Cybersecurity with an IT-OT Convergence (KPMG Advisory webinar, slide transcript)

Page 1

Document Classification: KPMG Confidential
©2020 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Before we begin

Administrative matters…
— For the optimal webinar experience, please use headphones and close all other applications that could interfere with the webinar.
— Please keep your microphone muted throughout the whole presentation to avoid interrupting the webinar.
— Questions can, however, be asked throughout the presentation using the chat functionality: domain experts are following up on questions that pop up in the chat during the presentation.
— At the end of the presentation a short Q&A is planned to address a selection of your questions to the speakers and/or the experts in the live chat.
— Speakers participating in this webinar comply with the COVID-19 measures, respecting the social distancing rules. The presentation desk is disinfected each time a new speaker takes part.

Posted on 01-Aug-2020

TRANSCRIPT


Page 2

Cybersecurity with an IT-OT Convergence

June 2nd, 2020

Page 3

Content

01 Setting the scene

02 How do I secure OT environments?

03 Industry insights

04 Q&A

Page 4

Quick Operational Technology Overview

Page 5

Operational Technology

OT = the hardware and software that monitors and controls industrial (physical) processes

Page 6

The evolution of OT

Page 7

Evolution of Operational Technology

Stand-Alone

In the past there was no requirement to connect the IT and OT environments; they were therefore completely separated (air gap) and governed independently by IT and by Engineering.

Loosely Connected

Nowadays, efficiency and cost pressures require advanced network connectivity between IT and OT. This creates confusion about governance, risk management and the effectiveness of control implementation between IT and Engineering.

Highly Connected

Tomorrow, the intercommunication of all components, from the supplier to the customer, will be a reality. Therefore, sustainable governance, risk management and effective control implementation between IT and Engineering MUST be established.

[Diagram: Integrated IT/OT, Industry 4.0: Suppliers, Manufacturing, IoT / IIoT, Customers]

Page 8

Why do we need to secure OT?

Page 9

Why is this important?

Discovering vulnerable OT systems is becoming easier and easier thanks to search engines like Shodan: a search engine for any internet-connected service or device, including Internet of Things (IoT) devices, power plants, building cameras, …

The EU Commission is attempting to raise the overall EU cybersecurity level with the Network and Information Systems (NIS) Directive. It defines requirements for incident notification and for risk-based technical and organisational security measures.

However, OT infrastructure is suffering from a paradox.

Timeline of OT incidents shown on the slide:
— Australia, 2001: sewage spill
— Iran, 2009: centrifuge failure (Stuxnet)
— North and Latin America, 2012: Telvent espionage
— Germany, 2014: furnace loss of control (steel mill)
— Ukraine, 2015-2016: power outages
— Saudi Arabia, 2017: (un)Safety System (Triton malware targeting a safety instrumented system)

Page 10

The OT paradox

Page 11

What is the OT paradox?

If we look at the risks of IT and OT, the impact of OT incidents is significantly higher than that of IT incidents.

The OT paradox is that companies invest a lot of money in securing their IT systems, whereas it is actually their OT systems that are key to their survival.

From a business perspective, OT carries the most critical business processes. So the security focus should shift toward OT rather than IT alone.

Simple example:
• IT: mailbox downtime is tolerable.
• OT: production process downtime can be catastrophic (24/7/365 uptime required).

Shifting the focus

Page 12

How do I secure this?

Page 13

5 Pillars of OT Cyber Security

Outlined below are the five pillars of effective safeguarding against cyber threats for OT and IIoT environments, each with the principle shown on the slide:

— Governance & Strategy: Plan-Do-Check-Act
— Risk Management: Accept-Treat-Transfer
— Security Integration: Security = Safety & Reliability
— Security Implementation: People-Process-Technology
— Security Operations: Detect-Respond-Recover

Page 14

Risk Management

Page 15

The Safety Bow-Tie Model & Cyber

[Bow-tie diagram, read left to right]
Threats (likelihood / probability side): use of portable media, contractor, hacktivist, nation state
Preventive BARRIERS
Top event: malware infection
Mitigating BARRIERS
Consequences (consequence side): loss of view, loss of control, loss of function

Page 16

HSE Swiss Cheese Model: Mitigating Barriers

[Diagram: a hazard passes through a series of barriers, each with holes; the outcome depends on whether the holes line up]
Hazard, then barriers: pressure relief system, heat exchangers, MoC (management of change), PPE, training, procedures, fire suppression system
Holes in the barriers: human behaviour, poor design
Outcomes: near miss, incident, CONSEQUENCE

Page 17

Understanding the key differences

                   Classic IT Security                        Classic OT Security
Priorities/Focus   Confidentiality > Integrity > Availability  Availability > Integrity > Confidentiality
Consequences       • Loss of (sensitive) data                  • Loss of human life
                                                               • Loss of functionality of the industrial plant
Impact             • Financial                                 • Environmental
                   • Reputational                              • Safety

Page 18

Control Design & Implementation

Page 19

KPMG ICS Security Framework

Governance
— SCADA/DCS security framework and assessments
— SCADA/DCS security policies, procedures and guidelines
— Risk management
— SCADA/DCS criticality analysis

Process
— Change management
— Patch and software version management
— Physical security and situational awareness
— Security monitoring
— Asset management
— User management
— Third party/vendor (contractor) management
— (Security) incident management
— Cyber defence
— Vulnerability management
— Threat management

People
— Security awareness
— Education on cyber security in SCADA/DCS
— Commitment, integrity and adherence to the client’s SCADA/DCS security standards

Technology
— System hardening and protection
— Anti-virus and malware protection
— System failsafe and resilience
— Logical access controls
— Secure failsafe infrastructure and administration
— Secure remote and third party access

Page 20

OT Specifics

Page 21

The Purdue Model

Zones with the example systems grouped on the slide:
Zone 5: Enterprise (internet zone and DMZ: email, web, FTP)
Zone 4: Site Business Planning & Logistics (reporting, scheduling, inventory, email, phones, printers)
Zone 3: Site Manufacturing Operations & Control (plant historian, IT services, production systems, engineering workstations)
Zone 2: Area Supervisory Control (alarm/alert systems, HMI, control room (CR) workstations)
Zone 1: Basic Control (DCS, PLC, RTU)
Zone 0: Process (pumps, actuators, sensors)
Safety Zone (safety systems)

Page 22

What does this actually look like?

[Reference architecture diagram, by Purdue level; DATA FLOW runs from the process upward]

Levels 0 and 1 (industrial process and basic control): process sensor/instrument, control valve, Process Automation System. In parallel, in the Safety Zone (SZ): safety sensor/instrument, safety valve, Safety Instrumented System. Control and safety parameters are kept separate at source and may be connected in line with IEC 61508 and the equivalent industry standard.

Level 2: operator workstation, engineering workstation, safety engineering workstation, local historian.

Level 3: application server, plant historian. Also at this level: 3rd party networks whose data may be collated in the plant historian, and 3rd party networks whose data is required to be incorporated into the main control system.

DMZ between level 3 and level 4: jump server, WSUS, anti-virus, plant historian (replica). NOTE: the firewall can be two physical devices or one physical device that is logically configured to form the DMZ.

Levels 4 and 5: corporate network, cloud, internet; mobility worker handheld device.

IIoT: IIoT may collect monitoring data directly from the industrial process or receive information from the plant historian. IoT devices collate information from the cloud and the corporate networks for wider analytics. Control and safety parameters are kept separate at source from IIoT devices. If connected into the Operational Technology network as shown, the device will be hardened and have no internet access.
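The reference architecture above boils down to a few enforceable zoning rules: business-to-control traffic terminates in the DMZ, nothing on the control side reaches the internet (the hardened IIoT device included), the DMZ only fronts level 3 services, and safety and control systems stay separate. The Python script below, an added example that is not part of the KPMG deck, checks those rules against firewall log lines. The asset inventory, IP addresses, log format and sample lines are all constructed for the illustration, and the rule set is one reasonable reading of the diagram, not KPMG's.

```python
"""
Purdue-model zoning check over firewall log lines (added example).

Given an inventory mapping IPs to Purdue levels ("0".."5"), "DMZ" or "SZ",
flag observed flows that violate the segmentation the reference
architecture implies. Anything not inventoried is treated as internet.
All addresses, hosts and log lines below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory (assumption for the example): IP -> zone.
ZONE_OF: Dict[str, str] = {
    "10.0.0.10": "0",     # process sensor / instrument
    "10.0.1.10": "1",     # PLC
    "10.0.1.20": "1",     # DCS controller
    "10.0.2.10": "2",     # HMI
    "10.0.2.20": "2",     # operator workstation
    "10.0.3.10": "3",     # plant historian (control side)
    "10.0.3.20": "3",     # IIoT gateway, hardened, no internet access
    "10.0.3.30": "3",     # engineering workstation
    "10.0.9.10": "SZ",    # safety instrumented system
    "10.0.50.10": "DMZ",  # jump server
    "10.0.50.20": "DMZ",  # WSUS / anti-virus update relay
    "10.0.50.30": "DMZ",  # plant historian replica
    "10.1.0.10": "4",     # site business planning server
    "10.2.0.10": "5",     # enterprise workstation
}

CONTROL_SIDE = {"0", "1", "2", "3", "SZ"}
BUSINESS_SIDE = {"4", "5"}
SAFETY_PEERS = {"1", "2", "SZ"}  # zones the safety zone may exchange data with

# Constructed key=value firewall log format, one flow per line.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line into a Flow; None when the line carries no flow fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], m["dst"], int(m["dport"]), m["proto"].lower())


def zone(ip: str) -> str:
    """Inventory lookup; unknown addresses are assumed to be internet."""
    return ZONE_OF.get(ip, "INTERNET")


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation reason, or None when the flow respects the zoning."""
    s, d = zone(flow.src), zone(flow.dst)
    # Rule 1: the control side never exchanges traffic with the internet.
    if (s in CONTROL_SIDE and d == "INTERNET") or (s == "INTERNET" and d in CONTROL_SIDE):
        return "control-side asset exchanging traffic with the internet"
    # Rule 2: business <-> control traffic must terminate in the DMZ.
    if (s in CONTROL_SIDE and d in BUSINESS_SIDE) or (s in BUSINESS_SIDE and d in CONTROL_SIDE):
        return f"direct flow between zone {s} and zone {d} bypasses the DMZ"
    # Rule 3: DMZ services (jump, WSUS, historian replica) only reach level 3.
    if s == "DMZ" and d in {"0", "1", "2", "SZ"}:
        return f"DMZ host initiating a connection into zone {d}"
    # Rule 4: safety stays separate from control; SZ talks to levels 1/2 only.
    if (s == "SZ" and d not in SAFETY_PEERS) or (d == "SZ" and s not in SAFETY_PEERS):
        return "safety zone reached from outside levels 1/2"
    return None


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Run every parsable line through the policy and collect violations in order."""
    findings: List[Tuple[Flow, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample log lines (not captured from any real plant).
SAMPLE_LOG = [
    "src=10.0.3.10 dst=10.0.50.30 dport=5450 proto=tcp action=allow",  # historian -> replica: ok
    "src=10.1.0.10 dst=10.0.50.30 dport=443 proto=tcp action=allow",   # business -> replica: ok
    "src=10.0.50.10 dst=10.0.3.30 dport=3389 proto=tcp action=allow",  # jump -> eng. workstation: ok
    "src=10.0.50.20 dst=10.0.3.10 dport=8530 proto=tcp action=allow",  # WSUS relay -> level 3: ok
    "src=10.2.0.10 dst=10.0.1.10 dport=502 proto=tcp action=allow",    # enterprise -> PLC: violation
    "src=10.0.3.20 dst=203.0.113.7 dport=443 proto=tcp action=allow",  # IIoT -> internet: violation
    "src=10.0.3.10 dst=10.0.9.10 dport=502 proto=tcp action=allow",    # historian -> SIS: violation
    "src=10.0.2.10 dst=10.0.1.10 dport=502 proto=tcp action=allow",    # HMI -> PLC: ok
    "src=10.0.50.10 dst=10.0.1.20 dport=102 proto=tcp action=allow",   # jump -> DCS: violation
    "malformed line with no flow fields",                              # skipped
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run as a script it prints the four offending flows. In practice the inventory would come from the asset-management process listed under the framework's Process pillar, and the same check is worth running over NetFlow or span-port data as well, since a firewall log only shows what already crosses a firewall and says nothing about a flat network behind it.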

Page 23

Industry insights

Page 24

Five Cyber Security Myths of OT

1 The risks OT systems face are exactly the same as for IT systems.
2 A single or common cyber security strategy is impossible to develop and implement for OT and IT.
3 A single team reporting to one Executive should be responsible for OT, IT and IIoT cyber security.
4 OT cyber security programmes are ‘just another’ IT cyber security programme.
5 OT vendors and suppliers will ensure cyber security needs are met every time.

Page 25

IT/OT Convergence – Top 10 Challenges

1 Not having a cyber security strategy
2 Lack of ownership / governance to manage cyber risks
3 Lack of Secure-By-Design in products and ecosystems
4 Not having cyber security skills and general cyber awareness for employees and ecosystems
5 Insufficient OT cyber security and privacy resources
6 Lack of security event identification and monitoring
7 Insufficient operational cyber hygiene practices
8 Insufficient asset inventory and systems life cycle management
9 Lack of vulnerability identification and management
10 Lack of effective incident response processes

Page 26

Q&A

Page 27

Thank you

Page 28

One more thing

1 Ways of Working: Does remote work become the new normal, and in-office work / business travel the exception? (work / life balance)
2 Labor Force: Will displaced jobs come back or will automation accelerate? What about labour shortage? New bottleneck professions?
3 Change in customer behaviour: Is this the tipping point for the dominance of the digital economy over the physical economy? Will consumer behaviour change permanently?
4 Supply Chain and Manufacturing: Will existing supply chains return to normal or be reconfigured? Localisation?
5 Continuity and Resilience: How will BCP be bolstered to ensure resilience in future crises? How to increase the responsiveness of an organization / be more agile for future shocks?
6 Purpose, ESG: Will purpose-driven companies take the lead? Will ESG be core to how businesses recover? Can this be done while sustaining desired economic outcomes?
7 Debt burden of states and companies: Will the large debts weaken the recovery out of the crisis? Could it trigger a financial crisis? Will it increase inequality between competitors and trigger distressed M&A?
8 Globalization: Will countries increasingly look inwards for prosperity? Will regional and national borders be strengthened?