Presenter: Jeff Schutt - Cybersecurity Solutions Architect (Jeff works in Adv Services in the IoT team)

Full Title: An IoT Security Model & Architecture for Securing Cyber-Physical and IT-OT Converged Assets

Mix of IT/OT folks in the room.

How do we do physical security?

  • Protect the perimeter
  • Detect breaches
  • Situational awareness (<< THIS!)
  • Forensics

How do we do cybersecurity?

  • Same principles!
  • Just different tools

IT landscape

  • Systems approach
  • Requirements dominated by business data focus
  • Time horizon: driven by Moore's law and high tech product cycles
  • Scale: 1000s
  • Security: built into protocols (IPsec, TLS)

OT landscape

  • Requirements dominated by needs of physical systems
  • Time horizon driven by capital equipment life; complete lifecycle determined and managed by engineers
  • Scale: few; 10s - 100s
  • Security: No access to outside systems; insecure protocols

With IT and OT convergence, there's no way people are going to lose their jobs. We all have too much to do for anyone to be redundant. Additionally, there is a well-known shortage of skilled workers in this area.

Security awareness and training: a combination of people, process, and technology.

"Airgap security" does not address "people, process and technology". Airgap is NOT security (on its own). Airgap is not a pervasive security architecture.

"On average, we see 11 direct connections between [enterprise and OT] networks" - Subcommittee on National Security, May 25 2011 hearing

How do we secure the IoT?

  1. Risk management (assessment)
  2. Reference architecture
  3. Controls design & implementation
  4. Security operations
  5. Continuous security lifecycle (go back to #1)

34% of audience members worked at places that either didn't or weren't sure if they perform cybersecurity risk assessments today. (Changed to 17% after he explained his take on risk assessments)

What is cybersecurity risk?

Risk(event) = Likelihood(threat x vulnerability) x Impact(asset value)

This definition maps the business needs to the technical requirements.

23% of audience implement cybersecurity controls by "trial and error". 47% follow IT trends. (numbers didn't add to 100%. bleh.)

#1 security challenge that your organization is facing? Audience said "cost".

IT:

  1. Confidentiality
  2. Integrity
  3. Availability

OT:

  1. Availability
  2. Integrity
  3. Confidentiality
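As an added illustration (not from the talk), the risk formula above combined with the IT vs OT priority orderings: the same threat/vulnerability pair against two equally valued assets scores very differently once impact is weighted by which property (C, I or A) the event degrades. The numeric weights and sample assets/events are assumptions for illustration; the talk only gives the ordering.

```python
# Added example, not part of the talk: Risk = Likelihood(threat x vulnerability)
# x Impact(asset value), with impact weighted by the IT (C > I > A) or
# OT (A > I > C) priority order. Weights below are an assumed encoding of
# those orderings, not values given by the presenter.
from dataclasses import dataclass

PRIORITY_WEIGHTS = {
    "IT": {"confidentiality": 3, "integrity": 2, "availability": 1},
    "OT": {"availability": 3, "integrity": 2, "confidentiality": 1},
}


@dataclass
class Asset:
    name: str
    domain: str    # "IT" or "OT"
    value: float   # asset value on an assumed 0-10 scale


@dataclass
class Event:
    name: str
    threat: float         # probability a threat actor attempts it, 0-1
    vulnerability: float  # probability the attempt succeeds, 0-1
    degrades: str         # "confidentiality" | "integrity" | "availability"


def likelihood(event: Event) -> float:
    return event.threat * event.vulnerability


def impact(asset: Asset, event: Event) -> float:
    # Impact grows with asset value and with how highly the domain ranks
    # the property the event degrades.
    return asset.value * PRIORITY_WEIGHTS[asset.domain][event.degrades]


def risk(asset: Asset, event: Event) -> float:
    return likelihood(event) * impact(asset, event)


def rank(assets, events):
    """Highest-risk (asset, event) pairs first, for prioritising controls."""
    scored = [(risk(a, e), a.name, e.name) for a in assets for e in events]
    return sorted(scored, reverse=True)


# Constructed sample input: one IT asset and one OT asset of equal value.
ASSETS = [Asset("hr-database", "IT", 8.0), Asset("plc-line-3", "OT", 8.0)]
EVENTS = [
    Event("data-exfiltration", 0.5, 0.5, "confidentiality"),
    Event("denial-of-service", 0.5, 0.5, "availability"),
]
```

With these inputs, exfiltration tops the list for the IT asset and denial of service for the OT asset, even though likelihood and asset value are identical.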

Great reference slide of IT vs OT "careabouts" (hate that word)

Before, during and after: address the lifecycle of attacks.

Security must be built into systems from the beginning and not as an after-the-fact process.

"What applies to enterprise networks [for security] also applies to OT networks... but with stricter requirements."