Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs
Dominic Cussatt
Acting Deputy CIO / Chief Information Security Officer (CISO)
February 22, 2017
Working Draft, Pre-Decisional, Deliberative Document – Internal VA Use Only
Devices You Use Everyday Are Part of the IoT
“Cars, kitchen appliances, and even heart monitors can all be connected through the IoT. And as the Internet of Things grows in the next few years, more devices will join that list.” ~ businessinsider.com
[Figure: examples of connected devices: Medical Devices, Computers, Cell Phones, Speakers, HVAC, Thermostat, Cars, Microwaves]
“The problem is that the current Internet addressing system, IPv4, only has room for about 4 billion addresses -- not nearly enough for the world's people, let alone the devices that are online today and those that will be in the future: computers, phones, TVs, watches, fridges, cars, and so on. More than 4 billion devices already share addresses. As IPv4 runs out of free addresses, everyone will need to share.” – Vint Cerf, Chief Internet Evangelist at Google
The Growth of Connected Devices in Our Society and How They Impact Our Day to Day Lives
Connected devices provide our society with beneficial opportunities for efficient and continuous communication among people, networks, and services. However, reliance on this connected environment can have undesirable outcomes.
You are managing an airport’s baggage claim and the directory screen goes down – now your customers are angry and don’t know where to get their luggage.
You go to a fast food drive thru and their system is down – so now you are not just hungry, but also annoyed.
You are trying to determine which prayer service to attend and the place of worship’s schedule display is down – so now your personal spiritual practices are impacted.
The environment at VA is different, as one may imagine, but the impact on user experience and the Veteran is similar...
...and could even impact healthcare...
Unpatched Software
Unsupported Software
Poor Configuration Management
Networked Devices Not Properly Secured
Access Privileges not Properly Managed
Etc...
Cybersecurity Threats are a Moving Target
The adversary can change their tactics much quicker than cyber defenses can be updated and re-deployed. This requires organizations to become more proactive than reactive about securing the end points.
Evolving cyber threats require new approaches to protect organizations
Threats evolving in volume, sophistication, and impact
And all the while, Technology is changing and advancing in leaps and bounds...
Security Challenges Facing the IoT
The threat to the security of VA and these network connected devices continues to increase as the capabilities of IoT continue to evolve.
[Diagram: IoT challenge areas: End User, Business Process and Objectives, Data and Information, Architecture, Things]
• “Many enterprises are challenged by unclear business objectives that complicate setting an IoT architecture strategy to address issues relating to deployment environments, legacy infrastructure, complex environments and so forth” ~ Gartner, Internet of Things — Architecture Remains a Core Opportunity and Challenge: A Gartner Trend Insight Report, 2017
• “The unprecedented amounts of information from the IoT and the Internet of Everything expose organizations to legal, regulatory and reputational risk.” ~ Gartner, How to Address the Top Five IoT Challenges With Enterprise Architecture, 2016
• “The Internet of Things will produce two challenges with information: volume and velocity. Knowing how to handle large volumes and/or real-time data cost-effectively is a requirement for the Internet of Things.” ~ Gartner, Hype Cycle for the Internet of Things, 2014
How the IoT Impacts Healthcare
What does the internet of things look like through a healthcare lens?
Increased connectivity paves the way for enhanced medical care, but also creates potential vulnerabilities that can alter the threat landscape and can impact patient care.
“One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data ― but our experience made us understand it is more than that.” ~ Daniel Nigrin, M.D., Chief Information Officer at Boston Children’s Hospital, which was attacked by the hacker group Anonymous in 2014
“Hospital network security has been under scrutiny in the past few months. The MedStar Health system in Washington, D.C. recently fell victim to a ransomware attack in which a piece of malware blocked access to patient records and demanded payment.” ~nextgov.com
The Ponemon Institute found that nearly 90% of healthcare organizations represented in a recent study had a data breach in the past two years and nearly half had 5 data breaches in the same period. Estimates based on the study suggested that breaches could be costing the healthcare industry $6.2 billion ~ ponemon.org
The Cyber Threat to Healthcare
Hackers now employ more sophisticated methods for penetrating networks and devices, making detection and prevention of cyber attacks more difficult. Recent examples of this threat to healthcare providers include:
What Does the IoT Mean For VA?
Department of Veterans Affairs (VA): By the Numbers
As part of the VA, Veterans Health Administration (VHA) is the largest integrated healthcare system in the United States providing care at:
• 1,233 Health Care Facilities
• 168 VA Medical Centers
• 1,053 Outpatient sites
Mission Statement: To fulfill President Lincoln’s promise “To care for him who shall have borne the battle, and for his widow, and his orphan” by serving and honoring the men and women who are American Veterans
Serving more than 8.9 million Veterans each year
Information on this slide is derived from: https://www.va.gov/health/aboutVHA.asp
The Threat Landscape at VA
The VA environment spans six data centers with over 1,800 locally-managed facilities and 750,000 network devices. With this complex environment, applying cybersecurity consistently is difficult and requires collaboration across several disciplines to protect the data of our Veterans. Below are factors affecting VA’s threat landscape:
• Explosive growth and use of information technology devices connected to the Internet – the “Internet of Things” (IoT)
• Proliferation of information systems and networks with virtually unlimited connectivity via mobile technologies and the cloud, lending to a larger attack surface
• Increasing sophistication of threats, including an exponential growth rate in ransomware and distributed denial of service (DDoS) attacks leveraging IoT vulnerabilities
The opportunity for a malicious attack or a security breach continues to increase as more devices are becoming Internet-enabled.
VA’s Approach to Improving Security
The Department of Veterans Affairs (VA) Enterprise Cybersecurity Strategy Team (ECST) within the Office of Information Technology (OI&T) was established to mature VA’s cybersecurity posture and safeguard Veteran information that is essential to providing quality health care, benefits, and services to our nation’s Veterans. The Enterprise Cybersecurity Strategy encompasses activities around securing VA’s IoT, such as medical devices and special purpose systems.
BY THE NUMBERS
• 587 – Information Security professionals work for VA
• 750K – Number of protected devices on the VA network
• 71% – Decrease in overall number of critical or high vulnerabilities between November 2014 - May 2015
• 4.5M – Emails monitored per day, 75% blocked due to malware and other malicious activity
• $200M – Amount allocated for information security in 2014
Five Strategic Goals of ECST
1. Protecting Veteran information and VA data
2. Defending VA’s cyberspace ecosystem
3. Protecting VA infrastructure and assets
4. Enabling effective operations
5. Recruiting and retaining a talented cybersecurity workforce
Source: Protecting Veteran Information in a Complex Cybersecurity Landscape, VA. 7/2015
The Influence of IoT at VA
Recent enhancements in technology are allowing federal agencies, including the Department of Veterans Affairs (VA), to find new ways to collect, analyze, share, and act on the data to drive operational efficiencies in support of their mission.
Examples of IoT at VA
• Networked Medical Devices – used in patient health care for diagnosis, treatment, or monitoring of physiological measurements, or for health analytical purposes*
• Special Purpose Systems (SPS) - network-connected, non-medical systems that play a critical role in supporting a VA facility’s operations and mission fulfillment (e.g., heating, ventilation, and air conditioning (HVAC); water control)*
*Source: U.S. Department of Veterans Affairs
Examples of VA Addressing the Security Challenges of IoT
Scaling solutions enterprise-wide and establishing the capability for connected devices on the VA network
Challenge areas: Vulnerability Management; Aging Infrastructure; Asset Management; Unsupported Operating System Solutions; Governance and Risk Management
• Implemented an automated inventory tool and an inventory reconciliation process
• Implementation of the Isolation Architecture
• Change Advisory Board to evaluate and recommend improvements to standardized processes and procedures established to control VA IT infrastructure changes
• Deployed VA’s Medical Device Vulnerability Management Program*
• Created the security control overlay for medical devices
• Published and integrated a cyber incident root cause analysis into standard operating procedures (SOP)
• Leveraged an isolation architecture for medical devices connected to their network
• Implemented a change management advisory board
• Deployed a Medical Device Protection Program**
• Provided security guidance, training and outreach to VA employees and contractors
• Implemented continuous monitoring of evolving cybersecurity threats
• Implemented configuration controls
• Implemented incident response to remediate security breaches
[Diagram: Information, Data, Architecture, Business Objective, End User, Business Process, Things]
* Source: ECST accomplishments as of 1/31/2017
** Source: Fiscal Year 2017 VA Medical Device Incident Response Overview
Evolution of VA’s Approach to Securing IoT
VA continues to integrate with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise.
• Enhance the isolation architecture to include connected devices
• Deploy a centralized automated inventory solution
• Monitor soon-to-be-unsupported operating systems
• Work with device owners and manufacturers to remove vulnerable devices from the network without affecting patient care
• Develop an incident response program for connected devices
• Mirror security vulnerability management of medical devices for connected devices
Source: ECST Medical Cyber Domain Projects as of 2/1/2017
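The inventory reconciliation, isolation architecture and end-of-support monitoring projects described in the two preceding slides share one defensive workflow: compare what discovery sees on the network with the asset register and flag the gaps. The Python below is an added illustration of that workflow, not code from the deck or from VA; every device record, MAC address, VLAN name and end-of-support date is a constructed placeholder.

```python
from datetime import date, timedelta

# Constructed authoritative asset inventory keyed by MAC address; "isolated" marks
# devices that belong on the medical-device isolation segment (all values made up).
INVENTORY = {
    "00:11:22:33:44:01": {"name": "infusion-pump-07", "os": "WinEmbedded7", "isolated": True},
    "00:11:22:33:44:02": {"name": "hvac-controller-2", "os": "LinuxBB", "isolated": True},
    "00:11:22:33:44:03": {"name": "radiology-ws-12", "os": "Win10", "isolated": True},
}
# Constructed output of an automated discovery scan (hypothetical tool).
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.20.1.15", "vlan": "med-isolated"},
    {"mac": "00:11:22:33:44:03", "ip": "10.30.7.88", "vlan": "user-lan"},  # wrong segment
    {"mac": "00:11:22:33:44:09", "ip": "10.30.7.90", "vlan": "user-lan"},  # not in inventory
]
# Constructed end-of-support dates; placeholders, not real vendor lifecycle data.
END_OF_SUPPORT = {"WinEmbedded7": date(2020, 10, 13), "LinuxBB": date(2027, 6, 30),
                  "Win10": date(2025, 10, 14)}
ISOLATION_VLAN = "med-isolated"
REPORT_DATE = date(2025, 6, 1)  # fixed "today" so the run is reproducible

def reconcile(inventory, discovered, eos, today, warn_days=180):
    """Return (device, finding) pairs: inventory gaps, segment drift and OS support status."""
    findings, seen = [], set()
    for dev in discovered:
        seen.add(dev["mac"])
        rec = inventory.get(dev["mac"])
        if rec is None:  # on the wire but unknown to the asset register
            findings.append((dev["mac"], "unknown device not in inventory"))
            continue
        if rec["isolated"] and dev["vlan"] != ISOLATION_VLAN:
            findings.append((rec["name"], f"expected isolation VLAN, seen on {dev['vlan']}"))
        eos_date = eos.get(rec["os"])
        if eos_date is None:
            findings.append((rec["name"], f"no end-of-support date recorded for {rec['os']}"))
        elif eos_date <= today:
            findings.append((rec["name"], f"unsupported OS {rec['os']} since {eos_date}"))
        elif eos_date - today <= timedelta(days=warn_days):
            findings.append((rec["name"], f"OS {rec['os']} loses support on {eos_date}"))
    for mac, rec in inventory.items():  # registered but not observed: stale or offline
        if mac not in seen:
            findings.append((rec["name"], "in inventory but not seen on network"))
    return findings

if __name__ == "__main__":
    for device, finding in reconcile(INVENTORY, DISCOVERED, END_OF_SUPPORT, REPORT_DATE):
        print(f"{device}: {finding}")
```

Each finding maps to one of the slide's projects: unknown devices feed the inventory reconciliation, segment drift feeds the isolation architecture, and the end-of-support checks feed the unsupported-OS monitoring.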
Principles for Securing IoT Devices
As we continue to integrate IoT and become more dependent on network connected technologies, there is an increasing emphasis on securing these devices. The Department of Homeland Security (DHS) has issued six strategic principles for securing IoT:
1. Incorporate Security at the Design Phase
2. Promote Security Updates and Vulnerability Management
3. Build on Recognized Security Practices
4. Prioritize Security Measures According to Potential Impact
5. Promote Transparency Across IoT
6. Connect Carefully and Deliberately
Information on this slide is derived from: https://www.dhs.gov/sites/default/files/publications/IOT%20fact%20sheet_11162016.pdf
The Future of the IoT
What is Next for IoT?
“Security is a special challenge for IoT. IoT systems operate across the public internet; are deployed outside of the physical control of the organization; may remain in place in critical systems for 10 to 20 years; and may control critical infrastructure, or be capable of coordinated attacks on other systems…The devices themselves may lack critical hardware capabilities for securing their operation against attack. Securing IoT requires a balance of protecting against long-term devastation and accelerating value generation” – Gartner, Internet of Things Primer 2017
“The Internet of Things Market to reach $267 Billion by 2020” – Forbes, 1/29/2017
“Connected health devices should grow to $14 billion by 2020” – Forbes, 9/1/2016
“Clearly the Internet needs more IP addresses. How many more, exactly? Well, how about 340 trillion trillion trillion (or, 340,000,000,000,000,000,000,000,000,000,000,000,000)? That's how many addresses the Internet's new "piping," IPv6, can handle. That's a number big enough to give everyone on Earth their own list of billions of IP addresses.” – Vint Cerf, Chief Internet Evangelist at Google