Managing Supply Chain Risks for SCADA Systems

Managing Supply Chain Risks for SCADA Systems
Nadya Bartol, Vice President of Industry Affairs and Cybersecurity Strategist, UTC
Nadya.bartol@utc.org
2014 Utilities Telecom Council

Agenda
- Problem Definition
- Existing and Emerging Practices
- Seven Key Questions
- Summary and Questions

Problem Definition: What is ICT Supply Chain Risk Management?
- Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains made up of multiple suppliers
- The acquirer does not always know how that happens, even with the primary supplier
- Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices
- Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety
- Acquirers need to be able to understand and manage the associated risks
Source: Nadya Bartol, ACSAC Case Study, December 2010

What does this have to do with SCADA?

Problem Definition: How does this look?
Graphic: "Scope of Expansion and Foreign Involvement", from the DACS (www.softwaretechnews.com) Secure Software Engineering article of July 2005, "Software Development Security: A Risk Management Perspective", a synopsis of the May 2004 GAO-04-678 report "Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks".

Problem Definition: From The World Is Flat by Thomas Friedman
Graphic: Dell Inspiron 600m Notebook: Key Components and Suppliers
Source: Booz Allen Hamilton and DoD

Problem Definition: What are the risks?
- Intentional insertion of malicious functionality
- Counterfeit electronics
- Poor practices upstream

Problem Definition: Intentional insertion of malicious functionality
Diagram labels: Virus, Extra Features, Backdoor, Provider/Integrator

Problem Definition: Counterfeit electronics
Diagram labels: Counterfeit Component (two instances), Extra Features, Provider/Integrator, Poor Performance

Problem Definition: Poor practices upstream
Diagram labels: Poor coding practices, Poor quality, Provider/Integrator, Poor Performance

Problem Definition: This may impact reliability and safety for years
Diagram labels (all three risk types combined): Counterfeit Component, Poor coding practices, Virus, Extra Features, Backdoor, Provider/Integrator, Poor Performance, Poor quality

Problem Definition: Some History
Timeline markers on the slide: 1999-2006, 2007-2009, 2008, 2010, 2011, 2012, 2013, 2014
Reports and policy:
- 1999-2006 and 2007-2009: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics
- 2008: US Comprehensive National Cybersecurity Initiative
- 2011: ODNI report on foreign industrial espionage
- 2012: ENISA study on supply chain integrity
- 2013: NDAA 2013; Cyber EO and PPD 21; Mandiant Report
- 2014: ENISA reports on robustness of communications infrastructures and IT supply chain risks
Incidents and findings over the same period:
- Stuxnet (2010)
- Telvent hacked (2012)
- US House Intelligence Committee Huawei and ZTE report (2012)
- Havex/Energetic Bear (2014)
- Overall increase in targeted SCADA attacks

Existing and Emerging Practices
Timeline markers on the slide: 2008, 2009, 2010, 2011, 2012, 2013, 2014
Government:
- Comprehensive National Cybersecurity Initiative (2008)
- DoD ICT SCRM Key Practices Document
- Cyberspace Policy Review
- NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
- The President's International Strategy for Cyberspace
- GAO Report
- PMOs developed in DOJ and DOE
- DHS ICT Supply Chain Exploits Frame of Reference
- NIST SP 800-161 (2013-2014)
Industry:
- DHS Vendor Procurement Language
- SAFECode Software Supply Chain Integrity papers
- IEC 62443-2-4, Requirements for IACS Solution Suppliers
- ISO/IEC 27036, Guidelines for Information Security in Supplier Relationships
- Cybersecurity Procurement Language for Energy Delivery Systems
- SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)
- Open Trusted Technology Framework and Conformity Assessments

Existing and Emerging Practices: How do these standards help?
By answering the following key question: How should an organization manage security risks associated with acquiring ICT products and services?
AND by providing a rich menu of items to choose from to:
- Define your own processes for supplier management
- Ask your suppliers about their processes

Seven Key Questions: Using standards and best practices to facilitate the dialog
How should an organization manage security risks associated with acquiring and supplying ICT products and services?
Standards and best practices provide a rich menu of items to choose from to:
- Define your own processes for supplier management
- Ask your suppliers about their processes

Seven Key Questions (1): What ICT assets and processes are critical to your business, and have you defined what security you need?
Diagram: Assets and Processes, ICT Products and Services, ICT Suppliers, Security Requirements
Example security requirements by asset (weighting across Availability, Integrity, Confidentiality):
- SCADA: Availability 90%, Integrity 10%
- RTUs: Availability 50%, Integrity 50%
- Relays: Availability 50%, Integrity 25%, Confidentiality 25%
- Network Gear: 100%
- Servers: 100%
Use these requirements to discuss security with your suppliers.

Seven Key Questions (2): How will your data be protected when it is exchanged with the supplier or the acquirer?
Diagram: Acquirer; data categories: Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable

Seven Key Questions (3): How will you know that the supplier is doing what they said they will do?
- Attestation: Self Assessment
- Assessment Results: Acquirer Assessment
- Certification: Independent Third Party Certification

Seven Key Questions (4): How will you and the supplier communicate about incidents and vulnerabilities?
- Disclose or not disclose?
- How and what to disclose?
- If it cannot be fixed, who will remediate?
- Who will fix?
- How to minimize the impact?
Diagram: New Vulnerability, Incident, or Breach; data categories: Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable

Seven Key Questions (5): How will you ensure uninterrupted operations for the entire life span of the system?
Lifecycle phases: Development/Engineering, Operations/Maintenance, Retirement/Termination
Concerns:
- Support discontinued, supplier out of business
- Parts no longer available
- Component disposal
Mitigations:
- Provisions for hardware and software to be available in the future for maintenance and sustainment
- Software escrow
- Buy parts for the future
- Approved resellers and disposers

Seven Key Questions (6): How will this relationship be terminated securely?
Lifecycle phases: Development/Engineering, Operations/Maintenance, Retirement/Termination
Data categories: Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable

Seven Key Questions (7): How will your people know what to do?
Points of Contact (placeholder names from the slide): 1 Frodo Baggins, 2 Harry Potter, 3 Peter Pan, ... X Cinderella
Awareness for All Involved:
- Acquisition/procurement
- Legal
- Engineers/technicians
- Developers
- Delivery, shipping, receiving
- Executives
- Others?
What about your suppliers?

In Summary
- SCADA is ICT that is critical to the utilities' ability to provide reliable services to their customers
- ICT supplier security practices have an impact on utility service reliability and dependability in the long term
- Utilities need to engage in a productive dialog with SCADA and other ICT suppliers to communicate, discuss, and agree upon security expectations
- This dialog is essential to managing security risks to utility infrastructure

Questions