Post on 28-Jun-2020
transcript
1
Internet2 IoT Systems Risk Management Task Force 2016-2017 Outcomes
2
Internet2 IoT Systems Risk Management Task Force 2016-2017 Outcomes
• Explore notion of a lifecycle of IoT Systems risk & operational management in Higher Ed institutions
• Develop 2 tools/practices as starting place:
  • HE practice of using Shodan and Censys tools to develop IoT Systems risk exposure for an HE institution
  • IoT Systems Vendor Management document/checklist to guide multiple departments/orgs within an HE institution on selection, procurement, management of IoT Systems
• Identify potential for future work
• Identify & share other resources
3
IoT Systems Vendor Management Guidance Document -- questions to guide purchaser/future owner of IoT Systems
Institutional leadership, policy, oversight, resourcing for known systems
pre-IoT Systems Implementation -- Risk Mitigation
post-IoT Systems Implementation -- Operational Risk Management
Developing an IoT Systems Risk Mitigation Life Cycle
Shodan/Censys/Other tools?
• Systems identification (there can be surprises)
• Risk mitigation
post-IoT Systems Implementation -- Cybersec Risk Management/Mitigation
4
Jan Cheetham, Research Cyberinfrastructure Liaison, Office of the CIO, University of Wisconsin-Madison
WiNEST Template for a model wireless city
IoT research initiatives
5
IoT Vulnerabilities: DDoS attacks
krebsonsecurity.com
9/20/16 620 Gbps
9/18/16 1.1 Tbps
10/21/16 1.2 Tbps
Un-named US University, Late 2016
DVRs, CCTV cameras, home routers
Mirai, BASHLITE, and evolving malware
Campus vending machines, light sensors, refrigerators
6
IoT Vulnerabilities: Industrial control systems
2008 Turkish oil pipeline
2014 German blast furnace
BBC News
Industrial Control & Critical Infrastructure in Higher Ed
We also care about these:
Research Systems
Building, Internal Space, Animal Facility, BSL3 Access
Building/Room environment control (HVAC)
Utility distribution
And others…
7
Task force benchmarking activity
WARNING: Consult your CISO office before using! Prior notice and authorization may be required.
Shodan:
• Proprietary
• Developed by former UCSD student
• Used by private sector and academia
Censys:
• Open source
• Developed at Univ of Michigan/Illinois
• Daily ZMap and ZGrab scans of IPv4 address space across important ports and protocols
Both do full text searching on protocol banners and other metadata on websites, servers, devices
8
9
10
What we found
Device categories searched: ICS/SCADA device servers; Building Automation; Sensors/Cameras
Search terms and potential risk:
• "camera" -- Weak, hard-coded passwords
• "scada," "ICS," "HVAC," "Tridium Fox," "BACnet," "Modbus" -- Components of building control systems exposed on Internet; protocols lacking authentication, encryption
• "AMQP," "RabbitMQ," "MQTT" -- Complex, layered systems with physical security issues; protocols lacking authentication
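As an added example (not code from the task force or the slides), the banner full-text search described on the benchmarking slides can be reproduced over your own data: the script below applies the slide's search terms to constructed banner records of the kind an authorized internal scan export would contain, which is one way to cover the internal VLANs and VRFs that Shodan and Censys do not reach. The record layout, the sample banners and the addresses are assumptions.

```python
import re
from collections import Counter

# Search terms from the task force's "What we found" slide, keyed by the
# potential-risk wording paired with them there (risk labels abbreviated).
RISK_TERMS = {
    "weak, hard-coded passwords": ["camera"],
    "building controls exposed; protocols lacking authn/encryption":
        ["scada", "ICS", "HVAC", "Tridium Fox", "BACnet", "Modbus"],
    "layered systems; messaging protocols lacking authentication":
        ["AMQP", "RabbitMQ", "MQTT"],
}
# Whole-word, case-insensitive patterns, mirroring a banner full-text search.
PATTERNS = [(re.compile(r"\b%s\b" % re.escape(t), re.I), t, risk)
            for risk, terms in RISK_TERMS.items() for t in terms]

def classify_banner(banner):
    """Return (matched search terms, set of risk labels) for one banner."""
    terms, risks = [], set()
    for pat, term, risk in PATTERNS:
        if pat.search(banner):
            terms.append(term)
            risks.add(risk)
    return terms, risks

def exposure_report(records):
    """records: dicts with 'ip', 'port', 'banner' from your own authorized scan
    export. Returns ({ip: [(port, terms, risks)]}, Counter of risk labels)."""
    hits, totals = {}, Counter()
    for rec in records:
        terms, risks = classify_banner(rec["banner"])
        if terms:
            hits.setdefault(rec["ip"], []).append((rec["port"], terms, sorted(risks)))
            totals.update(risks)
    return hits, totals

# Constructed sample export (RFC 5737 documentation addresses, invented banners).
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "port": 80, "banner": "Server: IP Camera Web UI"},
    {"ip": "192.0.2.20", "port": 1911, "banner": "Tridium Fox station, Niagara 3.8"},
    {"ip": "192.0.2.20", "port": 47808, "banner": "BACnet/IP device, vendor HVAC-Co"},
    {"ip": "192.0.2.30", "port": 1883, "banner": "MQTT broker, anonymous access allowed"},
    {"ip": "192.0.2.40", "port": 22, "banner": "SSH-2.0-OpenSSH_7.4"},
]
if __name__ == "__main__":
    hits, totals = exposure_report(SAMPLE_RECORDS)
    for ip, services in hits.items():
        for port, terms, risks in services:
            print(f"{ip}:{port} matched {terms} -> {risks}")
    print("risk totals:", dict(totals))
```

Hits on a real export are a starting list for the vendor checklist questions (default credentials changed, non-required ports closed, documented owner), not a verdict on the device.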
11
Maybe others
Other types of devices we didn't search for:
• Vending machines
• Refrigerators
• Healthcare monitors
Image sources: MegaLab, AlerSense, UAI Vending
12
Brief background
Chuck Benson
Facilities Services IT, UW; Drone policy working group, UW; Chair, Internet2 IoT Systems Risk Management Task Force; Former Chair, UW-IT Service Management Board, UW; Former Chair, Protection of Industrial Controls (PICS) Task Force
Articles June & July 2016 –
"Internet of Things, IoT Systems, and Higher Education" & "Raising Expectations for IoT Systems Vendors"
King's College London Book Chapter on Smart Cities – part of Systems Science/Systems Thinking Series
"IoT Systems – Systems Seams & Systems Socialization – Considerations for Managing IoT Systems Risk in Smart Cities and Institutions"
(and the obligatory twitter feed -- @cabenson361)
Chair, Internet2 IoT Systems Risk Management Task Force
13
IoT Systems Vendor Management Document
• Shodan, Censys, and non-published tools reveal cracks/attack points in our institutions
  • Creating potentially substantial additional risk
• We can lower that risk
  • By raising the bar & setting expectations of the IoT Systems vendor
  • RFI, RFP, contract negotiation, & relationship management phases with the vendor
14
Can we manage what we own?
15
And the IoT System is deployed in a system of human & technical systems…
[Diagram: Example data path for energy mgmt. system. Labels: meter 1, meter 2, meter 3, … meter n; meter data aggregator; raw data; processing; processed data 1, processed data 2; analytics & reporting; dashboards.]
Technical infrastructure: Existing IT/Info Mgmt Infrastructure (e.g., physical network & physical implementation points)
Organizational structure: Central IT; Distributed IT; Facilities Mgmt; Institution Leadership; Acad/Admin Dept 1 … Acad/Admin Dept n
People – with roles, expectations, patterns, routines, opinions
Vendor 1 … Vendor n
16
Increasing vendor/system count increases systems complexity & management overhead
Vendor management complexity grows rapidly with # IoT systems @cabenson361 #risk #i2summit17
17
IoT Systems Vendor Management Document
• Acknowledge that:
  • IoT Systems increasingly entering institution in non-traditional ways
    • e.g., not central IT – but end-users/PI's, facilities, capital planning, planning/budgeting
  • IoT Systems are deployed in non-traditional ways
    • These are not traditional enterprise systems
    • Often not with central IT
    • Often with vendor-heavy influence
  • Generally, limited vetting for IoT Systems
  • Many, most? of these systems will not be managed by central IT
• IoT Systems Vendor Management Doc
  • Designed to assist: selection, RFI, RFP, contract negotiation, systems management
  • Doc needs broad utility & consumability -- Needs to be readable or 'parseable' by organizations fulfilling multiple different roles – not just IT
18
IoT Systems Vendor Management Document
-- example items --
Legend: operational risks (eg resourcing & planning); cybersec (bad guy) risks; both
☐ Does vendor need 1 (or more) data feeds/data sharing from your organization?
  ☐ Are the data feeds well-defined?
  ☐ Do they exist already?
  ☐ If not, who will create & support them?
☐ How many endpoint devices will be installed?
  ☐ Is there a patch plan? Who manages this?
☐ Does this vendor's system have dependencies on other systems?
☐ Who pays for vendor systems requirements (eg hardware, supporting software, networking, etc)?
☐ Does local support (FTE) exist? Is it available? Will it remain available?
  ☐ If hosted in a data center, who pays for those costs?
  ☐ If cloud-hosted, eg AWS, who pays for those costs?
  ☐ Above questions answered for both implementation & long term support?
☐ What is total operational cost after installation?
  ☐ Licensing
  ☐ Support contracts
  ☐ Hosting requirements
  ☐ Business resilience requirements (eg redundancy, recovery, etc for OS, db, other)
☐ Is the IoT vendor system implementation documented?
  ☐ Architecture diagram?
  ☐ w/ IP addresses & physical location of devices?
  ☐ w/ required ports documented?
☐ Is there a commissioning plan? Or have installation expectations otherwise been stated?
  ☐ Default logins & passwords changed & recorded?
  ☐ Non-required default ports closed?
  ☐ Devices port scanned (or similar) after installation?
☐ For remote support, how does vendor safeguard login/account information?
  ☐ Is it in contract?
☐ Who, in your organization, will manage the IoT system vendor contract?
  ☐ Central IT? ☐ Facilities? ☐ Tenant/customer dept? ☐ Other? PD/security? CISO? CSO?
☐ Can IoT system vendor maintenance contract offset local IT support shortages?
  ☐ for 10's, 100's, 1000's of new endpoints?
☐ Is a risk sharing agreement in place for shared institutional information?
☐ How many IoT systems are you already managing?
  ☐ Are you anticipating more in next 18 months?
19
Many other resources (some longer to read than others)
• NIST Cybersecurity for IoT Program
  • https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program
  • http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
• FTC & IoT Privacy
  • https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
• Industrial Internet of Things Security Framework
  • http://www.iiconsortium.org/IISF.htm
• GSMA IoT Security Guidelines
  • http://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/
• OWASP IoT Security Guidance
  • https://www.owasp.org/index.php/IoT_Security_Guidance
• DHS Strategic Principles for Securing the Internet of Things
  • https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
• Others…
20
Possible future work in area
• IoT Systems Costing
  • Few, if any, institutions have a handle on this
• Network segment portfolio strategies
  • Segmentation is all the rage, but how are those segmentation portfolios managed?
• Internal ICS & IoT exposure
  • Shodan/Censys do public addresses
  • Internal VLAN's, VRF's, etc not covered
• Benchmark/standard for exposure in HE
21
Questions/Comments?