay. It comes with less human intervention, heavier reliance on cyber-physical connectivity, analytics and cloud, and increases the criticality of wireless networking: there is no way you can physically wire up an automated guided vehicle, or an automated ship for that matter. This means transiting to the new cybersecurity normal, where better impact assessment and automated containment are required since everything is automated and real-time, and elevated cybersecurity requirements such as security by design will be mandated. There will likely be increased investment in cybersecurity and increased commoditisation of cyber insurance. Industrialisation has helped us evolve from the canoe to the container ship; there are increased benefits and risks, yet that does not stop us from progressing. BIMCO standards are put in place and insurance becomes mandated. Eventually, I believe the cyber world will reach a similar maturity.
  27. With that, I end my presentation. Thank you for attending, and do stay in touch. Are there any questions? I will be glad to take them here, later during the break or offline. Do link up on LinkedIn; this is my LinkedIn QR code, which you can scan using the LinkedIn mobile app. I would very much like to exchange notes with all of you. For all of us it is a never-ending learning journey in the cybersecurity space, and it is therefore important to stay in touch and synergise our collective wisdom through exchanges of knowledge and experience. Thank you.
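The vulnerability-severity matrix and the remediation-timeline factors on slide 34, together with note 21's point that patching is only one of several ways to fix a vulnerability, can be turned into a small triage routine. The Python below is an added example written for this page; it is not code from the presentation, from ISACA or from any product. The severity bands come from the slide; the SLA day counts, the one-band escalation when a public exploit exists, and the ordering of compensating controls for devices whose vendor has not yet certified a patch are assumptions chosen for illustration, and the asset names and VULN-000x identifiers are constructed placeholders.

```python
"""Risk-based vulnerability remediation triage for IIoT / OT assets.

Added example, not from the slide deck. Severity bands follow the
"Vulnerability Severity" matrix on the slide; SLA_DAYS, the escalation rule
and the compensating-control order are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Facing(Enum):
    INTERNET_EXTRANET = "Internet / Extranet-facing"
    INTRANET = "Intranet-facing"


class Exploitability(Enum):
    REMOTE_PERIMETER = "remotely from Internet / Building"
    REMOTE_GATEWAY_CLIENTS = "remotely from Gateway / Clients"
    LOCAL_ONLY = "only locally on host"


BANDS = ["Low", "Medium", "Critical/High"]          # ascending severity

# Matrix as shown on the slide: both facings map the three exploitability
# columns to the same bands.
SEVERITY_MATRIX = {}
for _facing in Facing:
    SEVERITY_MATRIX[(_facing, Exploitability.REMOTE_PERIMETER)] = "Critical/High"
    SEVERITY_MATRIX[(_facing, Exploitability.REMOTE_GATEWAY_CLIENTS)] = "Medium"
    SEVERITY_MATRIX[(_facing, Exploitability.LOCAL_ONLY)] = "Low"

# Assumed remediation deadlines in days: peace time vs heightened posture.
SLA_DAYS = {
    "Critical/High": {"peace": 14, "heightened": 3},
    "Medium": {"peace": 30, "heightened": 14},
    "Low": {"peace": 90, "heightened": 30},
}

# The slide's alternatives to patching, in the (assumed) order a team would
# try them while the vendor has not yet certified the patch for the device.
COMPENSATING_CONTROLS = [
    "Disable unnecessary services",
    "Host-based firewall",
    "Network-based firewall",
    "Hardening the configuration",
    "Virtual patching",
]


@dataclass
class Vuln:
    vuln_id: str            # placeholder id, not a real CVE
    asset: str
    facing: Facing
    exploitability: Exploitability
    public_exploit: bool    # "Exploit Public Availability" on the slide
    patch_certified: bool   # vendor has certified the fix for this device


def severity_band(v: Vuln) -> str:
    band = SEVERITY_MATRIX[(v.facing, v.exploitability)]
    # Assumption: a publicly available exploit raises the band by one step.
    if v.public_exploit and band != BANDS[-1]:
        band = BANDS[BANDS.index(band) + 1]
    return band


def triage(v: Vuln, posture: str = "peace") -> dict:
    """Band, deadline and fix options for one finding under a given posture."""
    band = severity_band(v)
    if v.patch_certified:
        actions = ["Patching systems / services"]
    else:
        actions = COMPENSATING_CONTROLS + ["Patching systems / services once certified"]
    return {"vuln_id": v.vuln_id, "asset": v.asset, "band": band,
            "sla_days": SLA_DAYS[band][posture], "actions": actions}


def prioritise(vulns, posture: str = "peace"):
    """Most severe and most urgent first; ties keep input order."""
    rows = [triage(v, posture) for v in vulns]
    return sorted(rows, key=lambda r: (-BANDS.index(r["band"]), r["sla_days"]))


# Constructed sample inventory (placeholder ids and host names).
SAMPLE = [
    Vuln("VULN-0003", "eng-ws-02", Facing.INTRANET, Exploitability.LOCAL_ONLY, False, True),
    Vuln("VULN-0001", "hmi-01", Facing.INTRANET, Exploitability.REMOTE_PERIMETER, False, False),
    Vuln("VULN-0002", "historian-01", Facing.INTERNET_EXTRANET,
         Exploitability.REMOTE_GATEWAY_CLIENTS, True, True),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE, posture="heightened"):
        print(row["vuln_id"], row["asset"], row["band"], f"{row['sla_days']}d", row["actions"][0])
```

Running it in the heightened posture puts the unpatched HMI first with only compensating controls available, then the historian finding that a public exploit has escalated from Medium to Critical/High, and the local-only workstation issue last; switching `posture` to "peace" keeps the order but lengthens every deadline.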
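Slide 7 sets out IOE, IOA and IOC as the technical equivalents of exposures, attacks and compromises, and note 23 asks whether a team alerts only on indicators of compromise or already on indicators of attack. The Python below is an added example written for this page, not code from the presentation; it tags constructed log lines with one of the three tiers and shows how the alerting decision changes with that policy choice. The log format, the host names, the VULN-0001 identifier, the failed-login threshold and window, and the "known bad" hash and C2 domain are all constructed placeholders.

```python
"""Tagging events as Indicators of Exposure (IOE), Attack (IOA) or Compromise (IOC).

Added example, not from the slide deck. All reference data, thresholds and
log lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data (placeholders, not real indicators).
UNPATCHED = {"hmi-01": "VULN-0001"}           # asset -> open vulnerability id
BAD_HASH = "0" * 63 + "1"                      # stand-in for a known-bad SHA-256
KNOWN_BAD_HASHES = {BAD_HASH}
KNOWN_C2_DOMAINS = {"c2.example.test"}
FAIL_THRESHOLD = 5                             # failed logins ...
FAIL_WINDOW = timedelta(seconds=60)            # ... within this window count as an attack

# Constructed log lines in a simple "timestamp key=value ..." format.
LOG_LINES = [
    "2019-03-22T10:00:00 host=hmi-01 event=listen port=3389 proto=tcp",
    "2019-03-22T10:00:05 host=hmi-01 event=auth_fail src=10.0.5.7",
    "2019-03-22T10:00:09 host=hmi-01 event=auth_fail src=10.0.5.7",
    "2019-03-22T10:00:12 host=hmi-01 event=auth_fail src=10.0.5.7",
    "2019-03-22T10:00:20 host=hmi-01 event=auth_fail src=10.0.5.7",
    "2019-03-22T10:00:31 host=hmi-01 event=auth_fail src=10.0.5.7",
    "2019-03-22T10:02:00 host=eng-ws-02 event=dns query=c2.example.test",
    f"2019-03-22T10:03:00 host=historian-01 event=file_write sha256={BAD_HASH}",
    "2019-03-22T10:04:00 host=historian-01 event=auth_fail src=10.0.9.9",
]


def parse(line: str) -> dict:
    """Split a log line into a dict; the first token is the ISO timestamp."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def classify(lines):
    """Return (tier, host, detail) tuples in the order the indicators fire."""
    indicators = []
    fails = defaultdict(list)            # (host, src) -> recent failure times
    for ev in map(parse, lines):
        host, kind = ev["host"], ev["event"]
        if kind == "listen" and host in UNPATCHED:
            # Exposure: a known-vulnerable asset is offering a reachable service.
            indicators.append(("IOE", host,
                               f"{UNPATCHED[host]} unpatched, service listening on {ev['port']}/{ev['proto']}"))
        elif kind == "auth_fail":
            # Attack: a burst of failed logins from one source against one host.
            key = (host, ev["src"])
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= FAIL_WINDOW] + [ev["ts"]]
            if len(fails[key]) == FAIL_THRESHOLD:
                indicators.append(("IOA", host,
                                   f"{FAIL_THRESHOLD} failed logins from {ev['src']} within {FAIL_WINDOW.seconds}s"))
        elif kind == "dns" and ev["query"] in KNOWN_C2_DOMAINS:
            # Compromise: contact with infrastructure already known to be malicious.
            indicators.append(("IOC", host, f"DNS query for known C2 domain {ev['query']}"))
        elif kind == "file_write" and ev["sha256"] in KNOWN_BAD_HASHES:
            indicators.append(("IOC", host, "file written matches a known-bad hash"))
    return indicators


def alert_decisions(indicators, alert_on_attack: bool = True) -> dict:
    """Map each indicator to an action. IOCs always alert; IOAs alert only if
    the team has chosen to act before a compromise is confirmed; IOEs go to
    vulnerability management rather than the on-call queue."""
    action_for = {"IOC": "alert",
                  "IOA": "alert" if alert_on_attack else "log",
                  "IOE": "vuln-mgmt ticket"}
    decisions = defaultdict(list)
    for tier, host, _detail in indicators:
        decisions[host].append((tier, action_for[tier]))
    return dict(decisions)


if __name__ == "__main__":
    found = classify(LOG_LINES)
    for tier, host, detail in found:
        print(tier, host, detail)
    print(alert_decisions(found, alert_on_attack=False))
```

On the sample lines the HMI yields both an exposure and an attack, while the workstation and the historian each yield a compromise; with `alert_on_attack=False` the five failed logins are only logged, which is exactly the gap note 23 is asking each team to decide on deliberately rather than by default.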