The convergence of everything digital

Transcription

1 pwc.com/cybersecurity August 2014 Highlights Convergence of information (IT), operational (OT), and consumer (CT) technologies will generate sweeping business opportunities, as well as multidimensional security risks. Operational technologies, such as systems that control manufacturing processes, will continue to become exposed to other technology domains, potentially increasing risks of disruption and the integrity of products or services. Consumer technologies (end-user products and services such as home automation and sensorenabled automobiles) will become increasingly connected. This will introduce new privacy and safety concerns. Convergence of these technology domains has created multifaceted security challenges as the complexity increases and vulnerabilities proliferate. Businesses must develop a holistic, cross-functional approach to security that identifies and manages risks across all technology domains. The convergence of everything digital How the fusion of information, operational, and consumer technologies will transform the security landscape for business and society.

2 Imagine a world in which everything and everyone are digitally connected. For businesses, governments, and consumers, this so-called Internet of Things will offer numerous opportunities and efficiencies. It will improve operations, redefine consumer relationships, and enable innovation for businesses. Among individuals, this digital convergence will bring unprecedented lifestyle conveniences, improve healthcare, and offer new control over homes and automobiles. At the same time, the Internet of Things also will introduce new risks to information security, privacy, and personal safety. Digital convergence has its roots in decades-long technology advances that have fused connections between businesses, operations, data, and people. Consider, for instance, the daily commute in your hyperconnected city. As you drive to work, you know that hackers can wirelessly access and control sensor-based automobiles brakes and steering mechanisms. Unseen threat actors also can compromise electronic road signs to display messages that are meant to be harmlessly amusing but can jeopardize public safety. Organized intruders can take control of the industrial control systems of natural gas providers to boost the pressure of gas mains and cause an explosion in the next block ahead. These risks are not theoretical, nor are they futuristic. Cybercriminals have proved they can infiltrate and control a very wide range of connected devices. Doing so is relatively simple, in part, because many of the myriad connected devices that comprise the Internet of Things lack fundamental security safeguards. Consequently, the convergence of everything digital information technology (IT), operational technology (OT), and consumer technology (CT) presents an immense challenge. It is an issue that will only grow more complex as technology domains continue to converge. Evolving business ecosystems will become an expanded universe of intelligent devices that are interconnected, indirectly or directly, via the Internet. Today, these connected objects include building automation, manufacturing plants, automobiles, aircraft, oil and gas production assets, personal medical devices, and automated homes. Tomorrow, they will likely encompass entire cities. This sweeping metamorphosis is well under way. An estimated 10 billion devices are now connected directly or indirectly to the Internet and the research firm IDC forecasts an installed base of 212 billion connected devices will be on line by the end of As Internet Protocol version 6 is phased in, the potential number of online devices will become virtually limitless. Digital convergence has its roots in decadeslong technology advances that have fused connections between businesses, operations, data, and people. (Figure 1) In recent years, the unstoppable proliferation of wireless networks, smart phones and tablets, mobile apps, and cloud computing has profoundly enhanced employee productivity, e-commerce capabilities, and consumer lifestyles. At the same time, increasingly inexpensive and miniaturized embedded microprocessors, sensors, and robotics have been deployed across industries to link production and manufacturing assets with industrial control systems, enabling businesses to efficiently manage plants, remote assets, and physical processes. This convergence will create a wealth of business opportunities and ultimately transform relationships with consumers. And it will do so in a very big way: IDC forecasts that the technology and services spending related to digital convergence will generate global revenues of $8.9 trillion by 2020, growing at a compound annual growth rate of 7.9% IDC, Internet of Things (IoT) 2013 to 2020 Forecast: Billions of Things, Trillions of Dollars, Doc #243661, October IDC, Internet of Things (IoT) 2013 to 2020 Forecast: Billions of Things, Trillions of Dollars, Doc #243661, October 2013 The convergence of everything digital 1

3 The downside? Pervasive integration and connectivity will introduce a wide array of security risks for businesses and consumers. The cyber-attack surface the points on which adversaries attempt to access data, applications, and systems will continue to expand exponentially, moving beyond the traditional information security scope to encompass disparate asset types associated with operational and end-user products and services. Consider, for instance, the technology assets that connect to today s automobile. Automobiles contain dozens of computers that are often linked to each other and the Internet via wireless networks. Hackers have proved they can infiltrate these embedded computers to take control of the brakes, the steering wheel, and even the engine. What s more, some connected automobiles automatically link to the manufacturer s IT and OT systems to perform firmware updates, maintenance monitoring, and real-time communications. Behind the scenes, automakers are continuing to integrate and automate their operational plant-manufacturing systems with their IT environment and back-office business systems. This pervasive interconnectivity has created an environment in which individual automobiles, IT systems, and operational machinery are increasingly vulnerable to cyber threats. The example outlined above is just one of the many risks associated with digital convergence. One thing is certain: Yesterday s security practices cannot effectively address even today s threats, much less the elevated risks of technology convergence. An integrated strategic approach is needed to balance the security objectives related to information, operational and consumer technologies. Defining the basic technology domains Information Information Information Operational Operational Operational Consumer Consumer Consumer Information technology traditionally comprises resources and connectivity for processing and managing data to support business functions and transactions. Its goal is to ensure the confidentiality, integrity, and availability of data and systems. IT includes solutions such as enterprise resource planning, HR management, customer service, transaction processing, financial reporting, and corporate collaboration. Operational technology is typically defined as systems and related automation assets that monitor and control physical equipment and events, or that support the creation and delivery of products and services. Physical control of an object, such as shutting off a valve in a manufacturing plant, is key to OT. Historically, operational systems have been managed and maintained separately from IT. That s continuing to change as businesses begin to mesh OT and IT and connect the two via internal networks or the Internet. OT includes systems such as environmental control, plant-management, integrated facility management, electricity smart grids, air traffic control, and automated logistics operations. Consumer technology encompasses the products and services that companies provide to end users or customers. It includes smartphones, tablets, health- and fitness-monitoring devices, location-aware services, and gaming networks, to name just a few. Ubiquitous connectivity and advanced mobility, combined with the boom in cloud-based services, has further fueled the surge of consumer products. Technologies such as near field communication (NFC), radiofrequency identification (RFID), and Bluetooth Low Energy are enabling a new wave of products like digital wallets and personal health monitors. The convergence of everything digital 2

4 Figure 1: A concise history of digital convergence 1980 s IT, OT and CT operate in different environments and on different platforms OT and CT are based on proprietary platforms Data is not shared between technologies OT and CT face little to no cyber risk since they are not connected to a network 1990 s OT is networked to allow centralized operation CT remains in a separate environment OT becomes vulnerable due to the connection, but is partially protected by the obscurity of proprietary solutions 2000 s OT connects to IT using standardized IT channels to reduce costs and increase compatibility Boundaries between IT and OT start to blur CT connects to IT through purpose built channels OT is no longer protected by obscurity and CT is now vulnerable. Traditional IT security does not cover either 2010 s The technology underlying IT has become ubiquitous across OT and CT The combination of these three represents the integrated technology ecosystem IT, OT and CT are all vulnerable to cyber threats. Businesses must adapt their security model to include the full scope of technologies Information Operational Consumer Internet Proprietary Connection IT Protocol Based Connection Prepare for new threats and broader security impacts The convergence of information, operational, and consumer technology ecosystems will transform the very nature of security risks. It will also open new opportunities for cyber attack that can have serious consequences to business operations, public health and safety, and consumer confidence. For many organizations, these risks will be amplified by security practices that are not integrated across technology domains and business strategies that encourage deployment of new technologies before security implications are fully understood. Separate and not equal processes Despite the increasing interconnection of information, operational, and consumer technologies, most organizations maintain separate security practices for each domain. While security processes for IT systems are typically established and often mature, the same practices are not uniformly applied to operational and consumer technologies. This inevitably results in gaps in fundamental security processes like user access, patch management, and third-party risk assessment. The convergence of everything digital 3

5 Most businesses have not yet implemented policies and procedures to address shared threats that result from interconnected technologies. Even in the comparatively mature IT domain, most companies make no attempt to assess the security capabilities of third-party partners. PwC s US 2014 State of Cybercrime found that only 44% of organizations have a process to evaluate the security of third parties before they launch business operations, and just 31% include security provisions in contract negotiations with external partners. 3 As more devices produced by more manufacturers flood the connected ecosystem, it is critical that organizations carefully assess the security capabilities of business partners to ensure that they comply with standards. Doing so, however, may stretch the capabilities of many IT and security departments. Already, security personnel are so overwhelmed with frequent, but relatively minor, vulnerabilities that they fail to address emerging risks that may be truly impactful. Patch management provides another example of separate and unequal processes. Most businesses have policies and processes for ensuring that the operating systems and firmware for IT assets are up to date, but few apply the same rigor to patching OT and CT technologies. Updating software on operational systems, in particular, can present considerable challenges because in many industries OT assets are outdated and may run discontinued operating systems that cannot be patched. These unpatched systems create significant vulnerabilities that may put businesses at serious risk as cyber incidents targeting OT systems continue to proliferate. Figure 2: New security liabilities: Operational and consumer technologies across key industries Sector Operational technology examples Consumer technology examples Automotive Automated manufacturing & logistics In-vehicle communications & navigation systems, remote diagnostics & maintenance, Highway of the Future Consumer products Automated manufacturing & logistics Home automation & security, smart appliances, wearable devices, smartphones & tablets Energy & utilities Generation & transmission, smart grid, intelligent asset management, automated meter reading Smart meter apps, smart thermostats, digital communications with utilities Entertainment, media, & communications Cable distribution networks, broadcasting equipment Set-top boxes, on-demand services, video streaming Financial services ATMs, branch equipment, transaction & payment processing Online banking, alternative currencies, digital wallets Healthcare provider/ payer Electronic medical records, automated pharmacy dispensing systems, RFID real-time location Wearable fitness devices, remote-patient monitoring, e-doctor services, patient portals & apps Retail & consumer Point-of-sale systems, RFID inventory management, location-based advertising Shopping apps, in-store Wi-Fi, digital wallets, e-commerce Data centers, cloud services, communications protocols, product life cycle management Embedded technology & connectivity, consumer cloud services, social networking 3. CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, 2014 US State of Cybercrime Survey, June 2014 The convergence of everything digital 4

6 Of increasing concern are the industrial control systems of public infrastructure providers. The Department of Homeland Security (DHS) recently announced that a hacker group had successfully infiltrated a US public utility via the Internet and compromised its control system network. 4 While no damage was done, the incident underscores the fact that threats to critical infrastructure providers are very real. They also are on the rise: In 2013, the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 256 cyber-incident reports, an increase of 86% over And not all threats are within the organization s domain. A recently released worm called Linux.Darlloz, for example, was designed to compromise everyday consumer products like webcams, wireless routers, and set-top cable television tuners. 6 This type of threat is particularly pernicious because it can serve as a beachhead to connected IT and OT systems, introducing new categories of risk with potentially serious implications for security, business reputation, and public safety. How business strategies can elevate threats New vulnerabilities also can arise from business strategies that leverage technology advancements to drive innovation and competitive advantage. Consider, for instance, the introduction of consumer products and services in the healthcare industry. A new wave of implantable devices such as pacemakers and glucose monitors are being deployed to monitor and wirelessly report patient health status to doctors and hospitals. Hackers have demonstrated that they can infiltrate these connected consumer devices, a capability that could result in not only serious health and safety risks but also data-privacy concerns and legal exposure. These types of technologies have been deployed before their risks are fully understood, and few healthcare providers are prepared to manage these risks. We have also seen that a business strategy for growth via mergers, acquisitions, and joint ventures can add complexity and challenges to the integration of security practices for converged technologies. That s because businesses cannot fully assess the implications of converged technologies in the initial phases of these agreements, nor can they immediately understand how to limit access to connected technologies by personnel of the companies with which they are negotiating a deal. Rising risks, raising regulations In addition to new vulnerabilities, digital convergence will inevitably lead to new regulatory scrutiny and responsibilities. The US Food and Drug Administration (FDA) has already called for more effective cybersecurity to govern connected medical devices and the electronic exchange of health information. 7 Similarly, the National Highway Traffic Safety Administration has issued a preliminary policy on self-driving automobiles. 8 More broadly, the US National Institute of Standards and (NIST) has developed a Cybersecurity Framework that aims to reduce cyber risks related to critical infrastructure. 9 The framework provides risk-based cybersecurity guidelines that, while voluntary, will in effect set a standard for cybersecurity that may be used in legal and regulatory investigations. As a result, security organizations may need to adapt to new regulatory, compliance, and safety requirements. For many, operational and consumer technologies will be a particular challenge because organizations may not have a holistic view of threats and an integrated approach to manage risks. 4. Department of Homeland Security, ICS-CERT Monitor, January April 2014, May Department of Homeland Security, ICS-CERT Year in Review 2013, February Symantec Corp., Linux Worm Targeting Hidden Devices, Nov. 27, Food and Drug Administration, Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication, June 2013; Food and Drug Administration, FDASIA Health IT Report, April National Highway Traffic Safety Administration, U.S. Department of Transportation Releases Policy on Automated Vehicle Development, May 30, National Institute of Standards and, Framework for Improving Critical Infrastructure Cybersecurity, February 2014 The convergence of everything digital 5

7 Assess the potential impact and take action now Organizations that want to get ahead of the convergence curve should take action now The convergence of technologies is already well under way, and connected devices will continue to proliferate and evolve in ways that are impossible to predict. So, too, will security risks. Organizations that want to get ahead of the convergence curve should take action now to formulate a strategic approach to integrated security, one that balances the security objectives unique to information, operational, and consumer technologies. This holistic approach should be coordinated and integrated among the organization s various business areas and functions. Today, the IT department may be in the best position to facilitate collaboration among stakeholders. In the future, it may become necessary to create a new leadership role with responsibility for driving cross-functional processes, information resources, and relationships across the enterprise. Managing the security challenges of convergence will require keen leadership skills and an unflagging commitment to collaboration as a means to share security intelligence and improve threat awareness. Our research shows that 50% of companies currently collaborate with others to improve security. 10 That s a good start, but the convergence of digital ecosystems will require pervasive knowledge sharing, both internally and externally. In developing an integrated security initiative, businesses should consider the following steps: 1. Identify potential stakeholders: First, identify across all functions the stakeholders who should be involved in the security initiative. Continue by establishing a steering committee that, at a minimum, includes representation from IT and information security, as well as key members of business operations and the design and engineering teams. It will be essential to have a deep commitment to knowledge sharing and collaboration, both internally and externally. 2. Evaluate the scope of the challenge: Perform a disciplined, enterprise-wide assessment of the scope of assets that are potentially at risk. Take care to consider assets from all domains, and map interdependencies and determine the criticality of assets from the perspective of each stakeholder. 3. Perform a risk assessment: Evaluate enterprise-wide risks to assets and identify controls to mitigate these risks or otherwise remediate any impacts. Next, determine the gaps and integration points between existing security program practices, and draft an integrated plan to implement necessary controls and security mechanisms across all domains. 4. Determine business impacts: Explore how technology convergence will affect your organization, and then establish an initial set of goals for securing information and operations for future convergence. 5. Develop a plan to integrate security: Craft a roadmap to holistically integrate security activities and initiatives across all domains and functions, with an emphasis on improving weaknesses in existing control and security practices. It will be absolutely critical to ensure that forensics and incidentresponse capabilities are in place to quickly address security incidents that may span multiple technologies and platforms. 6. Continuously monitor and address the risks of change: Design an internal centralized process for monitoring the future integration of the organization s technology or operations, and holistically update security practices across all domains to manage risks that may result from these changes. Taken together, these six steps will very likely represent a considerable challenge for many businesses. The advantage will go to those that take action now to build a holistic security model for the convergence of information, operational, and consumer technologies. 10. PwC, CSO magazine, CIO magazine, The Global State of Information Security Survey 2014, September 2013 The convergence of everything digital 6

8 Contacts To have a deeper discussion, please contact: David Burg Principal, US and Global Cybersecurity Leader david.b.burg@us.pwc.com Michael Compton Principal, Cybersecurity Strategy and Operations michael.d.compton@us.pwc.com Peter Harries Principal, Health Industries peter.harries@us.pwc.com John Hunt Principal, Public Sector john.d.hunt@us.pwc.com Gary Loveland Principal, Consumer and Industrial Products and Services gary.loveland@us.pwc.com Joe Nocera Principal, Financial Services joseph.nocera@us.pwc.com Shawn Panson Partner, Risk Assurance shawn.panson@us.pwc.com Contributing author: Kevin Mickelberg Director kevin.j.mickelberg@us.pwc.com Mark Lobel Principal,, Information, Communications and Entertainment mark.a.lobel@us.pwc.com 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. LA