For Mocana Customer and Partner Use Securing Industrial and Smart Grid Devices in a Connected World

Securing industrial and smart grid devices in a connected world webinar (final)

DESCRIPTION

Mocana webinar for Industrial and Smart Grid Industries

Page 1: Securing industrial and smart grid devices in a connected world webinar (final)

For Mocana Customer and Partner Use

Securing Industrial and Smart Grid Devices in a Connected World

Page 2: Securing industrial and smart grid devices in a connected world webinar (final)

Agenda

1. Mocana Overview

2. Recent Vulnerabilities & Value of Security

3. Key Concerns, Needs, & Challenges

4. Security Compliance & Best Practices

5. Introduction to Mocana Security Detail™

Page 3: Securing industrial and smart grid devices in a connected world webinar (final)

Introducing Mocana

Offices: San Francisco, CA Headquarters

Industry: Smart Device Security Software and Services

Awards:
- World Economic Forum 2012 Tech Pioneer
- Gartner Cool Vendors List for 2012
- RedHerring Global Top 100 Private Co.

Major Products:
- Smart Device Security Platform™ (SDSP): 24 Modules
- Mobile App Protection™ (MAP)

Customers: 200+ customers

Multiple Patents Filed and Granted

Target Segments:
- Automotive & Aviation
- Banking & Finance
- Consumer Electronics
- Datacom
- Defense & Government
- Industrial Automation
- Smart Grid / AMI
- Medical
- Mobile

Revenue: 200%+ Growth YoY

Solid Investors:
- Intel / McAfee
- Symantec
- Shasta Ventures
- Trident Capital

Target Market:
- Device Manufacturers
- Service Providers
- Enterprises

Primary Business Benefit: Mocana instills confidence and trust for OEMs, service providers, consumers and enterprises by securing smart devices and the applications and services they carry.

Page 4: Securing industrial and smart grid devices in a connected world webinar (final)

Mocana Smart Device Security Platform (SDSP)

Spans across Apps, Devices & Services

Deep IP with Multiple Patents Pending

Mocana Cryptography Deemed “Adequate” by NSA

Decade of Embedded Security Expertise

FIPS 140-2 Certified & Suite B Algorithms

Deployed Across 200+ OEMs, 300+ Designs, and Millions of Devices

Mocana: Deep Security Expertise & History

Page 5: Securing industrial and smart grid devices in a connected world webinar (final)

Recent Vulnerabilities & Value of Security

Page 6: Securing industrial and smart grid devices in a connected world webinar (final)

Recent Vulnerabilities in Smart Grid & Industrial

Timeline dates: Jun 2010, Sep 2011, Aug 2012, Oct 2011, Apr 2012, Sep 2012

- VirusBlokAda first reported Stuxnet worm targeted Siemens PLCs
- Rockwell Automation PLC DoS attack exposed
- W32.Duqu is reported and found across 11 countries
- 30,000 Saudi Aramco Workstations Compromised (Shamoon)
- Wiper targets machines belonging to the Iranian Oil Ministry and the National Iranian Oil Company
- New Stuxnet / Flame Relative Targets Middle East Banks
- Private Key Vulnerabilities for HTTPS/SSL and SSH
- OASyS SCADA project files stolen and malicious code installed on internal systems

Many SCADA systems should “consider themselves hacked. It is only a matter of time before you find out.” – Department of Homeland Security (DHS)

Page 7: Securing industrial and smart grid devices in a connected world webinar (final)

The Value of Security . . .

Meeting Industry Compliance & Security Best Practices

Increasing Worker Safety

Reducing Corporate Risk & Protecting Brand

Reducing In-Field Maintenance and Support Costs

Maintaining Product Differentiation

Page 8: Securing industrial and smart grid devices in a connected world webinar (final)

Key Concerns, Needs & Challenges

Page 9: Securing industrial and smart grid devices in a connected world webinar (final)

Smart Grid Ecosystem Key Concerns

Utility
- Reduction in maintenance costs (“rolling the truck”)
- Maintaining CIP-compliance & passing NERC audits
- Providing consistent quality & reliability of services

Consumption
- Reliable Service
- Consistent Costs
- Privacy

Generation & Storage
- Ability to securely update deployed devices in the field
- Device-level functionality that supports CIP & NIST compliancy

Substation
- Protection of infrastructure from security threats
- Protection of general public through deployment of proper safety measures

SCADA Smart Meter

Page 10: Securing industrial and smart grid devices in a connected world webinar (final)

Smart Grid Security Needs

Scalable & Efficient Security
- Solutions optimized to execute within diverse microcontrollers, processors and Operating Systems environments
- Security solutions for highly resource constrained environments, such as low memory / CPU availability and battery powered devices.

Data Encryption
- Securing data-at-rest on all device types from HAN through Utility Headquarters

Authenticity
- Cryptographically authenticate devices to networks (HAN & Utility) with keys and/or certificates
- Cryptographically protect devices by not allowing unauthorized software / firmware to execute

Secure Communications
- Secure data-in-motion throughout entire ecosystem of connected devices & systems

SCADA Smart Meter

Page 11: Securing industrial and smart grid devices in a connected world webinar (final)

Industrial Ecosystem Key Concerns

Photo Credit: Advantech Inc.

Plant / Factory Management
- Reducing costs
- Reduce frequency of “rolling a truck”
- Increasing Worker Safety

Operations
- In-Field device management
- Ability to securely update deployed devices in the field
- Preventative Maintenance

IT Security Team
- Protecting data-at-rest and data-in-motion between devices, subsystems, and systems
- Security compliance & best practices

OEMs
- Protecting IP
- Maintaining brand

Page 12: Securing industrial and smart grid devices in a connected world webinar (final)

Industrial Security Needs

Photo Credit: Advantech Inc.

Scalable & Efficient Security
- Support scalable solutions optimized to execute within diverse microcontrollers, processors and Operating Systems environments

Data Encryption
- Securing data-at-rest on all device types from I/O Modules to PLCs and HMIs

Authenticity
- Cryptographically authenticate devices to networks and management systems
- Cryptographically protect devices by not allowing unauthorized software / firmware to execute

Secure Communications
- Secure data-in-motion throughout entire ecosystem of connected devices & systems

Page 13: Securing industrial and smart grid devices in a connected world webinar (final)

Key Challenges with Smart Grid & Industrial Security

Budgets & Cost (Security is expected to be free)  

Resource Constrained Devices (8 bit MCU, Memory, Battery, etc)

Lack of a real “standard” or “specification” – multiple best practices and guidelines

Large existing installed base, providing backwards compatibility

Aligning Operations Technology (OT) and Information Technology (IT) → (Operational Uptime vs. Network Security)

Fragmented Product Architectures – Multiple OS & CPUs → standardizing on a security platform difficult

Page 14: Securing industrial and smart grid devices in a connected world webinar (final)

Security Compliance & Best Practices

Page 15: Securing industrial and smart grid devices in a connected world webinar (final)

Smart Grid & Industrial – Security Compliance & Best Practices

ISA99 - International Society of Automation (Industrial)

NIST 800-82 (Industrial)

NIST Inter-Agency Report (NISTIR) 7628 (Smart Grid)

NERC Critical Infrastructure Protection (CIP) (Smart Grid)

Security Profile for Advanced Metering Infrastructure (NIST Cyber Security Coordination Task Group)

Zigbee Smart Energy 2.0 Profile (Industrial & Smart Grid)

Page 16: Securing industrial and smart grid devices in a connected world webinar (final)

Smart Grid Security Compliance & Best Practices

Utility

Consumption

Generation & Storage

SCADA Smart Meter

Substation

Critical Infrastructure Protection (CIP)

NISTIR 7628

Page 17: Securing industrial and smart grid devices in a connected world webinar (final)

NIST Inter-Agency Report 7628 (NISTIR 7628)

▶  Confidentiality – Privacy and confidentiality of the data being transferred between smart grid devices & systems

▶  Integrity – Source of data has not only been authenticated, but data has not been modified without authorization

▶  Authentication - Certificate Management using a trusted root with the Proper Use of Certificates, Revocation, and Expiration Dates

▶  Proper use of cryptography algorithms with FIPS 140-2 validated and Suite B algorithms recommended:

-  Encryption: AES-128 and AES-256

-  Key Exchange: ECDH (NIST p-Curve 256 and 384 bit)

-  Digital Signature: ECDSA (NIST p-Curve 256, 384, and 512 bit)

-  Hashing: SHA-256, SHA-384, and SHA-512

-  Symmetric Keys: AES-128, AES-192, and AES-256 with ECB, CBC, OFB, CFB, CTR, or XTS mode

-  Asymmetric Keys: DSA, RSA, ECDSA (NIST p-Curve 256, 384, and 512 bit)

-  Message Authentication: CMAC with AES-128, AES-192, or AES-256 in CMAC, CCM, GCM modes. HMAC with SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512

Smart Grid – Security Compliance

Page 18: Securing industrial and smart grid devices in a connected world webinar (final)

NERC Critical Infrastructure Protection (NERC / CIP)

▶  Secure Firmware / Software Updating

-  Adding, modifying, replacing, or removing hardware or software

-  Establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all assets

▶  Access Control

-  Security processes shall use an access control model that denies access by default (specific access permissions must be specified)

▶  Authentication

-  Where external access to assets (end points) has been enabled, there shall be technical controls to ensure authenticity of accessing party

Smart Grid – Security Compliance

Page 19: Securing industrial and smart grid devices in a connected world webinar (final)

Industrial Security Compliance & Best Practices

Photo Credit: Advantech Inc.

ISA 99

NIST SP-800-82

Page 20: Securing industrial and smart grid devices in a connected world webinar (final)

Security Compliance / Best Practices – Industrial Automation

ISA99 - International Society of Automation

▶  Device-to-Device authentication

▶  Password / Role-based Authentication

▶  Encryption using FIPS 140-2 Validated Cryptography, including Advanced Encryption Standard (AES), including AES-128, AES-192, or AES-256 algorithms

▶  Virtual Private Networks (VPNs) using Internet Protocol Security (IPsec), Secure Sockets Layer (SSL), or Secure Shell (SSH) secure communications protocols

▶  Includes non-device security, such as physical security, passwords, etc

Page 21: Securing industrial and smart grid devices in a connected world webinar (final)

Smart Grid – Security Compliance

NIST 800-82 - National Institute of Standards and Technology

▶  Addressing security throughout the device lifecycle – design, deployment, & operations

▶  Enabling secure remote access through proper authentication

▶  Data-at-Rest and Data-in-Motion Encryption

▶  Securely updating devices with new firmware or patches

▶  Use of standards-based cryptography and protocols, such as FIPS 140-2 validated encryption, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL), Secure Shell (SSH), and RADIUS

Page 22: Securing industrial and smart grid devices in a connected world webinar (final)

Mocana Security Detail™

Page 23: Securing industrial and smart grid devices in a connected world webinar (final)

Introducing Mocana’s Security Detail™ Program

Integrated package of software security, training, support, expertise, breach management services, and exclusive access to the security community

With Security Detail™, Mocana becomes your security partner and expert – allowing OEMs to focus on product innovation & core R&D

Page 24: Securing industrial and smart grid devices in a connected world webinar (final)

Performance & Design

Trusted & Highly Deployed

Expertise & Consultative Approach

Tiny footprint—efficient code

High performance and scalability

Cross platform— OS & CPU Agnostic

Government Certifications (FIPS/Suite B)

Guaranteed GPL-free Cryptography

“No-shortcuts”

Focused on embedded security

High Quality Support

Code samples provided to make integration easy

Why Customers Choose Mocana

Page 25: Securing industrial and smart grid devices in a connected world webinar (final)

Improved Cross Project Development Efficiencies
- Cross platform—OS CPU Agnostic Embedded Security Framework
- Tiny footprint—extremely efficient
- Source Code Access & Easy to use APIs

Trusted Implementations
- Security Standards Interoperability and Government Certifications
- Fielded by 200+ Global OEMs & 300+ designs

Core Context

Advantages of Open Source . . . Without the Drawbacks
- Limited Liability & IP Indemnification
- Expertise & Support
- Flexible Licensing - Per project or “all you can eat” to provide maximum agility

Lower Total Cost of Ownership (Global R&D)
- Predictable Release Process
- Reduction in Support & Production Issues
- Focus on Core Activities – Reduce TTM

Value Proposition to Device OEMs

Page 26: Securing industrial and smart grid devices in a connected world webinar (final)

Mocana Increases Return on Investment (ROI)*

Comparison: Mocana vs. Open Source

- Porting / Integration / QA & Testing Code: Mocana 2-3 Weeks; Open Source 10 – 12 Weeks
- Maintaining & Supporting Code: Mocana < 2 Weeks; Open Source 8 – 10 Weeks
- Ability to Retain Internal Security Expertise: Mocana High to Very High; Open Source Challenging to Impossible
- IP Indemnification
- Limited Liability Exposure
- Expertise & Support via Phone / Email

* Based on historical customer data over 8+ yrs in business across 200+ customers. 20 weeks * $250k for fully burdened engineer = ~$100k

Mocana saves up to 20 weeks/project, providing a 10x time savings for Engineers

Up to ~$100k / project savings

Mocana Enables OEMs To:
- Save money
- Reduce TTM
- Focus on Core R&D

Page 27: Securing industrial and smart grid devices in a connected world webinar (final)

▶  Industrial & Smart Grid security is evolving – OEMs need a trusted partner

▶  Security can be a value add – compliance to product differentiation to reducing corporate risk

▶  Mocana is Trusted and Fielded by 200+ major OEMs & 300+ designs

▶  Mocana helps save money, reduce TTM and allows you to focus on core R&D

▶  Mocana reduces development time, reduces production issues, and protects against Open Source IP concerns

Summary

Page 28: Securing industrial and smart grid devices in a connected world webinar (final)

Tushar M. Patel

Director of Product Marketing

[email protected]

(415) 617-0055

https://mocana.com/sd/

Contact Us