Cyber Security - a New Challenge for Production (Management)
Heiko Wolf, Manager R&D Program PSImetals FutureLab
The Challenge
- Complexity of IT systems is rising
  - Landing on the moon with 7,500 lines of code
  - Today: Boeing 787: 6.5 million, Mercedes S: 20 million, Chevrolet Volt: 100 million
- Systems are becoming more interconnected
  - Internet-of-Things, Industry 4.0, M2M, V2X, etc.
  - Virtual infrastructures (Cloud, etc.)
- Dependency on IT is growing
  - Smart Grid, Smart Home, Smart City, Smart Phone
  - ecommerce, Digital Production, etc.
2017 PSI - Software Excellence in Metals
Cybercrime
- Ransomware
Source: Symantec Internet Security Threat Report 2016
Motivation for Attacks Is Changing
- Cracker / Script Kiddies
- Cybercrime
- State-sponsored Attacks
Yes, It Happens
There's No Alternative to Digital Transformation
- Already today, the steel industry is automated to a degree.
- A complex and quality-focused production would be impossible without integrated IT systems.
Industry 4.0 Turbo-Charging Digital Transformation
Getting Rid of the Pyramid
From traditional integration layers to business driven connectivity
[Diagram labels: Level 1, Level 2, Level 3, Level 4; Service Bus (unicast, broadcast, synchronous, asynchronous); Sensors / IoT, HMI, Process Control, ERP / CRM]
How Do These Attacks Work?
- Initial attack by phishing mail or drive-by download
- Lateral movement
- Accessing the Process Control Network
- Disrupting operations
- Remote control, data exfiltration
[Diagram labels: Attacker, Internet, Firewall, IT (Office/Enterprise Network) with Office Users and Administrators, Firewall, OT (Industrial Control Systems) with SCADA Systems and Distributed Control System (PLCs, etc.)]
Social Engineering
- Effort to attack a system vs. reaching a goal
- If technical attacks are hard: social engineering
Source: XKCD - https://xkcd.com/538/
Source: Microsoft Security Intelligence Report 2011
Security Has Costs
- Setup effort
- Reduced comfort
- Reduced performance
- Money
[Chart: Level of security against Effort; Pareto principle]
Good enough Security Economics
- A perfect security system is not necessary!
  - Also not feasible/possible/affordable
  - Too strong a focus on one area risks neglecting others (weakest link)
- "There are no secure systems, only degrees of insecurity" (Adi Shamir)
- It's all about risk: the first thing should be a risk analysis
- An absolutely secure system that's not usable any more has the same business value as a system without any security
- Security, Comfort, Functionality, Performance: find the balance that's right for you!
IT Security: Definition of Risk
According to ISO 73:2002:
Risk: combination of the probability [...] of an event [...] and its consequence
[Diagram: "Risk =" with the labels Threat, Vulnerability, Probability of occurrence, Impact]
Difference Between IACS / Office IT
Priority, highest first:
- Industrial automation & control system: Availability, Integrity, Confidentiality
- General purpose information technology (IT) systems: Confidentiality, Integrity, Availability
PSImetals Integrated Modules & Integrative Solution
PSImetals Comprehensive Support of End-To-End Processes
Commercial Processes Sales Order Entry Pricing Purchasing Plant Maintenance Costing Billing Order Dressing Demand & Sales Planning Product Configuration Sales Order Dressing Production Order Elaboration Demand Management Sales & Operations Planning Due Date Quoting Scheduling Production Planning Delivery Order Scheduling & Material Allocation Flow & Order Planning Capacity & Campaign Management Transport Management (outbound) Caster & Melt Shop Scheduling Hot Mill Scheduling Cold Mill & Finishing Scheduling Net Demand Calculation Plate & Coil Combination Shipping Planning Production Execution & Material Logistic Production Order Life Cycle Material & Stock Management Schedule Execution Management Production Tracking Quality Control & Exception Management Warehouse & Transport Management Shipping Execution
Customer Risks from a Production Management System
- Confidentiality
  - Product configuration / steel grades
  - Process know-how
  - Algorithms / optimizations
- Availability
  - Disruption of production due to no or limited availability of PMS
- Integrity
  - Disruption of production due to corrupt data
  - Production of sub-standard quality metals
  - Inaccurate reporting
Security by Design with PSImetals
- Organization: Information Security Management System, ISO27k certified
- Encryption: Use latest standard to secure sensitive data
- Authentication: Use safe & up-to-date standard protocols
- xxxx
- Create Awareness
- Safe Data Transmission
- Updates & Recovery
Security by Design: Key Areas We Are Working On
Processes within PSI Metals IT Technology and SW Development Process Project Implementation Methodology
Information Security Management
- Create awareness
- Improve processes and take measures
- Manage and respond to incidents
- Assess
- Classify and evaluate
[Diagram "Terms": Threat, Vulnerability, Asset, Risk, Safety Measure, Damage; relation labels: poses, exploits, leads to, addresses, may corrupt, can be countered by, causes]
Secure Software Development Lifecycle
- Training: Core Security Training
- Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment
- Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
- Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
- Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
- Release: Incident Response Plan; Final Security Review; Release Archive
- Response: Execute Incident Response Plan
Source: Microsoft SDL
Data Flow Diagram: Steel Grade Maintenance
[Diagram labels]
- Nodes: Rich Client (Java); Application Server (Java); Database Server (Oracle); Third Party Systems (e.g. Level 2)
- Elements: PSImetals GUI; Login Screen; Order Dressing / Edit Grade Data; PSIauth Authentication/Authorization Service; PSIauth Database Scheme; PSIintegration Communication Adapter; Oracle Access Management; Business Logic PL/SQL; PSImetals Factory Model Scheme
- Flows: Client User/Password; DB Client User/Password; DB Server-User/Password; Permissions; Establish DB-Connection (JDBC); DB-Session; Web Service; Transactions; Grade Data; Send Grade Data (TCP/IP, Web Services)
STRIDE Model

Spoofing
  Attack target: Person, Account, Application
  Example of an attack: Impersonation, account take over, man-in-the-middle attack
  Examples of countermeasures: Authentication with passwords, LDAP/AD, Oracle Wallet, encrypted communications

Tampering
  Attack target: Client application, database, configuration
  Example of an attack: Usage of modified client, manipulation of data in database (e.g. grade data)
  Examples of countermeasures: Access control, digital signatures, integrity check (hashing, etc.), etc.

Repudiation
  Attack target: Application, Logs/History
  Example of an attack: Query/manipulate data, manipulate logs
  Examples of countermeasures: Authentication, log access and actions, undo logs, timestamps, validation of data

Information disclosure
  Attack target: Network, Application, Database, Files
  Example of an attack: Eavesdropping of data (e.g. passwords), access to sensitive data
  Examples of countermeasures: Encryption incl. key mgmt., access control (client/server/database)

Denial of service
  Attack target: Database, Application, Service
  Example of an attack: Overload with complex queries, manipulate configuration
  Examples of countermeasures: Check input data / query parameters, integrity checks, quotas

Elevation of privilege
  Attack target: Database, Application, Network
  Example of an attack: SQL-Injection, manipulated authentication information
  Examples of countermeasures: Input validation, programming style, integrity validation of authentication data
Product-based Project Methodology
Phases: Pre-Project, Project, Maintenance
- Come Together Meetings: Get to know each other; Project Methodology; Next Steps
- Early Trainings: On PSImetals Standard System
- Upgrades: On PSImetals Release
- Prime Analysis: Checklists; Project Schedule <-> Release Plan
- Proposal: Scope of Supply; Commercial Figures; Timeline; Terms & Conditions
- Workshops: Use Cases; Fit-Gap-Analysis
- Specification: Detailed Analysis
- Basic Configuration
Benefits: Faster ROI; Robust System; Highly Configurable; Reduced Risks; Shorter Project Duration; Reduced TCO
Product-based Project Methodology (with security activities)
Phases: Pre-Project, Project, Maintenance
- Come Together Meetings: Get to know each other; Project Methodology; Next Steps
- Early Trainings: On PSImetals Standard System
- Upgrades: On PSImetals Release
- Prime Analysis: Checklists; Project Schedule <-> Release Plan
- Proposal: Scope of Supply; Commercial Figures; Timeline; Terms & Conditions
- Workshops: Use Cases; Fit-Gap-Analysis
- Specification: Detailed Analysis
- Basic Configuration
Security activities added to the methodology:
- Involve customer security experts
- Install latest security fixes
- Offer different security options (tradeoffs)
- Security fit-gap-analysis and mapping to customer security guidelines
- Setup security measures
Benefits: Faster ROI; Robust System; Highly Configurable; Reduced Risks; Shorter Project Duration; Reduced TCO
Takeaways
- The importance of IT infrastructure is increasing, but so are system complexity and security threats!
- PMS is a part of critical infrastructure, but technologies and security measures are already available to ensure secure operation!
- Assess your risks and choose the right level of security (and availability, comfort, functionality ...)!
- Security should not be an afterthought but an essential part of project methodology and corporate awareness!
Suddenly everything's that simple.