#RSAC
Safety First, Strategic Solutions to Protect the Industrial Internet of Things
Session ID: SBX3-R1
Jesus Molina
Consultant, JM Consulting, @verifythentrust
A Cautionary Tale from 2014
Takeaways from the Building Security Breach
• No physical security for endpoints
• Incorrect network segmentation
• No protocol security
• No root of trust
• No strong identity
• Result: control of 200+ room appliances
• Safety consequences?
Industrial IoT Trustworthiness
Industrial Internet of Things
The 4th Industrial Revolution
Large deployments from edge to cloud
Involve diverse technologies: IoT, Cloud Computing, Machine Learning and others
Importance of safety, reliability and resilience
Affects your daily life
Evolution of System Trustworthiness
Industrial Internet of Things
Standards and Frameworks
IIC Security Framework News
IISF contains:
• 174 pages
• 12 chapters
• 7 Annexes
• 18 pages of reference lists
• 177 individual references
• 142 individual acronyms
• 37 figures
• 7 tables
• All references hyperlinked (Description & Download)
• Fully Indexed
• Table of contents
• Table of figures
• All hi-res (EPS) vector graphics
• 800+ comments over the lifetime of the document
• 15 version updates in one day (mid-July)
IIC Testbeds and Security
February 7, 2017
IIC and Industrie 4.0
[Figure: Scope of Industrial Internet Consortium (IIC). Industrial Internet verticals: Smart Cities, Retail, Logistics, Energy, Water, Food, Transportation, Health, Manufacturing. Cross Domain Interoperability in IIoT.]
Security Design in IIoT
Security Design vs. Defending
• IIoT is a mix of greenfield and brownfield
• Example of design vs defending: Google Report
• Defend your brownfield
• Security design for greenfield
IIoT security process: Brownfield
• Discover
• Threat modeling
• Segmentation
• Monitoring
• Identity
• Evolution into greenfield
IIoT security process: GreenField
• Threat modeling
• Security policy
• Data protection
• Building blocks
Endpoint
Endpoint: HW Root of Trust & Strong Identity
HW Root of Trust
Integrity & Identification
Authentication
Secured storage
True Random Number Generation & key creation & management
Platform Integrity check
Configuration
Configuration: Endpoint Identity Management
Secure Provisioning
Strong Device Identity
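The endpoint bullets above (hardware root of trust, platform integrity check) and the configuration bullets (secure provisioning, strong device identity) come together in a challenge-response attestation between an endpoint and its gateway. The following is an added example, not code from the talk or the IISF; it assumes a per-device symmetric key provisioned at manufacture stands in for a hardware-bound key, and the firmware image is a constructed sample.

```python
import hashlib
import hmac
import secrets

# Constructed sample firmware image; its hash is the "golden" measurement
# handed to the gateway at secure-provisioning time.
GOLDEN_FIRMWARE = b"iiot-sensor-fw v1.2 (constructed sample image)"

def measure(firmware: bytes) -> str:
    """Platform integrity check: the measurement is a hash of the firmware."""
    return hashlib.sha256(firmware).hexdigest()

class Device:
    """Endpoint whose identity key lives in (simulated) secured storage."""
    def __init__(self, device_id: str, key: bytes, firmware: bytes):
        self.device_id, self._key, self.firmware = device_id, key, firmware

    def quote(self, nonce: bytes) -> dict:
        """Answer a gateway challenge with a keyed measurement report."""
        m = measure(self.firmware)
        msg = nonce + self.device_id.encode() + m.encode()
        return {"device_id": self.device_id, "measurement": m,
                "mac": hmac.new(self._key, msg, hashlib.sha256).hexdigest()}

class Gateway:
    """Provisioning registry: device_id -> (identity key, golden measurement)."""
    def __init__(self):
        self.registry = {}

    def provision(self, device_id: str, key: bytes, golden: str) -> None:
        self.registry[device_id] = (key, golden)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce, so an old quote is not accepted again

    def verify(self, nonce: bytes, q: dict) -> str:
        """Return 'ok' or the reason the endpoint is rejected."""
        entry = self.registry.get(q["device_id"])
        if entry is None:
            return "unknown-device"      # never provisioned: no identity to trust
        key, golden = entry
        msg = nonce + q["device_id"].encode() + q["measurement"].encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, q["mac"]):
            return "bad-identity"        # wrong key or wrong nonce: not this device's fresh answer
        if q["measurement"] != golden:
            return "integrity-failure"   # firmware differs from the golden image
        return "ok"
```

The gateway rejects for a specific reason so that monitoring can distinguish an unprovisioned endpoint from a modified one.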
Communications & Connectivity
Communication: Information Flow Protection at the Gateway
Monitoring
Endpoint Monitoring, Detection, and Remediation
Example: Communications
Unidirectional Gateways separate OT from IT networks
Current state of the art for process-based networks
Andrew Ginter’s book “SCADA Security: What's Broken and How To Fix It”
Apply
Next week you should:
Download the security framework at http://www.iiconsortium.org/IISF.htm
Visit http://www.iiotsecurity.com to evaluate your current solutions
In the next 3 months you should:
Brownfield: Edge discovery, evaluate current segmentation
Greenfield: Design security solution following the security framework
Start a maturity model in your organization
In the next 6 months you should:
Evolve your security model with IIoT security tools
Closing
Industrial IoT encompasses many verticals with different requirements
NIST, Industrie 4.0 and the IIC are working on models based on trustworthiness
Security needs to be standardized and tools mapped correctly
Process:
Greenfield: IISF
Brownfield: discovery, segmentation, monitoring, identity, and protocols