Future-Proofing Supply Chain Against Emerging Cyber-Physical Threats
Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of any organisation.
Steven Sim, VP, ISACA Singapore Chapter
What do they have in common? (1)
What do they have in common? (2)
Infosecurity Magazine
Supply Chain Risk Closer to Home
• Threats are getting increasingly impactful and sophisticated
• All organisations that have a cyber footprint can be breached
• Not a matter of IF but WHEN incidents would happen
• How can we then future-proof against the inevitable?
New Cybersecurity Normal
Characteristics of Advanced Persistent Threats (APTs), compared with Wiperworm (NotPetya) and Ransomworm (WannaCry)

Impact & Behavior
  APTs: Data leaked; stays persistent, not detected; intent hard to figure
  NotPetya, WannaCry: Outage
Sophistication
  Signatureless; legitimate tools and sites
  Exploits multiple vulnerabilities
  Fully patched systems vulnerable
Now what can we do?
Know our SELF
Know our ENEMIES
A hundred BATTLES
A hundred VICTORIES
- Sun Tzu
“While cyber defences will never be impregnable, the success of the attacker in achieving actions on objectives is not inevitable.” – SingHealth COI
Exposures, Attacks, Compromises and their Technical Equivalents
  Exposures → Indicators of Exposure (IOE)
  Attacks → Indicators of Attack (IOA)
  Compromises → Indicators of Compromise (IOC)
Know our SELF (exposures) · Know our ENEMIES (attacks, compromises)
Tactics, Techniques, Procedures (TTP)
Now what can we do?
Know our SELF
McKinsey
Supply Chain 4.0
ISACA
Cyber-Physical Universe
Automation is also the means to repeat human errors with rigor in a consistent manner.
Cybersecurity and Safety are increasingly synonymous.
Star Tribune
Matter of Life and Death
RiskBasedSecurity
Perils of Patching
• How complex is your system?
• How fast can you test a patch?
• How complete is your testing?
• Can you afford to risk a self-inflicted Denial-of-Service?
ZDNet
TechRepublic
LapTopMag
Key current pain-points
1. Weak computing power
2. Insecurity by design
3. Insecure industrial protocols
4. Slow certification of patches
5. Hard to retrofit
Inherent Design Issues
Belden
Cyber-Physical Limitations
Inherent Accessibility Exposures
Internet connectivity → Watering Hole Attacks
Cloud adoption, data lakes → Leaky Cloud Buckets
Internet connectivity → Distributed Denial-of-Service
Increased Accessibility
Now what can we do?
Know our ENEMIES
Identifying and Prioritizing
Threat Scenarios
Threats against Supply Chain
ISACA
1. Defeat Device
2. Logic Bombs
3. Back Doors
4. Malware
5. Vulnerabilities
Threats towards Cyber-Physical
Systems in Supply Chain 4.0
PWC
PWC
Tactics, Techniques and Procedures (TTPs)
Who are our Enemies? (2)
Prevent Action on
Objectives
Low Barriers to Attacks (1)
Low Barriers to Attacks (2)
Low Barriers to Attacks (3)
Source: Resilient Navigation and Timing Foundation
Physical-to-Cyber Threats (1)
Resilient Navigation and Timing Foundation
Source: PC Magazine
DreamsTime
Physical-to-Cyber Threats (2)
Now what can we do?
A Hundred Battles
A Hundred Victories
Governance key to Future-proofing
Perform threat modelling · Adopt cybersecurity framework · Adopt key principles
[Diagram: Key Areas of IIOT Focus: Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness]
Adopt IT Risk Framework
• Business to operation to IT risk alignment paramount
• Risk optimization is key to risk management
• Risk Owner is Accountable
• CISO cannot own Risk
Adopt IT Risk Framework
ISACA Risk IT Framework
1. Tender Specs (Firewall, VPN, Common Criteria, etc.)
2. Product allows Vulnerability to be Managed
3. Layered Defense Architecture
4. Architecture Security Review

1. Security Standards
2. Server Hardening, i.e. Disable Unnecessary Services
3. Network-based Firewall
4. Pre-deployment Vulnerability Assessment & Penetration Testing

1. Regular Vulnerability Scan
2. Regular Vulnerability Alert Monitoring
3. Timely Vulnerability Remediation/Patching
4. Continuous Audit and Monitoring

1. Security Training and Awareness
2. Security Advisories to Custodians
3. Phishing Simulation Exercise
4. Extension to Supply Chain
Microsoft
ISACA
Adopt Key Principles
• Data as the new oil
• Adopt a data-centric approach
Privacy-by-Design (as part of SbD)
ISACA
Patch-work is not ideal – addressing flaws in pre-existing systems architecture.
Security-by-design has to be done right from the start.
ZDNet
Adopt Cyber Security Framework (1)
ISACA
COBIT
Increased Focus on
Detect, Response and Recover phases
ISACA
Third-party Attestations
• Multi-Tiered Cloud Services
• Common Criteria
• CREST
• CoBIT / ISO 270XX / SOC2
• ABS Guidelines
• OSPA (Outsource Service Provider Assessment)
• PTG (Penetration Testing Guideline)
• RTAASEG (Red Team Adversarial Attack Simulation Exercises Guidelines)
Adopt Cyber Security Framework (2)
Network Security
Focus
[Diagram: Key Areas of IIOT Focus, Network Security highlighted: Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness]
Standards
• ISA/IEC-62443
• NIST SP800-82
Layered Defenses
• by depth
• by diversity
Key Areas of Focus (1)
Vulnerability Management Focus
[Diagram: Key Areas of IIOT Focus, Vuln Mgmt highlighted: Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness]
Different ways of fixing a vulnerability
• Disable unnecessary services
• Network-based firewall
• Host-based firewall
• Hardening the configuration
• Virtual Patching
• Patching
Vulnerability remediation matrix: Systems / Services × Vulnerability Severity × Exploitability
  Columns (where the flaw is exploitable from):
    - Exploitable remotely from Internet / Building
    - Exploitable remotely from Gateway / Clients
    - Exploitable only locally on host
  Rows (system exposure × severity):
    - Internet / Extranet-facing: Critical / High, Medium, Low
    - Intranet-facing: Critical / High, Medium, Low
Vulnerability Remediation Timeline
• Risk-based
• Peace Time vs Heightened Posture
• Attack Surface Exposure
• Exploit Public Availability
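The risk-based remediation timeline above, worked through as an added Python example (this is not code from the presentation or from ISACA): system exposure, severity and exploitability reach select a baseline window from the matrix, public exploit availability and a heightened posture shorten it, and a non-patch fix such as a network-based firewall or a disabled service is modelled as shrinking the reach so the same flaw is re-rated. Every day count, the halving rule, the "compensating control shrinks reach" model and the names Finding, Facing, Severity, Reach, remediation_days, with_compensating_control and prioritise are constructed assumptions; the slide itself leaves the matrix cells blank.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Facing(Enum):
    """Which side of the perimeter the system serves (rows of the matrix)."""
    INTERNET = "Internet / Extranet-facing"
    INTRANET = "Intranet-facing"


class Severity(Enum):
    CRITICAL_HIGH = "Critical / High"
    MEDIUM = "Medium"
    LOW = "Low"


class Reach(Enum):
    """From where the flaw can be exploited (columns of the matrix), widest first."""
    INTERNET_BUILDING = "remotely from Internet / Building"
    GATEWAY_CLIENTS = "remotely from Gateway / Clients"
    LOCAL_HOST = "only locally on host"


# Baseline remediation windows in days. CONSTRUCTED placeholder values:
# the presentation leaves the matrix cells blank, so these are not its numbers.
_REACH_ORDER = (Reach.INTERNET_BUILDING, Reach.GATEWAY_CLIENTS, Reach.LOCAL_HOST)
_BASELINE = {
    (Facing.INTERNET, Severity.CRITICAL_HIGH): (7, 14, 30),
    (Facing.INTERNET, Severity.MEDIUM): (14, 30, 60),
    (Facing.INTERNET, Severity.LOW): (30, 60, 90),
    (Facing.INTRANET, Severity.CRITICAL_HIGH): (14, 30, 60),
    (Facing.INTRANET, Severity.MEDIUM): (30, 60, 90),
    (Facing.INTRANET, Severity.LOW): (60, 90, 180),
}
BASELINE_DAYS = {
    (facing, sev, reach): days
    for (facing, sev), row in _BASELINE.items()
    for reach, days in zip(_REACH_ORDER, row)
}


@dataclass(frozen=True)
class Finding:
    system: str
    facing: Facing
    severity: Severity
    reach: Reach
    public_exploit: bool = False  # the slide's "Exploit Public Availability"


def remediation_days(finding: Finding, heightened: bool = False) -> int:
    """Baseline window from the matrix, halved when a public exploit exists and
    halved again under a heightened posture (peace time vs heightened posture).
    Both halving steps are an assumption of this example, never below one day."""
    days = BASELINE_DAYS[(finding.facing, finding.severity, finding.reach)]
    if finding.public_exploit:
        days = max(1, days // 2)
    if heightened:
        days = max(1, days // 2)
    return days


def with_compensating_control(finding: Finding, new_reach: Reach) -> Finding:
    """Model a non-patch fix (network-based firewall, disabled service, virtual
    patch) as reducing the exploitable reach. The flaw is still present, so it
    stays on the list and is simply re-rated; widening reach is rejected."""
    if _REACH_ORDER.index(new_reach) < _REACH_ORDER.index(finding.reach):
        raise ValueError("a compensating control cannot widen exposure")
    return replace(finding, reach=new_reach)


def prioritise(findings, heightened: bool = False):
    """Return (days, system) pairs with the shortest window first."""
    return sorted((remediation_days(f, heightened), f.system) for f in findings)


if __name__ == "__main__":
    # Constructed sample findings; the system names are illustrative only.
    sample = [
        Finding("customer portal", Facing.INTERNET, Severity.CRITICAL_HIGH,
                Reach.INTERNET_BUILDING, public_exploit=True),
        Finding("warehouse PLC gateway", Facing.INTRANET, Severity.CRITICAL_HIGH,
                Reach.GATEWAY_CLIENTS),
        Finding("HR intranet app", Facing.INTRANET, Severity.LOW, Reach.LOCAL_HOST),
    ]
    for days, system in prioritise(sample, heightened=False):
        print(f"{days:4d} days  {system}")
    # A network-based firewall in front of the PLC gateway shrinks its reach,
    # which lengthens the window while the vendor patch is certified.
    shielded = with_compensating_control(sample[1], Reach.LOCAL_HOST)
    print(remediation_days(shielded), "days once shielded by a firewall")
```

The point of the compensating-control step is the slide's list of ways to fix a vulnerability: when a certified patch is slow to arrive, a firewall rule or disabled service changes the exploitability column and therefore the risk rating, but the finding is kept open so the eventual patch is still tracked.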
Key Areas of Focus (2)
Optiv IR Org Model
Incident Management Focus
[Diagram: Key Areas of IIOT Focus, Incident Mgmt highlighted: Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness]
Key Areas of Focus (3)
Key Areas of Consideration
• Black Swans
• Recovery Order
• Alternate Comms
• Crisis Management
• Cyber-Physical SOC
• Threat Hunting, Drills, Table-tops
• BCM for full automation
[Diagram: Key Areas of IIOT Focus: Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness]
Governance key to Future-proofing
Perform threat modelling · Adopt cybersecurity framework · Adopt key principles
[Diagram: Key Areas of IIOT Focus: Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness]
Adopt IT Risk Framework
“… need for organizations to elevate cybersecurity as a priority to build
the foundation of its cybersecurity culture, better secure their
operations, and strengthen the global digital economic ecosystem.
Partnerships and information sharing, like ISACA’s collaboration with
Digital Manufacturing and Design Innovation Institute (DMDII) on this
study, are becoming increasingly key to accomplishing these goals.”
Frank Downs, Director of Cybersecurity Practices at ISACA
Public Private Partnership
1. Be Aware of Increasing Concerns with Cyber-Physical Threats
• Emerging Cyber-Physical Threats are sophisticated. Cover all spaces.
2. Key Resilience Principles are still relevant against emerging threats
• Adopt good risk, threat modelling, principles, cybersecurity frameworks.
• Be pragmatic - Cyber Resiliency is key.
3. Good Risk Culture, Management and Governance is important
• Optimize risk. Technology is inadequate. Support with people and processes. Connect with industry and community.
Key Take-aways (1)
Key Take-aways (2)
4. Need for inventory of systems and services, asset classification, risk assessment
5. Need for architecture governance
• Not allowing excessive diverse technologies to be used in
• Having adequate diversity to mitigate supply chain concentration risk.
6. Buying technology to solve problems but with adequately trained people and processes
• Industrialization 4.0 is here to stay
• Less human intervention
• Heavy reliance on cyber-physical connectivity, analytics, cloud
• Increased criticality on wireless networking
• Transiting to the New Cybersecurity Normal
• Better impact assessment and automated containment
• Elevated cybersecurity requirements and mandate – Security & Privacy by Design
• Increased commoditization of cyber insurance
All’s not doom and gloom
• Become better at your job
• Support your profession
• Increase your value to your employer by expanding your skill set
• Expand your network of business contacts
• Highlight your expertise by earning a professional credential
• Position yourself to participate in a global marketplace
• Support the future of your profession
• Position yourself for management opportunities
Why you should become an ISACA member
MANAGING RISK.
EMBRACING UNCERTAINTY
MAY 15, 2019 SINGAPORE
PROGRAMME & SPEAKERS PROFILE
Updated as of 22 Mar 2019
https://www.gtacs.sg
Thank you for attending. Stay in touch!

 

Future-proofing Supply Chain against emerging Cyber-physical Threats

  • 1. Future-Proofing Supply Chain Against Emerging Cyber-Physical Threats. Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of any organisation. Steven Sim, VP, ISACA Singapore Chapter
  • 2. What do they have in common? (1)
  • 3. What do they have in common? (2)
  • 5. New Cybersecurity Normal • Threats are getting increasingly impactful and sophisticated • All organisations that have a cyber footprint can be breached • Not a matter of IF but WHEN incidents would happen • How can we then future-proof against the inevitable? Table: characteristics of Advanced Persistent Threats (APTs), compared across APTs, Wiperworm (NotPetya) and Ransomworm (WannaCry). Impact & Behavior: data leaked (rest are outage); stays persistent, not detected; intent hard to figure. Sophistication: signatureless, legitimate tools, sites; exploits multiple vulnerabilities; fully patched systems vulnerable.
  • 6. Now what can we do? Know our SELF Know our ENEMIES A hundred BATTLES A hundred VICTORIES - Sun Tzu “While cyber defences will never be impregnable, the success of the attacker in achieving actions on objectives is not inevitable.” – SingHealth COI
  • 7. Exposures, Attacks, Compromises. Technical Equivalents: Indicators of Exposure (IOE), Indicators of Attack (IOA), Indicators of Compromise (IOC). ISACA. Know our SELF, Know our ENEMIES: Tactics, Techniques, Procedures (TTP)
  • 8. Now what can we do? Know our SELF
  • 10. Cyber-Physical Universe Automation is also the means to repeat human errors with rigor in a consistent manner. Cybersecurity and Safety are increasingly synonymous.
  • 11. Star Tribune Matter of Life and Death RiskBasedSecurity
  • 12. Perils of Patching • How complex is your system? • How fast can you test a patch? • How complete is your testing? • Can you afford to risk a self-inflicted Denial-of-Service? ZDNet TechRepublic LapTopMag
  • 13. Key current pain-points 1. Weak computing power 2. Insecurity by design 3. Insecure industrial protocols 4. Slow certification of patches 5. Hard to retrofit Inherent Design Issues Belden Cyber-Physical Limitations
  • 14. Inherent Accessibility Exposures: Internet connectivity → Watering Hole Attacks; Cloud adoption, data lakes → Leaky Cloud Buckets; Internet connectivity → Distributed Denial-of-Service. Increased Accessibility
  • 15. Now what can we do? Know our ENEMIES
  • 16. Identifying and Prioritizing Threat Scenarios. Threats against Supply Chain (ISACA): 1. Defeat Device 2. Logic Bombs 3. Back Doors 4. Malware 5. Vulnerabilities
  • 17. Threats towards Cyber-Physical Systems in Supply Chain 4.0 PWC
  • 18. PWC
  • 19. Tactics, Techniques and Procedures (TTPs) Who are our Enemies? (2) Prevent Action on Objectives
  • 20. Low Barriers to Attacks (1)
  • 21. Low Barriers to Attacks (2)
  • 22. Low Barriers to Attacks (3)
  • 23. Source: Resilient Navigation and Timing Foundation Physical-to-Cyber Threats (1) Resilient Navigation and Timing Foundation
  • 25. Now what can we do? A Hundred Battles A Hundred Victories
  • 26. Governance key to Future-proofing: Perform threat modelling, Adopt cybersecurity framework, Adopt key principles, Adopt IT Risk Framework. Key Areas of IIOT Focus: IIOT Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness
  • 27. • Business to operation to IT risk alignment paramount • Risk optimization is key to risk management • Risk Owner is Accountable • CISO cannot own Risk Adopt IT Risk Framework ISACA Risk IT Framework
  • 28. 1. Tender Specs (Firewall, VPN, Common Criteria, etc) 2. Product allows Vulnerability to be Managed 3. Layered Defense Architecture 4. Architecture Security Review 1. Security Standards 2. Server Hardening i.e. Disable Unnecessary Services 3. Network-based Firewall 4. Pre-deployment Vulnerability Assessment & Penetration Testing 1. Regular Vulnerability Scan 2. Regular Vulnerability alert Monitoring 3. Timely Vulnerability Remediation/Patching 4. Continuous Audit and Monitoring 1. Security Training and Awareness 2. Security Advisories to Custodians 3. Phishing Simulation Exercise 4. Extension to Supply Chain Microsoft ISACA Adopt Key Principles
  • 29. • Data as the new oil • Adopt a data-centric approach. Privacy-by-Design (as part of SbD) ISACA
  • 30. Patch-work is not ideal – addressing flaws in pre-existing systems architecture. Security-by-design has to be done right from the start. ZDNet
  • 31. Adopt Cyber Security Framework (1) ISACA COBIT Increased Focus on Detect, Response and Recover phases ISACA
  • 32. Third-party Attestations • Multi-Tiered Cloud Services • Common Criteria • CREST • CoBIT/ISO270XX/SOC2 • ABS Guidelines • OSPA (Outsource Service Provider Assessment) • PTG (Penetration Testing Guideline) • RTAASEG (Red Team Adversarial Attack Simulation Exercises Guidelines) Adopt Cyber Security Framework (2)
  • 34. Vulnerability Management Focus (IIOT Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness). Different ways of fixing a vulnerability • Disable unnecessary services • Network-based firewall • Host-based firewall • Hardening the configuration • Virtual Patching • Patching Systems / Services. Vulnerability Severity (rows: exposure; columns: where the flaw is exploitable from): Internet / Extranet-facing: Critical / High if exploitable remotely from Internet / Building, Medium if exploitable remotely from Gateway / Clients, Low if exploitable only locally on host; Intranet-facing: Critical / High, Medium, Low for the same three columns. Vulnerability Remediation Timeline • Risk-based • Peace Time vs Heightened Posture • Attack Surface Exposure • Exploit Public Availability. Key Areas of Focus (2)
  • 35. Optiv IR Org Model. Incident Management Focus (IIOT Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness). Key Areas of Focus (3). Key Areas of Consideration • Black Swans • Recovery Order • Alternate Comms • Crisis Management • Cyber-Physical SOC • Threat Hunting, Drills, Table-tops • BCM for full automation
  • 37. Governance key to Future-proofing: Perform threat modelling, Adopt cybersecurity framework, Adopt key principles, Adopt IT Risk Framework. Key Areas of IIOT Focus: IIOT Physical Security, Change Mgmt, Network Security, Security Hardening, Account Mgmt, Vuln Mgmt, Incident Mgmt, Security Awareness
  • 38. “… need for organizations to elevate cybersecurity as a priority to build the foundation of its cybersecurity culture, better secure their operations, and strengthen the global digital economic ecosystem. Partnerships and information sharing, like ISACA’s collaboration with Digital Manufacturing and Design Innovation Institute (DMDII) on this study, are becoming increasingly key to accomplishing these goals.” Frank Downs, Director of Cybersecurity Practices at ISACA Public Private Partnership
  • 39. 1. Be Aware of Increasing Concerns with Cyber-Physical Threats • Emerging Cyber-Physical Threats are sophisticated. Cover all spaces. 2. Key Resilience Principles are still relevant against emerging threats • Adopt good risk, threat modelling, principles, cybersecurity frameworks. • Be pragmatic - Cyber Resiliency is key. 3. Good Risk Culture, Management and Governance is important • Optimize risk. Technology is inadequate. Support with people and processes. Connect with industry and community. Key Take-aways (1)
  • 40. Key Take-aways (2) 4. Need for inventory of systems and services, asset classification, risk assessment 5. Need for architecture governance • Not allowing excessive diverse technologies to be used in • Having adequate diversity to mitigate supply chain concentration risk. 6. Buying technology to solve problems but with adequately trained people and processes
  • 41. • Industrialization 4.0 is here to stay • Less human intervention • Heavy reliance on cyber-physical connectivity, analytics, cloud • Increased criticality on wireless networking • Transiting to the New Cybersecurity Normal • Better impact assessment and automated containment • Elevated cybersecurity requirements and mandate – Security & Privacy by Design • Increased commoditization of cyber insurance. All's not doom and gloom
  • 42. • Become better at your job • Support your profession • Increase your value to your employer by expanding your skill set • Expand your network of business contacts • Highlight your expertise by earning a professional credential • Position yourself to participate in a global marketplace • Support the future of your profession • Position yourself for management opportunities. Why you should become an ISACA member
  • 43. MANAGING RISK. EMBRACING UNCERTAINTY. MAY 15, 2019, SINGAPORE. PROGRAMME & SPEAKERS PROFILE, updated as of 22 Mar 2019. https://www.gtacs.sg
  • 44. Thank you for attending. Stay in touch!

Editor's Notes

  1. More on ISACA
  2. Can anyone hazard a guess what these organisations have in common? Yes, these are organisations hacked due to a breach in their supply chain. https://www.channelnewsasia.com/news/technology/fema-error-exposes-2-3-million-disaster-survivors-to-fraud--watchdog-11371994 https://www.bankinfosecurity.com/pentagon-data-breach-exposed-30000-travel-records-a-11600
  3. What about this list? These are the suppliers who resulted in the breaches. Breaches can come in many forms, shapes and sizes, some through their law firms, some through their managed services, some through maintenance contractors. https://www.techradar.com/news/hpe-and-ibm-attacked-by-chinese-hackers https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/ https://www.csoonline.com/article/2129794/lessons-from-the-rsa-breach.html https://bgr.com/2018/08/06/android-malware-windows-google-removes-145-apps/ https://www.smh.com.au/politics/federal/chinese-hackers-breach-anu-putting-national-security-at-risk-20180706-p4zq0q.html https://www.icij.org/investigations/paradise-papers/ The threat of cyberattacks using an enterprise's supply chain as a delivery vector has become a common concern within the information security community.
  4. Locally, Singapore is not spared. More than 800,000 blood donors details exposed through a vendor who was working on a database. https://www.infosecurity-magazine.com/news/vendor-exposes-singapore-health-1-1/
  5. https://www.isaca.org/Journal/archives/2017/Volume-1/Pages/indicators-of-exposure-and-attack-surface-visualization.aspx
  6. The McKinsey article has a detailed write-up on Supply Chain 4.0. However, it makes no mention of cyber risk or security in its considerations. ISACA classifies and provides a series of recommendations to manage risks associated with various systems. https://www.mckinsey.com/industries/consumer-packaged-goods/our-insights/supply-chain-4-0-in-consumer-goods
  7. For the purpose of today’s short presentation, I am going to narrow the focus down to Cyber-physical systems.
  8. It is a matter of life and death! There is so much imperfectly written software out there. How are you going to remotely patch a life-dependent device? On top of that, there are so many vulnerabilities out there.
  9. OK, let's say you are able to orchestrate patches, but how complex is your system? How fast can you test a patch? How complete is your testing, and can you afford to risk a self-inflicted Denial-of-Service, which is what happened to Queensland hospitals during the WannaCry patch frenzy, and more recently when factory systems were hit by post-Meltdown/Spectre patch glitches? Not to mention the recent case of the Windows 10 October update giving issues. Imagine the HMIs in your OT network being patched and running into issues as well.
  10. IIOT needs to ensure risk is kept to a minimum, therefore its underlying foundation is very much the same as OT, inheriting a large bulk of its design flaws. OT stands for Operational Technology and encompasses ICS (Industrial Control Systems) and SCADA (Supervisory Control And Data Acquisition). Unlike IT, OT prioritizes its cybersecurity requirements differently: in OT, safety comes foremost, followed by availability, integrity and confidentiality. I look at IIOT as an extension of OT as it has to bring along the engineering ruggedness of OT. IIOT tends to be weaker in computing power, hence even blockchain trials have had to resort to weaker hashes instead of using industry-accepted SHA-2 hashes, impacting the ability to comply with standards. This was partly the reason why separate IoT security standards had to be developed. Having its roots in OT, IIOT tends to be insecure by design, with hardcoded passwords and a lack of orchestration. Insecure industrial protocols that have no authentication and encryption are often put in place because they were originally built for closed systems. And for reasons of safety and thoroughness in testing, OS and third-party security fixes are often slow to be certified by the vendors. Lastly, they are often hard to retrofit due to the scale and tight legacy interactions. Any component change often requires extensive testing and customization.
  11. With IoT, analytics come into play, and with analytics you would think of the use of cloud. There are 3 key concerns with the underlying accessibility. First, there is the risk of watering hole attacks, as exploited by the NotPetya malware, which relied on the MeDocs accounting software. Then there is the challenge of misconfigured, leaky cloud buckets; there was a slew of news relating to misconfigured Amazon Web Services buckets, with victims including some of the big consulting houses. Not least, there are DDoS attacks targeting IIoT, such as the Mirai botnet.
  12. https://www.isaca.org/Journal/archives/2013/Volume-4/Pages/JOnline-Mitigating-Software-Supply-Chain-Risk.aspx
  13. https://www.recode.net/sponsored/12356344/cybersecurity-and-privacy-risks-of-industry-4-0-infographic
  14. GPS jamming and spoofing attacks are a serious concern if GPS is relied on as the only means of navigation. Land-based navigation systems and transponders would be a consideration.
  15. And even hobby drones can be used to effectively jam industrial access points. This is a tough problem to solve and this is where integration of physical and cyber monitoring becomes very important.
  16. Cyber supply-chain risk management (SCRM): monitoring and response. What is at risk? Confidentiality (intellectual property and personal and business data); Integrity (processes, products and data); Availability (flows, products and data); Authenticity (products and data); Trustworthiness (processes, products and people). The following properties enable one to assure that the risk has been adequately mitigated or avoided: Transparency, Quality, Accountability.
  17. Adopt a security-by-design, security-by-default, security-by-deployment approach, and underlying all these, strong communications as the foundation is key. For instance, security-by-design entails incorporating security requirements in tender specifications right from the start. I want to highlight that it is important to cover continuous audit and monitoring under the "secure in deployment" phase, and it is important to extend your awareness and phishing simulation to stakeholders down your supply chain.
  18. https://www.zdnet.com/article/boeing-737-max-software-patches-can-only-do-so-much/
  19. Securing via an ecosystem approach rather than a component-based approach.
  20. Network security should be based on layered defenses by depth and by sufficient diversity, minimally diversity between security zones or tiers such as the use of two different makes of firewalls.
  21. Another important aspect of IIOT security focus is vulnerability management. Notice that I don't call it patch management, because patching is just a means to an end. There are different ways besides patching to fix a vulnerability, ranging from something as straightforward as disabling an unused service to something as sophisticated as virtual patching. It is also important to establish a risk-based vulnerability remediation timeline that depends on the threat posture, attack surface exposure as well as exploit availability.
  22. The earlier slides described the WHY and the WHAT. This slide indicates the HOW. To transform the GCIRT Global Organisation into one that achieves the three PSA objectives I mentioned earlier, there are 3 key phases: norming, performing and excelling. By the end of 2019, in accordance with CSMS, the LCIRT would have been set up, and by the end of 2019 GCIRT would be transformed from a reactive state to an adaptive state. By the end of 2020, GCIRT would be expected to evolve from an adaptive stage to a purposeful stage where incident management processes are optimized. At the end of 2021, GCIRT would be more agile, respond to changes in the threat landscape quickly and be able to integrate business risk a lot more seamlessly. Now, what does this mean to each BU?
  23. Establishing a strong cybersecurity and risk culture is ever more important. Do you alert only when there are indicators of compromise or even when there are indicators of attack? What is your management’s reaction when you report false positives?
  24. Here are some key take-aways. Be aware of increasing concerns with cyber-physical threats; key resilience principles will still be relevant against emerging threats. Not least, good risk management and governance are absolutely essential and are the foundation of .
  25. And sharing some common pitfalls: good governance is key. The lack of an adequate inventory is a common pain-point. Secondly, I know this sounds contradictory, but the number of vulnerabilities that need to be dealt with multiplies with every new technology in use. Therefore, do not have excessively diverse technologies, yet do not rely on only one, as that would also incur supply chain concentration risk. Not least, using technology to solve problems without supporting it with trained personnel and processes is a huge concern. A set of double-layered IPSes with no rules in place is as good as not having any IPSes in place.
  26. In the foreseeable future, industrialization 4.0 is here to stay, and it comes with less human intervention, heavier reliance on cyber-physical connectivity, analytics and cloud, and increases the criticality of wireless networking. There is no way you can physically wire up an automated guided vehicle, or an automated ship for that matter. With that, it means transiting to the new cybersecurity normal, where better impact assessment and automated containment are required since everything is automated and real-time, and elevated cybersecurity requirements will be mandated, such as security by design. There will likely be increased investment in cyber security and increased commoditization of cyber insurance. Industrialization has helped us evolve from a canoe to a container ship; there are increased benefits and risks, yet it does not stop us from progressing. BIMCO standards are put in place and insurance becomes mandated. Eventually, I believe the cyber world will reach a similar maturity.
  27. With that I end my presentation. Thank you for attending and do stay in touch. Are there any questions? I will be glad to take them up here, later during the break or off-line. Do link up on LinkedIn. This is my LinkedIn QR code, which you can simply scan using your LinkedIn mobile app. I would very much like to exchange notes with all of you. For all of us, it is a never-ending learning journey in the cyber security space, and it is therefore important to stay in touch and synergize collective wisdom based on knowledge and experience exchanges. Thank you.
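Slide 34 and editor's note 21 describe a risk-based remediation timeline driven by attack surface exposure, threat posture and exploit availability, with patching as only one of several fixes. The following is an added worked example (not the presenter's or ISACA's code) that encodes the slide's severity matrix and those timeline inputs; the day counts, the halving rules and the mapping from exposure to interim non-patch controls are assumptions made for illustration.

```python
# Added example (not from the presentation): risk-based vulnerability triage
# encoding the slide 34 severity matrix and remediation-timeline inputs.
# Day counts, tightening rules and the interim-control mapping are assumptions.
from dataclasses import dataclass
from enum import Enum

class Facing(Enum):
    INTERNET_EXTRANET = "Internet / Extranet-facing"
    INTRANET = "Intranet-facing"

class Reach(Enum):
    REMOTE_INTERNET_BUILDING = "exploitable remotely from Internet / Building"
    REMOTE_GATEWAY_CLIENTS = "exploitable remotely from Gateway / Clients"
    LOCAL_ONLY = "exploitable only locally on host"

# Severity matrix as printed on slide 34 (both facing rows read the same there).
_ROW = {Reach.REMOTE_INTERNET_BUILDING: "Critical/High",
        Reach.REMOTE_GATEWAY_CLIENTS: "Medium", Reach.LOCAL_ONLY: "Low"}
SEVERITY_MATRIX = {Facing.INTERNET_EXTRANET: dict(_ROW), Facing.INTRANET: dict(_ROW)}

# Assumed peace-time deadlines (days) when no public exploit exists.
BASELINE_DAYS = {"Critical/High": 14, "Medium": 30, "Low": 90}

# Assumed mapping from reach to the non-patch fixes slide 34 lists, to buy time
# while a vendor-certified patch is pending (slide 13: slow certification).
INTERIM_CONTROLS = {
    Reach.REMOTE_INTERNET_BUILDING: ["Network-based firewall", "Virtual Patching"],
    Reach.REMOTE_GATEWAY_CLIENTS: ["Host-based firewall", "Virtual Patching"],
    Reach.LOCAL_ONLY: ["Disable unnecessary services", "Hardening the configuration"],
}

@dataclass(frozen=True)
class Vulnerability:
    asset: str
    facing: Facing
    reach: Reach
    exploit_public: bool = False

def severity(v: Vulnerability) -> str:
    return SEVERITY_MATRIX[v.facing][v.reach]

def remediation_days(v: Vulnerability, heightened_posture: bool = False) -> int:
    """Assumed rule: halve the deadline when a public exploit exists, halve it
    again under a heightened threat posture, and never go below one day."""
    days = BASELINE_DAYS[severity(v)]
    if v.exploit_public:
        days //= 2
    if heightened_posture:
        days //= 2
    return max(days, 1)

def prioritize(vulns, heightened_posture: bool = False):
    """Return (asset, severity, days, interim controls) rows, most urgent first."""
    rows = [(v.asset, severity(v), remediation_days(v, heightened_posture),
             INTERIM_CONTROLS[v.reach]) for v in vulns]
    return sorted(rows, key=lambda r: (r[2], r[0]))

# Constructed sample findings for an industrial estate (not real assets).
SAMPLE_VULNS = [
    Vulnerability("hmi-01", Facing.INTRANET, Reach.LOCAL_ONLY),
    Vulnerability("vpn-gw", Facing.INTERNET_EXTRANET,
                  Reach.REMOTE_INTERNET_BUILDING, exploit_public=True),
    Vulnerability("historian-db", Facing.INTRANET, Reach.REMOTE_GATEWAY_CLIENTS),
]

if __name__ == "__main__":
    for asset, sev, days, controls in prioritize(SAMPLE_VULNS, heightened_posture=True):
        print(f"{asset:13} {sev:13} within {days:2d} days; interim: {', '.join(controls)}")
```

Under the heightened posture the Internet-facing gateway with a public exploit drops to a three-day deadline while the locally exploitable HMI keeps a long one, which is the risk-based ordering the slide argues for instead of a flat patch cycle.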