Information and Communication Technology (ICT) Supply Chain Security Emerging Solutions

Information and Communication Technology (ICT) Supply Chain Security: Emerging Solutions
Nadya Bartol, CISSP, CGEIT, UTC Senior Cybersecurity Strategist

Agenda
- Problem Definition
- Existing and Emerging Practices
- Ten Key Questions
- Summary and Questions

Problem Definition: What is ICT Supply Chain Risk Management?
- Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains of multiple suppliers.
- The acquirer does not always know how that happens, even with the primary supplier.
- Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices.
- Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety.
- Acquirers need to be able to understand and manage the associated risks.
Source: Nadya Bartol, ACSAC Case Study, December 2010. Slide footer: 2012 Utilities Telecom Council.

Problem Definition: How does this look?
"Scope of Expansion and Foreign Involvement" graphic in DACS (www.softwaretechnews.com), Secure Software Engineering, July 2005, article "Software Development Security: A Risk Management Perspective", a synopsis of the May 2004 GAO-04-678 report "Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks".

Problem Definition: From "The World Is Flat" by Thomas Friedman: Dell Inspiron 600m Notebook, Key Components and Suppliers
Source: Booz Allen Hamilton and DoD

Problem Definition: What are the risks?
- Intentional insertion of malicious functionality
- Counterfeit electronics
- Poor practices upstream

Problem Definition: Intentional insertion of malicious functionality
(Diagram: a virus, extra features, or a backdoor inserted by an upstream supplier passes through the provider/integrator into the delivered product.)

Problem Definition: Counterfeit electronics
(Diagram: counterfeit components, possibly carrying extra features, pass through the provider/integrator and result in poor performance.)

Problem Definition: Poor practices upstream
(Diagram: poor coding practices and poor quality at an upstream supplier pass through the provider/integrator and result in poor performance.)

Problem Definition: This may impact reliability and safety for years
(Diagram combining the three cases: poor coding practices, counterfeit components, viruses, extra features, and backdoors all reach the provider/integrator, and the acquirer inherits poor performance and poor quality.)

Problem Definition: Some History
- 1999-2006: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics
- 2007-2009: European reports on robustness of communications infrastructures and IT supply chain risks
- 2008: US Comprehensive National Cybersecurity Initiative stood up
- 2010: Stuxnet
- Oct 2011: ODNI report on foreign industrial espionage
- Sept-Oct 2012: ENISA study on supply chain integrity; Telvent hacked; US House Intelligence Committee Huawei and ZTE report released
- 2013: NDAA 2013; Cyber EO; PPD-21; Mandiant report

Existing and Emerging Practices (timeline, 2008-2013)
Government:
- Comprehensive National Cybersecurity Initiative stood up (2008)
- DoD ICT SCRM Key Practices Document
- Cyberspace Policy Review
- NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
- The President's International Strategy for Cyberspace
- GAO Report
- NIST SP 800-161
- PMOs developed in DOJ and DOE
- DHS ICT Supply Chain Exploits Frame of Reference
Industry:
- DHS Vendor Procurement Language
- SAFECode Software Supply Chain Integrity papers
- Open Trusted Technology Framework
- Common Criteria Technical Document
- ISF Supplier Assurance Framework
- IEC 62443-2-4, Industrial-process measurement, control and automation
- Energy Delivery Systems Procurement Language
- ISO/IEC 27036, Guidelines for Information Security in Supplier Relationships
- SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)

Existing and Emerging Practices: How do these standards help?
By answering the following key question: How should an organization manage security risks associated with acquiring ICT products and services?
And by providing a rich menu of items to choose from to:
- Define your own processes for supplier management
- Ask your suppliers about their processes

Ten Key Questions (1): What ICT assets and processes are critical to your business?
(Diagram: assets and processes map to ICT products and services, which map to ICT suppliers. Share of each asset sourced from each of its suppliers, as drawn on the slide:)
- Network gear: 90% / 10%
- Control systems: 50% / 50%
- Servers: 50% / 25% / 25%
- Database software: 100%
- Laptops: 100%

Ten Key Questions (2): Have you defined what security you want?
Critical assets (supplier shares as in question 1): Network gear 90% / 10%; Control systems 50% / 50%; Servers 50% / 25% / 25%; Database software 100%; Laptops 100%
Security requirements: Confidentiality, Integrity, Availability, validated against standards and best practices
...and can you use these requirements to negotiate security with your suppliers?
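As an added worked example (not part of Nadya Bartol's slides), the script below turns the two slides above into something you can actually run: it encodes the asset-to-supplier shares drawn on the slide, attaches a criticality weight and C/I/A requirements to each asset, and then computes which suppliers carry the most criticality-weighted exposure, which assets are single-sourced, and what a compromise at one supplier would touch. The supplier names (A through H), the criticality weights and the requirement sets are assumptions made for illustration, since the slide labels none of them.

```python
"""Supplier concentration analysis for a set of critical ICT assets.

Added example. The asset/supplier shares are the percentages drawn on the
slide; supplier labels A..H, criticality weights and C/I/A requirement sets
are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                # 1 (low) .. 5 (critical), assumed
    requirements: frozenset         # subset of {"C", "I", "A"}, assumed
    suppliers: dict = field(default_factory=dict)  # supplier -> share (0..1)


# Shares from the slide; supplier labels and weights are placeholders.
ASSETS = [
    Asset("Network gear", 5, frozenset("IA"), {"A": 0.90, "B": 0.10}),
    Asset("Control systems", 5, frozenset("IA"), {"C": 0.50, "D": 0.50}),
    Asset("Servers", 4, frozenset("CIA"), {"A": 0.50, "E": 0.25, "F": 0.25}),
    Asset("Database software", 4, frozenset("CI"), {"G": 1.00}),
    Asset("Laptops", 2, frozenset("C"), {"H": 1.00}),
]


def validate(assets):
    """Return the names of assets whose supplier shares do not add up to 100%."""
    return [a.name for a in assets
            if abs(sum(a.suppliers.values()) - 1.0) > 1e-9]


def supplier_exposure(assets):
    """Criticality-weighted share of the estate each supplier controls,
    highest first. A supplier that is 90% of a criticality-5 asset scores
    more than one that is 100% of a criticality-2 asset."""
    exposure = {}
    for a in assets:
        for supplier, share in a.suppliers.items():
            exposure[supplier] = round(
                exposure.get(supplier, 0.0) + a.criticality * share, 2)
    return dict(sorted(exposure.items(), key=lambda kv: -kv[1]))


def single_sourced(assets, threshold=1.0):
    """Assets where one supplier provides at least `threshold` of the asset,
    i.e. where that supplier going out of business or dropping support has
    no fallback."""
    return [a.name for a in assets if max(a.suppliers.values()) >= threshold]


def blast_radius(assets, supplier):
    """Assets (and the security properties they carry) that are at risk if
    `supplier` is compromised, as (asset, share, requirements) tuples."""
    hit = []
    for a in assets:
        share = a.suppliers.get(supplier)
        if share:
            hit.append((a.name, share, "".join(sorted(a.requirements))))
    return hit


if __name__ == "__main__":
    if validate(ASSETS):
        raise SystemExit("shares do not sum to 100%: %s" % validate(ASSETS))
    print("Exposure by supplier:", supplier_exposure(ASSETS))
    print("Single-sourced assets:", single_sourced(ASSETS))
    print("If supplier A is compromised:", blast_radius(ASSETS, "A"))
```

On the slide's numbers, the 90% network-gear supplier comes out as the largest exposure even though it is not the 100% supplier of anything, which is the point of weighting shares by criticality rather than reading the percentages in isolation; the single-source list is the one to take into question (8) when you discuss escrow, spare parts and approved resellers.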

Ten Key Questions (3): How will you know that the supplier is doing what they said they will do?
(Diagram: a range of assurance options, from supplier attestation and self-assessment, through shared assessment results and acquirer assessment, to certification and independent third-party certification.)

Ten Key Questions (4): Has the supplier implemented a secure lifecycle?
Secure lifecycle certification, OR:
- Security reviews are conducted throughout the lifecycle
- Developers are trained in secure coding practices
- Secure code repositories are used
- Supplier knows the origins of critical components
- Lifecycle stops until critical weaknesses are fixed
- Supplier has heard of best practices (e.g., OWASP or Microsoft SDL)

Ten Key Questions (5): How will your data be protected when it is exchanged with the supplier? With the acquirer?
Data categories: Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable

Ten Key Questions (6): How will you and the supplier communicate vulnerabilities? You and the acquirer?
When a new vulnerability appears:
- Disclose or not disclose?
- How to disclose?
- Who will fix?
- If it cannot be fixed, who will remediate?

Ten Key Questions (7): How will you and the supplier communicate about incidents? You and the acquirer?
When an incident or breach occurs:
- Disclose or not disclose?
- How and what to disclose?
- How to minimize the impact to both?
Data categories affected: Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable

Ten Key Questions (8): How will you (acquirer and supplier) protect yourselves for the entire life span of the system?
Lifecycle phases: Development/Engineering; Operations/Maintenance; Retirement/Termination
Risks along the way: support discontinued; supplier out of business; parts no longer available; component disposal
Mitigations:
- Provisions for hardware and software to be available in the future for maintenance and sustainment
- Software escrow
- Buy parts for the future
- Approved resellers and disposers

Ten Key Questions (9): How will this relationship be terminated securely?
Lifecycle phases: Development/Engineering; Operations/Maintenance; Retirement/Termination
Data to account for at termination: Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable

Ten Key Questions (10): How will the people know what to do?
Points of contact (placeholder names from the slide): 1 Frodo Baggins; 2 Harry Potter; 3 Peter Pan; ... X Cinderella
Awareness for all involved:
- Acquisition/procurement
- Legal
- Developer/engineer
- Delivery, shipping, receiving
- Executives
- Others?
What about your suppliers?

Summary
- ICT supply chain concerns are at the heart of today's technology acquisition
- Acquirer practices and supplier practices are equally critical
- You may already have these practices somewhere in your organization
- Use the ten basic questions together with existing standards and practices to get started

Questions

Contact Information
Nadya Bartol, nadya.bartol@utc.org
3/17/2014