Managing Supply Chain Risks for SCADA Systems

Size: px

Start display at page:

Download "Managing Supply Chain Risks for SCADA Systems"

Darrell Sherman
6 years ago
Views:

1 Managing Supply Chain Risks for SCADA Systems Nadya Bartol, Vice President of Industry Affairs and Cybersecurity Strategist, UTC 2014 Utilities Telecom Council

2 Agenda Problem Definition Existing and Emerging Practices Seven Key Questions Summary and Questions 2014 Utilities Telecom Council 2

3 Agenda Problem Definition Existing and Emerging Practices Seven Key Questions Summary and Questions 2014 Utilities Telecom Council 3

4 Problem Definition What is ICT Supply Chain Risk Management? Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains of multiple suppliers Acquirer does not always know how that happens, even with the primary supplier Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety Acquirers need to be able to understand and manage associated risks 2014 Utilities Telecom Council Source: Nadya Bartol, ACSAC Case Study, December

5 What does this have to do with SCADA? 2014 Utilities Telecom Council 5

6 Problem Definition How does this look? Scope of Expansion and Foreign Involvement graphic in DACS Secure Software Engineering, July 2005 article Software Development Security: A Risk Management Perspective synopsis of May 2004 GAO report Defense Acquisition: Knowledge of Software s Needed to Manage Risks 2014 Utilities Telecom Council 6

7 Problem Definition From The World Is Flat by Thomas Friedman Dell Inspiron 600m Notebook: Key Components and s 2014 Utilities Telecom Council Source: Booz Allen Hamilton and DoD 7

8 Problem Definition What are the risks? Intentional insertion of malicious functionality Counterfeit electronics Poor practices upstream 2014 Utilities Telecom Council 8

9 Intentional insertion of malicious functionality Problem Definition Virus Extra Features Backdoor Provider/ Integrator 2014 Utilities Telecom Council 9

10 Counterfeit Electronics Problem Definition Counterfeit Component Counterfeit Component Extra Features Provider/ Integrator Poor Performance 2014 Utilities Telecom Council 10

11 Poor practices upstream Problem Definition Poor coding practices Poor quality Provider/ Integrator Poor Performance 2014 Utilities Telecom Council 11

12 This may impact reliability and safety for years Problem Definition Counterfeit Poor Component coding practices Virus Extra Features Backdoor Counterfeit Component Provider/ Integrator Poor Performance Poor quality 2014 Utilities Telecom Council 12

13 Some History Problem Definition US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics US Comprehensive National Cybersecurity Initiative ODNI report on foreign industrial espionage 2011 ENISA study on supply chain integrity 2012 NDAA 2013 Cyber EO PPD 21 Mandiant Report ENISA reports on robustness of communications infrastructures and IT supply chain risks Stuxnet Telvent hacked US House Intelligence Committee Huawei and ZTE report Havex/Energetic Bear Overall increase in targeted SCADA attacks 2014 Utilities Telecom Council 13

14 Agenda Problem Definition Existing and Emerging Practices Seven Key Questions Summary and Questions 2014 Utilities Telecom Council 14

15 Existing and Emerging Practices Existing and Emerging Practices Government Comprehensive National Cybersecurity Initiative 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference NIST SP Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers IEC Requirements for IACS Solution s ISO/IEC Guidelines for Information Security in Relationships Cybersecurity Procurement Language for Energy Delivery Systems SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) Open Trusted Technology Framework and Conformity Assessments 2014 Utilities Telecom Council 15

16 Existing and Emerging Practices Existing and Emerging Practices Government Comprehensive National Cybersecurity Initiative 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference NIST SP Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers IEC Requirements for IACS Solution s ISO/IEC Guidelines for Information Security in Relationships Cybersecurity Procurement Language for Energy Delivery Systems SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) Open Trusted Technology Framework and Conformity Assessments 2014 Utilities Telecom Council 16

17 Existing and Emerging Practices Existing and Emerging Practices Government Comprehensive National Cybersecurity Initiative 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference NIST SP Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers IEC Requirements for IACS Solution s ISO/IEC Guidelines for Information Security in Relationships Cybersecurity Procurement Language for Energy Delivery Systems SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) Open Trusted Technology Framework and Conformity Assessments 2014 Utilities Telecom Council 17

18 Existing and Emerging Practices Existing and Emerging Practices Government Comprehensive National Cybersecurity Initiative 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference NIST SP Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers IEC Requirements for IACS Solution s ISO/IEC Guidelines for Information Security in Relationships Cybersecurity Procurement Language for Energy Delivery Systems SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) Open Trusted Technology Framework and Conformity Assessments 2014 Utilities Telecom Council 18

19 Existing and Emerging Practices Existing and Emerging Practices Government Comprehensive National Cybersecurity Initiative 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference NIST SP Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers IEC Requirements for IACS Solution s ISO/IEC Guidelines for Information Security in Relationships Cybersecurity Procurement Language for Energy Delivery Systems SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) Open Trusted Technology Framework and Conformity Assessments 2014 Utilities Telecom Council 19

20 Existing and Emerging Practices Existing and Emerging Practices Government Comprehensive National Cybersecurity Initiative 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference NIST SP Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers IEC Requirements for IACS Solution s ISO/IEC Guidelines for Information Security in Relationships Cybersecurity Procurement Language for Energy Delivery Systems SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) Open Trusted Technology Framework and Conformity Assessments 2014 Utilities Telecom Council 20

21 Existing and Emerging Practices Existing and Emerging Practices Government Comprehensive National Cybersecurity Initiative 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference NIST SP Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers IEC Requirements for IACS Solution s ISO/IEC Guidelines for Information Security in Relationships Cybersecurity Procurement Language for Energy Delivery Systems SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) Open Trusted Technology Framework and Conformity Assessments 2014 Utilities Telecom Council 21

22 Existing and Emerging Practices Existing and Emerging Practices Government Comprehensive National Cybersecurity Initiative 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference NIST SP Industry DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers IEC Requirements for IACS Solution s ISO/IEC Guidelines for Information Security in Relationships Cybersecurity Procurement Language for Energy Delivery Systems SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) Open Trusted Technology Framework and Conformity Assessments 2014 Utilities Telecom Council 22

23 Existing and Emerging Practices How do these standards help? By answering the following key question: How should an organization manage security risks associated with acquiring ICT products and services? AND By providing a rich menu of items to chose from to Define your own processes for supplier management Ask your suppliers about their processes 2014 Utilities Telecom Council 23

24 Agenda Problem Definition Existing and Emerging Practices Seven Key Questions Summary and Questions 2014 Utilities Telecom Council 24

25 Using standards and best practices to facilitate the dialog Seven Key Questions How should an organization manage security risks associated with acquiring and supplying ICT products and services? Standards and best practices provide a rich menu of items to chose from to Define your own processes for supplier management Ask your suppliers about their processes 2014 Utilities Telecom Council 25

26 (1) What ICT assets and processes are critical to your business and have you defined what security you need? Seven Key Questions Assets and Processes ICT Products and Services ICT s Security Requirements SCADA 90% 10% RTUs 50% 50% Relays 50% 25% 25% Network Gear 100% Servers 100% Availability Integrity Confidentiality Use these requirements to discuss security with your suppliers 2014 Utilities Telecom Council 26

27 (2) How will your data be protected when it is exchanged with the supplier or the acquirer? Seven Key Questions Acquirer Sensitive Confidential Personally Identifiable Information Intellectual Property Publicly Releasable 2014 Utilities Telecom Council 27

28 (3) How will you know that the supplier is doing what they said they will do? Seven Key Questions Attestation Self Assessment Assessment Results Acquirer Assessment Certification Independent Third Party Certification 2014 Utilities Telecom Council 28

29 (4) How will you and the supplier communicate about incidents and vulnerabilities? Seven Key Questions Disclose or not disclose? How and what to disclose? If cannot fix, who will remediate? Who will fix? How to minimize the impact New Vulnerability, Incident, or Breach Sensitive Confidential Personally Identifiable Information Intellectual Property Publicly Releasable 2014 Utilities Telecom Council 29

30 (5) How will you ensure uninterrupted operations for the entire life span of the system? Seven Key Questions Development/ Engineering Operations/ Maintenance Retirement/ Termination Support discontinued out of business Parts no longer available Component disposal Provisions for hardware and software to be available in the future for maintenance and sustainment Software escrow Buy parts for the future Approved resellers and disposers 2014 Utilities Telecom Council 30

31 (6) How will this relationship be terminated securely? Seven Key Questions Development/ Engineering Operations/ Maintenance Retirement/ Termination Sensitive Confidential Personally Identifiable Information Intellectual Property Publicly Releasable 2014 Utilities Telecom Council 31

32 (7) How will your people know what to do? Seven Key Questions Points of Contact 1 Frodo Baggins 2 Harry Potter 3 Peter Pan.. X Cinderella Awareness for All Involved Acquisition/procurement Legal Engineers/technicians Developers Delivery, shipping, receiving Executives Others? What about your suppliers? 2014 Utilities Telecom Council 32

33 Agenda Problem Definition Existing and Emerging Practices Seven Key Questions Summary and Questions 2014 Utilities Telecom Council 33

34 In Summary SCADA is ICT which is critical to the utilities ability to provide reliable services to their customers ICT supplier security practices have an impact on utility service reliability and dependability in the long term Utilities need to engage in a productive dialog with SCADA and other ICT suppliers to communicate, discuss, and agree upon security expectations This dialog is essential to managing security risks to utility infrastructure 2014 Utilities Telecom Council 34

35 Questions 2014 Utilities Telecom Council 35

Information and Communication Technology (ICT) Supply Chain Security Emerging Solutions

Information and Communication Technology (ICT) Supply Chain Security Emerging Solutions Nadya Bartol, CISSP, CGEIT UTC Senior Cybersecurity Strategist Agenda Problem Definition Existing and Emerging Practices