Security Challenges and Governance for Smart Manufacturing Mar 4, 2017 Digital Technology Service Group Haier Group Archer Cao


Security Challenges and Governance for Smart Manufacturing

Mar 4, 2017

Digital Technology Service Group

Haier Group

Archer Cao

Archer Cao

Current Role:

Director, Information Security

Background & Experience:

• 14+ years of experience in the IT industry in various roles across design/planning and global operations management functions
• Overseas working experience in the US, Germany, Russia and the Philippines
• Worked for world-class multinational companies such as TrendMicro, Mars/Wrigley, Nielsen
• Rich experience in information security strategic planning, roadmap, business engagement and service delivery, etc.
• Familiar with international security standards and with privacy and data protection laws and regulations


Agenda

1. Transforming Traditional Industry – Industry 4.0
2. Evolving Threat Landscape for Manufacturers
3. Building Effective Information Security Program
4. Future of Information Security
5. Summary

Transforming Traditional Industry – Industry 4.0

[Diagram labels: Smart Factory; CPPS; Smart Buildings; Smart Homes; Social Web; Business Web; Smart Logistics; Smart Grid; Smart Mobility; Internet of Things (IoT); Internet of Services (IoS); Internet of People (IoP); Internet of Data (IoD).]

Smart Manufacturing Solution Portfolio

Four numbered areas around Smart Manufacturing:

• Vertical networking of smart production systems
• Horizontal integration via a new generation of global value chain network
• Through-engineering across the entire value chain
• Acceleration through exponential technology

Portfolio items:

• IT Integration
• Analytics and data management
• Cloud-based applications
• Operational efficiency 2.0
• Business model optimization
• Smart Supply Chain
• Smart Logistics
• IT Security Management
• New IP management
• Corporate Venturing
• The Learning Organization
• Innovation
• Efficient management of innovation
• Efficient life cycle management


Evolving Threat Landscape for Manufacturers

Dell Annual Threat Report

Categories: Process, Technology, People

• Insecure product and app design
• Lack of patching
• Lack of monitoring and response
• Corporate espionage (theft of IP and trade secrets)
• Lack of security awareness
• Complex technology environment
• Lack of defense-in-depth design

The Business Model for Information Security

Source: USC Marshall School of Business Institute for Critical Information Infrastructure Protection.

Systematic Thinking

• Business-oriented approach

• Four elements

• Six dynamic interconnections

• Independent of any technology

• Applicable across industries, geographies, regulatory and legal systems

Information Security Governance Framework

[Framework diagram. Labels on the slide: Information Security policies; Business objectives; Compliance requirements; Laws & Regulations; Define; Security threats; International security standards; Information Security standards; Information Security Artefacts; Security intelligence; Line Management; Auditors; Risk & Compliance; Governance; Product Management; Program Management; Security Professionals; Security Metrics Portal; Information Security Processes; Technology; Policy framework; Security management; People; Define security controls; Execute security controls; Information Security Metrics objectives; Metrics framework; Measure security controls maturity; External security metrics; Rules; Measure; Correction of security processes; Process framework; Inform CEO & Board; Drivers.]

The framework consists of security drivers and security management (policy, process, technology, metrics and people).

Adaptive Cybersecurity Framework

1. Identify
   • Business Context
   • Asset Management
   • Governance
   • Risk Assessment
   • Risk Management Strategy

2. Prevent
   • Access Control
   • Awareness and Training
   • Data Security
   • Information Protection Processes and Procedures
   • Protective Technology

3. Detect
   • Anomalies and Events
   • Security Continuous Monitoring
   • Detection Process

4. Respond
   • Response Planning
   • Communications
   • Analysis
   • Mitigation
   • Improvements

5. Recover
   • Recover Planning
   • Improvements
   • Communications

Defense-in-depth Model

• GRC
• Information & Event Mgmt.
• Identity, Entitlement, Access
• Cryptography
• Data Security
• Application Security
• Host Security
• Network Security
• Physical Security

Organize security reporting around the stack

For each, prepare current, target state analysis and roadmap

Future of Information Security

[Diagram labels: Now: Static; Future: Adaptive; Real-time Context.]

Transforming information security, driven by (1) rapidly evolving technology, (2) rapidly changing business environment and (3) threat environment.

The supporting context layer includes environmental, community, process, content, identity, application, etc.

Summary

• Information security challenges in manufacturing

• Building effective information security management program

• The future of information security


Q&A


Thank you !