KKI I2/R2/K2
Hal. 1
File: I4.0 Platform and Security 1.0

What is Internet of Things (IoT)?

Kevin Lonergan at Information Age, a business-technology magazine, has referred to the terms surrounding IoT as a “terminology zoo”. The lack of clear terminology is not “useful from a practical point of view” and a “source of confusion for the end user”.

https://en.wikipedia.org/wiki/Internet_of_things
Who am I?
Gildas Arvin Deograt Lumy
- 7 years supporting industrial automation system infrastructures in some big Indonesian companies.
- 8 years in Total Group, the world's 4th largest oil and gas company, with the following Industry 3.0 responsibilities:
- 3 years of operation to manage secure connections in the fields of Total EP Indonesie.
- 3 years reviewing and advising on DCS security in all subsidiaries of Total Exploration and Productions (EP).
- 2 years creating the Total EP Industrial Security Architecture Standard and its security organization structure.
- 2 years creating and implementing the Total Group high grade cyber security architecture.
- 10 years doing R&D on high grade security architecture for Industry 4.0 and its solution.
Industry Revolution:
Industry 3.0 to Industry 4.0
SCADA (in)security
FORMASI (formerly KKI), 6th Security Night, 2006

SCADA = Supervisory Control And Data Acquisition
- Also called Distributed Control System (DCS) or Human Machine Interface (HMI)
Components
- Supervisory (Console), Engineering Workstation, PLC alias RTU, Input/Output devices, Communication Infrastructure (network)
- Engineering Workstation:
  - Used to program the PLCs = the “key” to configure the kingdom
- PLC (Programmable Logic Controller) alias RTU (Remote Terminal Unit)
  - PLCs need to be properly managed
  - PLCs are distributed across the plant. An oil and gas pipeline can be thousands of km long.
Primary Constraint
- It must have very high availability and work well in extreme conditions
- Very sensitive in terms of integrity and performance
Real threat
- Worldwide cases: various major disruptions or incidents due to attacks on DCS by worms or disgruntled employees
- Cyberwar is real. The possibility of terrorist threats is becoming higher
- It is critical infrastructure: major safety, environmental, economic, legal and organization image risks
Vulnerable SCADA hosts (DCS Gateway and PDS)
- Only certified patches and security hardening are allowed
- Antivirus could decrease performance
- Unknown vulnerabilities in uncommon applications
- The industry trend is to use more and more common OSes with known vulnerabilities
Production monitoring and reporting from business network
- Users need to access the PDS system using a PDS client or web interface from the business network, using business PCs/laptops located in office buildings with weaker physical protection.
Local and remote maintenance by SCADA engineer (outsourced)
It's complex. Different system combinations need different types of traffic
- Control systems products (such as Yokogawa, Honeywell, Foxboro, etc.) are combined with PDS products (such as PI, IP-21, SIM-21, etc.)
- Various implementation types exist for each combination, for example: 3 possibilities for a Yokogawa with IP-21 implementation
Swiss Cheese Firewall
- Does not analyze the packet content of non-standard traffic
- More and more PDS products use RPC (Remote Procedure Call) and (sometimes) NetBIOS between the PDS server and its clients, using dynamic ports
  - Need to open inbound all ports above 1024/TCP
Firewall Tunneling – old concept, but a new issue and becoming more popular
- Accessing an internal host from outside through authorized outbound traffic
- Need to transfer files from PDS to office systems, i.e. outbound FTP to PDMS
Security by obscurity simply does not work
- Widespread availability of detailed technical information about control systems
Low level of awareness
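
An added example (not from the original slides): a small audit over a constructed firewall rule base that flags the "Swiss cheese" patterns listed above. The zone labels, rule names and the 1000-port threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

# TCP ports relevant to the slide: RPC endpoint mapper, NetBIOS session, FTP control.
RPC_NETBIOS = {135, 139}
FTP_CONTROL = 21
WIDE_RANGE = 1000  # assumption: a rule spanning this many ports counts as a "hole"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str    # hypothetical zone labels: "business" or "control"
    dst_zone: str
    proto: str
    port_lo: int
    port_hi: int
    action: str = "allow"


def audit(rules):
    """Return (rule name, finding) pairs for the patterns the slide describes."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.proto != "tcp":
            continue
        ports = range(r.port_lo, r.port_hi + 1)
        inbound = (r.src_zone, r.dst_zone) == ("business", "control")
        outbound = (r.src_zone, r.dst_zone) == ("control", "business")
        if inbound and len(ports) >= WIDE_RANGE:
            findings.append((r.name, "wide inbound port range (dynamic RPC ports)"))
        if inbound and any(p in ports for p in RPC_NETBIOS):
            findings.append((r.name, "RPC/NetBIOS exposed to business network"))
        if outbound and FTP_CONTROL in ports:
            findings.append((r.name, "outbound FTP: review as a tunnel path"))
    return findings


# Constructed sample rule base (not taken from any real firewall).
SAMPLE_RULES = [
    Rule("pds-client-rpc", "business", "control", "tcp", 1025, 65535),
    Rule("pds-endpoint-mapper", "business", "control", "tcp", 135, 139),
    Rule("pds-web", "business", "control", "tcp", 443, 443),
    Rule("pds-to-pdms-ftp", "control", "business", "tcp", 21, 21),
    Rule("legacy-any", "business", "control", "tcp", 1, 65535, action="deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```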
Industry 3.0 to Industry 4.0
The Security Revolution: More Oups!

40 years of evolution = a more fragile digital ecosystem across industry sectors
- More Open
- More Unmanaged
- More Unskilled
- More Physically insecure
- More Security nightmare
Qualitative Risk Analysis Scoring (1 less secure, 10 more secure)
- 1980-2000, score 8-9
- 2000-2010, score 6-7
- 2010-now, score 4-5
More Open
- More open connection
- More open systems and protocols
- More open knowledge and tools
More Unmanaged
- More Unmanaged Security Policies Implementation
- More Unmanaged Access Control
- More Unmanaged Vulnerability
More Unskilled
- More Unskilled Users
- More Unskilled Attackers
More Physically insecure
- More Mobile and Public Location
- More Accessible to Configure
More Security nightmare
- More incident quantity
- More incident quality
The I4.0 High Grade Security Objective
The I4.0 High Grade Security
The Biggest Challenge:
Cyber Security Mindset Revolution
The I4.0 High Grade Security: Components
- High security (and high privacy) business model
- High grade security strategy
  - Effective risk identification
  - Integrated information security concept
  - Integrated Cybersecurity strategy
- High grade security tactical
  - Effective attacks mitigation concepts
  - High grade security architecture and procedures
- High grade security operation
  - Effective implementation of the architecture and procedures
  - High grade security solution
Integrated Cybersecurity Strategy

PILLAR (P)
- (P1) Integrated National Strategy
- (P2) Capacity and Capability
- (P3) Capacity & Capability
- (P4) Culture
LAYER (L)
- (L1) Energy
- (L2) Cyber Infrastructure
- (L3) IT system
- (L4) Information & Transaction
STAGE (T)
- (S4) Evolve
- (S3) Recover
- (S2) Withstand
- (S1) Readiness
VARIABLE (V)
- (V1) Strategic Objectives and Policies
- (V2) Tactical Steps
- (V3) Operational Resources (Funds, People, Technology, Physical)
High Grade Security Architecture:
Illustration
High Grade Security Architecture:
Inconsistent Implementation
High Grade Security Architecture:
Primary Objectives
1. Clear Visibility
2. Consistent Implementation
High Grade Security Architecture
Example: SAKTTI

Standar Arsitektur Keamanan Tingkat Tinggi Informasi (SAKTTI), i.e. High Grade Information Security Architecture Standard

An architecture to achieve a high grade level of integrity, confidentiality, and availability, in order to build a highly secure system of interconnected digital fortresses through effective implementation of the key principles, based on the key factors.
Key Principles
- Ensure holistic and balanced information security control techniques (deterrent, preventive, detective, corrective, compensating and recovery).
- Integrate information security control components (People, Administrative, Technology, Physical).
- Cover the whole information life cycle: create, distribute, use, maintain, archive, destroy.
Key Factors
White list approach
Change management
Integrity assurance
Monitoring
Defense in depth
Least privilege
Separation of duties
Traffic flow control
Hardening
Comprehensive Encryption
Capacity
Performance
Redundancy
Backup
SAKTTI Implementation Example
- Local database encryption
- Dedicated End Point to End Point Authentication Key
- End-to-End encryption with Dedicated Dynamic Key between PS Clients, including within group discussion
- Anti SSL MITM attack traffic encryption between PS Client and PS Server
[Diagram: PS Clients exchanging messages through the PS Server]
- Content end-to-end encryption between PS Clients.
- Traffic encryption between PS Client and PS Server.
Content end-to-end encryption between PS Client and PS BS.
[Diagram labels: PS Server, Business Micro App., Business Application Server, PS BS]
- PS Business Server (PS BS) encrypts/decrypts data to/from PS Client.
- Business Application Server actively pulls/puts data from/to PS BS storage.
Content end-to-end encryption between PS BS.
[Diagram labels: PS Server, two Business Application Servers, two PS BS]
- PS Business Server (PS BS) encrypts/decrypts data to/from other PS BS.
- Business Application Server actively pulls/puts data from/to PS BS storage.
PS Secure Mobile Application Architecture
[Diagram. Labels: Customer’s focus; PS Secure Ecosystem Platform; User; Presentation (User Interface, Presentation Logic); Application Facade; Business Process; Workflow, Components, Entities; Secure Data Process; Data Access, Data Utilities, Service Tools; Common Process; Configuration, Security, Communication; Mobile Device (Hardware, Operating System, Storage); Public Server Infrastructure; Business Application Server Infrastructure; Business Server (PS BS); Data Security Air Gap; Secure Data Process Forwarder]
PS/SAKTTI Architecture Level 0
[Diagram. Segments: Internet Segment; Extranet / Intranet Segment. Layers: User Layer; App-Svc Layer. Zones: External Zone (PS Client); Middle Zone (Data Security Air Gap) with PS Public Server Infrastructure and two firewalls labelled "Allow In/Out SSL"; Internal Zone: eBusiness A and Internal Zone: eBusiness B, each showing BAS, MP, APA and PS BS with a firewall labelled "Allow Outbound SSL".]
PS BS : PS Business Server
MP : Message Pool
BAS : Business Application Server
APA : Active Pool Adapter
File: PS Business Plan 2.3