Transitioning to Zero-Trust Architecture in IoT Cybersecurity
An Academic Beginner's Guide to U.S. Regulations in IoT & Cloud Native Security Themes
(A glimpse of a future career in Industrial/Consumer Technologies)

Brief Overview
• IoT Concepts
• Cybersecurity Threats
• U.S. Regulations
• Kubernetes
• DevSecOps
• Free Resources
https://www.theelectricalportal.com/2018/02/co-generation-advantages-cogeneration.html

What True Tech Intl. Corporation (TTIC) Does
TTIC provides planning, architecture, and advice on hybrid cloud architecture for small businesses and multi-nationals.
• Data Analytics
• Hybrid Cloud Infrastructure
• Software Development
• Marketing Solutions
• Product Management

Who is Victor?
• Principal Consultant at TTIC.
• IT/OT Project & Product Management within:
  • Fortune 500 Enterprises
  • Startups
  • Academia
  • Intl. Governments
• Speaker at Microsoft, Universities
• Writer/Contributor on Tech Blogs
• Project Management Professional (PMI)
• Fellow at the Royal Society of Arts, Manufactures, & Commerce, based in London, UK
• Degrees at New York University (NYU)
  • B.A. in Chemistry
  • M.Sc. in Management & Systems
  • Thesis on HIPAA Security under Dr. Omar Alvarez-Pousa, Global Business Director, Pfizer Corp.

The Difference in IT vs. OT
INFORMATION TECHNOLOGY (IT)
Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which:
i. requires the use of such equipment; or
ii. requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product.
The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
• FIPS 200, from 40 U.S.C. Sec. 1401

OPERATIONAL TECHNOLOGY (OT)
Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include:
• Industrial Control Systems (e.g. SCADA)
• building management systems
• fire control systems
• physical access control mechanisms
NIST SP 800-37 Rev. 2

Artificial Neural Networks in IIoT
Artificial Neural Network (ANN) Models and Polymers*
Setpoint tracking is referred to as servo control.
ANN models were developed using a feed-forward topology for modeling of hyperbranched polymer (HBP) treatment on polyethylene terephthalate (PET) fabric. The effects of three HBP treatment parameters, namely solution concentration (wt.%), treatment temperature (°C) and time (min), on the dyeability (K/S value) of treated PET fabrics were investigated.
Chemical Structure of Amine-Terminated HBP*
The best prediction was obtained by an ANN with 8 neurons in the hidden layer. In this model the R² and RMSE were 0.97 and 0.61 respectively. Furthermore, the mean, standard deviation, maximum and minimum error are 0.02, 0.02, 0.9, and 0 respectively.
*Advanced Process Control and Simulation for Chemical Engineers, CRC Press, accessed 6/9/22: https://learning.oreilly.com/library/view/advanced-process-control/9781926895321/chapter-01.html

Artificial Neural Networks in IIoT
General structure for Feedforward Backpropagation (FFBP) in a neural network.
Regulatory Reporting
• In electric power generation, restricting NOx/SOx emissions in flue gas to acceptable levels.
• All measured process conditions (e.g. fuel feed rate, O2, heating value of fuel, ambient air temperature) can be empirically correlated.
• The empirical correlation is based on training an ANN to predict the flue gas NOx concentration from all available data.
Chemical Process Control, 2nd Ed., page 399, 2001, Ferret Publishing
Prediction of SOx–NOx emission from a coal-fired CFB power plant with machine learning: Plant data learned by deep neural network and least square support vector machine. Accessed 6/9/22, https://doi.org/10.1016/j.jclepro.2020.122310

A Brief History of Industrial Internet of Things
IoT devices come in many types & sectors.

Expansion of IoT Capabilities
• Performance Insight
• Energy Management
• Anomaly Detection
• Real-Time Monitoring
• Predictive Maintenance
• Digital Twins (Simulations)
• Edge Device & Cloud Management
• Low Code/No Code for Rapid Deployment
Smart Grid: https://hashstudioz.medium.com/the-role-of-internet-of-things-iot-in-smart-grid-technology-and-applications-86061ad17f53

REST APIs on Industrial Programmable Logic Controllers (PLC) via the Cloud
Expand the capabilities of a PLC to perform any task/command. APIs allow the controller to request almost any type of process and offload computation to another device. The controllers communicate with the API via HTTP requests that are sent through TCP sockets. For example, a basic GET command will return the Anomaly Detection model weights to the client. On the PLC programming side, a custom Function Block has been created that handles all the pre- and post-processing required to issue these commands.
Overview of Cyberattacks on Infrastructure
Cyberattack Timeline*
Colonial Pipeline Ransomware Hack^
*https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/us-utilities-prepare-for-heightened-cybersecurity-risk-from-russia-69134779
^https://www.techtarget.com/whatis/feature/Recent-surge-in-ransomware-attacks-threatens-national-security

Some Cyberattack Threats
SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response
Major incident
• The SolarWinds attack was a supply chain attack: attackers compromise widely used software at the source, in turn giving them the ability to infect anyone who uses it.
• Russian intelligence had potential access to as many as 18,000 SolarWinds customers. They ultimately broke into fewer than 100 choice networks—including those of Fortune 500 companies like Microsoft and the US Justice Department, State Department, and NASA.

U.S. Response & Policy Shift
Cybersecurity supply chain risk management (C-SCRM) requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services.
• Foundational Practices: C-SCRM lies at the intersection of information security and supply chain risk management. Existing supply chain and cybersecurity practices provide a foundation for building an effective risk management program.
• Enterprise-wide Practices: Effective C-SCRM is an enterprise-wide activity that involves each tier (Organization, Mission and Business Processes, and Information Systems) and is implemented throughout the system development life cycle.
• Risk Management Processes: C-SCRM should be implemented as part of overall risk management activities, such as those described in Managing Information Security Risk (NIST SP 800-39), the NIST Cybersecurity Framework, and Integrating Cybersecurity and Enterprise Risk Management.
Sovereign-Sponsored Corporate Espionage & Cyberattacks
Theft of Intellectual Property (IP) and Disruption of Business Services
Damage/Disruption/Destruction of Records, Processes, Property
• People's Republic of China (PRC) Targeting of COVID-19 Research Organizations*
• Taiwan semiconductor industry (multiple targets) hacked by the PRC to steal IP:
  • source code
  • software development kits
  • chip designs
• Russia uses cyberattacks:
  1. It deploys cyberattacks to prepare for and facilitate military conflict by attacking critical infrastructure such as government websites, IT servers, banks, media outlets, and power plants. Used as a method of disrupting societies & organizations.
  2. As the Second Ukraine War shows, Russia seeks to disrupt and disable critical infrastructure to advance its military goals.
  3. A hybrid war strategy that substitutes for war.
• Garmin: airplane pilots who use Garmin products for position, navigation, and timing services also dealt with disruption.
*https://www.cisa.gov/sites/default/files/publications/Joint_FBI-CISA_PSA_PRC_Targeting_of_COVID-19_Research_Organizations_S508C.pdf.pdf
https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/
https://www.eurasiareview.com/08062022-russias-use-of-cyberattacks-lessons-from-the-second-ukraine-war-analysis/

IoT Cybersecurity Regulations in the U.S.
• IoT Cybersecurity Improvement Act of 2020
  • https://www.congress.gov/bill/116th-congress/house-bill/1668
• Executive Order 14028: Federal Government Zero Trust Security
  • https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
  • https://www.bastionzero.com/blog/i-read-the-federal-governments-zero-trust-memo-so-you-dont-have-to
• Federal Information Security Modernization Act (FISMA 2014)
  • Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
  • Amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and
  • Requiring OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."
• Cybersecurity for IoT Publication History (Roadmap)
• List of ongoing NIST IoT programs & initiatives

U.S. Federal Cybersecurity Agencies & Programs – Vendor Agnostic & Non-Partisan
U.S. Cybersecurity Agencies
a. DHS Cybersecurity and Infrastructure Security Agency (CISA)
b. National Institute of Standards and Technology (NIST)
c. U.S. Department of Defense (DoD)
d. National Cyber Investigative Joint Task Force (NCIJTF)
e. Energy: North American Electric Reliability Corporation (NERC)
  • Focus on Critical Infrastructure Protection (CIP) Standards

NIST Cybersecurity Framework 1.1
Version 2 is on its way…
NIST Cybersecurity Framework V1.1
This document intends to provide direction and guidance to those organizations – in any sector or community – seeking to improve cybersecurity risk management via utilization of the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or the Framework). Cybersecurity is an important and amplifying component of an organization's overall risk management process.
The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improve security and resilience. Through implementation of the Framework, organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.
• U.S. Cybersecurity Job Market at Cyberseek.

JUSTIFICATION FOR INNOVATION (even in IoT Cybersecurity)
• Innovation [in-uh-vey-shuhn]
• Innovation can refer to something new, such as an invention, or the practice of developing and introducing new things.
• An innovation is often a new product, but it can also be a new way of doing something or even a new way of thinking. Innovation is most associated with business and technology, but it happens in any field where people introduce change, including the arts, medicine, politics, cooking, language—even philosophy and religion.

Zero Trust Security in Today's Environments
Zero Trust from NIST Special Publication (SP) 800-207
"Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.
Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location."
• NIST Risk Management Framework
• NIST Privacy Framework (Focus on Data Lifecycle)
• EINSTEIN – National Cybersecurity Protection System

How Zero Trust Changes Traditional Security Challenges
Factor in Physical & Intangible Costs
Long-Term Security Posture
• Culture Shift (from risk averse to risk management)
• Hardware to Cloud
• Software has dependencies
• Process (ITIL to Chaos)
• Disaster Recovery
• Business Continuity
• Time
• Resources & Training
• Commitment from Organizational Leadership & Individuals (Blameless)

Planning Programs for Establishing Cybersecurity Policies
• Exceptions are required for reducing the deployment latency of policy changes or new policy shifts.
• Mitigate productivity losses even when implementing new policies into existing workflows (DevOps).
• Introduce an iterative approach to implementation:
  • Pilot/Proof of Concept
  • Minimum Viable Product in Beta/Testing
  • Gradually implemented in all facets of operations, leading to the production environment
• Introduce an actionable feedback mechanism from end users.

Data: Management, Governance & Security in IoT
• Devices may unintentionally lose access to corporate resources due to poor data quality in device management.
• Typos, transposed identifiers, and missing information occur often.
• A single device record may contain data for 2 distinct devices. Fixing & splitting the data may necessitate physically reconciling the asset tags and physical device serial numbers.
• Minimize errors by automating input validation that can detect or mitigate human error at the time of input.
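The following is an added example, not part of the original deck, of the input-time validation the slide calls for. It checks each device inventory record for the four failure modes listed above (missing fields, malformed identifiers, an asset tag and serial typed into each other's field, and one record that carries two devices) plus duplicate entry. The record layout, the asset-tag and serial formats, and the sample records are constructed for illustration and would be replaced by the real inventory schema.

```python
"""Input-time validation for IoT device inventory records (added example).

The field names, the identifier formats and SAMPLE_RECORDS below are
constructed assumptions, not taken from any real inventory system.
"""
import re
from dataclasses import dataclass, field

# Constructed formats: asset tags look like "AT-123456"; serial numbers are
# exactly 10 upper-case alphanumerics.  Adapt to the real schema.
ASSET_TAG_RE = re.compile(r"^AT-\d{6}$")
SERIAL_RE = re.compile(r"^[A-Z0-9]{10}$")
# Two identifiers typed into one field are usually separated like this.
MULTI_ID_RE = re.compile(r"[\s,;/]+")
REQUIRED = ("asset_tag", "serial", "owner", "site")


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)


def _normalize(value):
    """Trim and upper-case so 'at-000123 ' and 'AT-000123' compare equal."""
    return "" if value is None else str(value).strip().upper()


def validate_record(record, seen_serials=None):
    """Check one record at input time; every problem found is reported."""
    errors = []
    for key in REQUIRED:                      # missing information
        if not _normalize(record.get(key)):
            errors.append(f"missing:{key}")

    tag = _normalize(record.get("asset_tag"))
    serial = _normalize(record.get("serial"))

    # Transposed identifiers: the serial is in the asset-tag field and vice versa.
    transposed = bool(tag and serial and SERIAL_RE.match(tag) and ASSET_TAG_RE.match(serial))
    if transposed:
        errors.append("transposed:asset_tag,serial")

    # One record carrying two devices ("SER1 / SER2" in a single field).
    multi = set()
    for key, value in (("asset_tag", tag), ("serial", serial)):
        if len([p for p in MULTI_ID_RE.split(value) if p]) > 1:
            multi.add(key)
            errors.append(f"multiple_identifiers:{key}")

    # Malformed identifiers (typos, wrong length), unless a more specific
    # finding above already explains why the value does not match.
    if tag and not transposed and "asset_tag" not in multi and not ASSET_TAG_RE.match(tag):
        errors.append("format:asset_tag")
    if serial and not transposed and "serial" not in multi and not SERIAL_RE.match(serial):
        errors.append("format:serial")

    # Duplicate entry: this serial already belongs to a stored record.
    if seen_serials and serial in seen_serials:
        errors.append("duplicate:serial")

    return ValidationResult(ok=not errors, errors=errors)


def validate_batch(records):
    """Validate records in order; returns {index: errors} for the bad ones."""
    seen, problems = set(), {}
    for i, rec in enumerate(records):
        result = validate_record(rec, seen)
        if result.ok:
            seen.add(_normalize(rec["serial"]))
        else:
            problems[i] = result.errors
    return problems


SAMPLE_RECORDS = [  # constructed sample input, one defect per record
    {"asset_tag": "AT-000123", "serial": "8F3K2L9Q1Z", "owner": "plant-ops", "site": "orlando"},
    {"asset_tag": "AT-000124", "serial": "8F3K2L9Q1Z / 7G2H1J4K5M", "owner": "plant-ops", "site": "orlando"},
    {"asset_tag": "8F3K2L9Q1Y", "serial": "AT-000125", "owner": "plant-ops", "site": "orlando"},
    {"asset_tag": "AT-00126", "serial": "", "owner": "", "site": "tampa"},
    {"asset_tag": "AT-000127", "serial": "8F3K2L9Q1Z", "owner": "it", "site": "tampa"},
]

if __name__ == "__main__":
    for index, errs in validate_batch(SAMPLE_RECORDS).items():
        print(f"record {index}: {', '.join(errs)}")
```

Rejecting the record at entry, with every defect listed, is what keeps a later physical reconciliation of asset tags and serial numbers from being necessary.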
• Username/Password Leaks (see Colonial Pipeline)

Transition to Microservices Architecture
Monolithic Architecture
• Usually on-premises (physical servers)
• Migrated to virtualized machines
  • On-premises
  • Cloud provider
• Endpoint is a single server
• Virtual Machine Operating System (OS)
• Financial: large initial Capital Expenditure (CapEx)
Microservices Architecture
• API Gateway
• Service Mesh
• Configuration Files/Tools
  • YAML files with shell scripts
  • Configuration management tools
• Serverless
  • Functions (as a Service)
  • App Engines
• Financial: Operating Expenses (OpEx) due to the utility model

Kubernetes (K8s) Components
Basic K8s
• Master & Worker Nodes
• K8s Pod
• Cluster
• Deployment
• Pod (Containers)
• Service (proxy load balancer)
• Master/Worker Nodes
• Kubectl
Automation & Orchestration on Kubernetes
Control Plane Components
• kube-apiserver
• etcd
• kube-scheduler
• kube-controller-manager
• cloud-controller-manager
Network Chuck, "you need to learn Kubernetes RIGHT NOW!", accessed 6/10/22, https://youtu.be/7bA0gTroJjw

Kubernetes Security
K8s Hardening
• Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
• Key-Pair Management in the Cloud*
• Cybersecurity Technical Report (CTR): Kubernetes Hardening Guide from NSA & CISA
• API Access Control

IaC (Infrastructure as Code) vs. Configuration Mgmt.
• IaC is an IT practice that codifies and manages underlying IT infrastructure as software.
• The purpose of infrastructure as code is to enable developers or operations teams to automatically manage, monitor and provision resources, rather than manually configure discrete hardware devices and operating systems.
• Infrastructure as code is sometimes referred to as programmable or software-defined infrastructure (usually written in YAML or JSON).
• Configuration Management is a way to configure servers in the cloud.
The configuration could be:
• Installing applications
• Ensuring services are stopped or started
• Installing updates
• Opening ports
• (Ansible & Jenkins are the most popular)
https://dev.to/thenjdevopsguy/infrastructure-as-code-vs-configuration-management-2b66

Ecosystems
Kubernetes Image Repos & Add-ons
• Docker Hub (image repositories)
• Mirantis (formerly Docker Enterprise)
• Helm (Chart Templates)
• Red Hat Podman
• Tigera (Project Calico)
Version Control Systems
• Git (Distributed)
• GitHub
• GitLab
• SVN (Centralized)
• Microsoft Team Foundation Services (Centralized)

What is DevOps?
• Developers (of software) & Operators (of infrastructure) work side by side to implement and update new software in the most efficient way.
• The purpose of DevOps is to reduce the time between committing a change to a system and its implementation in production (available to intended users).
• DevOps has been shifting from virtualization to microservices.
• CI/CD Pipeline – Continuous Integration & Continuous Delivery/Deployment
  • The backbone of modern DevOps operations
  • CI: developers merge code changes in a repository to ensure code consistency
  • CD automates the software release process based on frequent changes
  • CD includes automated infrastructure provisioning & deployment
• 12 Factor App
• The Phoenix Project

Shifting Security to the Left in Software Development
Incorporate in Agile Software Development Practices
• Scrum.org – Definition of Done: Software delivery teams are working more and more in an Agile manner, most of which are using the Scrum framework to deliver those products. To realistically combat rising cybercrime levels, security should be part of everything we do and a required part of releasing any software.
• SAFe – Our comprehensive approach to security covers governance, risk management, and compliance for infrastructure, applications, and data.
This includes encryption at rest, logical segregation and privacy, SSLv3/TLS encryption, multi-factor authentication, secure data backups and storage, administrative access control, security testing, and session monitoring and logging.

Developers are Stakeholders in Security, not just the Security Team/Pros
• Security team becomes a facilitator to Dev & Ops teams
• Pre-Commit Hooks
• Software Composition Analysis (SCA)
• Static App Security Testing (SAST)
• Dynamic App Security Testing (DAST)
• Security in Infrastructure as Code
• Secrets Management

Microservice Vulnerabilities in DevSecOps
• Vulnerable/outdated 3rd-party libraries
• Licensing issues
• Sensitive data leaked
• Vulnerable Docker base images
• Kubernetes misconfigurations
• Greater attack surface
  • More than just 1 monolith to test
  • Containers
    • Another attack surface
  • Public cloud platform
  • 3rd-party vendor ecosystems

DevSecOps – DevOps with Security in Mind
DevSecOps is a set of software development practices that combines software development (Dev), security (Sec), and information technology operations (Ops) to secure the outcome and shorten the development lifecycle.
Department of Defense (DoD) DevSecOps Mission: The DevSecOps Mission is to develop a Continuous Monitoring (CM) approach for all Department of Defense (DoD) mission partners that monitors and provides compliance enforcement of containerized applications which cover all the DevSecOps pillars (Develop, Build, Test, Release & Deploy, and Runtime) for a secure posture, with the focus being on automation and integration going forward.
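"Kubernetes misconfigurations" and "Security in Infrastructure as Code" meet in a check that runs before a manifest is applied. The following is an added example, not from the deck and not from the NSA/CISA guide itself: a small audit of a Pod or Deployment manifest against pod-level settings that the NSA & CISA Kubernetes Hardening Guide recommends (non-root user, no privileged containers, no privilege escalation, read-only root filesystem, dropped capabilities, no host namespaces, resource limits, pinned image tags). The two manifests are constructed samples written as Python dicts (the same shape as the YAML) so the block needs no YAML library; the check list is this author's reading of the guide, not a complete one.

```python
"""Audit a Kubernetes Pod/Deployment manifest for common misconfigurations.

Added example.  WEAK_POD and HARDENED_DEPLOYMENT are constructed samples;
the findings list mirrors hardening-guide recommendations as selected here
and is not exhaustive.
"""


def _pod_spec(manifest):
    """Return the pod spec for a bare Pod or for a workload with a template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def audit_manifest(manifest):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    pod = _pod_spec(manifest)
    pod_sc = pod.get("securityContext", {})

    if pod.get("hostNetwork"):
        findings.append("pod: hostNetwork shares the node network namespace")
    if pod.get("hostPID"):
        findings.append("pod: hostPID shares the node process namespace")
    if pod.get("automountServiceAccountToken", True):   # Kubernetes default is true
        findings.append("pod: service account token auto-mounted")

    for c in pod.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # A container-level setting overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):     # default is true
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits")
        image = c.get("image", "")
        if ":" not in image or image.endswith(":latest"):
            findings.append(f"{name}: image tag missing or ':latest'")
    return findings


WEAK_POD = {  # constructed sample: defaults left in place, privileged container
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sensor-gateway"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "gateway",
            "image": "registry.example.internal/sensor-gateway:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_DEPLOYMENT = {  # constructed sample: the same workload, hardened
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "sensor-gateway"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "sensor-gateway"}},
        "template": {
            "metadata": {"labels": {"app": "sensor-gateway"}},
            "spec": {
                "automountServiceAccountToken": False,
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                "containers": [{
                    "name": "gateway",
                    "image": "registry.example.internal/sensor-gateway:1.4.2",
                    "securityContext": {
                        "allowPrivilegeEscalation": False,
                        "readOnlyRootFilesystem": True,
                        "capabilities": {"drop": ["ALL"]},
                    },
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                }],
            },
        },
    },
}

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_POD), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, audit_manifest(manifest) or ["no findings"])
```

Run as a pre-commit hook or CI step, a non-empty findings list fails the pipeline, which is the "shift left" the slides describe: the misconfiguration is caught when the YAML is written rather than when the cluster is already running it.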
• The latest culture in developing microservices: DevSecOps
• NIST SP 800-204C
• DoD Cyber Exchange
  • Container Image Creation
  • Cloud Native Access Point Reference Design
  • DevSecOps Enterprise Container Hardening Guide
  • DevSecOps Fundamentals Playbook
  • Docker Enterprise 2.x Linux

Strategies to Mitigate Risk from Cyberattacks
• Smoke Test (DevSecOps)
• Defense-in-Depth Strategy (Enterprise-wide)
• Software Bill of Materials (SBOM)
• Cybersecurity Supply Chain Risk Management (C-SCRM)
• Confidential Computing
• Trusted Platform Modules (TPM) – ISO 11889:2015
• Code Reviews

Open-Source Foundations
Open-source software is community driven.
• The Linux operating system is the most distributed open-source project.
• Free to use with specific common license agreements*
  • Creative Commons (CC)
• Constantly updated libraries
• Usually little/no support
• Technology community members contribute and may provide support for a fee
• Linux Foundation
• Cloud Native Computing Foundation
• Open Source Summit (June 20-24)
• Apache Software Foundation
• IEEE Open Source (free GitLab account)

Non-Governmental Security Groups & Resources
• Institute of Electrical and Electronics Engineers (IEEE)
• ISACA
• Cloud Security Alliance
• SANS Institute
• Telecommunications Forum
• TM Forum

The Largest IoT Vendors
• Google
• Microsoft
• General Electric (GE)
• Red Hat/IBM
• Rockwell Automation
• Siemens
• Schneider Electric

Open Web Application Security Project (OWASP)
• OWASP Top Ten Web Application Security Risks
• OWASP API Security Top 10
• Orlando OWASP Chapter

IIoT Security
• CBS 60 Minutes: How Secure is America's Electric Grid
• https://www.redhat.com/en/topics/edge-computing/iot-edge-computing-need-to-work-together
• https://www.redhat.com/en/topics/internet-of-things/what-is-iiot
• https://www.nccoe.nist.gov/iot
• https://www.rfidjournal.com/framework-to-help-industrial-iot-users-plan-ai-deployments
• Implementing Zero-Trust Security in IT/OT Infrastructure

Additional IoT Notes
• https://cloud.google.com/architecture?category=internetofthings
• https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
• https://www.ge.com/digital/iiot-platform
• https://new.siemens.com/global/en/products/software/simatic-apps.html
• https://configurator.rockwellautomation.com/#/browse

Kubernetes Resources
• Kubernetes Documentation
• Sander Van Vugt
• Cloud Native DevOps with Kubernetes
• Docker Desktop
• Minikube Installation on Windows
• YAML Tools
• Linux Foundation Free Training via EDX.ORG
• Instructions to Run Kubernetes on Minikube from your laptop

Free Resources & Free Training
• Industrial Cybersecurity
• Zero Trust Security (FREE eBooks from Springer via UCF Library Login)
• Manning Publishing Free eBooks
• Securing DevOps with 40% off coupon (YTVEHENT)
• Google Qwiklabs $200 Credits for Students
• The New Stack

Thank You All for Your Attention!
• Email: victor AT tticorp DOT tech
• https://www.true-technology.net