Security Challenges and Governance for Smart Manufacturing
Mar 4, 2017
Digital Technology Service Group, Haier Group
Archer Cao
Archer Cao
Current Role:
Director, Information Security
Background & Experience:
• 14+ years of experience in the IT industry, in design/planning and global operations management roles
• Overseas work experience in the US, Germany, Russia and the Philippines
• Worked for world-class multinational companies such as TrendMicro, Mars/Wrigley and Nielsen
• Extensive experience in information security strategic planning, roadmaps, business engagement and service delivery
• Familiar with international security standards and with privacy and data protection laws and regulations
Agenda
1. Transforming Traditional Industry – Industry 4.0
2. Evolving Threat Landscape for Manufacturers
3. Building Effective Information Security Program
4. Future of Information Security
5. Summary
Transforming Traditional Industry – Industry 4.0
[Slide figure: the Smart Factory, built on cyber-physical production systems (CPPS), sits at the centre of a network linking Smart Buildings, Smart Homes, Smart Logistics, Smart Grid, Smart Mobility, the Social Web and the Business Web over the Internet of Things (IoT), Internet of Services (IoS), Internet of People (IoP) and Internet of Data (IoD).]
Smart Manufacturing Solution Portfolio
Four pillars of smart manufacturing:
1. Vertical networking of smart production systems
2. Horizontal integration via a new generation of global value chain networks
3. Through-engineering across the entire value chain
4. Acceleration through exponential technology
Portfolio elements: IT integration; analytics and data management; cloud-based applications; operational efficiency 2.0; business model optimization; smart supply chain; smart logistics; IT security management; new IP management; corporate venturing; the learning organization; innovation; efficient management of innovation; efficient life cycle management.
Evolving Threat Landscape for Manufacturers
Source: Dell Annual Threat Report
The challenges span people, process and technology:
• Insecure product and app design
• Lack of patching
• Lack of monitoring and response
• Corporate espionage (theft of IP and trade secrets)
• Lack of security awareness
• Complex technology environment
• Lack of defense-in-depth design
The Business Model for Information Security
Source: USC Marshall School of Business Institute for Critical Information Infrastructure Protection.
Systematic Thinking
• Business-oriented approach
• Four elements
• Six dynamic interconnections
• Independent of any technology
• Applicable across industries, geographies, regulatory and legal systems
Information Security Governance Framework
[Slide figure: security drivers feed a security management cycle of Policy, Process, Technology, Metrics and People; rules define the controls, processes execute them, metrics measure them and the results inform the CEO & board and drive correction of the security processes.]
Drivers: business objectives, compliance requirements, laws & regulations, security threats, international security standards, security intelligence and external security metrics.
Policy framework: information security policies, information security standards and information security artefacts.
Process framework: information security processes that define security controls, execute security controls and correct security processes.
Technology: the platforms on which the controls are implemented and monitored.
Metrics framework: information security metrics objectives, measurement of security control maturity and a security metrics portal that reports to the CEO & board.
People: line management, auditors, risk & compliance governance, product management, program management and security professionals.
The framework consists of security drivers plus security management (policy, process, technology, metrics & people).
Adaptive Cybersecurity Framework
Five functions, each broken into categories (the functions and categories mirror the NIST Cybersecurity Framework, with "Prevent" in place of NIST's "Protect"):
1. Identify: business context, asset management, governance, risk assessment, risk management strategy
2. Prevent: access control, awareness and training, data security, information protection processes and procedures, protective technology
3. Detect: anomalies and events, security continuous monitoring, detection process
4. Respond: response planning, communications, analysis, mitigation, improvements
5. Recover: recovery planning, improvements, communications
Defense-in-depth Model
[Slide figure: a layered stack of Data Security, Application Security, Host Security, Network Security and Physical Security, with GRC, Information & Event Management, Identity/Entitlement/Access and Cryptography as cross-cutting capabilities spanning every layer.]
• Organize security reporting around the stack
• For each layer, prepare a current-state and target-state analysis and a roadmap
Future of Information Security
Now: static. Future: adaptive, driven by real-time context.
The transformation of information security is driven by (1) rapidly evolving technology, (2) a rapidly changing business environment and (3) a rapidly changing threat environment.
The supporting context layer includes environmental, community, process, content, identity and application context, among others.
Summary
• Information security challenges in manufacturing
• Building an effective information security management program
• The future of information security
Q&A
Thank you!