tigerspike - cybersecurity and mobility in the energy industry

Cybersecurity and mobility in the Energy Industry Advanced Energy 2013 1 May 2013

Christian Glover Wilson"Vice President, Technology & Strategy"

Tigerspike

Cybersecurity and mobility in the Energy Industry

Abstract

Enterprise mobility has progressed from email on a BlackBerry to a vast proliferation of personal media devices in the hands of employees, engineers and the end consumers. Mobility is key to how remote teams now collaborate and access files and data with the advent of cloud computing accelerating that further. The distributed nature of energy production and distribution make this even more pronounced for the energy industry. This new ecosystem has led to a variety of new cybersecurity threats that need to be understood and prevented. The widespread adoption of smart devices and the rise of the Internet of Things need to be secured with a combination of best practice and technology – protecting but not limiting the continuous push towards anywhere and any device productivity.

Rise of Mobility

Understanding the Threats

Addressing the Problem


Contents


Rise of Mobility

Proliferation of Personal Technology Devices


•  As of late 2010, smartphone sales started surpassing those of traditional computers.

•  “By 2015 shipments of tablets will outstrip those of conventional PCs such as desktops and notebooks”-Gartner

Source: Gartner, April 2013

Proliferation of Personal Technology Devices


•  Tablets will overtake desktop and notebook shipments combined, while 'ultra-mobiles' will grow

•  Shift in device preference is coming from a shift in user behavior •  Leads to a bigger embrace of the cloud for sharing and for access

to content

Source: Gartner, April 2013

Enterprise Mobility


•  Rapidly growing adoption of BYOD

•  Easy to push real-time alerts and crucial messages to users, based on location

•  Can capture vital analytics about usage and devices used

•  Enterprise apps can provide offline access to keep using the app and entering data, with an automatic sync once the device comes back into range

Enterprise Mobility


Mobile devices empower employees to do what they need to do — whenever and wherever; enterprise mobility is not telecommuting.

A rapidly maturing ecosystem of mobile app tools, technologies and platforms.

Internet of Things


•  Growing network of IP-enabled components and appliances

•  Meters and devices reporting their usage allowing reactive modeling

•  Locks and control devices controlled over the Internet

•  Connected installations managed remotely

Internet of Things


Supply/Demand Alterna1ve Oil/Gas

Loca%ons Power Genera%on, Transmission and Distribu%on Low Voltage Power Quality Energy Management

Solar Wind Co-‐genera%on Electrochemical

Rigs Derricks Well Heads Pumps Pipelines

Devices Turbines, Windmills, UPS, BaJeries, Generators, Meters, Drills, Fuel Cells, etc.

Every industry has an individual set of uniquely

identified “things” generating data and able to

controlled remotely.

For example:

The mobile world changes with every new device and set of devices. Smartphones and tablets are being joined in the marketplace by new consumer devices. Wearable and augmented reality products will fast become widespread.

New Devices


Mobile device uses


•  Voice •  Video •  Data •  Control •  NFC Interaction (RFID, Bluetooth, etc) •  Thin client for cloud-stored data •  BigData aggregation visualization


Understanding the Threats

The Device


•  Vulnerable to malware, malicious apps posing as benign apps

•  Legitimate apps can allow data loss and data leakage if poorly-written

•  Vulnerabilities in Hardware, OS, Application and Third-Party Applications

•  Unsecured or Rogue Marketplaces

The Device


•  Malware and attacks on mobile devices are on the rise

•  Vulnerabilities found almost as soon as a device hits the market

Accidental breaches and device loss


•  68% of employees reported that they did not have their devices cleaned when upgrading

•  Access and data breaches are the most common results of lost phones... not recovery

•  Social engineering tactics lead users to click malicious URLs spammed by trusted sources via SMS, social media and email.

BYOD – Statistics around usage


0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

...user a personal electronic device for work-related functions

...who use a laptop for work will connect to the company's network via a free or public WiFi connection

...who use a personal device for work have let someone else use it

...who use personal device(s) for work have not activated the auto-lock feature

...who use their personal device for work admit that their organization's data and/or files are not encrypted

...who use a personal device for work say their organization has not implemented a "bring-your-own-device" policy

...of employees U.S. adults have been a victim of malware or hacking on a personal electronic device

81%

31%

46%

37%

33%

66%

25%

Encryption of DAR and signal


•  Given sufficient time, a brute force attack is capable of cracking any known serial encryption algorithm.

•  To crack AES with 128-bit key would take 1 billion billion years for a supercomputer of today.

•  Using quantum technology with the same throughput, exhausting the possibilities of a 128-bit AES key would take about six months

•  Encryption only ever as secure as the implementation

Connectivity weakness


•  Unsecured WiFi and rogue access points add vulnerability

•  NFC/RFID has a low threat of breach but can allow mimicry

•  Bluetooth defects allow "eavesdropping and caller "identification

Mobility introduces all these threats


Internet of Things


•  Increases exponentially the quantity of systems that will have to be protected

•  Route of data to the provider is obvious weakness

•  Multiple points of failure •  DDoS attacks on individual appliances •  Introduce vulnerability to associated financial

records

Wearable


New devices means new threats and fresh cyber security considerations


Wearable


Addressing the Problem


Securing the Device

Securing the Device


•  MDM Notification, access control, quarantine, selective wipe

•  MAM Authentication, storage control, copy/paste limitation

•  Data and apps •  Event monitoring •  Keep OS updated

People are demanding to use their own gadgets in their jobs. Trying to thwart

them is futile The Economist

92% of Fortune 500 companies are testing or deploying

the iPad Tim Cook, CEO Apple

When young employees first come across business-application screens,

they scream in horror Willem Eelman, CIO Unilever

Enterprise Mobility


Enterprise Mobility


•  BYOD vs COPE (Corporate owned, personally enabled)

•  Clear policy required •  Control non-work device use

Encryption

•  Invest in parallel solutions, be prepared for Quantum Computing

•  Encrypt data stored to cloud storage •  Encrypt any sensitive data stored on the device

as well as while being transmitted •  Pay attention to key exchange •  Harden networks


Internet of Things


•  Assume each device or appliance is the weakest part of the system

•  Protect data captured even if it caches on the device or local network

•  Consider remote control locks as insecure as those operated locally

•  Have lock passwords change"frequently and on demand to"allow temporary access

Securing mobile devices


Christian Glover WilsonVice President, Technology & Strategy"[email protected]

+1 917 310 5249

"

San Francisco 875 Howard Street"6th Floor"San Francisco, CA 94103"+1 415 562 4001"[email protected]

New York 133 W 19th St"7th Floor"New York, NY 10011"+1 646 330 4636"[email protected]

Contact me

San Francisco New York London Dubai Singapore Sydney Melbourne