Cyber Security - a New Challenge for Production (Management)
Heiko Wolf, Manager R&D Program PSImetals FutureLab


The Challenge
- The complexity of IT systems is rising: the moon landing was flown with about 7,500 lines of code; today a Boeing 787 runs 6.5 million, a Mercedes S-Class 20 million and a Chevrolet Volt 100 million.
- Systems are becoming more interconnected: Internet of Things, Industry 4.0, M2M, V2X, etc., plus virtual infrastructures (cloud, etc.).
- Dependency on IT is growing: smart grid, smart home, smart city, smart phone, e-commerce, digital production, etc.
2 2017 PSI - Software Excellence in Metals

Cybercrime: Ransomware (Source: Symantec Internet Security Threat Report 2016)

Motivation for Attacks Is Changing: from crackers and script kiddies, to cybercrime, to state-sponsored attacks.

Yes, It Happens

There's No Alternative to Digital Transformation. Already today the steel industry is highly automated; complex, quality-focused production would be impossible without integrated IT systems.

Industry 4.0: Turbo-Charging Digital Transformation

Getting Rid of the Pyramid: from traditional integration layers (Level 1 process control, Level 2, Level 3, Level 4 ERP/CRM, each talking only to the layer above and below) to business-driven connectivity, where sensors/IoT, HMIs, process control and ERP/CRM all attach to a service bus that supports unicast and broadcast, synchronous and asynchronous messaging.

How Do These Attacks Work? The IT side (office/enterprise network) and the OT side (industrial control systems) are separated by firewalls, and the attacker works through them step by step:
1. Initial compromise of office users on the IT network by a phishing mail or a drive-by download from the Internet.
2. Lateral movement inside the IT network until administrator accounts are reached; remote control and data exfiltration back out over the Internet.
3. With administrative credentials, access to the process control network through the IT/OT firewall.
4. Reaching the SCADA systems and the distributed control system (PLCs, etc.), and finally disrupting operations.
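Step 3 of this chain is the one a plant can actually see on its own firewall: an office host opening a connection into the process control network. The following is an added example (not PSI code) of a detection pass over firewall logs that flags exactly that, plus OT hosts talking to the Internet. The log format, the address ranges, the jump host and the sample lines are all constructed assumptions; in a real plant they come from the firewall's export and the network documentation.

```python
"""Flagging IT-to-OT lateral movement in firewall logs.

Added example for the attack chain on this slide; it is not PSI code.
The log format, the address ranges and the jump host are constructed
assumptions: a real deployment takes them from the firewall's export
and the plant's network documentation.
"""
import ipaddress
from dataclasses import dataclass

# Assumed network layout (constructed).
IT_NET = ipaddress.ip_network("10.10.0.0/16")        # office / enterprise network
OT_NET = ipaddress.ip_network("10.20.0.0/16")        # process control network
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}    # only sanctioned IT -> OT path
ALLOWED_JUMP_PORTS = {22, 3389}                       # what the jump host may open into OT


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    src: str
    dst: str
    port: int


def parse_line(line):
    """Constructed format: '<timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>'."""
    ts, src, dst, port, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action


def is_internal(ip):
    return ip in IT_NET or ip in OT_NET


def analyse(log_lines):
    """Return one Finding per allowed flow that violates the IT/OT segmentation policy."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        if not line.strip():
            continue
        _, src, dst, port, action = parse_line(line)
        if action != "ALLOW":
            continue  # blocked traffic is not a segmentation failure (it may deserve its own alert)
        if src in IT_NET and dst in OT_NET:
            # Step 3 of the attack chain: an office host reaching the process control network.
            if src not in JUMP_HOSTS:
                findings.append(Finding(n, "it_to_ot_not_via_jump_host", str(src), str(dst), port))
            elif port not in ALLOWED_JUMP_PORTS:
                findings.append(Finding(n, "jump_host_unexpected_port", str(src), str(dst), port))
        elif src in OT_NET and not is_internal(dst):
            # Remote control / exfiltration: an OT host talking to something outside the plant.
            findings.append(Finding(n, "ot_to_external", str(src), str(dst), port))
    return findings


# Constructed sample log (six flows); 502/tcp is the Modbus port.
SAMPLE_LOG = """\
2017-05-03T08:01:10Z 10.10.5.10 10.20.1.7 3389 ALLOW
2017-05-03T08:02:44Z 10.10.7.23 10.20.1.7 502 ALLOW
2017-05-03T08:03:01Z 10.10.7.23 10.20.1.8 445 DENY
2017-05-03T08:04:30Z 10.20.1.7 198.51.100.20 443 ALLOW
2017-05-03T08:05:00Z 10.10.5.10 10.20.1.9 502 ALLOW
2017-05-03T08:06:00Z 10.10.3.4 10.10.9.9 445 ALLOW
"""


def sample_findings():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in sample_findings():
        print(f"line {f.line_no}: {f.rule} {f.src} -> {f.dst}:{f.port}")
```

On the constructed sample the pass reports three flows: the office workstation reaching a PLC on the Modbus port directly, the PLC talking to an external address, and the jump host using a port it is not meant to use. The DENY line is deliberately ignored here: a blocked attempt is a different signal (reconnaissance) and belongs in its own rule rather than mixed with segmentation breaches.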

Social Engineering: the effort to attack a system versus the effort to reach the goal another way. If technical attacks are hard, attackers turn to social engineering. (Sources: XKCD, https://xkcd.com/538/; Microsoft Security Intelligence Report 2011)

Security Has Costs: setup effort, reduced comfort, reduced performance, money. The level of security achieved for a given effort follows the Pareto principle: most of the protection comes from the first part of the effort, and each further step costs disproportionately more.

Good-Enough Security: Economics
- A perfect security system is not necessary; it is also not feasible, possible or affordable.
- Too strong a focus on one area risks neglecting others: the weakest link decides.
- "There are no secure systems, only degrees of insecurity" (Adi Shamir).
- It is all about risk: the first thing to do is a risk analysis.
- An absolutely secure system that is no longer usable has the same business value as a system without any security.
- Balance security, comfort, functionality and performance: find the balance that is right for you!

IT Security: Definition of Risk. According to ISO/IEC Guide 73:2002, risk is the "combination of the probability [...] of an event [...] and its consequence". The slide decomposes this as Risk = Threat × Vulnerability × Impact, where threat and vulnerability together determine the probability of occurrence and impact is the consequence.

Difference Between IACS and Office IT

Priority   Industrial automation & control systems   General-purpose IT systems
1          Availability                              Confidentiality
2          Integrity                                 Integrity
3          Confidentiality                           Availability

PSImetals: Integrated Modules & Integrative Solution

PSImetals: Comprehensive Support of End-To-End Processes
- Commercial Processes: Sales Order Entry, Pricing, Purchasing, Plant Maintenance, Costing, Billing
- Order Dressing: Product Configuration, Sales Order Dressing, Production Order Elaboration
- Demand & Sales Planning: Demand Management, Sales & Operations Planning, Due Date Quoting
- Production Planning & Scheduling: Delivery Order Scheduling & Material Allocation, Flow & Order Planning, Capacity & Campaign Management, Transport Management (outbound), Caster & Melt Shop Scheduling, Hot Mill Scheduling, Cold Mill & Finishing Scheduling, Net Demand Calculation, Plate & Coil Combination, Shipping Planning
- Production Execution & Material Logistics: Production Order Life Cycle, Material & Stock Management, Schedule Execution Management, Production Tracking, Quality Control & Exception Management, Warehouse & Transport Management, Shipping Execution

Customer Risks from a Production Management System (PMS)
- Confidentiality: product configuration / steel grades, process know-how, algorithms and optimisations.
- Availability: disruption of production because the PMS is unavailable or only partly available.
- Integrity: disruption of production due to corrupt data, production of sub-standard quality metals, inaccurate reporting.

Security by Design with PSImetals
- Organisation: an information security management system, ISO 27k certified.
- Encryption: use the latest standards to secure sensitive data.
- Authentication: use safe, up-to-date standard protocols.
- Create awareness.
- Safe data transmission.
- Updates and recovery.

Security by Design: Key Areas We Are Working On
1. Processes within PSI Metals
2. IT technology and the software development process
3. Project implementation methodology

Key Area 1: Processes within PSI Metals

Information Security Management Terms
- A threat exploits a vulnerability and may corrupt an asset; together they pose a risk.
- A risk leads to damage.
- A safety measure addresses the vulnerability, so the threat can be countered by it.
Management activities attached to these terms: create awareness (threats), improve processes and take measures (vulnerabilities), manage and respond to incidents, assess risk, classify and evaluate assets and damage.

Key Area 2: IT Technology and the Software Development Process

Secure Software Development Lifecycle (Source: Microsoft SDL)
- Training: core security training.
- Requirements: establish security requirements; create quality gates / bug bars; security & privacy risk assessment.
- Design: establish design requirements; analyse the attack surface; threat modeling.
- Implementation: use approved tools; deprecate unsafe functions; static analysis.
- Verification: dynamic analysis; fuzz testing; attack surface review.
- Release: incident response plan; final security review; release archive.
- Response: execute the incident response plan.

Data Flow Diagram: Steel Grade Maintenance
Components:
- Rich client (Java, PSImetals GUI): login screen; order dressing / edit grade data.
- Application server (Java): PSIauth authentication/authorization service; PSIintegration communication adapter; business logic.
- Database server (Oracle): PSIauth database schema; PSImetals Factory Model schema; business logic in PL/SQL; Oracle Access Management in front of every connection.
- Third-party systems, e.g. Level 2, reached over TCP/IP / web services.
Flows:
- The client sends the user's credentials (client user/password) over a web service to PSIauth; PSIauth opens a DB connection (JDBC, DB server user/password) to its own schema and returns the user's permissions.
- The client's DB session for grade data is established with the DB client user/password (JDBC); transactions on grade data go to the Factory Model schema.
- The communication adapter opens its own DB connection (JDBC, DB server user/password), reads the grade data and sends it on to the third-party systems.

STRIDE Model
- Spoofing. Targets: person, account, application. Example attack: impersonation, account takeover, man-in-the-middle. Countermeasures: authentication with passwords, LDAP/AD, Oracle Wallet; encrypted communications.
- Tampering. Targets: client application, database, configuration. Example attack: use of a modified client; manipulation of data in the database (e.g. grade data). Countermeasures: access control, digital signatures, integrity checks (hashing, etc.).
- Repudiation. Targets: application, logs/history. Example attack: query or manipulate data, manipulate logs. Countermeasures: authentication; logging of access and actions; undo logs; timestamps; validation of data.
- Information disclosure. Targets: network, application, database, files. Example attack: eavesdropping on data (e.g. passwords); access to sensitive data. Countermeasures: encryption including key management; access control on client, server and database.
- Denial of service. Targets: database, application, service. Example attack: overload with complex queries; manipulate configuration. Countermeasures: check input data and query parameters; integrity checks; quotas.
- Elevation of privilege. Targets: database, application, network. Example attack: SQL injection; manipulated authentication information. Countermeasures: input validation; secure coding style (parameterized queries); integrity validation of authentication data.
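Two rows of the table are concrete enough to work through in code: elevation of privilege by SQL injection (vulnerable lookup beside its parameterized form) and tampering with grade data in the database, detected by a keyed integrity check. This is an added example, not PSImetals code; the schema, the grade values, the user table and the key are constructed, and sqlite3 stands in for the Oracle database on the slides.

```python
"""Two STRIDE rows from the table above, worked in runnable code.

Added example, not PSImetals code. The schema, the grade data, the user
table and the integrity key are constructed for this demonstration;
sqlite3 stands in for the Oracle database on the slides.
"""
import hashlib
import hmac
import sqlite3

# Assumption: the key lives with the server-side business logic, never with a client
# and never with the database role the application uses for ordinary queries.
INTEGRITY_KEY = b"constructed-demo-key-replace-in-practice"


def grade_tag(name, carbon_pct, mn_pct):
    """Keyed hash over the fields that must not change without the application noticing."""
    msg = f"{name}|{carbon_pct:.4f}|{mn_pct:.4f}".encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).digest()


def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE grade (name TEXT PRIMARY KEY, carbon_pct REAL, mn_pct REAL, tag BLOB)")
    for name, c, mn in [("S235JR", 0.17, 1.40), ("S355J2", 0.20, 1.60)]:   # constructed values
        con.execute("INSERT INTO grade VALUES (?, ?, ?, ?)", (name, c, mn, grade_tag(name, c, mn)))
    con.execute("CREATE TABLE app_user (login TEXT PRIMARY KEY, role TEXT)")
    con.executemany("INSERT INTO app_user VALUES (?, ?)",
                    [("operator", "viewer"), ("admin", "grade_editor")])
    con.commit()
    return con


# --- Elevation of privilege: SQL injection ---------------------------------

def role_vulnerable(con, login):
    """The login string is pasted into the SQL text, so attacker input becomes SQL."""
    row = con.execute(f"SELECT role FROM app_user WHERE login = '{login}'").fetchone()
    return row[0] if row else None


def role_parameterized(con, login):
    """Bound parameter: the value travels separately from the statement and can never become SQL."""
    row = con.execute("SELECT role FROM app_user WHERE login = ?", (login,)).fetchone()
    return row[0] if row else None


# --- Tampering: manipulation of grade data in the database -----------------

def tamper_grade(con, name, carbon_pct):
    """Simulates a direct database write that bypasses the application (e.g. with a leaked DB login)."""
    con.execute("UPDATE grade SET carbon_pct = ? WHERE name = ?", (carbon_pct, name))
    con.commit()


def verify_grades(con):
    """Names of grades whose stored values no longer match their integrity tag."""
    bad = []
    for name, c, mn, tag in con.execute("SELECT name, carbon_pct, mn_pct, tag FROM grade"):
        if not hmac.compare_digest(tag, grade_tag(name, c, mn)):
            bad.append(name)
    return bad


if __name__ == "__main__":
    con = setup_db()
    payload = "x' OR role = 'grade_editor' --"
    print("vulnerable   :", role_vulnerable(con, payload))      # grade_editor
    print("parameterized:", role_parameterized(con, payload))   # None
    tamper_grade(con, "S355J2", 0.05)
    print("tampered     :", verify_grades(con))                 # ['S355J2']
```

The injected payload turns the vulnerable query into `... WHERE login = 'x' OR role = 'grade_editor' --'`, which returns the editor role without any credentials; the parameterized form returns nothing for the same input. The integrity tag catches the tamper case because whoever edited the row directly did not hold the key; that only holds if the key really is kept out of the database and out of the client, which is the point of the "key management" entry in the information-disclosure row.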

Key Area 3: Project Implementation Methodology

Product-based Project Methodology (the second version of this slide adds the security steps, given in parentheses)
Pre-project:
- Come-together meetings: get to know each other (involve the customer's security experts); agree project methodology and next steps.
- Prime analysis: checklists; project schedule <-> release plan.
- Proposal: scope of supply, commercial figures, timeline, terms & conditions (offer different security options and their trade-offs).
Project:
- Early trainings on the PSImetals standard system (install the latest security fixes).
- Workshops: use cases, fit-gap analysis (security fit-gap analysis and mapping to the customer's security guidelines).
- Specification: detailed analysis, basic configuration (set up security measures).
Maintenance:
- Upgrades to the next PSImetals release.
Benefits: faster ROI, robust system, highly configurable, reduced risks, shorter project duration, reduced TCO.

Takeaways
- The importance of IT infrastructure is increasing, but so are system complexity and security threats!
- A PMS is part of critical infrastructure, but the technologies and security measures to ensure secure operation are already available!
- Assess your risks and choose the right level of security (and of availability, comfort and functionality)!
- Security should not be an afterthought but an essential part of project methodology and corporate awareness!

Suddenly everything's that simple.