lighting europe, brussels, 6.11.2018 ul it-security ... · – ddos: distributed denial of service...

UL and the UL logo are trademarks of UL LLC © 2018. Proprietary & Confidential. Lighting Europe, Brussels, 6.11.2018 UL IT-Security / Cybersecurity Partnering for growth Alexander W. Koehler, Dipl.Math, CISSP; BDM Cybersecurity, Neu-Isenburg


UL and the UL logo are trademarks of UL LLC © 2018. Proprietary & Confidential.

Lighting Europe, Brussels, 6.11.2018

UL IT-Security / Cybersecurity

Partnering for growth

Alexander W. Koehler, Dipl.Math, CISSP; BDM Cybersecurity, Neu-Isenburg


Lighting Goes “Smart” – Should We Care About Cybersecurity?

Alexander W. Koehler, Dipl.Math, CISSP, CCSK

Cybersecurity Business Development Manager

UL International Germany GmbH


Underwriters Laboratories

• Founded in 1894
• Safety, security, quality, sustainability
• 143 countries
  – German HQ: Neu-Isenburg (Frankfurt)
  – Cybersecurity lab for IoT, IIoT, Industry 4.0
• > 20 industries
• > 14,000 FTE
  – > 400 FTE in information security / cybersecurity
• UL SDO: >1600 standards
• IT-Security Systems House
  – IT-security standards development
  – IT-security technical specifications development
  – IT-security research
  – Consulting
    • Security architectures (design reviews)
    • Security processes
  – Software development (IT-security, test tools)
  – Training
  – Testing
    • Pentesting
    • Source Code Analysis
  – Certification
    • All relevant industry standards
  – Leadership in IECEE CB certifications
  – 5 cybersecurity labs w/w
  – > 20 years IT-security / cybersecurity


Science and global expertise

• UL operates in more than 143 countries and across more than 20 industries
• UL's sustainability certifications are referenced in 900+ sustainable product specifications or purchasing guidelines around the globe
• UL has enhanced transaction security for:
  – 500+ banks
  – 20+ payment schemes
  – 60+ mobile network operators
  – 50+ governments/transport operators
• UL serves 1 out of 3 Fortune 500 companies
• UL software is used by 10,000+ organizations in over 10 industries
• UL has helped to set more than 1,600 standards defining safety, security, quality and sustainability


Current 2018 Locations

• Chicago, 2015
• Frankfurt, Germany, 2018
• Silicon Valley, 2017
• Leiden, Netherlands, 2012
• Suzhou, China, 2017

Map labels: Certification, Industrial, Lighting, IoT, Access Control & Video, Advisory OT Assessment, Automotive, Smart Home, Building Automation, Factory Automation, Energy, Medical


What Can Cybersecurity Do For Your Business?


Bright Side: Cybersecurity Landscape


The world is becoming more connected

30 billion connected devices by 2020 (EMC 2015)

• Smart cities
• Critical infrastructure
• Building automation & security
• Healthcare
• Automotive
• Factory automation
• Smart home


Lighting Systems And Cybersecurity 1

• Two classes of functionality
  – Light emitting devices with smart control capabilities (on/off, brightness, color, sequenced)
    • Central management, usually cloud
    • Resilience, security, safety
    • Cross device communication: ZigBee, BT Mesh
  – Light emitting devices with enhanced capabilities, based on available energy, connectivity
    • Sensors: microphones, cameras (pattern recognition), motion, chemical sensors, radar
    • Central management, usually cloud
    • Cross device communication: ZigBee, BT Mesh, 5G, etc.
    • Resilience, security, safety: requirements depend on use case.
• „Smart“: added value or the primary added value?


Dark Side: Threats And Danger


Security is not promised with IoT

• >94,000 known public vulnerabilities (NIST NVD 9/8/17)
• 83% of companies think cyberattacks are one of the 3 biggest threats to their organization (ISACA, 2015, Global Cybersecurity Status Report)


Lighting Systems And Cybersecurity 2


• X percent of lighting devices will become „smart“.

• Amount of devices: y million.

• Revenues & profits generated by „smart“: € z million.

• „Smart“ business models.

• Needs to get protected to prevent malfunction

– Darkness, wrong guidance, wrong data from sensors, extracted data (motion profiles, confidential/privacy data),

• Cybersecurity: limitation or business enabler?

• Anything missing?

• Most important: Misuse of IoT devices

– DDoS: Distributed Denial of Service Attack

– DDoS as ultimate data processing power to attack major sites (German Telekom, Netflix, …)

– Mirai-based IoT botnet, DDoS, 21st October, 2016

– Telekom Germany 2017: turned down 800.000 connected devices

– Liabilities


Outsourcing


Expertise is limited & in high demand

2 million unfilled global cybersecurity positions by 2019 (ISACA 2016)


The Fundamental Process

„Security is not a product, security is a process!“

Bruce Schneier, 2008


NIS Directive, „Cybersecurity Act“, ENISA

PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013: “Cybersecurity Act”

• Establishment of European Cybersecurity Certification Framework
  – 3 assurance levels, certification schemes.
• Granting permanent mandate to European Union Agency for Network and Information Security (ENISA).

DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.


Regulation Or Not – Cybersecurity Is Serious Stuff!

Impact of Security Issues

Critical Infrastructures

Electricity

Gas

Water

Financial Services

Cities

Medical operations

Transport

Supply chain

In case of, it does not matter who has done a bad job

Privacy violations

Reliability and sustainability -> Trust

Risk Management, Trust: core business of UL for > 125 years


Regulation Or Not – Cybersecurity Is Serious Stuff!

Self-declaration works for cybersecurity as it does already for product safety?

Wrong. It does not, sorry.

Why:

• IoThings: The „Thing“ is something within the perimeter of competence of the manufacturer or system integrator (machine, toy, …). Cybersecurity is not (in most cases).
• Compromised product safety is limited in doing harm to the product (hairdryer), the operator (electrical shock) or the close environment (burn down the house). Cybersecurity is not (always).

The solution:

• Do it right: PDCA: Plan, Do, Check, Act.
• Check: 3rd party testing, design review, certification.


Regulation Or Not – Cybersecurity Is Serious Stuff!

Self-declaration works for cybersecurity as it does already for product safety?

Dead wrong, it does not! Why:

• IoThings: The „Thing“ is something within the perimeter of competence of the manufacturer or system integrator (machine, toy, …). Cybersecurity is not (in most cases).
• Compromised product safety is limited in doing harm to the product (hairdryer), the operator (electrical shock) or the close environment (burn down the house). Cybersecurity is not (always).

The solution:

• Do it right: PDCA: Plan, Do, Check, Act.
• Check: 3rd party testing, design review, certification.

https://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained

Mirai-based IoT botnet, DDoS, 21st October, 2016


Questions?

Answers: [email protected]


Lighting Goes “Smart” – Cybersecurity, a business opportunity.
