Cyber security readiness for manufacturing:
Protecting Your business from the Robot Zombie Hackmageddon
Cytellix, Cyber Security Division of IMRI | Aliso Viejo, CA
Copyright © 2017 IMRI. All rights reserved. Proprietary Information
Today’s Agenda
Introduction
Statistics are a wake-up call
Cybersecurity preparedness is real
Industry standards driving compliance
What should be done
Common questions
Q&A
Confidential & Proprietary © 2017 IMRI Translating business needs into technology solutions
Who am I?
Spencer Cobb: 20 years’ experience in cyber security, in various roles at multiple cutting-edge start-ups helping global organizations secure their networks and confidential information.
Cytellix is the commercial cyber security division of IMRI.
IMRI: delivering comprehensive IT and engineering solutions since 1992.
Successfully delivered over $150 Million in technology contracts. Secures over 1,500 networks with 7M endpoints. Army, DISA and the Missile Defense Agency are customers.
We are focused on helping small manufacturers meet new Federal Supply chain compliance guidelines around cyber security readiness.
Partnered with Manufacturing Extension Partnerships around the U.S.
Quick survey…
• Raise your hand if….(Keep them up please)
• You or someone you know has had their personal credit card or identity stolen.
• Your company or a company you know has been hacked.
• Your company or a company you know has been hit with ransomware.
• Your company or a company you know has paid a ransomware ransom…
You are likely running out of hands and your arms are getting tired.
Cyber attacks on the rise!
Attacks are becoming commonplace. Hacking is a fact of life.
Robotics and Automation
From this …. to this? Or… Zombie Robot Hackmageddon.
Cyber attacks on the rise!
60% of SMB cybercrime victims go out of business within 6 months of attack (NCSA)
50% of all surveyed in 2014 reported being victims of cyber attacks (National SBA)
70% of all targeted attacks struck small to mid-sized organizations in 2016 (SMB Group)
50% of small and midsized businesses have fallen victim to ransomware; 48% of those paid a ransom (2017 Ponemon Institute)
Small businesses getting attacked
79% of small businesses do not have an incident response plan. Without one, you may never be able to fully recover when a cybersecurity incident becomes a reality.
75% of spear-phishing attacks in 2015 targeted businesses with fewer than 250 employees.
53% of small businesses reported they do not allocate budget for risk mitigation services because they do not store valuable data, yet the majority of respondents reported they store email addresses (68%) and phone numbers (65%), along with other valuable personal information.
56% of SMBs are unprepared to identify and respond to a security event (EiQ Networks 2017)
75% of SMBs admitted a small-to-nonexistent IT security staff, with zero to two employees dedicated to that role (EiQ Networks 2017)
More Statistics… July 2017
2 out of 3 companies don’t fully measure whether their disaster recovery will work as planned.
4 out of 5 never measure the success of security training investments.
Thycotic survey, July 2017
Security Challenges
What do we know?
Constant system upgrades, moves and changes
Resources in IT and Cyber are limited in most organizations
Real-time analysis across the entire enterprise or cloud is required
Awareness of every computer, network, device (IoT) and route is required for true situational awareness
We need to understand attack paths, risks and data leaks
Increased requirements for Cyber Security Compliance and Policies
Who is attacking?
Nation states
Hacktivists
Organized Crime
Anonymous
PLA Unit 61398
Why are we being attacked?
Value at Risk
256 days: average time to detect malware (Beyond Trust)
$5,850,000: US average total cost of a data breach (Ponemon Institute)
Costing a data breach: brand value, intellectual property, customer relations, supplier relations, competitive information, information recovery, systems recovery, remediation, damage control, downtime, legal costs, forensics
Categories of attacks in SMB
Statistics of the Market
Top Cyber Attack Threats in Manufacturing
Average cost of a cyber attack on a Manufacturer
Why now? The statistics show the small and mid-size business market has not been able to track the constant system upgrades, moves and changes. 60% of these businesses will experience losses from cyber incidents significant enough to drive them out of business within six months. Limited budgets and cyber resources in IT have prevented business owners from protecting their infrastructure. Awareness of the devices (IoT) on networks is almost nonexistent. New requirements for Cyber Security Compliance and Policies have rolled out to many industries, and there are more to come.
Common TTPs
Common Tools, Tactics & Procedures in manufacturing attacks
Phishing, spear-phishing, SQLi and malvertising lead to account hijacking or malware infection, which is then used for data exfiltration or ransomware (encryption).
What is being stolen?
Real world anecdotes
Manufacturer in MI: Hit by ransomware 3 different times. Paid increasing amounts of ransom to decrypt files.
Industrial Materials Manufacturer in PA: Hit by ransomware twice. Paid $10,000.
Manufacturer in NJ: Put out an RFP for components and provided information about its products to bidders. Later found out it was being hacked. The FBI found that a Chinese company which had bid on the RFP had hacked the company, stolen its IP, and reproduced its product for sale on the Chinese black market.
Hackers stealing IP from DoD and its suppliers, and replicating our technology!
These successful attacks have led to stricter guidelines for protecting information in the DoD supply chain.
DFARS 252.204-7012: 4 Things you need to know
1) Contractors have until December 2017 to be in full compliance with the requirements outlined in the clause and NIST 800-171
2) Areas of non-compliance need to be reported to the DoD CIO’s office within 30 days after contract award
3) Contractors have 72 hours to report cyber incidents to the DoD CIO (and their suppliers)
4) The cyber DFARS clause needs to be flowed down to all suppliers/subcontractors storing, processing and/or generating Covered Defense Information as part of contract performance
DoD Supply Chain Protection: New Cyber Security Guidelines
• If your business currently supplies an OEM in the DoD supply chain, you will be required to address new cyber guidelines
• DFARS 252.204-7012 references NIST 800-171 for guidelines around Controlled Unclassified Information in Non-Federal Information Systems & Organizations
DoD contractors including small businesses must adhere to two basic cybersecurity requirements:
1. Must provide adequate security for information that resides in or transits through internal unclassified systems
2. Must rapidly report cyber incidents and cooperate with the DoD to respond to security incidents
https://www.archives.gov/cui/registry/category-list
Cybersecurity for Manufacturers
NIST 800-171 is our recommended guidance for all Manufacturers.
Adequate security is defined as a minimum in NIST 800-171 with the 14 control families (to protect controlled unclassified data):
• Access Control
• Awareness and Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System & Communications Protection
• System & Information Integrity
All DoD contractors must implement full compliance no later than December 31, 2017. Contractors must notify the DoD of any security gaps within 30 days of any contract award.
What is needed?
• Baseline assessment completed, i.e. CSET (DHS self-assessment, free tool)
• Documentation: gap analysis completed, with a Security Plan & Plan of Action & Milestones (POAM), the plan of action for remediation, and a priority list defined
• Implement a continuous improvement and awareness program (continuous monitoring)
• Prepare for notification to your contractor/DoD (within 72 hrs) should you be hacked
NIST Cyber Security Framework
5 Steps to Reduce Cyber Risk (NIST Cybersecurity Framework)
(Figure: the five steps, grouped as proactive and reactive)
NIST has provided the cyber security framework to help all businesses understand the basic tenets of reducing exposure and risk to hacking and compromise.
CUI - Questions to ask
• Does our company store, transmit, process or generate CUI? What does it consist of?
• How do we protect it? Is it encrypted? Where do we store it? Do we back it up?
• Who has access? How do we authenticate them? Do we log this access?
• How do we monitor ‘it’? How does it traverse our network? Who receives it? Do we / can we log and track that receipt?
• How do we know when we have an incident? How do we report it? Who is involved? Do they know what to do?
Other questions
• What skills are needed to accomplish this?
Outsource or become an expert.
• Are there services that provide a complete documentation and improvement program?
Yes, look for a single service provider that can take you through the entire process.
• What happens if a manufacturer doesn’t do this?
Business will suffer in a couple of ways:
• Likelihood of a successful attack against your network is HIGH.
• For DoD suppliers, your contractor is required to have proof of compliance (within 24 hours of contract award) to give you new contracts
CYTELLIX – Trusted Leader in Managed Cyber Security
IMRI: delivering comprehensive IT and engineering solutions since 1992
Successfully delivered over $150 Million in technology contracts
Computer Operations: manages over $300 million
Cybersecurity: over 1500 networks, 7 million devices; engaged with U.S. Army Network Enterprise Technology Command; Missile Defense Agency; U.S. Army Corps of Engineers; DISA
Data Center/Cloud Computing: 15 facilities, 4 million users, 2800 applications
Data Center Consolidation: 22 operations with merger of $2 billion in assets
Software Development: application modernization and software development planning and implementation
Certifications: ISO 9001 / AS9100; CMMI compliant; industry and professional certifications
CYTELLIX Solution – Network Situational Awareness
Network behavioral analytics
Performs real-time continuous monitoring
Discovers every device connected to the network (Physical, Virtual, Cloud, Wireless)
Proactive threat identification
(Figure: Identify, Protect, Detect, Respond, Recover; Monitor; Security Strategy)
Cyber Ready Environment
Identify your Network Topology
Network maps identify:
Segmentation
Device Connections
Inventory of connected Device Types
Provides your organization with “privilege” from a legal context
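The inventory and segmentation points above (and the later tips to inventory devices and their IP addresses and to segment guest from internal users) come down to one check: compare what discovery actually finds on the wire against what the security plan says is approved. The Python below is an added example written for this page, not the Cytellix product or any of its output. It assumes a constructed approved-inventory CSV (MAC, hostname, type, segment), a constructed segment-to-subnet map, and a constructed discovery snapshot (MAC, IP), and reports devices that are not in the inventory, known devices seen on a segment the plan does not allow, and inventoried devices that did not show up at all.

```python
"""Compare a network-discovery snapshot with the approved asset inventory.

Added example for this deck, not Cytellix code. All data below is constructed.
"""
import csv
import io
import ipaddress

# Constructed approved inventory: what the security plan says should be on the network.
APPROVED_INVENTORY_CSV = """mac,hostname,device_type,segment
aa:bb:cc:00:00:01,plc-line1,PLC,ot
aa:bb:cc:00:00:02,hmi-line1,HMI,ot
aa:bb:cc:00:00:10,acct-pc01,Workstation,corp
aa:bb:cc:00:00:11,fileserver,Server,corp
"""

# Constructed segmentation plan: which subnet each segment uses.
SEGMENTS = {
    "ot": ipaddress.ip_network("10.10.0.0/24"),
    "corp": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed discovery snapshot, as a scanner or ARP-table export might give it.
DISCOVERY_SNAPSHOT_CSV = """mac,ip
aa:bb:cc:00:00:01,10.10.0.5
aa:bb:cc:00:00:02,10.20.0.77
aa:bb:cc:00:00:10,10.20.0.15
de:ad:be:ef:00:01,10.10.0.200
"""


def load_rows(csv_text: str) -> list[dict]:
    """Parse CSV text into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def segment_of(ip_text: str) -> str:
    """Name the segment whose subnet contains the address, or 'unassigned'."""
    ip = ipaddress.ip_address(ip_text)
    for name, network in SEGMENTS.items():
        if ip in network:
            return name
    return "unassigned"


def compare_inventory(approved_csv: str, snapshot_csv: str) -> dict[str, list[str]]:
    """Return findings in three buckets: unknown, wrong_segment, missing."""
    approved = {row["mac"].lower(): row for row in load_rows(approved_csv)}
    findings = {"unknown": [], "wrong_segment": [], "missing": []}
    seen = set()
    for row in load_rows(snapshot_csv):
        mac = row["mac"].lower()
        seen.add(mac)
        segment = segment_of(row["ip"])
        if mac not in approved:
            # Not in the inventory at all: the first thing to investigate.
            findings["unknown"].append(f"{mac} at {row['ip']} ({segment})")
            continue
        expected = approved[mac]["segment"]
        if segment != expected:
            # Known device, but its address sits in a segment the plan does not allow.
            findings["wrong_segment"].append(
                f"{approved[mac]['hostname']} expected in {expected}, seen at {row['ip']} ({segment})"
            )
    for mac, row in approved.items():
        if mac not in seen:
            # Inventoried but not discovered: decommissioned, offline, or a discovery gap.
            findings["missing"].append(row["hostname"])
    return findings


if __name__ == "__main__":
    for bucket, items in compare_inventory(APPROVED_INVENTORY_CSV, DISCOVERY_SNAPSHOT_CSV).items():
        print(bucket, items)
```

Run against the constructed data, the unknown device on the OT subnet and the HMI answering from the corporate subnet are the two findings worth an alert; the missing file server is informational until someone confirms it was decommissioned.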
Cytellix outsourced Cyber
Cytellix provides a turnkey, affordable, comprehensive solution to help small and medium businesses meet Cyber requirements
1. CSET Assessment management & report
2. Network scan and real-time assessment & report
3. Gap Analysis & Assessment of 14 controls & report with Security Plan and POAM.
4. Continuous network asset monitoring with threat detection
5. Remediation and compliance service – best practices & practical implementation
Cytellix Service Package Options
Cytellix, the Cybersecurity Division of Information Management Resources, Inc. partners with Manufacturing Extension Partners (MEPs) to provide an affordable managed cybersecurity service to small manufacturing companies.
Managed Cybersecurity Services "Snap Shot" (Under 20 employees)
Turnkey Compliance
Service summaries (delivered one-time or yearly):
Consulting Interview
NIST 800-171, CSET Assessment, Documentation
Vulnerability Assessment, Review, Documentation
Network Situational Awareness Scan, Report
Gap Analysis, Top Vulnerabilities, Recommendations
Cytellix Customer Portal and Stored Documentation
Cytellix Continuous Monitoring (CCM) with Real-time Alerts
Periodic Vulnerability Scans
Best Practices for Proper Cyber Posture
Updated CSET and Gap Analysis Post Remediation
Cytellix – Additional Services
Cytellix’ managed security operation center (SOC) is an upgrade to the turnkey package which allows customers to completely outsource the Cytellix cyber readiness service, including remediation, mitigations and reporting.
Optional Services Provided: Security Operations Center (less than 50 employees)
Yearly:
24x7 Outsourced Continuous Monitoring
Investigation, Mitigation, and Intelligence Analytics
Monitoring of Open/Closed Sources
Professional Services
Cytellix Cybersecurity Tips and Tricks
• Never open email from unknown senders
• Right-click on email addresses to verify the sender’s domain is legitimate, prior to opening an email message.
• When in doubt about an email and its intentions, call the sender to verify.
• Use two-step verification / authentication
• If it’s being offered for free, it’s never free
• Use antimalware and antivirus products vs nothing
• Always update security when requested by legitimate publishers
• Back up your data, use multiple places/locations.
• Back up your data offline when possible
• Do not download applications from unknown publishers or sites
• Never share USB keys/drives
• Do not open attachments in email messages from suspicious senders – verify sender and intentions
• Using mobile devices for browsing is just as risky as laptops for discovering malware and viruses
• Check what ports are open on your network and their behaviors
• Segment your network for guest and internal users
• Public Wi-Fi networks are very risky for data protection on your devices – use a VPN
• Use a secure password manager for all your unique passwords
• Never use the same password twice
• Physical spying takes place as much as digital spying; watch who is looking over your shoulder.
• No one is protected from being hacked: you are, will be and have been hacked!
• Set strong privacy settings on your devices – you don’t want to overshare
• JavaScript in your browser is insecure, disable it!
• Always ask yourself questions about communications sent to you; being suspicious is the best practice.
• Use the best browser available from a security perspective, stay aware of exploits of browsers.
• Patch, patch, patch!
• Pay attention to mobile app permissions and access, some will access very private, personal and proprietary information you want to remain confidential.
• Clean up (delete) apps you don’t use
• Use device passwords to lock and encrypt the data wherever possible – losing a device is painful enough!
• Never leave devices set to default
• Change Wi-Fi passwords often and never repeat them
• Don’t use names, birthdates, and phone numbers as passwords – be unique and complex
• Social media has risks associated with personal information – don’t feed the bad guys information they can use against you.
• Inventory your devices and their IP addresses on your network
• Remove any devices that are end-of-life from their manufacturer from your network – they are attack points
• Log out of services like banking when you’re done with your business.
• Don’t store UID/PW in cookies on devices, just don’t do it
• IoT is pretty cool, but make sure you manage these IoT devices with the same care as your computer.
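The tips to verify the sender’s domain before opening a message and to treat every communication with suspicion can be automated at the mail gateway or in a mailbox rule, so the check happens whether or not a busy employee remembers to right-click. The Python below is an added example written for this page, not Cytellix code or part of its service. It assumes a small constructed allow-list (KNOWN_BRANDS) mapping a brand named in a display name to the domains that legitimately send for it, plus two constructed sample messages on the reserved .example TLD, and reports three things a reader is told to look for: a display name that claims a known sender while the address domain is not one of that sender’s, a Reply-To that would redirect replies to a different domain, and a digit-for-letter lookalike of a known domain.

```python
"""Flag suspicious sender headers before a message is opened.

Added example for this deck, not Cytellix code. The allow-list and the two
sample messages are constructed; domains use the reserved .example TLD.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: a brand named in a display name -> domains that
# legitimately send mail for it.
KNOWN_BRANDS = {
    "acme supply": {"acme-supply.example"},
    "payroll": {"hr.example-corp.example"},
}

# Digits commonly substituted for letters in lookalike domains ('1' for 'l', '0' for 'o').
LOOKALIKE_DIGITS = str.maketrans("10", "lo")


def sender_domain(header_value: str) -> str:
    """Lower-cased domain part of the address in a header value, or '' if none."""
    _, address = parseaddr(header_value)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def check_sender(raw_message: str) -> list[str]:
    """Return human-readable findings for one message; an empty list means nothing odd."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From", ""))
    if not domain:
        return ["From header has no parsable address"]

    # 1. Display name invokes a known brand but the address is not one of its domains.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and domain not in domains:
            findings.append(f"display name '{display_name}' but domain '{domain}' is not a {brand} domain")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    reply_domain = sender_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{domain}'")

    # 3. Digit-for-letter lookalike of a known domain (a heuristic; legitimate domains
    #    containing digits would need to be on the allow-list to avoid a false positive).
    normalized = domain.translate(LOOKALIKE_DIGITS)
    if normalized != domain:
        for domains in KNOWN_BRANDS.values():
            if normalized in domains:
                findings.append(f"domain '{domain}' looks like known domain '{normalized}'")
    return findings


# Constructed sample messages.
LEGITIMATE_MESSAGE = """From: Acme Supply <orders@acme-supply.example>
Subject: Invoice 1042

Attached is this month's invoice.
"""

SUSPICIOUS_MESSAGE = """From: Acme Supply <orders@acme-supp1y.example>
Reply-To: billing-desk@freemail.example
Subject: URGENT: updated bank details

Please remit to the new account below.
"""

if __name__ == "__main__":
    for label, message in (("legitimate", LEGITIMATE_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        print(label, check_sender(message) or ["no findings"])
```

The allow-list approach is deliberate: a small manufacturer deals with a short list of suppliers, customers and payroll providers, so maintaining the domains they really send from is cheap, and every finding points at a concrete mismatch a non-specialist can understand when the message is quarantined.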
Cytellix News & Awards
News Updates
Awards
Social Media Pages
Facebook
Twitter
LinkedIn
Thank you
Spencer Cobb, Cytellix, Director, Strategy & Business Dev. (404) [email protected]