Cybersecurity and mobility in the Energy Industry
Advanced Energy 2013, 1 May 2013
Christian Glover Wilson, Vice President, Technology & Strategy
Tigerspike
Abstract
Enterprise mobility has progressed from email on a BlackBerry to a vast proliferation of personal media devices in the hands of employees, engineers and end consumers. Mobility is key to how remote teams now collaborate and access files and data, and the advent of cloud computing is accelerating that further. The distributed nature of energy production and distribution makes this even more pronounced for the energy industry. This new ecosystem has led to a variety of new cybersecurity threats that need to be understood and prevented. The widespread adoption of smart devices and the rise of the Internet of Things need to be secured with a combination of best practice and technology – protecting but not limiting the continuous push towards anywhere, any-device productivity.
Contents
• Rise of Mobility
• Understanding the Threats
• Addressing the Problem
Rise of Mobility
Proliferation of Personal Technology Devices
• As of late 2010, smartphone sales started surpassing those of traditional computers.
• “By 2015 shipments of tablets will outstrip those of conventional PCs such as desktops and notebooks” - Gartner
Source: Gartner, April 2013
Proliferation of Personal Technology Devices
• Tablets will overtake desktop and notebook shipments combined, while 'ultra-mobiles' will grow
• Shift in device preference is coming from a shift in user behavior
• Leads to a bigger embrace of the cloud for sharing and for access to content
Source: Gartner, April 2013
Enterprise Mobility
• Rapidly growing adoption of BYOD
• Easy to push real-time alerts and crucial messages to users, based on location
• Can capture vital analytics about usage and devices used
• Enterprise apps can provide offline access to keep using the app and entering data, with an automatic sync once the device comes back into range
Enterprise Mobility
Mobile devices empower employees to do what they need to do — whenever and wherever; enterprise mobility is not telecommuting.
A rapidly maturing ecosystem of mobile app tools, technologies and platforms.
Internet of Things
• Growing network of IP-enabled components and appliances
• Meters and devices reporting their usage allowing reactive modeling
• Locks and control devices controlled over the Internet
• Connected installations managed remotely
Internet of Things
Every industry has an individual set of uniquely identified “things” generating data and able to be controlled remotely. For example:
• Supply/Demand locations: Power Generation, Transmission and Distribution, Low Voltage, Power Quality, Energy Management
• Alternative locations: Solar, Wind, Co-generation, Electrochemical
• Oil/Gas locations: Rigs, Derricks, Well Heads, Pumps, Pipelines
• Devices: Turbines, Windmills, UPS, Batteries, Generators, Meters, Drills, Fuel Cells, etc.
New Devices
The mobile world changes with every new device and set of devices. Smartphones and tablets are being joined in the marketplace by new consumer devices. Wearable and augmented reality products will fast become widespread.
Mobile device uses
• Voice
• Video
• Data
• Control
• NFC Interaction (RFID, Bluetooth, etc)
• Thin client for cloud-stored data
• BigData aggregation visualization
Understanding the Threats
The Device
• Vulnerable to malware, malicious apps posing as benign apps
• Legitimate apps can allow data loss and data leakage if poorly written
• Vulnerabilities in Hardware, OS, Application and Third-Party Applications
• Unsecured or Rogue Marketplaces
The Device
• Malware and attacks on mobile devices are on the rise
• Vulnerabilities found almost as soon as a device hits the market
Accidental breaches and device loss
• 68% of employees reported that they did not have their devices cleaned when upgrading
• Access and data breaches are the most common results of lost phones... not recovery
• Social engineering tactics lead users to click malicious URLs spammed by trusted sources via SMS, social media and email.
BYOD – Statistics around usage
• 81% use a personal electronic device for work-related functions
• 31% who use a laptop for work will connect to the company's network via a free or public WiFi connection
• 46% who use a personal device for work have let someone else use it
• 37% who use personal device(s) for work have not activated the auto-lock feature
• 33% who use their personal device for work admit that their organization's data and/or files are not encrypted
• 66% who use a personal device for work say their organization has not implemented a "bring-your-own-device" policy
• 25% of employed U.S. adults have been a victim of malware or hacking on a personal electronic device
Encryption of DAR and signal
• Given sufficient time, a brute force attack is capable of cracking any known serial encryption algorithm.
• Cracking AES with a 128-bit key would take one of today's supercomputers 1 billion billion years.
• Using quantum technology with the same throughput, exhausting the possibilities of a 128-bit AES key would take about six months.
• Encryption is only ever as secure as the implementation
Connectivity weakness
• Unsecured WiFi and rogue access points add vulnerability
• NFC/RFID has a low threat of breach but can allow mimicry
• Bluetooth defects allow eavesdropping and caller identification
Mobility introduces all these threats
Internet of Things
• Increases exponentially the quantity of systems that will have to be protected
• Route of data to the provider is an obvious weakness
• Multiple points of failure
• DDoS attacks on individual appliances
• Introduce vulnerability to associated financial records
Wearable
New devices mean new threats and fresh cybersecurity considerations
Addressing the Problem
Securing the Device
• MDM: Notification, access control, quarantine, selective wipe
• MAM: Authentication, storage control, copy/paste limitation
• Data and apps
• Event monitoring
• Keep OS updated
Enterprise Mobility
“People are demanding to use their own gadgets in their jobs. Trying to thwart them is futile” - The Economist
“92% of Fortune 500 companies are testing or deploying the iPad” - Tim Cook, CEO Apple
“When young employees first come across business-application screens, they scream in horror” - Willem Eelman, CIO Unilever
Enterprise Mobility
• BYOD vs COPE (Corporate owned, personally enabled)
• Clear policy required
• Control non-work device use
Encryption
• Invest in parallel solutions, be prepared for Quantum Computing
• Encrypt data stored to cloud storage
• Encrypt any sensitive data stored on the device as well as while being transmitted
• Pay attention to key exchange
• Harden networks
Internet of Things
• Assume each device or appliance is the weakest part of the system
• Protect data captured even if it caches on the device or local network
• Consider remote control locks as insecure as those operated locally
• Have lock passwords change frequently and on demand to allow temporary access
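One way to make lock passwords change frequently and on demand, shown as an added example that is not part of the original slides: each code is derived from a shared device key, a time window and a revocation counter. The LockController class, the 300-second window and the HOTP-style truncation are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 300  # assumed validity window for a temporary code


class LockController:
    """Hypothetical controller for one remotely operated lock."""

    def __init__(self, device_key: bytes, window: int = WINDOW_SECONDS):
        self._key = device_key   # secret shared by the lock and the back end
        self._window = window
        self._generation = 0     # bumped to change every code on demand

    def _code(self, generation: int, counter: int) -> str:
        msg = struct.pack(">QQ", generation, counter)
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        offset = digest[-1] & 0x0F  # dynamic truncation, as in HOTP
        value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{value % 10**8:08d}"

    def issue(self, now: float) -> str:
        """Return a code valid only for the time window containing `now`."""
        return self._code(self._generation, int(now // self._window))

    def rotate(self) -> None:
        """On-demand change: every outstanding code stops working."""
        self._generation += 1

    def verify(self, presented: str, now: float) -> bool:
        expected = self._code(self._generation, int(now // self._window))
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(expected, presented)


def demo() -> dict:
    lock = LockController(b"constructed-demo-key-not-a-real-secret")
    t0 = 1_367_400_000  # constructed timestamp on a window boundary
    code = lock.issue(t0)
    result = {
        "code": code,
        "in_window": lock.verify(code, t0 + 120),  # same 5-minute window
        "expired": lock.verify(code, t0 + 300),    # next window
    }
    lock.rotate()  # operator revokes temporary access early
    result["revoked"] = lock.verify(code, t0 + 120)
    result["new_code_ok"] = lock.verify(lock.issue(t0 + 120), t0 + 120)
    return result
```

A code issued late in a window expires when that window closes, so the window length is an upper bound on how long temporary access lasts.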