Internet of Things (IoT)
Securing the Connected Ecosystem
June 2018
Copyright © 2018 Deloitte Development LLC. All rights reserved. 2
Making sense of the buzzwords: What is the Internet of Things?
Internet of Things (IoT) refers to a world of intelligent, connected devices that generate data for automating business processes and enabling new services.
[Diagram: the four elements of IoT]
• Things: Physical devices and objects intelligently connected
• Process: Individual data streams are processed and analyzed with algorithms
• Analytics: Delivery of the right information to the right place at the right time
• People: Connection of people in more relevant and valuable ways
IoT and the information value loop
Increasingly, organizations are developing approaches to managing data, leveraging “brownfield” infrastructure, and developing new business models.
[Diagram: the information value loop, from Things to Applications]
• Stages: Create → Communicate → Aggregate → Analyze → Act
• Enabling technologies: Sensors, Network, Standards, Augmented Intelligence, Augmented Behavior
• Value drivers: Magnitude (Scope | Scale | Frequency), Risk (Security | Reliability | Accuracy), Time (Latency | Timeliness)
Challenges Facing IoT and Industry 4.0 Strategies
The need to digitalize and automate operations is now widely recognized as an opportunity for competitive advantage, but various challenges are impacting adoption:
• Lack of access to proof points
• Lack of a clear, phased, strategic plan
• Lack of collaboration within the culture
• Need for large-scale and rapid investment
• Skills shortage and resistance to outsourcing
• Concerns over cybersecurity and data
Source: Siemens Financial Services, Practical Pathways to Industry 4.0, Spring 2018
IoT and Increased Cyber Risk
1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: “Industry 4.0 [is] the next phase in the digitization and automation
Innovations driving rapid growth also create complex cyber risks
Evolution of Internet of Things (IoT) Innovations
• Before interconnectivity: Exposure involved breaching the physical security associated with the device (e.g., physical theft, physical damage to equipment, or product espionage).
• Evolution: As systems advanced and were attached to networks, newer points of exposure were introduced to the already vulnerable systems.
• Present day: Technology now includes ever more complex, configurable, embedded processors and increased interconnectivity, creating a myriad of newer, innovative, yet significant threats.
Cyberspace: The interconnected network of systems and assets (physical or virtual) that includes data, human resources, telecommunications networks, computer systems, etc.
New assets: The continuously evolving complexity of the hardware/software components of cyberspace makes these assets the crown jewels of an organization, particularly data that once used to be physical, such as personal information, intellectual property, etc.
Cyber attacks: Having recognized the value of these assets and the difficulty organizations face in dealing with the new threats, various actors are seizing the opportunity to exploit weaknesses to gain access to sensitive information.
In a world increasingly driven by interconnected digital technologies and information, cybersecurity is more than just a strategic imperative; it is a fundamental part of doing business.
The rise of IoT cyber risks today
Environmental and industry factors
• Increased connectivity: Organizations are moving toward IoT by adding more complex features and network connectivity to their products to stay competitive and meet customer demand.
• New valuable digital assets: “Digital assets” including customer data, employee data, intellectual capital, etc., are increasing in size and number as the systems on which they are stored become virtualized and interconnected. As more data accumulates through the use of IoT devices, it often also becomes more valuable.
• Motivated attackers: Adversaries have promptly recognized the value of digital assets and have become increasingly motivated to steal that data or disrupt operations for their own advantage.
Factors that lead to security weaknesses
• Unsecure technology & processes: Many organizations do not take security into account for their processes and technology.
• Lack of awareness: Many organizations lack an understanding of cyber threats and of the need for proper cyber security to protect against them.
• Complacency: Many organizations over-rely on existing IT security processes and tools that may not apply well to new IoT technologies.
• Limited resources: Many organizations lack appropriately skilled resources, or strength in the existing IT organization, to focus on addressing IoT-related cyber security issues.
The four attack vectors of the cyber threat actor
Logical
Periphery – Adjacent to Network Perimeter: The ability to leverage access and attack methodologies against an organization’s network perimeter and firewall settings in order to find holes and infiltration vectors.
Local – Inside the Network: The ability to compromise applications, operating systems, and computing equipment that resides within the boundaries of an organization’s network.
External – Outside the Network: The ability to compromise an organization by determining which external websites are used; subsequently compromising those sites and using them as infiltration vectors.
Human
Social Engineering: The use of virtual, physical, and interpersonal techniques designed to deceive an organization into taking an unintended action.
The Insider: The ability to leverage pre-existing personnel within an organization or to physically insert operators into an organization in order to directly carry out threat operations.
Coercion: The ability to leverage threats, bribery, emotional appeals, and ideological reasoning to infiltrate organizations with highly sensitive information contained within their networks.
Physical
Supply Chain: The ability to sabotage the supply chain in order to compromise computer equipment.
Physical Infrastructure Nodes: The technology and capabilities to compromise physical nodes to include cell infrastructure, switching centers, SATCOM, WiMax, Antennas, Radio Relay, etc.
Physical Infrastructure Links: The technology and capabilities to compromise physical links to include fiber optic cable, RF signals, wireless signals, coaxial cable, telephone lines, satellite signals, microwave signals, etc.
Economic
Acquisition: The process of acquiring needed access through mergers, buy outs, or the use of monetary instruments to buy access to a select network or type of data via the open market, black market, or some other kind of trade/exchange relationship.
Development: The ability to conduct business development activities within a country for the purpose of using built infrastructure to facilitate a collection apparatus.
Sanction: The use of economic denial to force an entity into making a business purchase decision that can, in turn, be manipulated by an adversary to enable access opportunities.
With new innovative IoT functionality comes new cyber risks
By integrating the networking strength of IoT with exponential technologies like robotics and 3D printing, organizations are on a path to realizing scenarios like this one, in which each new capability carries a matching cyber risk:
• In-air detection and notification: In mid-flight, an aircraft part recognizes it is not functioning properly. The aircraft sends a message to the ground about the malfunctioning part for repair upon arrival.
  Risk: Intercept and use information maliciously, or alter the message to cause delays / confusion.
• On-demand supply chain: The part used in the repair will need to be replaced upon landing, so before arrival, a 3D printer at the arrival airport receives a signal to print the part.
  Risk: Intercept or alter the signal to create delays. Use the vulnerable 3D printer as an entry point to infiltrate the broader supply chain network.
• Connected, autonomous tarmac: The printed part should be delivered to the arrival gate. An autonomous vehicle picks it up and makes the delivery.
  Risk: The autonomous vehicle is disabled or controlled remotely to endanger lives / damage equipment on the tarmac.
• Connected employee: The mechanic uses heads-up display eyeglasses to view reference documents from the cloud. Using a borescope connected to a wireless tablet, the mechanic streams live video to a remote engineer, allowing the repair and inspection to benefit from the engineer’s authority without the need for travel. As a result, the aircraft is able to leave on time.
  Risk: The wireless connection is flooded, resulting in a denial-of-service attack.
Audit Considerations
What is the typical scope of an IoT security audit?
Audit scope
In order to audit the current state of the organization’s IoT security processes and provide recommendations against specific security requirements, leveraging industry leading practices, the following activities should be considered:
• Obtain and assess the completeness of policies, standards, and procedures compared to leading practices
• Interview personnel responsible for security functions and perform procedural walkthrough interviews to understand the policies, standards, and procedures in place for:
  o Governance
  o Security & privacy risk management
  o Security event handling
  o External communications
  o Security education & training
  o Program monitoring
What governance is in place for securing IoT devices across the organization?
Governance and leadership
Sample Audit Considerations
• What is the governance model around IoT security?
• Is there a single governance model in use and is it driven down from the top?
• Are groups from across the organization included in the governance model and operations?
• Is there a program framework that includes the future state vision?
• Is a strategy and roadmap in place to achieve future state goals?
• Is an overarching IoT security policy in place?
• Are security gates included throughout the device lifecycle (e.g., acquisition) where cybersecurity's signature is required?
What risk management processes are in place regarding security and privacy?
Security and privacy risk management
Sample Audit Considerations
• Are there formalized security and privacy IoT requirements?
• Are security and privacy requirements provided to manufacturers during IoT device procurement?
• Are security and privacy risk assessments and technical security testing completed for IoT devices during procurement and periodically once fielded?
• Are risk management thresholds established for triggering risk management decisions (accept, mitigate, transfer, avoid)?
• Are both program- and device-level security and privacy assessments completed prior to procuring IoT devices?
What processes are in place to keep IoT devices safe and secure once fielded?
Security event handling
Sample Audit Considerations
• Does the organization subscribe to threat and information sharing feeds?
• Is a software bill of materials (SBOM) obtained from the manufacturer and used to identify vulnerabilities at the software level?
• Is there a process and mechanism in place to identify and roll out patches as permitted by service level agreements?
• Is a process in place to handle security events once identified and feed incident handling as appropriate?
• Is a process in place to handle security incidents?
• Is technology in place to monitor for IoT device security events and incidents?
What information is exchanged with and obtained from external parties, and how is it handled?
External communications
Sample Audit Considerations
• What information is requested from the manufacturer for each of the organization’s IoT devices?
• Does the organization store IoT device security attribute information in a central repository?
• Does the organization participate in information sharing groups, standards setting bodies, and conferences?
• How are inquiries from external parties handled and who is typically involved in generating responses?
• Are security points of contact identified for each manufacturer within the manufacturer’s corporate IoT/product security or R&D team?
What security training is provided to personnel to assist with securing IoT devices?
Security education and training
Sample Audit Considerations
• Is security awareness training delivered to IoT security practitioners and other specific stakeholders across the organization?
• Is secure development lifecycle and privacy-by-design training delivered to IoT security personnel?
• Is training provided on each of the organization’s IoT security processes and when that process should be completed in the device lifecycle?
• Is a mechanism in place to track the effectiveness of the provided training?
• Is a competency-based learning (CBL) model in place to configure training per role, level of experience, and knowledge?
What processes are in place to know how well the IoT security program is performing?
Program monitoring
Sample Audit Considerations
• Are key performance indicators for IoT security operations established, collected, and reported to leadership?
• Is a risk-based IoT device inventory in place, which consists of select security information including, but not limited to device risk profiles and previous security risk history?
• Is a program audit and assessment framework in place to identify if processes are being followed and are performed in alignment with industry leading practices?
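As an added illustration of two of the audit questions above, the SBOM-driven vulnerability identification asked about under security event handling and the risk-based device inventory asked about under program monitoring (example code written for this page, not Deloitte's or any vendor's tooling; the inventory, SBOMs, advisory references and model names are all constructed), the script below matches each device's SBOM against advisories, orders the hits by risk profile and incident history, and flags devices with no SBOM instead of treating them as clean.

```python
# Constructed sample data (not from the deck). Inventory rows carry the
# risk profile and prior incident count a risk-based inventory would track.
INVENTORY = [
    {"id": "cam-01",   "model": "CamX",     "risk": "high",   "incidents": 2},
    {"id": "cam-02",   "model": "CamX",     "risk": "low",    "incidents": 0},
    {"id": "hvac-01",  "model": "ThermoZ",  "risk": "medium", "incidents": 1},
    {"id": "badge-01", "model": "DoorQ",    "risk": "high",   "incidents": 0},
    {"id": "gw-01",    "model": "GatewayW", "risk": "high",   "incidents": 0},  # no SBOM supplied
]
# Per-model SBOMs as (component, version) pairs, as a manufacturer might supply them.
SBOMS = {
    "CamX":    [("busybox", "1.30.1"), ("libcurl", "7.61.0")],
    "ThermoZ": [("mbedtls", "2.16.0"), ("libcurl", "7.62.0")],
    "DoorQ":   [("busybox", "1.33.0")],
}
# Hypothetical advisories with placeholder ids: versions below fixed_in are affected.
ADVISORIES = [
    {"component": "busybox", "fixed_in": "1.31.0", "ref": "ADV-PLACEHOLDER-1"},
    {"component": "libcurl", "fixed_in": "7.64.0", "ref": "ADV-PLACEHOLDER-2"},
]
RISK_RANK = {"high": 3, "medium": 2, "low": 1}

def vkey(version):
    """Turn a dotted version string into a tuple of ints so 7.9 < 7.64 compares correctly."""
    return tuple(int(p) for p in version.split("."))

def affected_components(model, sboms=SBOMS, advisories=ADVISORIES):
    """(component, version, advisory ref) for every SBOM entry below a fixed version."""
    hits = []
    for comp, ver in sboms.get(model, []):
        for adv in advisories:
            if adv["component"] == comp and vkey(ver) < vkey(adv["fixed_in"]):
                hits.append((comp, ver, adv["ref"]))
    return hits

def prioritize(inventory=INVENTORY, sboms=SBOMS, advisories=ADVISORIES):
    """Split the inventory into affected devices (highest risk first) and devices
    whose model has no SBOM, which cannot be cleared and need manufacturer follow-up."""
    affected, no_sbom = [], []
    for dev in inventory:
        if dev["model"] not in sboms:
            no_sbom.append(dev["id"])
            continue
        hits = affected_components(dev["model"], sboms, advisories)
        if hits:
            affected.append({**dev, "findings": hits})
    # Risk profile first, then incident history, then breadth of exposure.
    affected.sort(key=lambda d: (RISK_RANK[d["risk"]], d["incidents"], len(d["findings"])),
                  reverse=True)
    return {"affected": affected, "no_sbom": no_sbom}

if __name__ == "__main__":
    result = prioritize()
    for dev in result["affected"]:
        print(dev["id"], dev["risk"], [f[2] for f in dev["findings"]])
    print("missing SBOM:", result["no_sbom"])
```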
Next steps
Top 5 Initiatives to Secure IoT Environments
The following categories have been identified as having the highest positive impact on an organization’s cyber risk profile:
1 Business and IT Alignment (Improved Governance Processes)
2 Improved Network Visibility
3 Extend Network Segmentation and Vulnerability Management Capabilities
4 Improved Management of Powerful IDs and Vendors
5 Integrating IT and IoT security and threat management programs and platforms
What can be done now to help mitigate an organization’s cyber risk?
What actions can be taken
What are some of the takeaways and actions that can be considered to address the complex issues that are being created?
• Conduct an audit of your current-state IoT security organization to assist with the development of a strategy and roadmap to enhance security capabilities
• Establish a risk-based inventory of your IoT devices to allow for prioritization, analysis, remediation, and monitoring
• Hold IoT device manufacturers accountable for including cybersecurity within the design of their products by leveraging secure procurement processes
• Integrate cybersecurity into your procurement processes to better understand the risk of the IoT devices you are fielding as well as what your own responsibilities are in securing the device
• Participate in security standards setting group/body meetings in order to have a major input into new standards before they are arbitrarily developed for your industries
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.