Cyber Security for Advanced Manufacturing Next Steps



Similar documents
How To Protect Your Data From Being Hacked

Implementing Program Protection and Cybersecurity

CYBERSECURITY FOR ADVANCED MANUFACTURING

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

CYBERSECURITY RISK MANAGEMENT

Supplier Vigilance: A Critical Layer of Defense

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

U. S. Attorney Office Northern District of Texas March 2013

System Security Engineering and Program Protection Integration into SE

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

How To Write A Cybersecurity Framework

System Security Engineering and Comprehensive Program Protection

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Business Continuity for Cyber Threat

Implementation of the Cybersecurity Executive Order

Cybersecurity Risks, Regulation, Remorse, and Ruin

Why Cybersecurity Matters in Government Contracting. Robert Nichols, Covington & Burling LLP

Cybersecurity: What CFO s Need to Know

Cybersecurity..Is your PE Firm Ready? October 30, 2014

NICE and Framework Overview

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

ENSURING SECURITY IN AND FACILITATING INTERNATIONAL TRADE. Measures toward enhancing maritime cybersecurity. Submitted by Canada SUMMARY

Changing Legal Landscape in Cybersecurity: Implications for Business

DoD Software Assurance (SwA) Overview

Cyber Security Metrics Dashboards & Analytics

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

DoD CIO UNCLASSIFIED. DIB CS Program Value-Added

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Cybersecurity Awareness. Part 1

Recent Data Security Developments for Government Contractors

Why you should adopt the NIST Cybersecurity Framework

Small Business Cybersecurity Dos and Don ts. Helping Businesses Grow and Succeed For Over 30 Years. September 25, 2015 Dover Downs

DoD Software Assurance Initiative. Mitchell Komaroff, OASD (NII)/DCIO

DOD Takes Data-Centric Approach To Contractor Cybersecurity

AT&T Cybersecurity Policy Overview

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Managing Cyber Risks to Transportation Systems. Mike Slawski Cyber Security Awareness & Outreach

Compliance Risk Management IT Governance Assurance

Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA Utilities Telecom Council 1

National Initiative for Cyber Security Education

Energy Industry Cybersecurity Report. July 2015

DFARS UCTI

Security Intelligence

CYBER SECURITY GUIDANCE

Presidential Summit Reveals Cybersecurity Concerns, Trends

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology

Department of Homeland Security

Cybersecurity Framework: Current Status and Next Steps

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

Cybersecurity: Learn Critical Strategies to Protecting Your Enterprise November 6, :00PM EST

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

GEARS Cyber-Security Services

Ty Miller. Director, Threat Intelligence Pty Ltd

Combating Cyber Risk in the Supply Chain

Emerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP

Cybersecurity Primer

How to use the National Cybersecurity Workforce Framework. Your Implementation Guide

Delaware Cyber Security Workshop September 29, William R. Denny, Esquire Potter Anderson & Corroon LLP

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

Working with the FBI

ARC Forum Orlando 2015 Building a Secure Industrial Internet of Things

Presentation of April 22, 2015

BlacKnight. Cyber Security international A BUSINESS / MARKETING PRESENTATION

OCIE CYBERSECURITY INITIATIVE

Framework for Improving Critical Infrastructure Cybersecurity

Cyber Security Controls Assessment : A Critical Discipline of Systems Engineering

Cyber Security Risk Management: A New and Holistic Approach

System Security Engineering

National Institute of Standards and Technology Smart Grid Cybersecurity

CYBER SECURITY INFORMATION SHARING & COLLABORATION

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

THE WHITE HOUSE Office of the Press Secretary

How To Write A National Cybersecurity Act

DHS, National Cyber Security Division Overview

September 28, MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President

ICBA Summary of FFIEC Cybersecurity Assessment Tool

Modeling and Simulation (M&S) for Homeland Security

What are you trying to secure against Cyber Attack?

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

THE WORLD IS MOVING FAST, SECURITY FASTER.

Data Driven Assessment of Cyber Risk:

Critical Infrastructure in a CyberPhysicalHuman World

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

United States Coast Guard Cyber Command. Achieving Cyber Security Together. Homeland Security

BigData Analytics per la sicurezza delle Infrastrutture Critiche

Framework for Improving Critical Infrastructure Cybersecurity

Ideas for Cybersecurity Leadership by the Commonwealth

Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS)

CYBERSECURITY FOR GOVERNMENT CONTRACTORS

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South

National Health Information Sharing & Analysis Center. The National Health ISAC (NH-ISAC) NH-ISAC

CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS

CYBER SECURITY: PERILS AND OPPORTUNITIES

William Hery Research Professor, Computer Science and Engineering NYU-Poly

Security Analytics for Smart Grid

Transcription:

Status Update Cyber Security for Advanced Manufacturing Next Steps NDIA Manufacturing Division February 19, 2015 Michael McGrath Consultant, Analytic Services Inc. michael.mcgrath@anser.org

NDIA White Paper May 2014 Joint Working Group Study Manufacturing Concerns: Theft of technical info -- can compromise national defense and economic security Alteration of technical data -- can alter the part or the process, with physical consequences to mission and safety Disruption or denial of process control -- can shut down production IT solutions do not fit Manufacturing Operations needs! www.ndia.org/divisions/divisions/manufacturing 2

Recommendations for USD(AT&L) 1. Designate a focal point to work with industry on risk-based, voluntary standards and practices for factory floor cybersecurity. Evaluate NIST framework as starting point. 2. Conduct forums with industry to help understand and implement DFARS clause, including factory floor implications. NDIA host factory floor discussion within AIA/Multi-association forum 3. Update DoD guidance on the Program Protection Plan (PPP) to address protection of manufacturing systems 4. Use red teams to expose vulnerabilities, sponsor R&D to fill gaps 5. Assist SME suppliers with training and investments. Explore: NIST Manufacturing Extension Partnership to deliver training Defense Prod Act Title III and Manufacturing Technology possibilities Training for DoD contracting officers 3

Dialogue Initiated with DoD NDIA Letter to USD(AT&L), May 2014 Industry preference for voluntary framework 5 recommendations USD(AT&L) Reply, July 2014 Voluntary compliance insufficient Let s get together 4

Current Status 19 Dec 2014 Meeting with Kristen Baldwin, ODUSD(SE): (Gen Bates and Mike McGrath from NDIA) 1. Designate a focal point to work with industry 2. Conduct forums with industry to help understand and implement DFARS clause, including factory floor implications. 3. Update DoD guidance on the Program Protection Plan (PPP). 4. Use red teams to expose vulnerabilities, sponsor R&D to fill gaps Melinda Reed will be OSD interface coordinator NDIA will form new Joint Working Group to work with DoD on recommendations 2-5 Manufacturing, Cyber, SE and Logistics Divisions 5. Assist SME suppliers with training and investments 5

What We Need Today Volunteers for the new JWG! Need members and potential co-chair. michael.mcgrath@anser.org 6

Backup DMC 2014 Summary of the White Paper 7

Cyber Division & Manufacturing Division Joint Working Group Cyber Security for the Advanced Manufacturing Enterprise Defense Manufacturing Conference December 1, 2014 Michael McGrath Consultant, Analytic Services Inc. michael.mcgrath@anser.org

Manufacturing is a Cyber-physical Business Industry Week Common Visions Smart Manufacturing, Industrial Internet, Industry 4.0, The Internet of Things! Advanced Manufacturing is: Driven by a Digital Thread of product and process information valuable intellectual property (IP) Networked at every level to gain efficiency, speed and quality Targeted by global cyber threats 9

The Threat is Global and Growing Manufacturing is an inviting target Cyber Security German jitters over cyber attacks www.dw.de, 8 Mar 2013 Manufacturing: a 1 in 3 chance of being targeted by at least one Spear Phishing attack in 2013 Symantec Internet Security Report 2014 Cost to Global Economy > $400 B IBM Security Services Cyber Security Intelligence Index 2014 10

Part of the Internet of Things (IoT) Smart Processes, Smart Products Source: Alain Louchez, Georgia Tech Center for Development and Application of IoT Technologies www.cdait.gatech.edu 11

NDIA White Paper Protecting the Digital Thread Manufacturing Concerns: Theft of technical info -- can compromise national defense and economic security Alteration of technical data -- can alter the part or the process, with physical consequences to mission and safety Disruption or denial of process control -- can shut down production A risk management problem. Need resilience! www.ndia.org/divisions/divisions/manufacturing 12

Scope: Protecting the Digital Thread Technical Data in the Advanced Manufacturing Enterprise Targeted by nation states, terrorists, criminals and hacktivists.... Digital Interchange and Online Access Customer Data Systems Enterprise IT System Product & Process Data Suppliers Prime Product Support System Engineering Data System Manufacturing Operations Systems Increasing Vulnerability? IT Cyber Security Solutions May Not Fit Manufacturing Operations Needs 13

What We Heard from Interviews Gov t, Industry, Academia CIOs/CISOs in the defense primes are implementing strong cyber risk management and sharing info through the DIB CS/IA and DSIE programs Concerned about suppliers and willing to work with them Have not yet seen threat to factory systems, but acknowledge the possibility Need cost/risk tradeoffs to arrive at an affordable solution Industrial Control Systems (ICS) are soft targets. Culture differs from IT. Standards and guides* for ICS provide good risk management approaches. Implementation is spotty. DoD has mandated protection of critical information Primes address in the program protection plan, but ICS security is not emphasized in DoD guidance Defense R&D for cybersecurity is not currently focused on factory floor *E.g. ANSI/ISA99 standards and NIST SP 800-82 14

2014 Developments (1 of 2) Federal Register 18 Nov 2013 -- DFAR 252.204 7012 Safeguarding of unclassified controlled technical information. Specifies 54 minimum security controls linked to NIST SP 800-53 Reporting of cyber incidents to DoD within 72 hours Reviews and data retention to support DoD Damage Assessments Mandatory flow-down to subcontracts NIST Cybersecurity Framework for Critical Infrastructure Protection (Feb 2014) Common vocabulary, core standards and practices Risk-based. Voluntary adoption. Sector-specific implementation, including training and incentives. 15

2014 Developments (2 of 2) NIST ICS Security Guide, 800-82 R2 (for comment May-July 2014) Updates threats and vulnerabilities, risk management, recommended practices, security architectures, and security capabilities and tools for Industrial Control Systems. NSTAC Report to the President on Internet of Things (Draft Nov 2014) NDIA White Paper to USD(AT&L) (May 2014, discussions ongoing) Industry preference for voluntary framework 5 recommendations 16

NDIA White Paper Recommendations for USD(AT&L) 1. Designate a focal point to work with industry on risk-based, voluntary standards and practices for factory floor cybersecurity. Evaluate NIST framework as starting point. 2. Conduct forums with industry to help understand and implement DFARS clause, including factory floor implications. 3. Update DoD guidance on the Program Protection Plan (PPP). Let industry make appropriate risk/cost tradeoffs. 4. Use red teams to expose vulnerabilities, sponsor R&D to fill gaps 5. Assist SME suppliers with training and investments NIST Manufacturing Extension Partnership to deliver training Defense Prod Act Title III and Manufacturing Technology investments Training for DoD contracting officers 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information