CyberPhysical Systems Security - Trends, challenges & opportunities | CXO Panel | Nullcon March 2021

Captions
Antriksh: The panel that we have is on cyber-physical systems. We have seen a rapid emergence of technology getting integrated with various cyber-physical systems, and amazing security hacks, breaches, etc. have been noticed in the past few years and months. For example, the recent Florida water poisoning, and the recent report, which I think was by Recorded Future, where there was a power outage, a blackout, in Mumbai, which is claimed to have been done by the Chinese. So, to set the context for the panel, let me share some stats. A motivated adversary can capsize a cargo ship by hacking into its ballast pump controls and causing it to sink. This was well written up and documented by Pen Test Partners from the UK; they have also put this across in a blog post, and I will share the link later if you are interested in reading it. Also, a remote hacker sitting 100 meters away could send unauthenticated commands over Bluetooth to target a military drone to perform any malicious task. I'm told that the control software to run a military-class drone is almost 3.5 million lines of code, while a Boeing 787 aircraft is 6.5 lines of code. That's a lot of programming. Also, Forbes reported about researchers who prepared exploit code and radio hardware that took control of a construction crane, scrapers and large machinery. So we all think, okay, hacking is only done on hardware infrastructure, but it is also in our construction industry. According to Wired magazine, with the advent of sophisticated cloud-connected infotainment systems, the car software in a modern vehicle apparently uses 100 lines of code, and we've all seen the Jeep hack, which happened in 2015. So yes, we've put together an amazing panel of thought leaders who will discuss various domains and how cyber-physical systems are dealing with challenges. Let me introduce our panelists: Frank Sanjay from Eaton Corporation; Kushwant Pawar from ETAS, an automotive major; Mayur Mehta from PepsiCo; and Dr. Faruk Kazi from VJTI, Mumbai University. So I would request our panelists to start their discussion, and Frank to moderate the panel.

Frank: Hey, thank you, Antriksh. Awesome, thanks for the introductions, and thank you for setting the context. And by the way, it's not 100 lines of code, it's 100 million lines.

Antriksh: 100 million, my bad.

Frank: Yes. So it's really amazing to see that the lines of code in a car are, if not four times, at least three times more than in Microsoft XP or 2000. So it was startling when I actually came to understand the complexity that goes into building these cyber-physical systems. Thank you so much, thanks. And I'm really excited to actually join this panel along with young and dynamic emerging leaders from India who are making a global impact in their own unique ways. I mean, Mayur, who is joining us from PepsiCo, is a CTO, Associate Director with Operational Technology Enterprise Architecture and Engineering. He's a domain expert in industrial control systems and manufacturing; he has varied experience with pharma, automobile and FMCG backgrounds, and he's also associated with industry bodies like smart manufacturing and industrial IoT. And we have Kushwant, who is joining us from ESCRYPT; he is heading the ESCRYPT cyber security brand, which is a part of ETAS India, and he has been spearheading automotive security. As Antriksh mentioned, automotives are a complex software and cyber-physical system, right? A lot of times, when we bring up the discussion about cyber-physical systems, automotives are left behind, and I am really excited to have a different perspective, bringing the automotives into the cyber-physical space. And we are really honored to have Dr. Faruk Kazi, Head of Electrical Engineering, VJTI Mumbai, who has a PhD in systems and control engineering from IIT Mumbai, and whose research areas in cyber-physical systems and critical infrastructure protection have been critical not only to his university and academics but also to the country overall. He's the chair of digital architecture at cyber security working group three of the India Smart Grid Forum, and he's also a member of the ISA99 working group. So, really excited to be a part of this panel. Welcome to all of you. And I'm Frank Sanjay, leading the Product Cybersecurity Center of Excellence for Eaton Corporation, and we are responsible for ensuring the security of the things that Eaton sells to its end markets, which include a range of cyber-physical systems across the industrial and electrical sectors. So thank you, Antriksh, and welcome to all my panelists. Before we go into this topic of cyber-physical systems, I think it's very important to understand this concept, right? A lot of times there's a lot of confusion, or a lack of clarity, about the term; there are multiple terms that go with this aspect of cyber-physical systems. To begin the panel, I would like to invite Dr. Faruk to give us a brief overview of what cyber-physical systems mean and how to understand this. Maybe, Dr. Faruk?

Dr. Kazi: Yeah, thank you. Thank you, Nullcon, and thank you, Frank, for giving this opportunity. So it's a CXO panel, and CXO people usually run to the boardroom; I'm an academician, so I'll run to the whiteboard or blackboard now. Just give me one minute, because I thought that I would give a proper two-minute introduction to CPS, and I made two or three slides. So if I'm allowed, if I have permission to share the slides, then I think I can properly explain the concept of cyber-physical systems. Can I do that?

Frank: Sure, please.

Dr. Kazi: Thank you, thank you. So it's a small, quick run-through of what a cyber-physical system is. I was actually amazed when I saw this title from Nullcon, "cyber-physical system", because this is a very typical term of academicians or research organizations, not much popular in the industry. I was shocked, actually, when I saw that the title is themed with cyber-physical systems. So just give me two minutes and I'll run through that. As far as CPS is concerned, people started using this term from 2006, so it's a very recent phenomenon, we can call it, and this was mainly launched by NSF, the National Science Foundation, which funds a lot of universities in the United States. Earlier, people used to call CPS by different names: they used to call it cybernetics, they used to call it mechatronics, and all those things. But right from 2006, ever since NSF came into the picture supporting academia for research in this area, suddenly it got momentum and traction in the academic circles. Now, from the name itself you can make sense of what exactly it is: it's a cyber and physical system, very clear from the name terminology itself. So I will have on one hand a complex physical system, combined with a sophisticated cyber environment, which makes a CPS. In the case of the cyber environment we typically expect control, computing and communication technologies to be present, and for the physical, for example, if I talk about a smart grid kind of example, then I will have generation, transmission and distribution as part of my physical. So that's how people started looking at it. Different people call this with the terminology of hybrid systems, networked systems, machine-to-machine communication; sometimes people also call this a "phygital" system, so as to represent the physical and digital environment together. And it manifests in manufacturing, energy, transportation, water networks; almost everything is covered by the term being called CPS. Now there are two overlapping terms that people usually get confused by: CPS and IoT. These are more or less the same; there is no point in discussing who is a subset of what. And another related term with CPS which is very common is called industrial IoT, or IIoT, or Industry 4.0, the fourth industrial revolution. So just one more minute. Typically the characteristics involved in the case of CPS are that they inherently have networked control systems; they will be obeying hybrid automata. I think from a cyber security point of view this becomes very critical, because in the case of a cyber-physical system the cyber environment evolves in a discrete state, whereas the physical environment evolves in a continuous state, and when you look at it from a complete, holistic viewpoint, this becomes a hybrid automata kind of system, and that actually poses a lot of challenges, not just from the academic point of view but from the industry point of view as well. And the last perspective is real-time computing and networking. So these are certain characteristics of the cyber-physical system. Now you can actually start visualizing CPS as the smallest device which can be available, like your healthcare devices, which collect your biological data, put it onto the cloud computing environment and do some kind of analytics; it can be a little bit more complicated, a complete system like an automobile or car in the case of mobility, or a connected car; or, at the other extreme, it can be a complete system of systems, like a smart grid or, let's say, a small city as such. So you can see the span which is covered by CPS, right from the smallest device, to the system, to the system of systems, and typically I think all critical infrastructure falls under the category of CPS. So I thought that I would share this presentation so that we have some introductory ideas without taking much of the time. Now, coming back to CPS, I think one of the areas where academia is more focused nowadays is digital twins, networked control and all those aspects, so maybe as we proceed further in our panel discussion with other topics, I'll come back and forth to these areas. So thank you very much.

Frank: Thank you, Dr. Faruk. Really, that gives a very good picture of the ubiquitous nature of CPS, and this is really a good start. I think we have been hearing about this word, cyber-physical systems, or industrial IoT and IoT and OT and critical infrastructure, very much, as you rightly mentioned, within conferences like this, but we have not heard as much about cyber-physical systems when it comes to the mobility side, right, and the technology trends that are taking off on the mobility side. So I would invite Kushwant, the next panelist on the board, to give a quick overview of the key technology trends that are coming and affecting the mobility side, be it automotive, e-mobility, electrification of hydraulic systems or electrification of flight, the huge range of mobility sectors. So maybe a quick introduction around that question.

Kushwant: Okay, thanks, Frank. Yeah, you already named some of those. EV electrification is a very big trend in automotive, as we experience. Electrification is also coupled with a lot of connectivity, because the electrical domain usually relies on a lot of information on the state of charge of the batteries, etc., and how much the range would be, because the analytics behind it is yet to be formed; the data needed for analytics is still forming. So a lot of data is going back to the cloud, so connectivity is an important aspect of electrification. And also, from the telematics perspective, a lot of shared mobility features are being driven: the Olas and Ubers and Zoom and Bounce, you name them, be it electric or non-electric, shared is becoming very popular. Autonomous is picking up, and shared, autonomous, electric, all of them need connectivity. So it's a classic CASE case: connected, autonomous, shared and electrified. Everything that manifests in terms of technology innovations falls under one of these characteristics.

Frank: Right, thank you so much. I think bringing automotive into the discussion when we are talking about the security of CPS is very important. Maybe there are also other areas, like health, pharma and manufacturing, which also have a lot of relationship when it comes to cyber-physical systems and the technology that is getting embedded into these, bringing the cyber into the physical systems. So I would now move on to Mayur to quickly introduce how these industries, like healthcare, pharma and manufacturing, are getting impacted or getting included in this big space of CPS, and maybe the key drivers that are driving this transition of bringing in complex technologies and embedding them into these physical systems. Mayur, over to you.

Mayur: Yeah, so can you hear me well?

Frank: Yes, I can.

Mayur: Thank you, thanks. First of all, I would like to tell you what happened just a few minutes ago. When I was entering this room, my office room, actually, in the home, my daughter asked me, "Where are you going, dressed up?" So I said I'm going to go out. Let's go. So, I mean, I'm amazed to see this forum and very humbled to be part of this. Thanks to Dr. Faruk and our colleagues for setting up the context. So definitely the cyber-physical world, or smart manufacturing, is going to be there in this world all across, and then you touched upon what the impact is on pharma or manufacturing or any other medical fields, which are actually linking not just devices as such but linking with humans and society in general. So I was fortunate enough to work in multiple domains: oil and gas, pharma, manufacturing, and right now FMCG. The perspective in all of these is actually always this data modeling; in the pharmacies, for example, using AI/ML is speaking very heavily, because, just to give a context, it takes 12 years to bring a new medicine into the product in the olden days; it's taking a few years now, and actually in the case of COVID we have seen that it's just one year. So a lot of data modeling, bringing in these technologies, is helping a lot, from the scientists to the manufacturing guys and all that. I have been hearing a lot about remote commissioning, and believe me, it's heavily challenging, because commissioning is, you know, its own gigantic work in itself, basically. So remote commissioning, bringing in new cameras or thermal cameras, and integrated sliding, basically, because now, from the procurement of raw material to the final goods, everything is connected, and we want to have a digital twin, a business visualization of the plant, removing those obstacles which previously used to be the air-gapping things and all that; that is going away because of all this stuff. Predictive maintenance is one of the most critical looked-after areas. Digitalization, it comes under releases like Jason, and most of the companies who were always focusing on a B2B business model are now going to the B2C, a business-to-consumer model, and that is driving a lot of automation and the capturing of these technologies in the actual world, the real world, basically. And then these are actually some of the faster adoptions I could see, using the IT services in the OT environment. So, I mean, there are a lot of areas where, not just in theory or in concept, we are actually seeing the real implementation.

Frank: Wow. That looks like, I mean, you guys are bringing in technologies probably much faster than the software world, in some senses, right? The latest technologies that we hear about in the software world are quickly getting integrated into these physical systems, which in previous times were considered separate: there was a firewall, it's an unknown critical system, and probably it's not really affected by cyber risks. But it looks like there are so many technologies that are getting embedded into this entire cyber-physical system space, and each technology brings a lot of risks with it. So maybe I will ask you to expand a little bit on the kinds of risks that are coming and affecting this transition, or this rapid transformation, that is coming into this space.

Mayur: Okay, so yeah, definitely. I think this was a dialogue in one of the movies: with power comes responsibility. I think these different technologies also bring in a lot of capability, but they bring security issues as well, right? So there is no doubt in that. And what are those challenges? So always, I mean, till I think 2017, people were thinking, when we have ISA-95, which talks about mixing up the OT, which used to be just the physical world, with the IT, the integration of that will bring in a lot of security challenges, right? So that has been dealt with; the ISA-99 standard, we'll talk about that, but basically that was the one we looked at. Now we are looking at the other pieces: OT-to-OT integration, which is trusted OT networks to untrusted networks, so that brings an altogether complete new understanding of how you deal with that. And then we have seen IT services by default getting integrated into the OT, in many spaces in a secure way, in many in an unsecured way, which leads to some attacks like WannaCry. We have seen that actually in most of the companies, and that is not just on paper; it is actually causing 300 to 400 millions in a few hours, basically, right? So there are impacts to the companies, and that is huge, actually, and that's the reason we have all these OT folks coming into the leadership forums and to the top, so that from the beginning, management understands this impact. It's not just a cyber impact on uncertainty; it's an overall impact, basically. And also these technologies, rather than bringing some mechanism to have the right controls, we are still lagging a lot in that area. So I would say they bring lots of graphs, lots of charts, we see IoT devices coming in, the data shows the data, what else? I mean, already these plant manager guys, you can believe me, have enough data to see; you need to have the possibility to take actions on quick movements, basically. So there are areas; I can keep talking about that, I know.

Frank: I think yesterday, when we connected, we really said that this field is so enormous that it in itself could have its own conference, and we can keep talking about the risks. But yeah, let me move to Dr. Faruk to quickly understand the perspective from civil infrastructure, right? One is the industries bringing in technology, and that technology adding a lot of risks into the mix, but how is this coming or manifesting in the area of civil infrastructure or critical infrastructure, where it can affect public life? Antriksh's example of the Florida water poisoning, right, is an increasing story; it could really have real-life impact, affecting the lives of people. So, Dr. Kazi, Dr. Faruk, could you briefly touch upon the risks that are possible, or that you are seeing in reality, when it comes to the civil life of people?

Dr. Kazi: Yes, sure. So I would like to take ahead the line of what Mayur said about IT and OT. Typically the industry perception is that they are air-gapped, but we know very well that such an air gap does not exist anymore. Now, one major challenge for civil infrastructure as well as for critical infrastructure, particularly based upon my understanding, being in various committees inquiring into various different types of incidents, is that this critical infrastructure or OT environment is developed over years with legacy protocols, with legacy devices, and that poses a lot of challenge when we try to layer the cyber environment on top of that. So when you talk about IT plus OT integration, quite often, in an attempt at modernization or digitization, we forget that our physical world has certain kinds of restrictions. So my RTU, for example, which is used in the case of a power grid, may not have the ability to talk to high-bandwidth devices as it is expected to. Secondly, in my IT environment, the firewall which is installed may not understand OT protocols, so essentially this firewall is useless, because it can only understand very few protocols, and the rest of the protocols, which are proprietary in nature in the OT environment, are missed as far as security is concerned. So there are a lot of mismatches between IT and OT, and they pose a lot of challenge. If I want to talk about the most important thing, in my viewpoint, obviously there can be different others as well, one biggest thing that I have always seen is patch management. That becomes really, really very tough in the case of cyber-physical systems, because these systems are live, and you cannot have every Tuesday in a month or a week or whatever for patch management, because downtime is very costly in the case of cyber-physical or critical infrastructure. The second thing that I have seen is that these devices, the endpoint devices, always have very little bandwidth capability, and computation capability as well. The third and most important is, for example, IEC 61850: there is one protocol, but different vendors will interpret this protocol in a wide variety of ways. So there are a lot of regulatory issues, a lot of interoperability issues; these are all posing the challenges in terms of cyber security in terms of CPS, I can say.

Frank: Wow, thank you, thank you, Dr. Kazi. I think you really put it in a very succinct manner. Thank you so much. Now let us move to the other area, which is representing the mobility side, right? So, Kushwant, can you quickly touch upon the key cyber risks when it comes to the mobility space? You understand the mobility space.

Kushwant: So the acknowledgement of CIA has come very recently to automotive. So it was recovery; after thinking about top structures for life, the organizations have to move to thinking in terms of defense in depth. And also, as Dr. Faruk mentioned, one is, yes, the embedded devices have very, very little bandwidth; they have less computing capacity. Now, what are the risks that we see occasionally? There are several variants that come up in all of these embedded devices. Automotive, for example: any particular model may have anything between five to ten variants, and they will be based more or less on the same software stack with minor differences. Now every time you are creating a heterogeneous security for these variants, variant management, or security variant management, is one big problem or risk, because there is always this possibility of missing out on a vulnerability in any changes that have been done. So back-tracing the vulnerabilities and identifying the source; there is far less time to really take these kinds of steps, especially if you have reached SOP, start of production, in automotive. A second point that I would want to mention, just in a minute, is that the plant-to-back-end connectivity is still IT, but when the people are in the field and they have to upgrade their credentials or, you know, simple things like renewing a certificate, you know, it's a big, big challenge for the automotive dealership networks. Now you definitely run a risk of having insecure networks at the dealerships; you definitely run a possibility of multiple vendors who would be having all of these inheritance risks, typical IT inheritance I'm talking about, which can just end up in situations of introducing vulnerabilities in the vehicles. So these are two major risks that I see from the supplier and the ecosystem side, and the other one is the technical challenges that are posed because of the limitations of the system and the variants that automotive sees.

Frank: Right, so that's a very interesting point. I mean, variation brings in the management challenge to manage the security aspect, but at the same time standardization brings in familiarity, right? Probably you might want to run your cluster on a Linux-based system, and that Linux-based system is now a very well known, very well established platform for all the attackers, and probably that's the transition and that's the challenge that you guys have, to balance between standardization and managing the variation between the platforms.

Kushwant: Yes. So in terms of regulations, automotive has the least amount of regulations for cyber security. Honestly, what has come up is the UNECE WP.29, which is one of the first releases, and ISO 21434. All of this tells you what to do, but honestly nobody tells you how to really achieve those measures, and of course it's up to communities like this to really figure out what is the best way, the fastest way, to reach the regulatory objectives, compliances and regulatory requirements.

Frank: Okay, hey, thank you. I think you brought a very good perspective to this discussion. We have been discussing all the challenges, but I think the response, right, what are the kinds of responses that we are seeing? So let us hear from the panel, in your own fields, what is happening when it comes to responses: how customers, like asset owners like Mayur, are responding, and what are the things that suppliers like Kushwant, who are producing secure stacks and secure development platforms for the OEMs and the OEMs' entire tier manufacturers, and the regulators are doing. So I'll start with Mayur. Hey, Mayur, can you give us a quick intro, or a peek, into how the industries are responding to this challenge? It's a really big, enormous challenge, and it probably needs to be very coordinated and collaborative in nature. So maybe you can give us a quick peek into how the industries are responding to the cyber security challenge.

Mayur: Yeah, this is a very interesting topic. The peak was not that high, but then this is right now, so this is also depending on that, basically. So at that time people were actually getting engaged: okay, let's do the assessment of your plants, let's try to understand the security posture and then see where the gaps are. But they have understood a lot of areas, because, to be very honest, you talk about any industry, down the layers below four, which is the Purdue model, everything is actually not secure. I mean, though we call it the network, it's full of XPs, Windows 2000, all sorts of possible networks you can think of in your imagination. I have been to many sites which were actually built before you and I were born, so those sites are running and they are producing millions every day, right? So definitely there is no way we are going to remove those sites or networks, basically. So what are the opportunities? I cannot talk specifically from my company's perspective, but in general, because I have been part of these in many areas, companies are running security programs; when I say program, it is to enhance the security of manufacturing sites, supply chain, plants, everywhere, and that is given in the CISO organization, and actually enterprise architecture, the OT network, security, everything works hand in hand to see the opportunities to secure. And as he was mentioning, patch management being one of the difficult parts, all these services, patch management, anti-virus, security monitoring in the plant area, because that is one of the very touchy points for some of the manufacturing guys, recovery: these are the areas which are looked at from the free point of view. These services are always there in IT, but now they are looked at from the point of view of how we can take a standard into consideration. There are vendors coming up; OT has provided these security services, I cannot name them, but there are other services provided by vendors which are coming into these fields specifically. And then we also see what the possibilities are to enhance the networks, because these networks are also legacy; if you want to bring in new security capabilities into these networks, I'm not talking about the layers below which start with the pure manufacturing, but because this threat is outside, coming in from the outside network, those need to be secure. So those enhancements, basically, are the main driving factors. And you are talking about IoT, right? So IoT has its own network, or flow of architecture, which starts from the sensor to the gateway to your transport mechanism to either central servers in the data centers or the cloud; all that needs to be built in from the security point of view. So industries understand, and that's why guys like us are part of their core communities and actually very heavily engaged in these kinds of development models, basically, which is trying to respond, rather than actually be there from the initial days, because, as I mentioned, this is growing over the period of time, because every year it is changing, the security posture and the threats. And that's why in 2016, assessment time, most of the companies were in assessment times; now they're in enhancement times, development times. All those things are happening.

Frank: Right, thank you, thank you. A lot of times customers might not really know; I think if they are educated about cyber security, aware of cyber security, then yes, but in some cases people might not really know the kind of risks that they are actually dealing with, and millions of dollars are being produced and millions of people are relying on the product that these particular companies are making, or civil lives are probably at stake if proper security is not implemented. So I will move on to Dr. Faruk to just see what the regulators, or, I mean, what the regulatory space is looking like. Are the governments doing something about this, or how is that looking, be it internationally and locally at the Indian government level? So maybe, Dr. Faruk, you can throw a little bit of light on that.

Dr. Kazi: Yes, sure, sure. So as far as India is concerned, we have two regulators mainly who are addressing cyber security eventualities in cyber-physical systems. One, as everybody knows, is CERT-In, one regulator who actually manages the Indian cyberspace. The second one, typically, which is used in the case of cyber-physical systems, is NCIIPC, the National Critical Information Infrastructure Protection Centre, which has the mandate of looking at the cyber security aspect of critical infrastructure, which involves energy, oil and gas, petrochemical refineries, banking and finance and all those critical infrastructures. So from the Indian point of view these are the two major bodies, but if you talk about the energy sector particularly, then there are certain transmission CERT, distribution CERT, generation CERT; so domain-specific CERTs are also available with respect to the energy sector particularly. Globally, if you talk about it, then there are a lot of bodies. A lot of bodies in the sense that NIST is there, which talks about how to regulate particularly this cyber-physical environment. Another one which I think everybody must be well aware of is NERC CIP, which talks typically of bulk energy systems, and there are many more which are specific to Europe and specific to Middle East countries as well, like Qatar, which has its own CERT, and there are many other regulatory bodies which are established either by industry organizations or by government bodies as such. So a lot of regulatory effort is happening in terms of the cyber-physical systems of critical infrastructure. Standardization is also being taken care of by ISO, IEC, ISA, and there are a few more IEEE bodies which are giving out standards for different aspects of cyber security; for example, IEC 62443 is there, which looks into this; ISO 27000 is there. So there are a lot of standardization bodies as well which are trying to contribute towards making CPS as secure as possible.

Frank: Thank you, thank you, Dr. Kazi. How about, I mean, what is the space looking like when it comes to mobility? You mentioned that it's probably not yet so regulated, but what are you observing there?

Kushwant: So mainly it is coming from, so one of the earlier drivers was, let's say, GDPR, and then the suppliers suddenly started gearing up for GDPR. The reason is it was the first time that the user data from the vehicles was being considered to be sent to the back end so that it could be used for analytics and predictive maintenance and diagnostics, etc., but it had a lot of personally identifiable information. So they started taking GDPR first, and over the period of time WP.29 has come up, so at least in Europe, Japan and Korea the OEMs and suppliers are supposed to comply with a certain set of requirements. This means that the OEMs are going to push a lot of security requirements to their suppliers. So suppliers like Bosch, Eaton, I don't know, several others, have already been gearing up for their platform products, their really very important products: transform the hardware, because it starts from hardware when you start with cyber-physical system security, and they started looking at, you know, modularization of the stacks, trying to build in as many standard, established algorithms for crypto functionalities, and without experimenting too much or spending on new fancy algorithms they have relied on standard technology, so that they could be further used in harmonization of the platform security concepts. So with this in view, I see a lot of suppliers already have their set of security standard operating procedures; security engineering processes have been implemented already, and it will just be a few minor steps to be taken to really be compliant with the regulation. On the contrary, OEMs have a little more to do; that's what I very often see.

Frank: Okay, yeah, thank you. I think that's a really good thing. But how, as a, let's say, a C-level executive, right, or a person being made responsible, like in the case of Mayur, or anybody who is responsible for the procurement
of the systems that you are bringing into your company to run either it's a data center because data center runs on the power infrastructure which again is a cps right kind of a cps with probably maybe small c not a captaincy but a small level of cyber is there when it comes to power infrastructure that is running your data centers so how i mean are there any emerging standards and certifications um which can tell when which we can ask our suppliers or uh which the the companies that are procuring can ask hey are you complying to this are your processes running at this level of security uh what other assurances what is that landscape looking like yeah so um as i said this is a journey right so uh the good part about president movement is we do not have any kind of a government regulations which are forcing us to go through this and that is a big game changer the reason is these certification bodies are also needed first thing and secondly the govern government's bodies who are actually regulating us on certain processes which we are driving for our business basically so fda drives for food and and pharma and then similarly we have other regulation uh bodies who gives us clear indicates what are the regulations we need to follow but in terms of security space basically we are still living with the standard and standard and regulation two things are different right follow the standard nobody can mend it us but regulation is something different and that linking is still uh happening and as that's why i said we are lucky because most of the people cannot apply that very rapidly but the programs are understanding that when we see there is no silver bullet for the uh any problems which we are seeing so defense uh in depth is one of the key space and all your uh products which you are buying you talked about some of the component data centers you talk about component in the manufacture right so even those need to be uh security compliance with the security features with a 
capability to withstand the denial of service attacks the communication robustness we talk about right so all that kind of uh things we can actually ask but how do you ask that so there are certifications available at the product level like system level at the manufacturing plant level basically just to give some of the examples basically uh six to four three four or two dash which is also um satisfying the product basically and uh um and 3.3 uh specifically that says how do you certify your system basically and there are many governance body there are many companies who are driving these standards for products and systems across the globe and then and they are certifying this but again as i said this this is a challenge of adoption which is a good piece at the moment because we are maturing from stage one to three uh and so on and uh the key part is the how do you certify your people basically because it's not about just that it's the people who run the whole system so there are standards certification coming in that area as well in ot uh yeah thank you thank you mayor um i think we talked a lot about the technical part of it right product certification standardization standards and donations as as a leader right as a leader what are the key non-technical challenges that you that you are experiencing that might provide some insight into the other leaders to the other leaders who are on the on the forum and hearing us can you throw a little bit light into non-technical challenges that you are facing you see me laughing right so you can believe me i can give two days session on this so right so when we when we talk about it ot air gap uh which is not there as kaz mentioned uh mr kashi mentioned but the itot air gap on the knowledge piece is still there what i mean what i mean by that is when i go through a recruitment process for my engineers for my architects for my in any any organization i i receive 400 cvs not even 5 percent are actually meeting that fund that's 
a big air gap i can see knowledge here the reason i would say i will not blame individuals the reason it is you are finding you are trying to find in one person uh ot domain knowledge which is itself is a ocean and knowledge in the security field and knowledge in iit networking speed in the single person or maybe in a team to fit this requirement basically so that's a big area of concern which which is something not readily available and then you try to say okay i go there and there are things we need to build actually uh and the language we speak so when somebody go to the shop floor they have a different jargons that they they use in the shop floor in terms of the running whole production there they have a plan they have what you call targets for the day not even day hours minutes and all that stuff iot talks different uh languages downtime uh link breakdown also there are a lot of languages various which actually gives lot of challenges because i t want to provide the services or they don't understand their language sometimes they don't even understand what is mean by food so they understand it is a physical but there are in port means the services right so a lot of language barriers basically and it is very hard to find it find a talent which has a passion on this ot field and very patience to continue to run with these kind of environment because believe me it takes lot of time a lot of time to get the things moved from one to two in the plants because of the processes because of the mindset because they are producing money right because if your car is running why you want to do the maintenance every day so there are a lot of people uh or not the people i would say this is the mindset which is non-technical as i said i can talk about this for two days so yeah we we have only a few more minutes to go so quickly kushwan can you talk about the challenges you have and we will go to dr kazi and dr faro to see how uh bjti and their the consortium is actually trying 
to solve this problem so kushwant over to you quickly yes so just continuing from what mayor said we often get requirements from teams at the oen side that are not from automotive embedded engineering as such but the id teams because somebody in the team is a cyber security expert so the requirements are like okay do you have iso 2700 certification can we audit you and we are like oh really so there is a gap of language yes and understanding from both sides cyber security or cyber physical systems will need cross-functional teams so right however there is a cross-functional team uh sourcing the security technologies i am confident they will come up with far better understandable language as well as far uh more effective uh you know sourcing patterns that's one uh second um challenge that we often see is uh now may you mentioned that out of 100 series not even five are useful uh in our case uh out of maybe 500 we don't even find automotive or well rather embedded automotive cyber security experts it's it's barely half uh percentage point five percentage points so when when we look at this kind of a scenario we need a a play field somewhere where people can come where cross domain experts can come and experiment right of course i cannot give my car to uh you know frank and his colleagues to really blow up right but there is something that is missing for people to try out which will give us far more uh better experts as i see yeah that's great actually that brings me to the next question to dr farooq to just check to understand what what what is the academy or the universities or indian ecosystem is doing to address this challenge and this also looks like a great opportunity for us to play in this field i mean as indian um i mean emerging market and the talent we have great talented guys on this forum and in this area but i think it's it's probably looks like we need to probably overcome some barriers and challenges to make this a global contribution from our side so 
dr faro can you throw a little bit light about the capabilities that you are building yes sure so uh again i would like to continue with where the khushwant left his uh answer so let's say if i want to talk about uh the hacking or cybersecurity studies for the automobile sector so i cannot provide car for experimentation purpose because that will be huge investment as such so from the academia point of view the challenging part for the cyber physical system is how can we create a test bed which can actually mimic realistically the actual system while authentically preserving all the challenges of cyber security as it is so it should not be too diluted for a person who is interested in doing research in the cyber security at the very same time i should have enough amount of financial resources to create that kind of environment for example ah kushman told about the car car will be still okay but just see that i want to do research in the critical energy infrastructure so it is virtually impossible for me to create kind of environment in my laboratory setup where i can actually have some 500 megawatt of generation plant and then i can showcase how this succinate attack can happen in terms of my industrial control system so the biggest challenge in case of cyber physical system is the test bed which will be helpful for honing the skills of the budding researchers who are interested in doing research in the cyber physical system i think that is the important one so i can put this as a cyber range basically so like if you want to practice shooting you will have shooting range you cannot just walk along the road and start killing the people just for the sake of learning how to shoot like you will have some shooting range similarly for cyber security study and research in critical infrastructure you need to have cyber range to be present i kind of spend lacks of rupees on plc's and giving it to the researcher to see whether vulnerabilities exist or not so typically in 
case of i.t environment the research in cyber security becomes better because you have os top 10 vulnerabilities you can find out certain websites which will allow you to practice those top 10 vulnerabilities but in case of cyber physical system we are not having such kind of uh cyber range or the test bed where we can actually try our hands and anthrax will agree with me and entire nalcona payatu team also agree will with me is when we talk about cyber security there is a very narrow gap between what is ethical hacking and what is non-ethical hacking so if i am trying to look at how expert i am and infiltrate into some energy utility let us say i do not know what one click of mine will take me to what kind of directions right these are some of the issues i feel personally one is the cyber range or the test bed where people can try their luck and then secondly uh having some kind of understanding about where the ethical and non ethical hacking boundaries uh exist so these two are i feel are the prominent one so um dr farooq you're also a part of some of the government of india initiatives are there any initiatives that are going on in that space or in this space and uh where our young talent can come and either participate or maybe compete or in some way contribute to this this larger problem and we can together uh contribute globally actually not just looking at the indian but globally can you talk a little bit about that definitely definitely so one interesting thing is not many people are aware actually that dst department of science and technology which is equivalent of nsf uh nfs in the us which actually gives funding to a lot of research organizations is having a special initiative on cyber physical system itself that is called as icps interdisciplinary cyber physical system and you will not believe the budget which is allocated for this this initiative started very recently around three years back or so and the budget which is allocated for this initiative 
is close to 3500 crore rupees and they are not just funding the academic institute they are also funding the startups they are also funding some kind of startup incubation centers which are typically focused around cps or cyber physical systems so government is also ini taking lot of initiatives in the area of cyber physical system in predominantly in the last five years or so and i think a lot of buzz is coming around with the cps term now wow okay so if if anybody has any questions so they can reach out to you can they can they reach out to you just to know a little bit more about this my pleasure it in fact not the dst is funding itself but there are a lot many other opportunities and our own lab actually in bjt mumbai is having almost a very realistic test bed which is done with the industry partnership like siemens then lnt infotech emerson g schneider so all they have contributed in terms of their hardware devices and we have created a close to realistic scenario for the critical infrastructure so we will be open if anybody wants to reach out to us and try to work on certain kind of ideas we can allow the access to these interested passionate people we will be happy thank you thanks thank you dr farooq um quickly i think we are really low on time now uh might probably now uh interrupt us but yes questions from the from the uh audience do you receive any questions that we should ask yes uh i have received few questions and i have some my questions as well to add but uh thank you so much for this amazing uh session uh i think the cyber physical system uh panel was really interesting and we should have more discussions around it rather than just you know uh iot 4.0 and stuff like that uh so yes uh i have uh one suggestion to kushwant uh i i know that you mentioned in india one of the points that it is difficult to find uh embedded security engineers or embedded engineers uh i'm doing a soft selling over here if you're interested uh do contact our pio2 team if 
you need any resources but we have opened a hardware related uh job channel on hardware.squad server so if you have requirements uh let us know we'll post it out for you you know we have more than 500 hardware security engineers over there uh i think they would like to work with escript uh and itas over there uh dr kazi uh you have spoken at nalcon and you have seen how the community physically interacts uh and uh i think when it comes to test beds right uh i know it involves a lot of finance uh but uh how can we make it uh publicly available to the community uh because when i come from the nulcon community or the industry over here we are eager to play with uh various hardware you give us a car we'll try to find a bug you give us you know let's say a smart meter or something we are willing to do research but the community always says we don't have access to it and the industry says we don't have researchers to uh find uh vulnerabilities of security issues and critical infrastructure so how do we bridge this graph uh i do not know making test beds available which are only for private companies uh if they can make it to public i do not know if there is any public uh or uh private initiative as such where people can work and enroll for doing some kind of hardware related research apart from the academy i know academia has all the funds and connects with the industry but for the public and the private industry is there any forum at least in india or outside uh in india we do not have uh this kind of facility you rightly pointed out this is some kind of weakness that we need to actually approach to concerned government agencies and propose them that we would like to have such kind of test but it will be accessible to everybody so to answer to your question in india we are not having such kind of facility available although institutes and organizations have built the test bed for cyber physical system but that is restricted for their own research and not publicly 
available now as far as our test bed is concerned we make it open whenever we conduct some hackathons etc and that time people can log in remotely and try to work around and play around with the systems but recently with the corona we actually realized because a lot of our own researchers were accessing our test bed remotely so i take your suggestion as a very valid point and i will try to see if something can be done in such a way that some time zones can be allocated which will not be disturbing our ongoing research whereas some slot may be made known to the people who would like to uh work further so i think this this can be a good outcome of this panel discussion and we will surely work with nalcon and other team members to see that how we can decide the modality of this but that's a good suggestion thank you really really amazing hey hey kushwar do you want to talk about the virtualized platforms which are hardware and loop systems we're now turning virtual yeah so with a very recent announcement and a great amount of learning from 10 years frank and his team are not happy with the decision but but we just decided to move away from hardware platform so uh dr farooq had mentioned that how about making available a a lab car let's say a car that is that can be completely simulated in the lab so we used to have this kind of a solution but over the period of time we realized that the number of such systems needed is so less that there is no break-even from really from the commercial point of view maintaining all of those hardware in the portfolio is is quite a challenge so we have done away with the hardware part of it now what remains is all the electronic control units uh will be virtualized uh slowly steadily so we are coming up with solutions that can virtualize electronic control units that are going to be uh used in a car network for that matter and these uh ecu's virtual ecu's then work on a virtual core simulation platform called as quotient from etas so 
together what uh we um sort of are offering is a uh software in loop system or model in loop system so removing the hardware and loop part that will also help digitize some of this uh remote operations still need to be explored but uh near real-time behavior can be guaranteed out of this cell platforms now how to do security testing on it uh since 2016-17 in japan we used to use some variants of these products and introduce bugs in those and then conduct some hackathons there similar kind of environment can be created and i don't see a reason why these virtual solutions cannot help in in contributing to such initiatives wow that looks like a very uh very good but i think probably commercial reasons might limit i don't know what is the uh the aspect of uh making these available to the public or even um from a perspective of learning this thing right it's so maybe you can quick peek there so um first part is making a solution that can really create this virtual ecu so there is some time uh that it will take it has been working on the virtual issues we had some solutions that used to give this it is called something isolated or something like that but they have decided to look at some other strategies because uh the original solution used to take a lot of time i mean in terms of a lot of information um simulation now they want to go at uh maybe little higher level of abstraction and that may take a year year and a half research by the time you really introduce the solution in a full budget um and commercially as long as there is less hardware involved uh frank um i can i can say that things can be worked out right right right yeah that's that's a great point i think for all the leaders who are working here i think cyber ranges if yeah publicly that's a big challenge but also even within a corporate environment if you need to have a range where your software experts want to play out on uh cyber security that was a challenge but now with things getting virtualized 
probably that challenge from a cost perspective is getting uh uh we are mitigated to an extent hey anthrax um yeah thank you for that question any more questions uh frank we are running out of time so apologies for not taking more questions but uh mayor i hope to see you in goa physically uh whenever we do nalcon and uh yeah thank you dr faro thank you kuchwan thank you frank for this amazing session and sharing insights uh like i said uh nalcon and the community in india would like to partner with y'all if y'all have any uh initiatives where the public or this community can uh collaborate in doing any kind of test could be automotive could be you know civil engineering or even uh let's say manufacturing so yes uh we would be more than happy to collaborate with academia and industry so thank you guys again thank you so much thank you for the opportunity thanks
Info
Channel: nullcon
Views: 221
Rating: 5 out of 5
Keywords: cyberphysical system security, IIoT security, Security challenges, System security, CXO, CISO, CTO, CIO, Nullcon Conference, Nullcon Conference March 2021, Industrial cyber security challenges
Id: Owp3R7pKn3c
Length: 60min 24sec (3624 seconds)
Published: Thu Apr 29 2021