Académique Documents
Professionnel Documents
Culture Documents
Gary Spiteri
Consulting Security Engineer
#clmel
Agenda
• Introduction
• Extraordinary Benefits
• Major Security Challenges
• Delivering Security Across the
Extended Network
• The Best of Both Worlds
• Conclusion
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
What is the Internet of Things?
IoE
Data Things
Physical Devices and Objects
Leveraging Data into
Connected to the Internet and
More Useful Information for
Each Other for Intelligent
Decision Making
Decision Making
Rapid Adoption
30 Rate of Digital
Infrastructure:
5X Faster Than
20 25 Electricity and
Inflection Telephony
Point
12.5
10 World
Population
6.8 7.2 7.6
0
TIMELINE
2010 2015 2020
Source: Cisco IBSG, 2011
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Connected Objects Generate Big Data
46 million in the U.S alone
1.1 billion data points (.5TB) per day
Knowledge
Information
01010100101010101010101010101
Data 01010101010001010100101010101
01110101010101010101 Less Important
$
*
19.0 Trillion
VALUE AT STAKE
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
IoT Delivers Extraordinary Benefits
Connected Rail Operations
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Smart City
Reduced congestion
Improved emergency services response times
Lower fuel usage
Increased efficiency
Power and cost savings
New revenue opportunities
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
The Connected Car
Online entertainment
Mapping, dynamic re-routing, safety and security
Reduced congestion
Increased efficiency
Safety (hazard avoidance)
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
… but it also adds complexity.
New Business Models Partner Ecosystem
Applications
Application Interfaces
Unified Platform
Infrastructure Interfaces
Infrastructure
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
… but it also adds complexity.
APPLICATION
New AND BUSINESS
Business Models INNOVATION
Partner Ecosystem
Application
Data Integration Big Data Applications
Analytics Control Systems
Integration
Application Interfaces
Unified
APPLICATION Platform PLATFORM
ENABLEMENT
Infrastructure Interfaces
Information Operational
Technology Technology Smart
Objects
(IT) (OT)
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
The Flip Side: Major Security Challenges
IoT Expands Security Needs
IoT CONNECTIVITY
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
What Can Breach IoT Networks?
• What can’t?
– Billions of connected devices
– Secure and insecure locations
– Security may or may not be built in
– Not owned or controlled by IT … but data flows through the network
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Connected Rail Operations
Schedule manipulation
System shutdown
Sensor manipulation
Creation of unsafe conditions
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Smart City
Device manipulation
Remote monitoring
Creation of unsafe conditions
Environmental degradation
System shutdown
Lost revenue
OBD-II (PassThru)
Disc/USB/Phones
Bluetooth
Remote Keyless Entry
SDRC
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
IT Breach via OT Network
• Breached via Stolen Credentials from HVAC Vendor
• 40 Million Credit And Debit Cards Stolen
• PII Stolen From 70 Million Customers
• Reputation Damage*
– 46% drop in year-over-year profit
– 5.3% drop in year-over-year revenue
– 2.5% drop in stock price
• CEO Fired
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Delivering Security Across the Extended
Network
The Secure IoT Architecture – IT Plus OT!
APPLICATION
New AND BUSINESS
Business Models INNOVATION
Partner Ecosystem Cloud-based
Threat Analysis /
Protection
Data Control Application
Integration
Big Data Applications
Analytics
Systems Integration
Network and
Perimeter
Application Interfaces Security
End-to-End Data
Encryption
Device and Sensor Innovation
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
IT and OT are Inherently Different
• IT • OT
• Connectivity: “Any-to-Any” • Connectivity: Hierarchical
• Network Posture: Confidentiality, • Network Posture: Availability, Integrity,
Integrity, Availability (CIA) Confidentiality (AIC)
• Security Solutions: Cybersecurity; Data • Security Solutions: Physical Access
Protection Control; Safety
• Response to Attacks: • Response to Attacks: Non-stop
Quarantine/Shutdown to Mitigate Operations/Mission Critical – Never
Stop, Even if Breached
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Attack/Security Continuum – IT
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Network-Wide Security with Differential Applications
Security Activity IT OT
• Role-based access for • Role-based access to few
individuals and groups individuals
• VPN/remote access for most • VPN to few systems and users
systems throughout the • Badge readers/integrated
Before Secure Access
network sensors
• Complex passwords with • IP cameras with video analytics
lockout policies • Simplified passwords (except
• Application control for the most critical systems)
Intrusion Prevention/Detection IPS – enforces policies IDS – sends security alert only
Analysis of the threat to determine
Threat Mitigation Quarantine affected system
appropriate action
During
Combined physical and
Data Integrity and Confidentiality Data Loss Prevention (DLP)
cybersecurity access controls
Network-wide Policy Enforcement Differentiated actions based on value, function, and location of the device
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
IT/OT Converged Security Model
IT
Cloud
Network Security
Enterprise Network
Application Control
Identity Services
DMZ Demilitarised Zone
Secure Access
OT
Supervisory
Config
Mgmt
Automation & Control
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
33
The Best of Both Worlds
IoT Can Actually Increase Security Posture
• Network of Security Devices
– Cyber Security
• Firewall, IDS
– Physical Security
• IP cameras, badge readers, analytics NG Firewall IDS
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Keeping Passengers Safe: Airport Security
• Profile
– Large facilities with diverse human population
– Significant security exposures
– Need for real-time, actionable intelligence
• Existing Security Systems
– Badge readers
– IP cameras
– Sensors
– Network/perimeter security (firewall/IPS)
• Challenge
– Limited visibility
– Sluggish response times
– High OpEx
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
IoT Enhances Security: The Connected Airport
• Video Analytics & Sensors
– Multi-factor employee badge authentication
– Facial recognition
– Event correlation across multiple facilities
– Rapid response
• Integration of Cameras & Sensors
– Automatically zoom to potential problems
• Integration with Cyber Security
– Employee/asset location monitoring
– Critical system lockdown
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Making Plant Operations Safe: Manufacturing Security
• Profile
– Large facilities with dozens of independent
systems
– Complex robotics and other dangerous moving
parts
– Need for physical security and personnel safety
– System availability is absolutely essential
• Existing Security Systems
– IP cameras
– Badge readers
• Challenge
– Limited visibility
– Data silos
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
IoT Enhances Security: The Connected Plant
• Integrate physical and cyber security
– Device- and user-level authentication
– Automated access lockout with breach detection
– Removable media detection
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Conclusion: Securely Embrace IoT!
• New challenges require new thinking!
– avoid operational siloes
– networking and convergence are key
– a sound security solution is integrated throughout
– build for the future
• Security must be pervasive
– inside and outside the network
– device- and data-agnostic
– proactive and intelligent
• Intelligence, not data
– convergence, plus analytics
– speed is essential for real-time decisions
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Most Importantly: Teamwork!
IT OT
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a
Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session
Evaluations.
BRKSEC-2005 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank you.