A presentation given on 4 27-2016

1. Internet of Things &
Cybersecurity In
Manufacturing
Northwest State Community College
Manufacturing Consortium
Thursday, April 28, 2016
1

2. Education
AA – Tiffin University
BA – Ohio Northern University
MA – Bowling Green State University
MA – George Washington University
Experience
Principal Founder, President & Chairman - CentraComm
CEO - Aardvark Inc.
Lynn R. Child
2

3. Education
AA, BA, BS, MBA – University of Findlay
DIA – University of Fairfax (In Progress)
Security Professional Certificate – National Defense University &
University of Fairfax
Certified Information Security Professional
Certified Six Sigma Blackbelt
Developed and taught first Information Security class in 1999
Co-designed Information Assurance Major at the University of
Findlay
Network & Security Architect – Fortune 1000 Global Manufacturer
Experience
Loren W. Wagner
Certifications
3

4. Agenda
• History
• Today’s Environment
• Hacker’s Exploits
• Security Overview In Manufacturing
• Challenges and Changing Expectations
• The Threat Landscape
• Cyber Hygiene: 8 Tips To Follow
• Invitation to the 15th Annual IA Forum
4

5. History
5

6. Evolution of Society’s Use of Technology
6

7. 7

8. Today’s Environment
8

9. Technology is making our homes safer
9

10. Technology is making work smarter
10

11. Technology is changing society
11

12. Technology is connecting the world
12

13. Connectivity will overhaul businesses
13

14. GE CEO Jeff Immelt on Industrial Internet
•In a best-case scenario, "predictive" analytics translates
into better products, better sales, happier customers,
better service agreements, and better company profits.
•General Electric is rolling out a suite of Industrial
Internet tools for locomotive haulers to improve
efficiency. By GE's calculation, even a 1% gain could
translate into $2.8 billion in savings annually.
14

15. Connectivity will overhaul businesses
15
Connectivity will integrate business units & businesses

16. Rank Country Devices online Relative size
1 South Korea 37.9
2 Denmark 32.7
3 Switzerland 29.0
4 United States 24.9
5 Netherlands 24.7
6 Germany 22.4
7 Sweden 21.9
8 Spain 19.9
9 France 17.6
10 Portugal 16.2
11 Belgium 15.6
12 United Kingdom 13.0
13 Canada 11.6
14 Italy 10.2
15 Brazil 9.2
16 Japan 8.2
17 Australia 7.9
18 Mexico 6.8
19 Poland 6.3
20 China 6.2
21 Colombia 6.1
22 Russia 4.9
23 Turkey 2.3
24 India 0.6
16
Connected Society:
*Organisation_for_Economic_Co-operation_and_Development
Over 75 Billion
Connected
Devices by 2020!
List of countries by IoT devices online per 100 inhabitants
as published by the OECD* in 2015.

17. Hacker’s Exploits
17

18. MIT coins the term “Hackers” related
to people who were typing up the
phone lines.
1983
The movie War Games is released and depicts a
young hacker nearly starting WWIII by accessing a
military supercomputer.
18
1963

19. 1995
The web takes off and famous hacker Kevin
Mitnick steals 20,000 credit card numbers leading
to a fear of e-commerce. Later caught by the FBI
by utilizing a “White Hacker”.
2006
Julian Assange becomes the new face of
hacking.
19

20. 2011
CIA, PBS, Gmail, the U.S.
Senate all are hacked.
Anonymous rises up as a
underground hacktivist
community. Year was coined
“The Year of the Hack.”
20

21. 21
2013
And then there was Edward
Snowden…the computer analyst
whistleblower who provided the
Guardian with top-secret NSA
documents leading to revelations about
US surveillance on phone and internet
communications.

22. 2014
A record 1 billion records were
compromised. Becomes the new “Year of
the Breach.”
Sony Entertainment Pictures Hacked.
22

23. 2015
Insurer Anthem – 80
Million Customer Records
Exposed
23

24. 2016
Identity Theft Resource Center
(ITRC) indicates that there has been
a total of 155 data breaches recorded
through March 15. More than 4.3
million records have been exposed
since the beginning of the year.
24

25. Security Overview In Manufacturing
25

26. Cybersecurity for Advanced
Manufacturing
• A broad cross section of contributors:
• National Institute of Standards & Technology
• Cisco
• Lockheed Martin
• Rockwell Automation
• Virginia Tech
• Boeing
• International Society of Automation
• Department of Defense
• The Langer Group
• Exxon Mobile
26
National Defense Industrial Association’s Manufacturing Division and Cyber Division

27. Cybersecurity for Advanced
Manufacturing
•Key findings:
•The threat is real and manufacturing companies are
targets
• Factory floor systems are a weak link in
safeguarding technical information
• Small Business manufacturers are not well
equipped to manage the risks
27

28. The Threat is Real and Manufacturing Companies
are Targets
• Motivations may be:
•Espionage
•Financial gain
•Disruption
•In an effort to compromise data
•Confidentiality
•Integrity
•Availability
28
CIA Triad

29. The Threat is Real…
•Confidentiality: Theft of technical data, including
critical national security information and valuable
commercial intellectual property.
•Integrity: Alteration of data, thereby altering
processes and products.
•Availability: Impairment or denial of process control,
thereby damaging or shutting down operations.
29

30. 30

31. What’s Changed - Past
• ICS are long-lived lived investments
• 15+ year life cycle
• Discrete operating systems and network protocols
• Air gap
• Autonomous & proprietary
• Little tolerance for down time
• Real-time operation
• Critical safety implications
• System availability precedence over confidentiality
• Speed, functionality, reliability and safety
• Weak privilege management/access controls
31

32. IT-OT Architectural Considerations
32

33. IT-OT Architectural Considerations
33
Danger!

34. What’s Changed - Present
• Competitive pressures driving the integration and
analysis of “big data”
• Converging information systems, engineering
information systems and manufacturing systems across
the supply chain.
• Organizations need to respond quickly to market
changes
• Executives need timely and accurate information
• Production control systems – ICS – must feed this
information to the decision makers as soon as possible
• A distinct trend toward integration of IT and OT systems 34

35. IT-OT Architectural Considerations
35

36. IT-OT Architectural Considerations
36

37. What Has Changed - Future
• Integration of IT and OT
• Additional complexity
• Internet of Things
• Industrial Internet of Things
• Greater emphasis on ICS security practices
• Support for NIST Framework
• Cyber Security Framework for Critical
Infrastructure Protection
• Developing into a de facto standard?
37

38. IT-OT Architectural Considerations
38

39. IT-OT Architectural Considerations
39

40. Smart Manufacturing IoT Stack
40
Security Layer
Security Layer

41. Challenges & Changing Expectations
41

42. Top Technology Challenges
• Top 5 Concerns*
• Emerging technologies & infrastructure changes
• Transformation, innovation, disruption
• IT security & privacy/cyber security
• Resource/staffing/skills challenges
• Infrastructure management
• Cloud computing/virtualization
*ISACA & Protivity 5th Annual IT Audit Benchmarking Survey with 1230 global participants
42

43. Regulatory Environment
•Security and Exchange Commission
• Risk Alert issued by the Office of Compliance Inspections
and Examinations September 2015. The alert was a result
of investigations of financial institutions but lays out what
the expectations would be when investigating a data
breach.
•Federal Trade Commission
• "It is not only appropriate, but critical, that the FTC has
the ability to take action on behalf of consumers when
companies fail to take reasonable steps to secure
sensitive consumer information” - FTC Chairwoman Edith
Ramirez
43

44. Advisors & Consultants
•National Association of Corporate Directors
• Cited benefits of a common cyber risk management language, so
that more efficient and precise discussions can be held up, down,
and across a company's management structure, with auditors,
and with supply chain partners.
•PricewaterhouseCoopers (PwC)
• Corporate officers and boards may have a fiduciary obligation to
comply with the guidelines (NIST CSF) and demonstrate due are
44

45. Legal Environment
• A U.S. appeals court
• Said the Federal Trade Commission has authority to regulate
corporate cyber security, and may pursue a lawsuit accusing
hotel operator Wyndham Worldwide Corp of failing to
properly safeguard consumers' information.
• Bloomberg BNA
• Cybersecurity today is not merely the responsibility of a
company’s IT group. As with any critical function within an
organization, governance over and management of
cybersecurity is an essential “best practice.” Good
governance not only helps companies make appropriate
strategic cybersecurity decisions, but studies have shown it
reduces the cost of a cyberattack.
45

46. Insurance
• Rationalizing Risk
• Insurance companies and other industry leaders
are pushing hard to make the NIST CFS more
pervasive. Companies like AIG, Apple, and Visa are
already onboard.
• The NIST CSF opens the door for the insurance
industry to capture, measure, and share risk
metrics, which could go a long way toward policy
underwriting and consistent premiums.
46
NIST CSF = National Institute of Standards & Technology Cyber Security Framework

47. Business Partners Expectations
• “The breach at Target Corp. that exposed credit card and PII
data on more than 70MM consumers began with a malware-
laced phishing attack sent to a third party vendor”
KrebsOnSecurity
• “PCI 3.0, HIPAA Omnibus, OCC, CFPB, FFIEC and the Federal
Reserve have changed the way organizations in many
industries need to think about IT & data supply chain risk
management”
• "If not managed effectively, the use of service providers may
expose financial institutions to regulatory action, financial
loss, litigation, and loss of reputation.“ Federal Reserve
47

48. The Threat Landscape
48

49. Security Vulnerabilities
Recent studies show:
• As many as 85% of targeted attacks are preventable
• That 83.6% of vulnerabilities in ‘All’ products, and 84.6% of
vulnerabilities in products in the Top 50 portfolio have a
patch available on the day of disclosure
• In 2014, 76.9% of the vulnerabilities affecting the Top 50
applications affected non-Microsoft applications, such as
• Third-party programs, including Oracle Corp.'s Java and
Adobe Systems Inc.'s Flash and Reader applications
49

50. Be Aware of the Most Prevalent Tactics to “Hack”
Information
Spearfishing: An e-mail spoofing
fraud attempt that targets a
specific organization, seeking
unauthorized access to
confidential data. …conducted by
perpetrators out for financial gain,
trade secrets or military
information. Example of Social
Engineering.
50

51. Spearphishing Example: Business Email
Compromise Scam (BEC) or CEO Scam
•FBI states that there were over
17,000 reports from victims all over
the world from October of 2013 to
February of this year, accounting for
over $2.3 billion in losses for affected
companies.
51

52. Example of Business Email Compromise (CEO Scam)
52

53. 53

54. Be Aware of Other Prevalent Forms of Hacks
Malware
•Malicious software that interferes with
normal computer functions or sends
personal data about the user to
unauthorized parties over the Internet
or gains access to private computer
systems. Includes viruses, worms, Trojan
horses, etc.
54

55. Some Common and Prevalent Malware Includes:
•SpyWare – secretly gathers information about a
person or organization. Can take partial or full
control of computer without knowledge of user.
•AdWare – automatically renders advertisements
in order to generate revenue for its author. Pop-
ups are an example.
•RamsonWare – restricts access to your
computer system and demands a ransom be
paid to the creator of the malware in order for
the restriction to be removed. Forms include:
encrypted files, lock system/display message to
pay…
55

56. RansomWare: Example of Cryptolocker Locked Screen

57. Ransomware Proliferation
57

58. .
58

59. Malware/Spyware/RansomWare What To Do
• Do Not Click upon any Links within an SMS Message or Email
Message
• Do Not Download any Software from an Email Link
• Do Not Click upon any Links or Forwards within Social Media
• Go to the Authorized Marketplace for 3rd-party Applications
and Downloads
• Pay Particular Attention to Popular Game Applications – Hotbed
for Hackers
• Do Research with Trusted Names, i.e., Gartner, Information
Week, TechTarget, etc.

60. Cyber Hygiene: 8 Tips to Follow
60

61. Tip #1: Think Before You Click
•As stated previously, beware of links and
downloads within:
•Email
•Web
•Text Message
•Social Media
•Other
61

62. Tip #2: Go to Authorized Marketplace for Downloads
62
• Marketplaces include:
• Apple
• Droid
• Google
• AWS
• Azure
• Other

63. Tip #3: Update/Patch Software Upon All Devices
•Device updates/patches are new instructions your
computer can use to communicate with devices
that are attached, like printers, sound systems, or
cameras. Often device patches are written to fix
known problems, add new functionality, increase
the performance of the attached device, or fix
security holes
•Examples: Adobe Reader, Java Script, Microsoft
Operating System, Anti-Virus, etc.

64. Tip #4: Practice Password Management
• Password manager software is used by individuals to
organize and encrypt many personal passwords. This is also
referred to as a password wallet.
• Rule of thumb: Use “Strong Passwords”
• Upper case letters
• Lower case letters
• Number
• Symbol
• Longer Passwords are Safer
• Change Regularly
Examples
Get2NoUWell#
TriKnot2Cry@Work
Ate4hotDogs!
Tks4$2Eat

65. Tip #5: Change Default Passwords
65
Systems and Software generate general passwords
that allow companies to enter a system or
software with the requirement that these
passwords should be changed upon receipt.
Often, companies do not actually take the time to
do this. Major concern as hackers know these
basic passwords and can easily exploit these
systems and/or software.

66. Tip #6: Create Dedicated Email
Accounts
•Establish “Specialized Accounts” that You Use
For:
•Online purchases
•Responding to inquiries
•Taking surveys
•Personal use
•Business use
•Other

67. Tip #7: Consider End-User Security
Training
67
•In-House Training
•Consulting
•Online Training
•Hybrid Training

68. Tip #8: Don’t Surf With Administrator Accounts
•Use a normal user account to log onto your
computer
•Administrator rights allow privileged access,
which allows malware to install programs or
make unauthorized changes to your
computer
68

69. 8 Security Tips for Manufacturing & You
Go to Authorized Marketplace for Downloads
Update/Patch Software Upon your Devices
Practice Password Management
Change Default Passwords
Create Separate Email Accounts
69

70. Security Tips for Your Associates & You
Consider End-User Security Training
Don’t Surf With Administrator Accounts
Think Before You Click
If It Feels Wrong, It Probably Is!
70

71. A Challenge to Your Manufacturing Associates & You
Prepare your Manufacturing Associates for the Reality of a Connected Society:
- Read and Research Continuously
- Utilize Case Studies
- Utilize Table Top Exercises
- Seek Out Industry Speakers
- Attend Relevant Events and Webinars
- Be Willing to Watch, Learn, & Listen from Each Other!
71

72. Thank you!
And, we hope to see you at…
72

73. • 2016 TIC Business Survey Results
• End-User Security Training
• Social Engineering Pitfalls
• Social Media Do’s & Don’ts
• System Settings: Going Back to Basics
• Cloud Security/Mobile BYOD – Microsoft:
Office 365, Azure, & Security
• Student Company & Internship
Interaction
• Interactive Q & A Throughout the Day
2016 Information Assurance
Forum Topics
73

74. Registration Opens August 1
www.IAForum.net
$35 Chamber Members | $45 Non-Chamber Members | $10 Students
Breakfast and Lunch Provided
Wednesday October 26th 8:45 am – 5:00 pm
Winebrenner Auditorium, Winebrenner Seminary
The University of Findlay Campus
950 North Main Street, Findlay, OH 45840
74

75. Presentation References & Other Resources
 Connected Society/Internet of Things:
https://en.wikipedia.org/wiki/Internet _of_Things
 The Horizon Report-2015 Higher Education (Emerging Technologies):
http://www.ictliteracy.info/rf.pdf/Horizon-report-2015.pdf
 Over 75 Billion Devices Connected by 2020:
http://www.businessinsider.com/75-billion-devices-will-be-connected-to-
the-internet-by-2020-2013-10
 World’s Biggest Data Breaches:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-
breaches-hacks/
 Jeep Car Gets Hacked: http://www.wired.com/2015/07/hackers-remotely-
kill-jeep-highway
 Spearfishing: http://searchsecurity.techtarget.com/definition/spear-phishing
75

76.  MalWare: http://whatis.techtarget.com/glossary/Malware
 GrrCon Security Summit & Hacker Conference: http://grrcon.com
 IAForum.net: http://IAForum.net
 Why the Internet of Things is Big Business:
http://harvardmagazine.com/2015/07/why-the-internet-of-things-is-big-
business
 NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/
 Online Trust Alliance: https://otalliance.org/initiatives/internet-things
 End-User Security Training: http://www.KnowBe4.com
 Societal Impact of a Connected Life Over the Next 5 Years:
http://www.gsma.com/connectedliving/wp-
content/uploads/2013/02/GSMA-Connected-Life-PwC_Feb-2013.pdf
 Behind GE's Vision For The Industrial Internet Of Things:
http://www.fastcompany.com/3031272/can-jeff-immelt-really-make-the-
world-1-better 76
Presentation References & Other Resources

77.  Top IT Trends in 2015: http://www.entrepreneur.com.ph/technology/top-
it-trends-for-businesses-in-2015-and-how-to-prepare-for-those?ref=tag
 IoT in Manufacturing:
http://4dm7pi3anfms2bn7sk7u16h1.wpengine.netdna-cdn.com/wp-
content/uploads/2015/02/Internet-Of-Things-Manufacturing.jpg
 RIPE - Robust Industrial Control Systems Planning and Evaluation:
http://www.langner.com/en/wp-content/uploads/2014/10/A-RIPE-
Implementation-of-the-NIST-CSF.pdf
 CYBERSECURITY FOR ADVANCED MANUFACTURING:
http://www.ise.vt.edu/ResearchFacilities/Centers/CenterPages/CPSSMFG/f
iles/cyber_security_AM.pdf
 The Internet of Things Will Make Manufacturing Smarter:
http://www.industryweek.com/manufacturing-smarter?page=2
77
Presentation References & Other Resources

78.  Cybersecurity and Privacy in 2015: http://www.bna.com/
cybersecurity-privacy-2015-m17179934502/
 The State of Cyber Insurance:
http://www.networkworld.com/article/3005213/security/the-state-of-cyber-
insurance.html
 Improving Third Party Risk Management with Cyber Threat Intelligence:
http://www.isaca.org/chapters11/Western-New-
York/Events/Documents/2015-April/CT02-3RD-Party-Cybersecurity-
NMenz.pdf
 FBI reminds companies to watch out for business email compromise scams:
https://www.consumeraffairs.com/news/
 fbi-reminds-companies-to-watch-out-for-business-email-compromise-scams-
040816.html
78
Presentation References & Other Resources

79. Thank you for the Honor & Privilege of
Sharing Information Regarding
“IoT & Manufacturing”
Lynn R. Child, President & Chairman, CentraComm
www.CentraComm.net
Direct: 419-421-1284 | Lchild@CentraComm.net
Loren W. Wagner, Information Assurance Professional
Adjunct Senior Lecturer, University of FIndlay
Cell: 419-722-2990 | Wagner@Findlay.edu
Find this presentation at: http://www.slideshare.net/CentraComm/ 79

80. Risks to Home, Business, & Careers
80

81. Security hacks could expose our homes
81

82. Security hacks could disrupt our businesses
82

83. Security hacks could end your business career
83
Add Sony CEO Fired (Apparently not – article on Feb, 2016 still refers to
same CEO)

84. 84