Industrial Security Trends & Opportunities

Russ Dietz, Chief Security Officer – GE Digital
September 30th, 2015

#IndustrialInternet

powered by


Industrial environments have broad & different automation priorities: exploration, extraction, processing, production.

Even with massive growth in connected OT, only 2 to 8% of power generation data is used today.

Energy processing & production automation will drive higher use of data across the Industrial Internet.

Threats are continuing to grow: over 800% increase in ICS-CERT vulnerability reports since 2010.

Increasing needs*

70% of critical infrastructure companies suffered an attack last year

NO new cyber security insurance policies issued by Lloyd’s of London for the energy sector

78% of senior security officials expect a successful attack on their ICS/SCADA systems within 24 months

“ICS-CERT is currently coordinating with GE and the security researcher to identify mitigations.”

“GE Business X has released security advisories and free product updates”

“There is no method to update “GE Product” devices released prior to October 2014.”

*ARC Group - 2014

End-to-end operational cyber security solutions

Embedded Security
• Device Security Assessment – in-depth, comprehensive device evaluation
• Device Security Health Check – rapid, economical engagement

Field Security
• Site Security Assessment – in-depth, comprehensive site evaluation
• Site Security Health Check – rapid facility overview
• NERC CIP CVA (Cyber Vulnerability Assessment) – comprehensive assessment for U.S. electric utilities

Achilles Certifications
• Communication Certification – network assessment of a device against standard attacks
• Practices Certification – security policy and practices audit to international standards

OpShield & Threat Updates
• Equipment-specific protection profiles – GE and non-GE
• Automated isolation – new threats appear as traffic “outliers”
• Continuous OT protection – updates without operational impact
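The “traffic outlier” idea behind the automated-isolation bullet, as an added example that is not OpShield’s or GE’s code: a baseline of conversations is learned during a known-good window, each live flow is checked against that baseline and against an equipment-specific profile of the services a protected device is supposed to expose, and only the flows that warrant it become block rules applied at the source. The hosts, ports, profiles and flow records are constructed for the example.

```python
# Added example: allow-list baselining of OT conversations, with equipment-
# specific profiles deciding whether an outlier is merely logged or isolated
# at the source. Illustration only, not OpShield's logic; hosts, ports and
# flow records below are constructed for the example.

# (src, dst, dst_port, note). Port 502 is Modbus/TCP.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 502, "HMI polls PLC-A"),
    ("10.1.1.10", "10.1.2.6", 502, "HMI polls PLC-B"),
    ("10.1.1.20", "10.1.2.5", 502, "historian reads PLC-A"),
    ("10.1.1.10", "10.1.2.5", 502, "HMI polls PLC-A again"),
]

LIVE_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 502, "normal polling"),
    ("10.1.1.99", "10.1.2.5", 502, "never-seen host talks Modbus to PLC-A"),
    ("10.1.1.10", "10.1.2.5", 22, "HMI opens SSH to PLC-A"),
    ("10.1.1.20", "10.1.2.6", 502, "historian reads PLC-B for the first time"),
    ("10.1.1.10", "10.1.3.9", 443, "HMI to an unprotected printer"),
]

# Equipment-specific protection profile: the only services each protected
# device is supposed to expose (constructed for the example).
PROFILES = {
    "10.1.2.5": {"role": "PLC-A", "ports": {502}},
    "10.1.2.6": {"role": "PLC-B", "ports": {502}},
}


def learn_baseline(flows):
    """Conversations and talkers observed during a known-good window."""
    conversations = {(s, d, p) for s, d, p, _ in flows}
    talkers = {s for s, _, _, _ in flows}
    return conversations, talkers


def classify(baseline, profiles, flow):
    """Return (action, reason) for one flow against the learned baseline."""
    conversations, talkers = baseline
    src, dst, port, _ = flow
    if (src, dst, port) in conversations:
        return "allow", "in baseline"
    profile = profiles.get(dst)
    if profile is None:
        return "alert", "new conversation to unprotected host"
    if port not in profile["ports"]:
        return "isolate", f"{profile['role']} does not expose port {port}"
    if src not in talkers:
        return "isolate", f"unknown host talking to {profile['role']}"
    return "alert", f"known host, new conversation with {profile['role']}"


def triage(baseline, profiles, flows):
    """Classify every flow and collect the block rules to push to the
    enforcement point. Blocking (src -> dst:port) at the source leaves the
    protected device untouched and the baseline traffic flowing."""
    decisions = [(flow, *classify(baseline, profiles, flow)) for flow in flows]
    blocks = [(f[0], f[1], f[2]) for f, action, _ in decisions if action == "isolate"]
    return decisions, blocks


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    decisions, blocks = triage(base, PROFILES, LIVE_FLOWS)
    for flow, action, reason in decisions:
        print(f"{action:8} {flow[0]} -> {flow[1]}:{flow[2]}  ({reason})")
    print("block rules:", blocks)
```

The distinction between “alert” and “isolate” is the point: a known host opening a new Modbus conversation is worth a ticket, while an unknown host talking to a PLC, or any host reaching a service the PLC never exposes, is blocked immediately and only for that one (src, dst, port) tuple.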

Predix – Cyber Secure Digital Infrastructure

[Figure: Software Defined HA Turbine + Digital Twin → Digital Power Plant + Digital Twin → Cloud (Predix™ Plant Suite; APM + OO, i.e. Asset Performance Management + Operations Optimization; Connected Digital Infrastructure). Value labels: $230M per plant (new plant), $50M per plant (existing plant).]

Industrial Internet requires a secure platform – end-to-end

Security is a GOOD word…
• Shrink vulnerabilities & cost
• Isolating BAD stuff
• Application to infrastructure
• Coordinating security

“They all seem SO excited… why don’t we get started?”

In any Predix discussion… THIS is SECURITY

Protecting operations & information

SECURE & CERTIFY OPERATIONAL INFRASTRUCTURE
BRING OPERATIONAL AVAILABILITY & GOVERNANCE WITH “IT”
PROTECT OT/IT IN AN APP FACTORY DELIVERY MODEL
ESTABLISH USER-BASED WORLD FOR INDUSTRIAL CLOUDS

Drive the security discussion… surface this pain…

Predix – Embrace Security!

… app users to operational
… at every connection & layer
… automated secure apps
… end-to-end visibility

Shrink vulnerabilities & cost – application to infrastructure

[Figure: the layers in which vulnerabilities (and their cost) accumulate – individuals, data, identity, devices, software.]

Isolating BAD stuff

[Figure: isolation boundaries from the network edge inward – Edge Firewall, HA Proxy load balancer, DEA (Cloud Foundry Droplet Execution Agent) hosts behind a VM Cluster Firewall, VM Pool Firewall and per-VM Firewall, then an SDN Firewall, Dynamic Router and App Firewall in front of each Application. The chart plots potential impact against automation complexity: each inner boundary shrinks what a compromised app can reach, at the price of more automation to manage it.]

Control at every layer

• Network edge – hardware firewalls
• IaaS – security groups
• CF BOSH – default security rules
• Elastic Runtime – default security rules
• CF Application Security Groups
• My application
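An added example (not Predix or Cloud Foundry code) of how the innermost of those layers, Cloud Foundry Application Security Groups, behaves: egress from an app is denied unless some bound rule allows it, rules from the platform-default and space-level ASGs are additive, and a small lint catches rules too broad to give any isolation. The rule sets, addresses and layer names are constructed for the example; the rule fields follow the documented ASG JSON format (protocol, destination, ports, optional log and description).

```python
# Added example: an evaluator for Cloud Foundry-style Application Security
# Group (ASG) egress rules, stacked the way the slide stacks its layers.
# Illustration only, not Predix or Cloud Foundry code; the rule sets,
# addresses and layer names below are constructed for the example.
import ipaddress
import json

# ASG rule format (as documented for Cloud Foundry): "protocol" is tcp, udp,
# icmp or all; "destination" is a single IP, a CIDR block or a "lo-hi" range;
# "ports" is a comma list and/or "lo-hi" range and applies to tcp/udp only.
PLATFORM_DEFAULT_ASG = json.loads("""[
  {"protocol": "tcp", "destination": "10.0.0.2", "ports": "53",
   "description": "platform resolver"},
  {"protocol": "udp", "destination": "10.0.0.2", "ports": "53",
   "description": "platform resolver"}
]""")

SPACE_ASG = json.loads("""[
  {"protocol": "tcp", "destination": "10.10.5.20", "ports": "5432",
   "log": true, "description": "tenant postgres"},
  {"protocol": "tcp", "destination": "192.168.100.0-192.168.100.31",
   "ports": "443", "description": "historian API"}
]""")

# Outer layers first; a flow not matched by any layer is denied.
LAYERS = [("platform default", PLATFORM_DEFAULT_ASG), ("space", SPACE_ASG)]


def _dest_matches(destination, ip):
    addr = ipaddress.ip_address(ip)
    if "-" in destination:  # explicit "lo-hi" range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in destination.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(destination, strict=False)


def _port_matches(ports, port):
    for part in ports.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif part and int(part) == port:
            return True
    return False


def rule_allows(rule, protocol, dst_ip, dst_port):
    """True if one ASG rule permits this (protocol, destination, port)."""
    if rule["protocol"] not in ("all", protocol):
        return False
    if not _dest_matches(rule["destination"], dst_ip):
        return False
    if rule["protocol"] in ("tcp", "udp"):
        return _port_matches(rule.get("ports", ""), dst_port)
    return True  # icmp and "all" rules carry no port list


def egress_decision(layers, protocol, dst_ip, dst_port):
    """ASGs are additive allow lists: the first matching rule in any layer
    permits the flow; with no match the platform default is deny."""
    for layer_name, rules in layers:
        for rule in rules:
            if rule_allows(rule, protocol, dst_ip, dst_port):
                label = rule.get("description", rule["destination"])
                return True, f"{layer_name}: {label}"
    return False, "default deny"


def lint_rules(rules):
    """Findings a reviewer would raise before binding an ASG: protocol 'all'
    or a destination wider than a /16 defeats the isolation the layer is for."""
    findings = []
    for rule in rules:
        dest = rule["destination"]
        if rule["protocol"] == "all":
            findings.append(f"{dest}: protocol 'all'")
        if "/" in dest and ipaddress.ip_network(dest, strict=False).prefixlen < 16:
            findings.append(f"{dest}: destination wider than /16")
    return findings


if __name__ == "__main__":
    for flow in [("tcp", "10.10.5.20", 5432), ("tcp", "10.10.5.20", 22),
                 ("tcp", "192.168.100.7", 443), ("udp", "10.0.0.2", 53)]:
        print(flow, egress_decision(LAYERS, *flow))
    print(lint_rules([{"protocol": "all", "destination": "0.0.0.0/0"}]))
```

The lint is the check worth keeping: a single `0.0.0.0/0` rule bound at the space level silently turns the whole stack of layers above it into decoration for that space’s apps.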

Tiers of user identity for Predix – overlapping tiers of identities, layers of control & isolation

• Application Tier
• Platform Services Tier
• OS Management Tier
• Virtualization Management Tier
• Enterprise Identity Management Tier

Hardening identity – Cloud Foundry Elastic Runtime

[Figure: a per-tenant UAA (UAA Tenant A, backed by the UAA DB) fronted by three separate identity providers, each with its own user store – Admin Identity Provider (Administrative User Store, AD/LDAP), Platform Identity Provider (Platform User Store, AD/LDAP) and Developer Identity Provider (Developer User Store, AD/LDAP), connected over SAML (HTTPS) / LDAPS. The UAA acts as SAML SP and OAuth authorization server; App-1 … App-N are OAuth clients / OpenID Connect RPs.]
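An added example (not Predix or UAA code) of the relying-party side of that diagram: what App-1 must check on an ID token from its tenant’s UAA before trusting the subject. It assumes HS256 with a per-tenant shared secret in place of the UAA’s RS256 signing key so that it runs on the standard library alone; the issuer URLs, client ids, claims and clock value are constructed for the example. The same checks reject a token minted by another tenant’s UAA, a token issued to a different client, an expired token, a modified payload and an alg=none header.

```python
# Added example: the checks an OpenID Connect relying party (App-1 ... App-N in
# the diagram) runs on an ID token before trusting it. Illustration only, not
# Predix or UAA code. Assumptions: HS256 with a per-tenant shared secret stands
# in for the UAA's RS256 signing key; issuer URLs, client ids, claims and the
# clock value are constructed for the example.
import base64
import hashlib
import hmac
import json

ISSUER_A = "https://uaa-tenant-a.example.com/oauth/token"   # tenant A's UAA (assumed)
ISSUER_B = "https://uaa-tenant-b.example.com/oauth/token"   # tenant B's UAA (assumed)
KEY_A = b"tenant-a-signing-secret"                           # stand-in signing keys
KEY_B = b"tenant-b-signing-secret"
SAMPLE_NOW = 1_700_000_000                                   # fixed clock for the demo


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(key: bytes, claims: dict) -> str:
    """What the tenant UAA (the issuer) produces: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token, key, expected_iss, client_id, now):
    """RP-side validation. Returns (True, claims) or (False, reason). Order
    matters: pin the algorithm, verify the signature, then check the issuer
    (which tenant UAA), the audience (this client) and the expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":            # never honour alg=none or a swap
        return False, "alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "signature"
    if claims.get("iss") != expected_iss:
        return False, "issuer"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        return False, "audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, claims


def demo():
    """Run the checks against one good token and the usual bad ones."""
    claims = {"iss": ISSUER_A, "sub": "operator-42", "aud": "app-1",
              "exp": SAMPLE_NOW + 600, "scope": ["openid", "plant.read"]}
    good = mint_id_token(KEY_A, claims)
    header_b64, payload_b64, sig_b64 = good.split(".")
    forged_payload = _b64url(json.dumps({**claims, "sub": "admin"}).encode())
    none_header = _b64url(json.dumps({"alg": "none"}).encode())

    def check(tok):
        return verify_id_token(tok, KEY_A, ISSUER_A, "app-1", SAMPLE_NOW)

    return {
        "valid": check(good),
        "wrong_audience": check(mint_id_token(KEY_A, {**claims, "aud": "app-N"})),
        "expired": check(mint_id_token(KEY_A, {**claims, "exp": SAMPLE_NOW - 1})),
        "tampered": check(f"{header_b64}.{forged_payload}.{sig_b64}"),
        "alg_none": check(f"{none_header}.{payload_b64}."),
        "other_tenant": check(mint_id_token(KEY_B, {**claims, "iss": ISSUER_B})),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The per-tenant issuer and key are what make the “UAA Tenant A” box in the diagram an isolation boundary: a token from tenant B’s UAA fails at the signature step before its claims are even read, and an app that accepted any issuer would collapse the tiers back into one.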

Coordination – Unified Information Security

Main design characteristics:
• One framework – multiple certifications
• Full ISO 27001/2 certification
• End-to-end infrastructure visibility
• Extend compliance for GE & customers
• Unified monitoring framework
• Central controls – separate monitors
• ISMS (Information Security Management System)

Predix – Cyber Security Innovations

• Integrated identity vetting & proofing
• Automated development security
• Universal governance & compliance
• Isolation of rogue actors & actions
• Individual app/user visibility

Predix Cyber & Operational Security

SECURE & CERTIFY OPERATIONAL INFRASTRUCTURE … app users to operational
• ISO 27K, NIST 800-53 & FIPS 140-2 L1/2 controls matrix & compliance
• Unified monitoring framework
• Extend compliance for GE & customers
• Over 60 geo/industry-specific regulations

BRING OPERATIONAL AVAILABILITY & GOVERNANCE WITH “IT” … at every connection & layer
• Common & layered identity for user, device, software & data
• Automated isolation & monitoring of incidents
• Unified & clean run-time environments
• Visibility into mixed information assets

PROTECT OT/IT IN AN APP FACTORY DELIVERY MODEL … automated secure apps
• SAST, DAST, artifact integration & automation
• Code vaulting & vetted delivery to the platform
• Routine red team platform assessments
• DevOpsSec evaluations for platform base code

ESTABLISH USER-BASED WORLD FOR INDUSTRIAL APPS … end-to-end visibility
• End-to-end infrastructure visibility
• Full Security Operations Center & tooling
• App-to-app behavioral evaluation
• Maintain chain of custody for the data communities

Wrap it up!

SECURITY is the WORD – embrace it!

• Prepare your operational teams and systems for connectivity
• Reducing platform vulnerabilities – common control
• Application security design – HARD requirement
• Converged platform – unified compliance

Any questions?


Thank you General Electric reserves the right to make changes in specifications and features, or discontinue the product or service described at any time, without notice or obligation. These materials do not constitute a representation, warranty or documentation regarding the product or service featured. Illustrations are provided for informational purposes, and your configuration may differ.

This information does not constitute legal, financial, coding, or regulatory advice in connection with your use of the product or service. Please consult your professional advisors for any such advice. GE, Predix, the Predix Halo and the GE Monogram are trademarks of General Electric Company. ©2015 General Electric Company – All rights reserved.
