Future-proofing Supply Chain against emerging Cyber-physical Threats
1. Future-proofing Supply Chain against emerging Cyber-physical Threats
Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of any organisation
Steven Sim, VP, ISACA Singapore Chapter
5. • Threats are getting increasingly impactful and sophisticated
• All organisations that have a cyber footprint can be breached
• Not a matter of IF but WHEN incidents will happen
• How can we then future-proof against the inevitable?
New Cybersecurity Normal
Characteristics of Advanced Persistent Threats (APTs), compared with the wiperworm (NotPetya) and the ransomworm (WannaCry):
Impact & Behavior: data leaked (the rest are outages); stays persistent, not detected; intent hard to figure
Sophistication: signatureless, uses legitimate tools and sites; exploits multiple vulnerabilities; fully patched systems vulnerable
6. Now what can we do?
Know our SELF
Know our ENEMIES
A hundred BATTLES
A hundred VICTORIES
- Sun Tzu
“While cyber defences will never be impregnable, the success of the attacker in achieving actions on objectives is not inevitable.” – SingHealth COI
7. Exposures, Attacks, Compromises
Technical Equivalents: Indicators of Exposure (IOE), Indicators of Attack (IOA), Indicators of Compromise (IOC)
Know our SELF / Know our ENEMIES
Tactics, Techniques, Procedures (TTP)
10. Cyber-Physical Universe
Automation is also the means to repeat human errors with rigor in a consistent manner.
Cybersecurity and Safety are increasingly synonymous.
12. Perils of Patching
• How complex is your system?
• How fast can you test a patch?
• How complete is your testing?
• Can you afford to risk a self-inflicted Denial-of-Service?
13. Key current pain-points
1. Weak computing power
2. Insecurity by design
3. Insecure industrial protocols
4. Slow certification of patches
5. Hard to retrofit
Inherent Design Issues
Cyber-Physical Limitations
14. Inherent Accessibility Exposures
Internet connectivity: Watering Hole Attacks
Cloud adoption, data lakes: Leaky Cloud Buckets
Internet connectivity: Distributed Denial-of-Service
Increased Accessibility
25. Now what can we do?
A Hundred Battles
A Hundred Victories
26. Governance key to Future-proofing
Perform threat modelling / Adopt cybersecurity framework / Adopt key principles / Adopt IT Risk Framework
Key Areas of IIOT Focus: Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness
27. • Business to operation to IT risk alignment paramount
• Risk optimization is key to risk management
• Risk Owner is Accountable
• CISO cannot own Risk
Adopt IT Risk Framework
ISACA Risk IT Framework
28. 1. Tender Specs (Firewall, VPN, Common Criteria, etc)
2. Product allows Vulnerability to be Managed
3. Layered Defense Architecture
4. Architecture Security Review
1. Security Standards
2. Server Hardening i.e. Disable Unnecessary Services
3. Network-based Firewall
4. Pre-deployment Vulnerability Assessment & Penetration Testing
1. Regular Vulnerability Scan
2. Regular Vulnerability alert Monitoring
3. Timely Vulnerability Remediation/Patching
4. Continuous Audit and Monitoring
1. Security Training and Awareness
2. Security Advisories to Custodians
3. Phishing Simulation Exercise
4. Extension to Supply Chain
Adopt Key Principles
29. • Data as the new oil
• Adopt a data-centric approach
Privacy-by-Design (as part of SbD)
30. Patch-work is not ideal: addressing flaws in pre-existing systems architecture.
Security-by-design has to be done right from the start.
31. Adopt Cyber Security Framework (1)
ISACA COBIT
Increased Focus on Detect, Respond and Recover phases
34. Vulnerability Management Focus
Different ways of fixing a vulnerability
• Disable unnecessary services
• Network-based firewall
• Host-based firewall
• Hardening the configuration
• Virtual Patching
• Patching
Remediation timeline matrix:
Rows (Systems / Services by Vulnerability Severity): Internet / Extranet-facing (Critical / High, Medium, Low); Intranet-facing (Critical / High, Medium, Low)
Columns (exploitability): Exploitable remotely from Internet / Building; Exploitable remotely from Gateway / Clients; Exploitable only locally on host
Vulnerability Remediation Timeline
• Risk-based
• Peace Time vs Heightened Posture
• Attack Surface Exposure
• Exploit Public Availability
Key Areas of Focus (2)
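The risk-based remediation timeline on this slide, as an added example that is not from the presentation: a small Python model of the matrix axes (system exposure and severity against where the vulnerability is exploitable from) together with the three modifiers listed, extended with the slide's point that patching is only one of several fixes. All day counts, scaling factors, the halving rules and the interim-control decision are constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass
from enum import Enum

class Facing(Enum):
    INTERNET = "Internet / Extranet-facing"
    INTRANET = "Intranet-facing"

class Severity(Enum):
    CRITICAL_HIGH = "Critical / High"
    MEDIUM = "Medium"
    LOW = "Low"

class Exploitable(Enum):  # where the vulnerability can be exploited from
    INTERNET = "remotely from Internet / Building"
    GATEWAY = "remotely from Gateway / Clients"
    LOCAL = "only locally on host"

@dataclass(frozen=True)
class Finding:
    system: str
    facing: Facing
    severity: Severity
    exploitable: Exploitable
    exploit_public: bool = False  # is a working exploit publicly available?

# Constructed assumptions (not figures from the talk): baseline days per severity,
# scaled down the further away the vulnerability can be reached from.
BASE_DAYS = {Severity.CRITICAL_HIGH: 30, Severity.MEDIUM: 60, Severity.LOW: 90}
REACH_FACTOR = {Exploitable.INTERNET: 0.25, Exploitable.GATEWAY: 0.5, Exploitable.LOCAL: 1.0}

def remediation_days(f: Finding, heightened_posture: bool = False) -> int:
    """Deadline in days: each risk driver on the slide halves the remaining window."""
    days = BASE_DAYS[f.severity] * REACH_FACTOR[f.exploitable]
    if f.facing is Facing.INTERNET and f.exploitable is not Exploitable.LOCAL:
        days /= 2  # attack surface exposure: reachable by anyone on the Internet
    if f.exploit_public:
        days /= 2  # exploit public availability
    if heightened_posture:
        days /= 2  # heightened posture rather than peace time
    return max(1, math.ceil(days))

def plan(f: Finding, patch_lead_days: int, heightened_posture: bool = False) -> tuple:
    """If the certified patch cannot land before the deadline, apply an interim control
    (disable service, firewall rule, hardening, virtual patch) first, then patch."""
    deadline = remediation_days(f, heightened_posture)
    action = "patch" if patch_lead_days <= deadline else "interim control, then patch"
    return action, deadline

def prioritise(findings, heightened_posture: bool = False) -> list:
    """Work queue ordered by deadline, shortest first."""
    return sorted((remediation_days(f, heightened_posture), f.system) for f in findings)
```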
35. Optiv IR Org Model
Incident Management Focus
Key Areas of Focus (3)
Key Areas of Consideration
• Black Swans
• Recovery Order
• Alternate Comms
• Crisis Management
• Cyber-Physical SOC
• Threat Hunting, Drills, Table-tops
• BCM for full automation
37. Governance key to Future-proofing
38. “… need for organizations to elevate cybersecurity as a priority to build the foundation of its cybersecurity culture, better secure their operations, and strengthen the global digital economic ecosystem. Partnerships and information sharing, like ISACA’s collaboration with Digital Manufacturing and Design Innovation Institute (DMDII) on this study, are becoming increasingly key to accomplishing these goals.”
Frank Downs, Director of Cybersecurity Practices at ISACA
Public Private Partnership
39. 1. Be Aware of Increasing Concerns with Cyber-Physical Threats
• Emerging Cyber-Physical Threats are sophisticated. Cover all spaces.
2. Key Resilience Principles are still relevant against emerging threats
• Adopt good risk, threat modelling, principles, cybersecurity frameworks.
• Be pragmatic - Cyber Resiliency is key.
3. Good Risk Culture, Management and Governance is important
• Optimize risk. Technology is inadequate. Support with people and processes. Connect with industry and community.
Key Take-aways (1)
40. Key Take-aways (2)
4. Need for inventory of systems and services, asset classification, risk assessment
5. Need for architecture governance
• Not allowing excessive diverse technologies to be used in
• Having adequate diversity to mitigate supply chain concentration risk.
6. Buying technology to solve problems but with adequately trained people and processes
41. • Industrialization 4.0 is here to stay
• Less human intervention
• Heavy reliance on cyber-physical connectivity, analytics, cloud
• Increased criticality on wireless networking
• Transiting to the New Cybersecurity Normal
• Better impact assessment and automated containment
• Elevated cybersecurity requirements and mandate – Security & Privacy by Design
• Increased commoditization of cyber insurance
All’s not doom and gloom
42. • Become better at your job
• Support your profession
• Increase your value to your employer by expanding your skill set
• Expand your network of business contacts
• Highlight your expertise by earning a professional credential
• Position yourself to participate in a global marketplace
• Support the future of your profession
• Position yourself for management opportunities
Why you should become an ISACA member
44. Thank you for attending. Stay in touch!
Editor's Notes
More on ISACA
Can anyone hazard a guess what these organisations have in common? Yes, these are organisations hacked due to a breach in their supply chain.
https://www.channelnewsasia.com/news/technology/fema-error-exposes-2-3-million-disaster-survivors-to-fraud--watchdog-11371994
https://www.bankinfosecurity.com/pentagon-data-breach-exposed-30000-travel-records-a-11600
What about this list? These are the suppliers through whom the breaches occurred. Breaches can come in many forms, shapes and sizes: some through law firms, some through managed services, some through maintenance contractors.
https://www.techradar.com/news/hpe-and-ibm-attacked-by-chinese-hackers
https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/
https://www.csoonline.com/article/2129794/lessons-from-the-rsa-breach.html
https://bgr.com/2018/08/06/android-malware-windows-google-removes-145-apps/
https://www.smh.com.au/politics/federal/chinese-hackers-breach-anu-putting-national-security-at-risk-20180706-p4zq0q.html
https://www.icij.org/investigations/paradise-papers/
The threat of cyberattacks using an enterprise’s supply chain as a delivery vector has become a common concern within the information security community.
Locally, Singapore is not spared. More than 800,000 blood donors’ details were exposed through a vendor who was working on a database.
https://www.infosecurity-magazine.com/news/vendor-exposes-singapore-health-1-1/
The McKinsey article has a detailed write-up on Supply Chain 4.0. However, it makes no mention of cyber risk or security in its considerations. ISACA classifies the risks associated with various systems and provides a series of recommendations to manage them.
https://www.mckinsey.com/industries/consumer-packaged-goods/our-insights/supply-chain-4-0-in-consumer-goods
For the purpose of today’s short presentation, I am going to narrow the focus down to Cyber-physical systems.
It is a matter of life and death! There is so much imperfectly written software out there. How are you going to remotely patch a life-dependent device? On top of that, there are so many vulnerabilities out there.
OK, let’s say you are able to orchestrate patches, but how complex is your system? How fast can you test a patch? How complete is your testing, and can you afford to risk a self-inflicted Denial-of-Service? That is what happened to Queensland hospitals during the WannaCry patch frenzy, and more recently when factory systems were hit by post-Meltdown/Spectre patch glitches, not to mention the recent case of the Windows 10 October update causing issues. Imagine the HMIs in your OT network being patched and running into issues as well.
IIOT needs to ensure risk is kept to a minimum, so its underlying foundation is very much the same as OT, inheriting a large bulk of its design flaws. OT stands for Operations Technology and encompasses ICS (Industrial Control Systems) and SCADA (Supervisory Control And Data Acquisition). Unlike IT, OT prioritizes its cybersecurity requirements differently: in OT, safety comes foremost, followed by availability, integrity and confidentiality. I look at IIOT as an extension of OT, as it has to bring along the engineering ruggedness of OT. IIOT tends to be weaker in computing power, hence even the trials of blockchain have had to resort to weaker hashes instead of the industry-accepted SHA-2 hashes, impacting the ability to comply with standards. This was partly the reason why separate IoT security standards had to be developed. Having its roots in OT, IIOT tends to be insecure by design, with hardcoded passwords and a lack of orchestration. Insecure industrial protocols with no authentication and encryption are often in place because they were originally built for closed systems. And for reasons of safety and thoroughness in testing, OS and third-party security fixes are often slow to be certified by the vendors. Lastly, they are often hard to retrofit due to their scale and tight legacy interactions: any component change often requires extensive testing and customization.
With IoT, analytics come into play, and with analytics you would think of using the cloud. There are three key concerns with the underlying accessibility. First, there is the risk of watering hole attacks, as exploited by the NotPetya malware, which relied on the MeDoc accounting software. Then there is the challenge of misconfigured, leaky cloud buckets: there was a slew of news relating to misconfigured Amazon Web Services storage, with victims including some of the big consulting houses. Not least, there are DDoS attacks targeting IIoT, such as the Mirai botnet.
GPS jamming and spoofing attacks are a serious concern if GPS is relied on as the only means of navigation. Land-based navigation systems and transponders would be a consideration.
And even hobby drones can be used to effectively jam industrial access points. This is a tough problem to solve and this is where integration of physical and cyber monitoring becomes very important.
Cyber supply-chain risk management (SCRM) monitoring and response
What is at risk?
Confidentiality (intellectual property and personal and business data)
Integrity (processes, products and data)
Availability (flows, products and data)
Authenticity (products and data)
Trustworthiness (processes, products and people)
The following properties enable one to assure that the risk has been adequately mitigated or avoided:
Transparency
Quality
Accountability
Adopt a security-by-design, security-by-default, security-by-deployment approach, and underlying all these, strong communications as the foundation is key. For instance, security-by-design entails incorporating security requirements in tender specifications right from the start. I want to highlight that it is important to cover continuous audit and monitoring under the “secure in deployment” phase, and it is important to extend your awareness and phishing simulation to stakeholders down your supply chain.
Secure via an ecosystem approach rather than a component-based approach.
Network security should be based on layered defenses by depth and by sufficient diversity, minimally diversity between security zones or tiers such as the use of two different makes of firewalls.
Another important aspect of IIOT security focus is vulnerability management. Notice that I don’t call it patch management, because patching is just a means to an end. There are different ways besides patching to fix a vulnerability, ranging from something as straightforward as disabling an unused service to something as sophisticated as virtual patching. It is also important to establish a risk-based vulnerability remediation timeline that depends on the threat posture, attack surface exposure as well as exploit availability.
The earlier slides described the WHY and the WHAT.
This slide indicates the HOW.
To transform the GCIRT Global Organisation into one that achieves the three PSA objectives I mentioned earlier, there are three key phases: norming, performing and excelling.
By the end of 2019, in accordance with the CSMS, the LCIRT would have been set up, and by the end of 2019, GCIRT would be transformed from a reactive state to an adaptive state.
By the end of 2020, GCIRT would be expected to evolve from an adaptive stage to a purposeful stage where incident management processes are optimized.
At the end of 2021, GCIRT would be more agile, respond to changes in the threat landscape quickly and be able to integrate business risk a lot more seamlessly.
Now, what does this mean to each BU?
Establishing a strong cybersecurity and risk culture is ever more important. Do you alert only when there are indicators of compromise or even when there are indicators of attack? What is your management’s reaction when you report false positives?
Here are some key take-aways. Be aware of increasing concerns with cyber-physical threats; key resilience principles will still be relevant against emerging threats. Not least, good risk management and governance are absolutely essential and are the foundation of .
And to share some common pitfalls: good governance is key. The lack of an adequate inventory is a common pain-point. Secondly, I know this sounds contradictory, but the number of vulnerabilities that need to be dealt with multiplies with every new technology in use. Therefore, do not have excessively diverse technologies, yet do not rely on only one, as that would also incur supply chain concentration risk. Not least, using technology to solve problems without supporting it with trained personnel and processes is a huge concern. A set of double-layered IPSes with no rules in place is as good as not having any IPSes in place.
In the foreseeable future, industrialization 4.0 is here to stay and it comes with less human intervention, heavier reliance on cyber-physical connectivity, analytics and cloud and increases the criticality on wireless networking. There is no way you can physically wire up an automated guided vehicle or automated ship for that matter.
With that, it means transiting to the new cybersecurity normal, where better impact assessment and automated containment are required since everything is automated and real-time, and elevated cybersecurity requirements such as security by design will be mandated. There will likely be increased investment in cyber security and increased commoditization of cyber insurance. Industrialization has helped us evolve from the canoe to the container ship; there are increased benefits and risks, yet that does not stop us from progressing. BIMCO standards are put in place and insurance becomes mandated. Eventually, I believe the cyber world will reach a similar maturity.
With that I end my presentation. Thank you for attending, and do stay in touch. Are there any questions? I will be glad to take any here, later during the break or offline. Do link up on LinkedIn. This is my LinkedIn QR code, which you can simply scan using your LinkedIn mobile app. I would very much like to exchange notes with all of you. For all of us, it is a never-ending learning journey in the cyber security space, and it is therefore important to stay in touch and synergize collective wisdom based on knowledge and experience exchanges. Thank you.