FIIF JAM SESSION focusing on Industrial Internet cyber safety issues

22 September 2015

Introduction

"Cyber Security Risks of Industrial Internet in different Sectors of Industry"

Pasi Ahonen, Senior Scientist, KYBER-TEO Project Manager, VTT Technical Research Centre of Finland



Ten IoT Opportunities and Cyber Risks

| Industry Sector | IoT Application example | Business Opportunity | Cyber Risks |
|---|---|---|---|
| Energy | Smart grid & Advanced metering | Demand response pricing and production model | Hostile remote access to grid control system |
| Agriculture | Precision farming, Traceability of origin | Efficient production | Malware infected farming or food production system |
| Construction | Logistics optimizer (RFID, GPS, ERP…) | Logistics of materials, tools and workforce | Network based denial of access to logistics system |
| Retail | Optimized customer care, Self-checkout | Global reach & distribution | Consumer abuse using open source attack tool |
| Manufacturing | Remote system maintenance | Continuous production | Cyber disturbance to production network |
| Other Utilities | Process optimizer & Environment monitor | Waste material utilization | Hostile access to pump station control system |
| Health | Patient monitoring & Personal fitness | Online diagnostics | Personal data leak from monitoring system |
| Transport | Fleet management & Condition based maintenance | Optimized logistics | Cyber disturbance to fleet management network |
| Buildings | Maintenance cost optimizer | Life-cycle costs | Cyber vandalism against building automation network |
| Security | Remote monitoring & Smart access | Security services | Hijacking of remote connections to acquire unlawful entry |

Ref: Pasi Ahonen & Heikki Ailisto, VTT.

Cyber Security Risk areas relevant to Industrial Internet

Ref: OWASP Internet of Things Project:

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

Daniel Miessler, IoT Village, DEFCON 23, August 2015


CONCLUSION?

The designers of IoT applications must UNDERSTAND these problems at hand - IN PRACTICE!

VTT Oy

VTT Offering - Cyber Defence Workshops

[Diagram of the workshop environment; the figure itself is not recoverable. Labels: Advanced actions; Network monitoring tools; Security testing tools; Tools for the attack (Scout/intelligence, Attack); Networks, Application, Platforms, Settings; Policy, Guidelines, Models/Practice, Requirements, Audits, Work rights, Change control; Secure applications, Secure networks, Secure settings, Secure platforms; GW, FW, Switch; Network scanning; Illegal admission; Network attack; Visualisation tools, Network monitoring tools, Log monitoring tools (Monitor, Defence actions); Alarms, Network events, Log.]

Applicable vulnerable network and device environments are used in the workshops.

1. Find vulnerable targets
2. Select targets and goals for the attack
3. Implement attacks by using ready configured tools

BATTLEFIELD

1. Set logging
2. Monitor traffic
3. Find attacks
4. Consider best defence mechanism

Main goals for participants are to recognise cyber attacks and learn the best defence mechanisms in practice

• Special hands-on workshop for company experts who need to understand how cyber attacks work and how they can defend their systems against such attacks

• Value: Hands-on learning of cyber attacks and specific defence

Participant Objectives

• Learn to understand and find cyber threats and vulnerabilities in the company's systems and operations

• Recognise cyber security needs in your company

• Learn the basics of good practices and tools

• See cyber security tools for attack, monitoring and defence in practice

You are welcome to test your systems and products

TECHNOLOGY FOR BUSINESS

www.vtt.fi