CYBER SECURITY: SECURING YOUR CRITICAL INFRASTRUCTURE AGAINST CYBER ATTACKS
MAY 6th 2014
Francesca Schuler, Business and Technology Strategy, Motorola Solutions Inc.
Dr. Brenda Connor, Business and Solution Creation Expert, Ericsson
CHANGING PUBLIC SAFETY LANDSCAPE

PREVIOUS LANDSCAPE
• SELF CONTAINED SYSTEMS
• AGENCIES IN SILOS
• LOCAL / ON-PREMISE & DEFINED PERIMETER
• FIXED DEVICES
• ENTERPRISE PROVIDED DEVICES
• CONTROLLED OPERATING SYSTEMS
• NON-CONSUMER TECHNOLOGIES
• PRIVATE SPECTRUM

NEW LANDSCAPE
• INTERCONNECTED SYSTEMS
• AGENCY-AGENCY COLLABORATION
• CLOUD SERVICES & DISSOLVING PERIMETER
• MOBILITY
• BYOD
• UBIQUITOUS OPERATING SYSTEM
• CONSUMER BASED TECHNOLOGIES
• SHARED SPECTRUM
INCREASING RISKS

The new landscape (interconnected systems, agency-agency collaboration, cloud services & dissolving perimeter, mobility, BYOD, ubiquitous operating system, consumer based technologies, shared spectrum) brings:
• CHANGES IN SECURITY THREAT PROFILE
• GREATER ATTACK SURFACE
• CHANGES IN RISK MITIGATION STRATEGY
[Chart: security risk (low to high) plotted against controls / cost]
INCREASING CONTROLS & COSTS

FIXED DEVICES; LOCAL / ON PREMISES & DEFINED PERIMETER; AGENCY SILOS; SELF CONTAINED
→ MOBILITY; BYOD; AGENCY COLLABORATION; UBIQUITOUS OS; CLOUD SERVICES & DISSOLVING PERIMETER
→ FULLY INTERCONNECTED

• PUBLIC SAFETY DEVICES OPERATING ON PUBLIC SAFETY NETWORK
• PUBLIC SAFETY DEVICES OPERATING ON COMMERCIAL NETWORK
• COMMERCIAL DEVICES OPERATING ON PUBLIC SAFETY NETWORK

NETWORK ITSELF BECOMES SUBJECT TO OPEN INTERNET-BASED THREATS.
DEVICES BECOME TARGETS OF INTERNET-BASED THREATS.
DEVICES ARE LOST, TAMPERED, OR MODIFIED AT THE OPERATING SYSTEM LEVEL, OR INFECTED VIA USB DATA TRANSFER.
THREATS ARE OUT THERE …

SINCE 2006: CYBER SECURITY EVENTS INCREASED 782%

CRIMINAL HIERARCHY LEVERAGES NEW TECHNOLOGIES
• NATION STATES
• ORGANIZED CRIME SYNDICATES
• NONTECHNICAL OPPORTUNISTS

TRENDS
• KNOWN MALWARE: 100,000,000+
• 100,000+ NEW SAMPLES PER DAY
• UNINTENTIONAL VULNERABILITIES: Hackers find a hole in the security measures used to protect sensitive data. The vulnerability is eventually exploited by hackers who take advantage of the hole because some sites and users are slow to update their systems.
INCIDENT RESPONSE PROCEDURES TO DETECT AND ADDRESS THREATS SWIFTLY

Across DEVICES & APPLICATIONS; RADIO ACCESS NETWORK; PUBLIC SAFETY BROADBAND CORE; AGENCIES & ENTERPRISE

THREATS
• MALWARE
• UNAUTHORIZED ACCESS
• DATA VULNERABILITIES
• ADVANCED PERSISTENT THREATS
• NETWORK EXPLOITS
• INFORMATION LEAKS
HOLISTIC END-TO-END SOLUTION

MINIMIZE ATTACK SURFACE; DEFENSE IN DEPTH; SECURE ALL LAYERS
Layers: APPLICATIONS & DEVICES; NETWORKS (CORE / AGENCY / ENTERPRISE / INTERNET); SERVICES

• MINIMIZE ATTACK SURFACE: Defense in Depth with Flexibility
• SECURITY INTEGRATED INTO OPERATIONS: Providing the Right Balance of Security and Ease of Use & Manage the Lifecycle
• SECURE INTEROPERABILITY: Removing Security Silos & Enabling Secure Interoperability of voice and data
• SECURE THE EDGE: Identity is the New Perimeter for Access & Control Decisions
• SECURE ALL LAYERS: Leverage Encryption, Certificates at all Levels
• MINIMIZE SECURITY POLICY COMPLEXITY: Keep a base set of policies understanding that one size may not fit all; Ensure Contingency plans in place
SECURITY’S CHANGING PARADIGM: IDENTITY MANAGEMENT ENABLER

IDENTITY MANAGEMENT: Secure the Edge
• CREDENTIAL FEDERATION
• SECURITY TOKEN SERVICE
• STRONG MULTI-LEVEL AND MULTI-FACTOR AUTHENTICATION
• MULTI-LEVEL AND MULTI-FACTOR AUTHORIZATION

[Diagram: First Responder LTE device (ISIM, USIM) attached via the LTE access network to the FirstNet Network (FNN), which hosts the HSS, the Network Services Layer (e.g. Dynamic QoS), IMS apps (e.g. VoLTE, SMS/MMS) and Non-IMS apps (e.g. status-info “homepage”); the Public Safety Enterprise (PSE) hosts the Directory (e.g. Active Directory) and PSE apps (e.g. Video/CAD). Labelled flows: ISIM and USIM credentials provisioned within FNN/HSS; Authentication using PSE credentials; Authentication using Federated PSE Credentials (e.g. SAML); Encryption.]
Note: ISIM and USIM identities both identify the device subscriber NOT the human user
TRIAD OF IDENTITIES: DIGITAL IDENTITY

Improved identity provider services: Easier and safer to sign in and access sites
Security Services to Subscriber: Leveraging the SIM for application security

[Diagram: Authentication Federation Gateway between OTT SERVICE PROVIDERS and AGENCIES, providing Service Enablement; Human Authentication (OpenID); Human Authorization (OAuth) with Consent (resource owner); Subscription Security (GBA); Application Authentication and Authorization]
DATA EXCHANGE: Secure Data Management at Edge
PRIVACY STATEMENT

Privacy matters to all of us. It is a given that all data regulations are strictly complied with, but in addition to this, it is our belief that data, in the context of analytics or specific applications, can be used responsibly in two ways:
– Either it must be anonymous and aggregated so that no individual can be identified, or
– The appropriate resource owner permissions must be in place.
ENHANCE FIRST RESPONDER EXPERIENCE BY TRANSFORMING DATA INTO RELEVANT INFORMATION

[Diagram: FirstNet and Agency linked by a Trust Relationship with Agency; Assets (1); QoS Delivery; Service Enablement; Personalize; Simplify]

ENHANCE RESPONDER EXPERIENCE: EXAMPLE USE CASE
Q & A
Follow APCO at…
facebook.com/apcointernational @apcointl