Cyber Security for Building Management

Cyber Security for Building Management: A CIO's view

Fortium Partners
- National consulting firm of senior CIOs and CISOs providing executive guidance to the middle and large business market ($50M to $10B)
- F500 experience in IT strategy, operations, M&A and turnarounds
- Provide service on an interim, fractional or project basis
- Brad Wheeler has been a F500 CIO in numerous international companies in financial services, internet services, defense and high tech, and has provided interim and fractional consulting to companies from $10M startups to $12B international conglomerates.

Cyber Crime
- Originally focused on individual hackers, but now:
  - High school hackers
  - Formalized cyber 'gangs'
  - Competitors
  - Dark web market for PHI and PII
  - Nation states
- Additionally, we have the cyber risk related to ongoing operations (power, fire, network outages, service provider and cloud outages, disaster recovery, etc.)

CIOs' Cyber concerns
- Financial and Admin systems (SOX, HIPAA, PCI, etc.)
- Customer Facing (SaaS, Web, Cloud Shared Services)
- Operations Technology (BMS, EMS, FLS, PACS, HVAC: building management, energy management, fire/life safety, physical access control, heating/ventilation/air conditioning)
- Risk Management (Planning, Assessment, Incident Mgmt, Cyber Insurance)

Cyber Incidents
- The majority are caused by employees falling for phishing, either giving away information (account names/passwords) or loading malware without knowing it ('whale' phishing, ransomware, zero-days)
- Target incident: a 3rd-party compromise of an HVAC vendor; the vendor's credentials for Target's network gave the attackers their way in
- Sony incident: system admins failed at basic functions, leaving default passwords ('password') on remote access credentials
- In other words, the vast majority of security incidents are due to a combination of back doors and weak controls over privileged accounts!

Building Management Systems (BMS) concerns
- BMS are commercialized versions of Industrial Control Systems (ICS)
- Inherently weak protocols and controllers (classic BACnet and Modbus, for example, carry no authentication or encryption of their own)
- Vendor products are not standardized and are cyber-weak by themselves
- Vendor installation and service personnel have immature cyber processes and procedures
- Smart buildings only concentrate networks and services, thereby heightening risks and outcomes

5 Key Areas of Cyber Concern
- Privileged Accounts: password management and two-factor authentication
- Network Management: websites, servers, apps
- User Management: limit access, MFA, age out unused accounts
- Software Management: patching, authorized software only
- Vulnerability Management: vendor security, assessment, scanning, testing, prioritization (bug bounty)
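One concrete check a building owner can run against the first, third and fifth areas above, using the failure patterns from the incident slide (default vendor passwords, privileged accounts without a second factor, accounts nobody aged out, one vendor password reused across several building systems). This is an added example and not part of the original presentation: the account inventory, the default-password list, the assumption that controllers export a SHA-256 of each password, and the 90-day age-out threshold are all constructed for illustration.

```python
"""Audit a building-system account inventory for weak privileged-account
controls.  Added example; the inventory, default password list, hashed
export format and 90-day threshold are constructed assumptions, not data
from any real site or vendor."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import hashlib

# Assumed factory defaults an installer might leave in place.  A real audit
# should load the documented defaults for each controller model instead.
DEFAULT_PASSWORDS = ["password", "admin", "1234", "Password1"]
AGE_OUT_DAYS = 90  # assumed policy: disable anything idle longer than this
AUDIT_DATE = date(2017, 6, 1)  # constructed "today" for the sample run


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


DEFAULT_HASHES = {sha256_hex(p) for p in DEFAULT_PASSWORDS}


@dataclass
class Account:
    username: str
    system: str            # e.g. "HVAC-BMS", "FLS", "PACS"
    owner: str             # employee or vendor company
    privileged: bool
    mfa_enabled: bool
    password_sha256: str   # assumed: controllers export only a hash
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    system: str
    issue: str


def audit(accounts: List[Account], today: date) -> List[Finding]:
    """Return one Finding per control failure; an empty list means clean."""
    findings: List[Finding] = []
    # password hash -> (username, system) pairs that share it
    by_hash: Dict[str, List[Tuple[str, str]]] = {}
    for a in accounts:
        if a.password_sha256 in DEFAULT_HASHES:
            findings.append(Finding(a.username, a.system, "default password"))
        if a.privileged and not a.mfa_enabled:
            findings.append(Finding(a.username, a.system,
                                    "privileged account without MFA"))
        if a.last_login is None:
            findings.append(Finding(a.username, a.system,
                                    "never used; remove it"))
        else:
            idle = (today - a.last_login).days
            if idle > AGE_OUT_DAYS:
                findings.append(Finding(a.username, a.system,
                                        f"idle {idle} days; age out"))
        by_hash.setdefault(a.password_sha256, []).append((a.username, a.system))
    # A vendor reusing one password on several building systems means one
    # leaked credential opens all of them.
    for pairs in by_hash.values():
        systems = sorted({s for _, s in pairs})
        if len(systems) > 1:
            users = ",".join(sorted({u for u, _ in pairs}))
            findings.append(Finding(users, ",".join(systems),
                                    f"same password on {len(systems)} systems"))
    return findings


# Constructed inventory: one HVAC vendor with a default admin password and a
# service account shared between fire/life-safety and access control, plus an
# employee account that was provisioned and never used.
SAMPLE_INVENTORY = [
    Account("admin", "HVAC-BMS", "Acme Mechanical", True, False,
            sha256_hex("password"), date(2017, 5, 30)),
    Account("acme_svc", "FLS", "Acme Mechanical", True, True,
            sha256_hex("Tr0ub4dor&3"), date(2017, 1, 15)),
    Account("acme_svc", "PACS", "Acme Mechanical", True, True,
            sha256_hex("Tr0ub4dor&3"), date(2017, 5, 28)),
    Account("jsmith", "HVAC-BMS", "J. Smith", False, False,
            sha256_hex("s3cr3t!LongEnough"), None),
    Account("ops", "HVAC-BMS", "Facilities", True, True,
            sha256_hex("Xy!9-correct-horse"), date(2017, 5, 31)),
]


def run_sample() -> List[Finding]:
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.system:10} {f.username:18} {f.issue}")
```

The reuse check is what turns a per-account review into a vendor review: the same VAR service password on the fire system and the access-control system is exactly the kind of "3rd-party back door" the incident slide describes, and it never shows up in a one-system-at-a-time password audit.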

Current biggest area of concern
- 3rd-party vendors, of which building managers are part!
- CIOs/CISOs have control over their own teams, systems and tools
- But really zero control over 3rd-party tools, services, appliances, etc.
- This is changing as vendor contracts now require some level of proactive cyber verification (SSAE 16 in data center speak; since 2017 those SOC reports are issued under SSAE 18)
- We don't care about a vendor's SOX status, but rather the controls on their customer-facing services
- BOMA members are seen as 3rd-party providers, with their own downstream providers that are just as critical to tenants and their CIOs!

3rd Party System VARs
- Typical building system VARs have limited expertise in network architecture, particularly in the middle layers (the network between the field controllers and the corporate LAN)
- Knee-jerk reaction is to seek VAR compliance with some security framework, but that only covers the questions asked
- A better approach is to have the VARs provide you with an affirmative statement of their cyber practices related to touching your building's systems
- Most VARs will need assistance in preparing this statement
- Nearly all VARs will be able to conform to the statement following a little training
- Fortium has an active practice in this very area because it is such a problematic and unmanaged area

Cyber Insurance
- Virtually all public firms have some level of cyber insurance as part of their risk mitigation strategy
- Early contracts focused on incident costs (~$256M in Target's case, and more for some banks)
- Aon Risk Insurance is now seeing multiple levels of engagement on the customer side:
  - BOD on risk assessment and appetite
  - CIO/CISO/CSO on technical assessment, planning and remediation
  - CFO and CRO on various cyber lines, now including business interruption and client impact

Summary
- Human failings are the largest of all risks
- 3rd parties are currently the low-hanging fruit for commercial hackers and need to be 'managed'
- Expect IT security budgets to jump from the current 6-10% to 15-20% in the next 3 years (up to 20% of operations security)
- Cyber risks are here to stay (because that's where the MONEY is!)