Is Your Enterprise Security Insured?

In 2012, the World Economic Forum published a research report titled “The future of manufacturing: opportunities to drive economic growth [ref 1]. The development and adoption of the Internet of Things (IoT) is a critical element of smarter manufacturing. The next wave of manufacturing with IoT enabled systems is referred to Industrie 4.0, which raised a new concept of “Smart Factory”, linking production and supply chains to implement real-time information and real-time management. IoT delivers new value by connecting People, Process and Data in manufacturing sector. Data from supply chain networks will be valued asset of enterprises.

On one hand, manufacturers are just beginning to harness a new generation of machine-to-machine systems, mobile apps and cloud-based services. On the other hand, corporations worldwide are challenged with securing these growing connections in a rapidly changing threat environment. The increasing use of Internet and mobile devices means that the boundary of an enterprise is disappearing, and as a result, the risk landscape becomes unbounded. IoT enabled systems could be threatened with various cyberattacks, crimes and terrorism from Internet. For example, a malicious actor had infiltrated a German steel facility in 2014. The adversary used a spear phishing email to gain access to the corporate network and then moved into the plant network, resulting in massive physical damage and large economic loss [ref 2]. Therefore, cybersecurity has become a critical challenge in the IoT enabled cyber-physical world, from connected supply chain, Big Data produced by huge amount of IoT devices, to industry control systems.

Cybersecurity now has become the priority of nations. In 2010, UK government announced a £650m investment strategy into Cybersecurity, and declared that Cybersecurity has become a ‘tier 1’ priority alongside international terrorism and major national incidents [ref 3]. The Cyber Essentials Scheme [ref 4] has been developed by Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, within the context of the Government’s 10 Steps to Cyber Security. Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and potentially build upon. The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates for organisations, has been designed in consultation with SMEs to be light-touch and achievable at low cost.

To respond to the security requirements for the existing and emerging security threats in Internet of Things, IoT Security Foundation (IoTSF) has been established. The mission of IoTSF is to help secure the Internet of Things, in order to aid its adoption and maximise its benefits. To reach the goal, IoTSF will promote knowledge and guide best practice in appropriate security to those who specify, make and use IoT products and systems.

UK Cyber Essential Scheme and IoTSF are promoting the security awareness of enterprises or organisations via governmental strategies and collaborative initiatives. Cybersecurity enables manufacturers to expand into emerging markets, merge and acquire more easily, build positive brand awareness, benefit from the cloud and other next-gen technologies — and ultimately, safeguard customer trust. However, organisations or enterprises within the connected supply chain could have different levels of security. A determined aggressor, e.g. an advanced persistent threat (APT), usually identifies the organisation with the weakest cybersecurity within the supply chain, and uses these vulnerabilities presented in their systems to gain access to other members of the supply chain. The smaller organisations within a supply chain, due to more limited resources, often have the weakest cyber-security arrangements [ref 5].

In the continuously changing environment, it is important to leverage the resources of enterprises or organisations in order to identify, contain, eradicate, and remediate cyber security incidents faster to minimise the impact to the organisation [ref 6]. Security metrics allow organisations to show progress on continual improvements in identifying incidents faster and providing detection and analysis at an advanced stage before an attack has occurred. In respects of UK Security Essential Scheme, following the standard of information security management within the context of the organisation (ISO/IEC 27001/2), security metrics could answer:
(1) How well do the firewalls and internet gateways work on the boundary of the organisation’s internal networks?
(2) How well do system configurations affect the security of the organisation?
(3) How well is the user access control of your enterprise system configured?
(4) How well is your enterprise system protected?
(5) How well are you able to maintain the patch state of your systems?
(6) How well do you detect, accurately identify, handle, and recover from security incidents?
(7) How well do you manage the exposure of the organisation to vulnerabilities by identifying and mitigating known vulnerabilities?
(8) How well is the risk assessment of industry manufacturing systems covered within your organisation?

Traditional industrial control system devices and architectures are often developed for reliability and performance, not security, which leaves such systems at the mercy of predetermined adversaries. In particular, security metrics could provide a measurable solution to improve the security of legitimate systems within enterprises.

Today, higher education is a major contributor to economic success, producing, changing and transferring cutting edge knowledge from research, and continues updating our education to match the pace of technology development. As a founder member of IoTSF, Cranfield Manufacturing offers world-class and niche research, education, training and consultancy. One of our research focuses is on the cybersecurity for manufacturing enterprises. In order to help enterprises to improve their practice in security, three MSc research projects will be launched:
(1) Development of security metrics for manufacturing systems: It is to develop security metrics, to provide a whole vision of the enterprise security, and improve best practices for cybersecurity in Manufacturing Enterprise Systems, in response to the enterprise security objectives.
(2) Development of a cybersecurity framework for enterprises using TOGAF, which is an Open Group Architecture Framework. TOGAF could provide a fundamental architecture. By extending existing architectures, the security architecture could be specific to an Industry enterprise in the manufacturing sector.
(3) Economical cost and risk management for cybersecurity insurance of enterprises. This project aims at developing a framework to assess economic cost for cybersecurity insurance and risk management, thus to increase enterprise awareness of cybersecurity, and promote the implementation of cybersecurity solution in the enterprises.

In order to respond to our continuous changing society, a new MSc Course in Cyber-Secure Manufacturing has been developed to culture the next generation of manufacturing engineers who are able to protect manufacturing systems & machines against cyber threats. We expect to start the MSc course in 2016/2017. Correspondingly, several short courses from the MSc course will be launched in response to the need of professionals in enterprises:
(1) Secure Cloud Manufacturing
(2) Data Mining Technology for Cyber Threats Identification
(3) Security of Machine Tool Systems
(4) Secure IoT and System Architecture

References

1. Building Smarter Manufacturing With The Internet of Things (IoT), http://cisco.cioal.com/2013/12/20/whitepapper-1/
2. R. M. Lee, M. J. Assante, and T. Conway. ICS defense use case (duc): German steel mill cyber-attack. Report, SANS, DEC 2014.
3. The UK Cyber Security Strategy, Protecting and promoting the UK in a digital world, Cabinet Office, London, Nov. 2011.
4. Cyber Essentials Scheme — Requirements for basic technical protection from cyberattacks, HM Government, June 2014.
5. Cyber-security risks in the supply chain CERT-UK, Feb. 2015
6. Cyber-Security Metrics: Getting Measurable Results, Enterprise Risk Management, Inc. 2012. http://www.emrisk.com/sites/default/files/newsletters/2496_erm_newsletter_sept4.pdf , accessed on 1 Apr 2016.