Cyber security readiness for manufacturing: NIST SP 800-171 Compliance to meet DFARS 252.204-7012 Regulations. Cytellix, Cyber Security Division of IMRI | Aliso Viejo, CA. Copyright © 2017 IMRI. All rights reserved. Proprietary Information


Page 1

Cyber security readiness for manufacturing:

NIST SP 800-171 Compliance to meet DFARS 252.204-7012 Regulations

Cytellix, Cyber Security Division of IMRI | Aliso Viejo, CA
Copyright © 2017 IMRI. All rights reserved. Proprietary Information

Page 2

Who am I?

Spencer Cobb, 20 years' experience in cyber security. Various roles in multiple cutting-edge start-ups helping global organizations secure their networks and confidential information.

Cytellix is the commercial cyber security division of IMRI.

IMRI: delivering comprehensive IT and engineering solutions since 1992.

Successfully delivered over $150 million in technology contracts. Secures over 1,500 networks with 7M endpoints. The Army, DISA and the Missile Defense Agency are customers.

We are focused on helping small manufacturers meet new federal supply-chain compliance guidelines around cyber security readiness.

Partnered with Manufacturing Extension Partnerships (MEPs) around the U.S.

Page 3

Quick survey…

• Raise your hand if… (keep them up please)
• You or someone you know has had their personal credit card or identity stolen.
• Your company or a company you know has been hacked.
• Your company or a company you know has been hit with ransomware.
• Your company or a company you know has paid a ransomware demand…

You are likely running out of hands and your arms are getting tired.

Page 4

Cyber attacks on the rise!

Confidential & Proprietary © 2017 IMRI Translating business needs into technology solutions

Attacks are becoming commonplace. Hacking is a fact of life.

Page 5

Cyber attacks on the rise!

• 60% of SMB cybercrime victims go out of business within 6 months of an attack (NCSA)
• 50% of all those surveyed in 2014 reported being victims of cyber attacks (National SBA)
• 70% of all targeted attacks struck small to mid-sized organizations in 2016 (SMB Group)
• 50% of small and mid-sized businesses have fallen victim to ransomware; 48% of those paid a ransom (2017 Ponemon Institute)

Page 6

Small business getting attacked

• 79% of small businesses do not have an incident response plan. Without one, you may never be able to fully recover when a cybersecurity incident becomes a reality.
• 75% of spear-phishing attacks in 2015 targeted businesses with fewer than 250 employees.
• 53% of small businesses reported they do not allocate budget for risk mitigation services because they do not store valuable data, yet the majority of respondents reported they store email addresses (68%) and phone numbers (65%), along with other valuable personal information.
• 56% of SMBs are unprepared to identify and respond to a security event (EiQ Networks 2017)
• 75% of SMBs admitted to a small-to-nonexistent IT security staff, with zero to two employees dedicated to that role (EiQ Networks 2017)

Page 7

Who is attacking?

• Nation states
• Hacktivists
• Organized crime

Page 8

Why are we being attacked?

Page 9

Value at Risk

• 256 days: average time to detect malware (Beyond Trust)
• $5,850,000: average total cost of a data breach in the US (Ponemon Institute)

The cost of a data breach includes: brand value, intellectual property, customer relations, supplier relations, competitive information, information recovery, systems recovery, remediation, damage control, downtime, legal costs, forensics.

Page 10

What is being stolen?

Page 11

Hackers are stealing IP from DoD and its suppliers, and replicating our technology!

These successful attacks have led to stricter guidelines for protecting information in the DoD supply chain; hence DFARS 252.204-7012 for data protection.

Page 12

DoD Supply Chain Protection: New Cyber Security Guidelines

• OUSD announced DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting" (final rule, Oct 2016). The companion solicitation provision 252.204-7008, "Compliance with Safeguarding Covered Defense Information Controls", is what an offeror commits to by submitting a bid.

• DFARS points to NIST SP 800-171 ("Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations") for the security requirements. DoD contractors, including small businesses, must adhere to two basic cybersecurity requirements:
  1. Provide adequate security for covered defense information that resides in or transits through internal unclassified systems.
  2. Rapidly report cyber incidents (the clause sets a 72-hour window from discovery) and cooperate with the DoD to respond to security incidents.

CUI categories: https://www.archives.gov/cui/registry/category-list

Page 13

The sum of the parts

• DFARS 252.204-7012: "Safeguarding Unclassified Controlled Technical Information" (the 2013 title of the clause; now "Safeguarding Covered Defense Information and Cyber Incident Reporting")
• Cyber Security Evaluation Tool (CSET®), the DHS self-assessment tool
• NIST SP 800-171: "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations"

Page 14

Cybersecurity for Manufacturers

All contractors must implement full compliance no later than December 31, 2017.

Contractors must notify the DoD CIO, within 30 days of any contract award, of any NIST SP 800-171 requirements not yet implemented. Adequate security is defined as, at a minimum, NIST SP 800-171, whose 110 requirements fall into 14 families (to protect controlled unclassified information):

• Access Control
• Awareness and Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System & Communications Protection
• System & Information Integrity

Page 15

800-171 Controls

3.11 Risk Assessment

3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

3.11.3 Remediate vulnerabilities in accordance with risk assessments.

Page 16

800-171 Controls

3.12 Security Assessment

3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
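As an added example (not from the deck and not the Cytellix service) of what 3.11.2/3.11.3 and 3.12.2 look like in practice: the script below takes vulnerability-scan findings, weights each one by what the affected asset does (does it hold CUI, is it internet-facing, is a public exploit known) and emits plan-of-action rows with a due date per risk tier, highest risk first. The findings, the weights, the SLA days and the "SAMPLE-nnn" plugin IDs are all constructed assumptions, stand-ins for your scanner's output and your own policy.

```python
"""Added example (not code from the Cytellix/IMRI deck): rank scanner
findings by organizational risk and emit plan-of-action rows with due dates,
in the spirit of SP 800-171 3.11.2/3.11.3 (scan, then remediate according to
risk) and 3.12.2 (plans of action). All findings, asset tags, weights and SLA
values are constructed/assumed sample data, not real scan output or policy."""
from dataclasses import dataclass
from datetime import date, timedelta


# Assumed remediation deadlines (days) per risk tier; take these from your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "moderate": 90, "low": 180}


@dataclass
class Finding:
    asset: str               # hostname from the asset inventory
    plugin_id: str           # scanner's identifier for the check (constructed here)
    cvss: float              # CVSS base score 0-10 as reported by the scanner
    handles_cui: bool        # asset stores/processes/transmits CUI (from inventory)
    internet_facing: bool    # reachable from outside the perimeter
    exploit_available: bool  # public exploit known (scanner/threat-intel flag)


def risk_score(f: Finding) -> float:
    """Weight raw CVSS by exposure and CUI impact.

    CVSS alone ranks a hole on the CUI file server the same as one on a lab PC;
    3.11.1 asks for risk to the organization, so the factors that drive that
    risk multiply the base score. Weights are assumptions, result capped at 10."""
    score = f.cvss
    if f.handles_cui:
        score *= 1.5   # loss of CUI is the compliance-relevant impact
    if f.internet_facing:
        score *= 1.3   # directly reachable by phishing/SQLi-style initial access
    if f.exploit_available:
        score *= 1.2
    return min(score, 10.0)


def tier(score: float) -> str:
    """Map a weighted score to the tier that selects the SLA."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    return "low"


def build_poam(findings, today=None):
    """Return plan-of-action rows, highest risk first, each with a due date."""
    today = today or date.today()
    rows = []
    for f in findings:
        s = risk_score(f)
        t = tier(s)
        rows.append({
            "asset": f.asset,
            "plugin_id": f.plugin_id,
            "risk": round(s, 1),
            "tier": t,
            "requirement": "3.11.3",        # SP 800-171 requirement the fix satisfies
            "due": today + timedelta(days=SLA_DAYS[t]),
        })
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


# Constructed sample scan results (not real hosts or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("cui-fileserver-01", "SAMPLE-101", 7.5, True, False, True),
    Finding("vpn-gateway", "SAMPLE-102", 6.0, False, True, False),
    Finding("shopfloor-hmi-02", "SAMPLE-103", 9.8, False, False, False),
    Finding("lab-pc-07", "SAMPLE-104", 5.3, False, False, False),
    Finding("intranet-wiki", "SAMPLE-105", 3.2, True, False, False),
]


if __name__ == "__main__":
    for row in build_poam(SAMPLE_FINDINGS):
        print(f"{row['due']}  {row['tier']:<8} {row['risk']:>4}  {row['asset']}  ({row['plugin_id']})")
```

The point of the weighting is visible in the sample: a CVSS 7.5 finding on the CUI file server with a public exploit outranks the CVSS 9.8 finding on an isolated HMI, which a raw scanner report would put first. Each row carries the SP 800-171 requirement it closes so the same table doubles as the POA&M evidence an assessor asks for.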

Page 17

800-171 Controls

3.6 Incident Response

3.6.1 Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

3.6.2 Track, document, and REPORT incidents to appropriate officials and/or authorities both internal and external to the organization.

*Incident response requires continuous monitoring (and, under DFARS 252.204-7012, reporting to the DoD within 72 hours of discovering a cyber incident).

Page 18

What is needed?

• CSET completed (DHS self-assessment tool)
• Gap analysis completed, with a plan of action for remediation and a priority list defined
• A continuous improvement and awareness program in place (continuous monitoring)
• Preparation for notifying your prime contractor and the DoD should you be hacked

Page 19

Other questions

• What skills are needed to accomplish this? Outsource or become an expert.
• Are there services that provide a complete documentation and improvement program? Yes, look for a single service provider that can take you through the entire process.
• What happens if a supplier doesn't do this? Business will suffer in a couple of ways:
  • You will be hacked, no question (not if but when).
  • Your prime contractor is required to have proof of compliance before giving you new contracts.

Page 20

CYTELLIX – Trusted Leader in Managed Cyber Security

IMRI: delivering comprehensive IT and engineering solutions since 1992. Successfully delivered over $150 million in technology contracts.

• Computer Operations: manages over $300 million
• Cybersecurity: over 1,500 networks, 7 million devices; engaged with U.S. Army Network Enterprise Technology Command, Missile Defense Agency, U.S. Army Corps of Engineers, DISA
• Data Center/Cloud Computing: 15 facilities, 4 million users, 2,800 applications
• Data Center Consolidation: 22 operations with merger of $2 billion in assets
• Software Development: application modernization and software development planning and implementation
• Certifications: ISO 9001 / AS9100; CMMI compliant; industry and professional certifications

Page 21

Cytellix outsourced Cyber

Cytellix provides a turnkey, affordable, comprehensive solution to help the small and medium business meet cyber requirements:

1. CSET assessment management & report
2. Network scan and real-time assessment & report
3. Gap analysis & assessment of the 14 control families & report
4. Continuous network asset monitoring and threat detection
5. Remediation and compliance service – best practices & practical implementation
6. Secure portal to manage all reporting, documentation and incident response

Page 22

Business Value Delivered

Cytellix provides a complete turn-key solution:
• Cloud based, agentless, compliance as a service.
• Affordably priced.
• Options for a completely outsourced, managed service.

Assessment:
• Gap analysis
• Compliance posture
• Network scan
• Identified vulnerabilities
• Documentation

Continuous Monitoring:
• Reports
• Customized alerts
• Parameters of monitoring
• Policies managed / reported
• Dashboards developed

Remediation Services:
• *Automated remediations
• *Best practices
• Services for network changes
• 3rd-party integration services
• Customized reports

Page 23

CYTELLIX Solution – Network Situational Awareness

• Network behavioral analytics
• Performs real-time continuous monitoring
• Discovers every device connected to the network (physical, virtual, cloud, wireless)
• Proactive threat identification

Security strategy cycle (graphic): Identify → Protect → Detect → Respond → Recover → Monitor

Page 24

Identify your Network Topology

Network maps identify:
• Segmentation
• Device connections
• Inventory of connected device types

Can provide your organization with "privilege" in a legal context.
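As an added example (not the Cytellix product and not code from the deck), here is a simpler, purely log-based way to get the device inventory and segmentation check described above: parse DHCP lease acknowledgements, compare what showed up against an approved inventory, and flag anything unknown that landed in the CUI segment or any known device that turned up in the wrong segment. The log lines, MAC addresses, subnets and baseline are constructed, and the dnsmasq-style line format is an assumption; a passive network sensor would give the same inventory without depending on the DHCP server.

```python
"""Added example (not from the Cytellix/IMRI deck): build a device inventory
from DHCP server log lines and flag devices that are not in the approved
inventory, or that appear outside the segment they belong in. The log lines,
subnets and baseline below are constructed sample data."""
import ipaddress
import re

# Constructed baseline: approved MAC -> (hostname, segment it belongs in).
BASELINE = {
    "aa:bb:cc:00:00:01": ("cui-fileserver-01", "cui"),
    "aa:bb:cc:00:00:02": ("eng-ws-04", "cui"),
    "aa:bb:cc:00:00:03": ("shopfloor-hmi-02", "ot"),
    "aa:bb:cc:00:00:04": ("reception-pc", "office"),
}

# Constructed segmentation map: which subnet is which segment.
SEGMENTS = {
    "cui": ipaddress.ip_network("10.10.20.0/24"),
    "ot": ipaddress.ip_network("10.10.30.0/24"),
    "office": ipaddress.ip_network("10.10.10.0/24"),
}

# Constructed dnsmasq-style DHCP log; the last line is a DISCOVER with no address yet.
SAMPLE_LOG = """\
Oct  3 08:01:12 dhcp dnsmasq-dhcp[911]: DHCPACK(eth0) 10.10.20.15 aa:bb:cc:00:00:01 cui-fileserver-01
Oct  3 08:02:40 dhcp dnsmasq-dhcp[911]: DHCPACK(eth0) 10.10.20.31 aa:bb:cc:00:00:02 eng-ws-04
Oct  3 08:05:03 dhcp dnsmasq-dhcp[911]: DHCPACK(eth0) 10.10.20.77 de:ad:be:ef:00:01 android-7f3a
Oct  3 08:06:19 dhcp dnsmasq-dhcp[911]: DHCPACK(eth0) 10.10.10.44 aa:bb:cc:00:00:04 reception-pc
Oct  3 08:07:55 dhcp dnsmasq-dhcp[911]: DHCPACK(eth0) 10.10.10.90 aa:bb:cc:00:00:03 shopfloor-hmi-02
Oct  3 09:01:12 dhcp dnsmasq-dhcp[911]: DHCPACK(eth0) 10.10.20.15 aa:bb:cc:00:00:01 cui-fileserver-01
Oct  3 09:08:01 dhcp dnsmasq-dhcp[911]: DHCPDISCOVER(eth0) 00:11:22:33:44:55
"""

# Only ACKs carry a confirmed address; the hostname is optional in the lease.
ACK_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<name>\S+))?"
)


def segment_of(ip: str) -> str:
    """Name the segment an address falls in, or 'unknown' if it matches no subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_leases(log_text: str) -> dict:
    """Return the latest lease per MAC (a device may renew several times)."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/OFFER/NAK lines: no confirmed address, skip
        leases[m["mac"]] = {
            "ip": m["ip"],
            "name": m["name"] or "",
            "segment": segment_of(m["ip"]),
        }
    return leases


def audit(leases: dict, baseline: dict = BASELINE) -> list:
    """Compare observed devices with the approved inventory; return findings."""
    findings = []
    for mac, lease in leases.items():
        if mac not in baseline:
            # Unknown hardware inside the CUI segment is the case that matters most.
            findings.append({
                "mac": mac, "kind": "unknown_device",
                "severity": "high" if lease["segment"] == "cui" else "medium",
                "ip": lease["ip"], "segment": lease["segment"], "name": lease["name"],
            })
            continue
        expected_name, expected_seg = baseline[mac]
        if lease["segment"] != expected_seg:
            # A known device on the wrong subnet usually means a broken segmentation rule.
            findings.append({
                "mac": mac, "kind": "segment_mismatch", "severity": "medium",
                "ip": lease["ip"], "segment": lease["segment"],
                "expected": expected_seg, "name": expected_name,
            })
    return findings


if __name__ == "__main__":
    for f in audit(parse_leases(SAMPLE_LOG)):
        print(f"{f['severity']:<6} {f['kind']:<17} {f['mac']} {f['ip']} ({f['name'] or '?'})")
```

Run against the sample log, the audit reports the unidentified Android handset that obtained an address in the CUI subnet and the shop-floor HMI that was seen on the office VLAN instead of the OT one; everything else matches the baseline. Feeding each day's DHCP log through this is the cheapest form of the "discover every device" inventory the deck describes, and it also produces the asset list that 3.4.1 (configuration baselines) and the CSET questionnaire ask for.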

Copyright © 2016 IMRI Translating business needs into technology solutions

Page 25

Key Differentiators

1) Complete turn-key service which includes everything a customer needs to be compliant with NIST 800-171: CSET, network scan & real-time vulnerability scan (with reports), gap analysis, continuous (improvement) monitoring, remediation and compliance services…
2) The entire service and reporting is designed for and correlated with NIST 800-171 compliance.
3) Cloud based and clientless (agentless + passive); no heavy on-premise installation.
4) Affordably priced. (The IBMs of the world have a difficult time servicing a 50-person company.)
5) Available through your local MEP.

Page 26

Cytellix Service Packages

*Turnkey pricing is tiered based on the size of the customer / number of employees.

Package: Managed Cybersecurity Services "Snap Shot" (under 20 employees)
  Term: one-time; client cost: $2,995; Manufacturing Extension Partner discount: 10%

Package: Turnkey Compliance (under 50 employees)
  Term: yearly; client cost: $10,871; Manufacturing Extension Partner discount: 20%

Service summaries:
• Consulting interview, NIST 800-171
• CSET assessment, documentation
• Vulnerability assessment, review, documentation
• Network situational awareness scan, report
• Gap analysis, top vulnerabilities, recommendations
• Cytellix customer portal and stored documentation
• Cytellix Continuous Monitoring (CCM) with real-time alerts
• Periodic vulnerability scans
• Best practices for proper cyber posture
• Updated CSET and gap analysis post remediation

**Cytellix provides remediation services on an hourly basis.

Page 27

Cytellix – Additional Services

Cytellix's managed security operations center (SOC) is an upgrade to the turnkey package which allows customers to completely outsource the Cytellix cyber readiness service, including remediation, mitigation and reporting.

Optional services provided: Security Operations Center (fewer than 50 employees), yearly:
• 24x7 outsourced continuous monitoring
• Investigation, mitigation, and intelligence analytics
• Monitoring of open/closed sources

Client cost: $2,070 per year; Manufacturing Extension Partner discount: 20%.

*Managed SOC pricing is tiered based on the size of the customer / number of employees.

Page 28

Spencer Cobb, Cytellix, Director, Strategy & Business Dev. (404)‐844‐[email protected]

Page 29

Report Summary 14 Controls

[Chart: 14 Controls Summary (per-family bar chart; axis values not recoverable)]

Page 30

Categories of attacks in SMB

Page 31

Root causes of attacks – ex.

Page 32

Real world anecdotes

• Manufacturer in MI: hit by ransomware 3 different times. Paid increasing amounts of ransom to decrypt files.
• Industrial materials manufacturer in PA: hit by ransomware twice. Paid $10,000.
• Manufacturer in NJ: put out an RFP for components and provided information about its products to bidders. Later found out it was being hacked. The FBI found that a Chinese company which had bid on the RFP had hacked the company, stolen IP, and reproduced their product for sale on the Chinese black market.

Page 33

Security Challenges

What do we know?
• Constant system upgrades, moves and changes
• Resources in IT and cyber are limited in most organizations
• Real-time analysis across the entire enterprise or cloud is required
• Awareness of every computer, network, device (IoT) and route is required for true situational awareness
• We need to understand attack paths, risks and data leaks
• Increased requirements for cyber security compliance and policies

Page 34

Common TTPs: common tactics, techniques & procedures in manufacturing attacks

Phishing, spear-phishing, SQLi, malvertising → account hijacking or malware infection → data exfiltration or ransomware (encryption)