ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
Presented by: Nadya Bartol, Utility Telecom Council

Abstract: A variety of recent breaches and vulnerabilities demonstrate that the software and hardware supply chain is a serious concern in the ICS space. Asset owners/operators and suppliers are in a symbiotic relationship: acquirers cannot conduct business without the suppliers' products and services. Where do the subcomponents come from, and what do we know about their contents? Which code libraries were used by the sub-supplier? Why do we need to know? Several solution sets have emerged over the last six years, developed in the IT/communications, defense, and ICS spaces. These include soon-to-be-published ISO and IEC standards, NIST documents, a certification framework, Common Criteria extensions, and efforts by a software industry consortium. The presentation will survey the ICT supply chain security problem space, provide an overview of the solutions developed to date, and recommend how to use these solutions in the ICS context.

Transcript

  • 1. Information and Communication Technology (ICT) Supply Chain Security – Learning from Recent Incidents and Other Sectors. Nadya Bartol, CISSP, CGEIT, UTC Senior Cybersecurity Strategist. © 2012 Utilities Telecom Council
  • 2. Agenda
    • Problem Definition
    • Existing and Emerging Practices
    • Summary and Questions
  • 3. Agenda – Problem Definition (section begins)
  • 4. What is ICT Supply Chain Risk Management?
    • Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains of multiple suppliers
    • The acquirer does not always know how that happens, even with the primary supplier
    • Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices
    • Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety
    Acquirers need to be able to understand and manage the associated risks. Source: Nadya Bartol, ACSAC Case Study, December 2010
  • 5. How does this look? [Figure: “Scope of Supplier Expansion and Foreign Involvement” graphic from the DACS (www.softwaretechnews.com) Secure Software Engineering issue, July 2005, article “Software Development Security: A Risk Management Perspective”, a synopsis of the May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”]
  • 6. [Figure: Dell Inspiron 600m Notebook: Key Components and Suppliers, from The World Is Flat by Thomas Friedman. Source: Booz Allen Hamilton and DoD]
  • 7. What does this have to do with utilities?
    • Utility networks consist of ICT products
    • These products are purchased by acquirers from suppliers
    • These suppliers have supply chains of their own
    Utilities need to ask their vendors questions about security and other practices exercised by the vendors’ upstream suppliers.
  • 8. How is ICT SCRM different from traditional supply chain risk management?
    • Traditional SCRM: Will my physical product get to me on time? ICT SCRM: Will my product (physical or logical) get to me as it was shipped and as I ordered?
    • Traditional SCRM: Is my supply chain resilient, and will it continue delivering what I need in case of disaster? ICT SCRM: Is my supply chain infiltrated by someone who is inserting extra features into my hardware and software to exploit my systems and get to my information, now or later?
    • Traditional SCRM: What is the risk TO my supply chain, which delivers critical products and services, that I need to mitigate? ICT SCRM: What is the risk TO AND THROUGH my supply chain to my business and mission that I need to mitigate?
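Two of the ICT SCRM questions on slide 8 (did the product arrive as it was shipped, and has someone inserted extra features into it) and the abstract's question about which code libraries a sub-supplier used come down, at the technical level, to comparing what was delivered against what the supplier declared. The following Python script is an added example and is not material from the presentation or from UTC: it verifies a delivered software bundle against a supplier component manifest, reporting modified, missing and undeclared files, and lists the declared components with their sub-suppliers. The manifest layout, file names, supplier names and file contents are all constructed for the example. The manifest itself would have to be authenticated first (for example by checking the supplier's signature on it) before its digests can be trusted; that step is assumed and not shown here.

```python
"""Check a delivered software bundle against the supplier's component manifest.

Added example (not from the presentation): all file names, supplier names,
file contents and the manifest layout below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed "known good" bytes that the supplier claims to have shipped.
GOOD_FILES = {
    "bin/rtu-main": b"\x7fELF rtu-main 4.2.1 (constructed placeholder)\n",
    "lib/libmodbus.so": b"\x7fELF libmodbus 3.1.4 (constructed placeholder)\n",
    "lib/libcrypto.so": b"\x7fELF libcrypto 1.0.2 (constructed placeholder)\n",
}
# (name, version, sub-supplier) per path: the "which libraries, from whom" question.
DECLARED = {
    "bin/rtu-main": ("rtu-main", "4.2.1", "Prime Integrator"),
    "lib/libmodbus.so": ("libmodbus", "3.1.4", "Sub-supplier A"),
    "lib/libcrypto.so": ("libcrypto", "1.0.2", "Sub-supplier B"),
}
# Hypothetical manifest layout (not any standard's format). In practice the
# manifest must be authenticated (e.g. supplier signature) before it is trusted.
MANIFEST = {
    "product": "rtu-firmware",
    "version": "4.2.1",
    "components": [
        {"path": path, "name": name, "version": ver, "supplier": sup,
         "sha256": hashlib.sha256(GOOD_FILES[path]).hexdigest()}
        for path, (name, ver, sup) in DECLARED.items()
    ],
}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large firmware images are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_delivery(root: Path, manifest: dict) -> dict[str, list[str]]:
    """Compare every file under root with the manifest.

    Returns relative POSIX paths bucketed as ok / modified / missing / unexpected.
    Undeclared files are reported, not ignored: that is the "extra features" case.
    """
    expected = {c["path"]: c["sha256"] for c in manifest["components"]}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(root / rel) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["unexpected"] = sorted(present - set(expected))
    return report


def component_inventory(manifest: dict) -> list[tuple[str, str, str]]:
    """List (name, version, supplier) for every declared component, sorted by name."""
    return sorted((c["name"], c["version"], c["supplier"]) for c in manifest["components"])


def build_tampered_delivery(root: Path) -> None:
    """Write a constructed delivery: libmodbus has bytes appended, libcrypto is
    missing, and an undeclared helper binary has been added."""
    delivered = dict(GOOD_FILES)
    delivered["lib/libmodbus.so"] += b"\x90\x90 appended code\n"
    del delivered["lib/libcrypto.so"]
    delivered["bin/updater-helper"] = b"\x7fELF undeclared helper (constructed)\n"
    for rel, data in delivered.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Create the tampered delivery in a temp dir and verify it against MANIFEST."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_tampered_delivery(root)
        return verify_delivery(root, MANIFEST)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10s} {', '.join(paths) or '-'}")
    for name, version, supplier in component_inventory(MANIFEST):
        print(f"{name} {version} from {supplier}")
```

Run directly, the script prints one modified file, one missing file and one undeclared file, then the component inventory. The check deliberately treats an undeclared file as a finding rather than noise, because an undeclared binary is exactly the "extra features" case the slide asks about; a real deployment would also refuse to proceed when the manifest's own signature does not verify.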
  • 9. What are the risks?
    • Intentional insertion of malicious functionality
    • Counterfeit electronics
    • Poor practices upstream
  • 10. Intentional insertion of malicious functionality [Diagram: a provider/integrator fed by several tiers of suppliers; threats labelled at upstream suppliers: backdoor, virus, extra features]
  • 11. Counterfeit electronics [Diagram: the same supplier tiers; labels: counterfeit component (at two suppliers), extra features, poor performance]
  • 12. Poor practices upstream [Diagram: the same supplier tiers; labels: poor quality, poor coding practices, poor performance]
  • 13. This may impact reliability and safety for years [Diagram: all of the above combined: poor quality, poor coding practices, poor performance, counterfeit components, extra features, backdoor, virus]
  • 14. From acknowledgement to reality
    • 1999-2006 and 2007-2009: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics; European reports on robustness of communications infrastructures and IT supply chain risks
    • 2008: US Comprehensive National Cybersecurity Initiative stood up
    • 2010: Stuxnet
    • Oct 2011: ODNI report on foreign industrial espionage
    • Sept-Oct 2012: Telvent hacked; US House Intelligence Committee Huawei and ZTE report released
    • 2013: NDAA; Cyber EO; PPD 21; Mandiant Report; ENISA study on supply chain integrity
  • 15. Agenda – Existing and Emerging Practices (section begins)
  • 16. Existing and Emerging Practices (slides 16–24 build up this timeline one item at a time). Government and industry initiatives, 2008-2013:
    • 2008: Comprehensive National Cybersecurity Initiative stood up
    • DoD ICT SCRM Key Practices Document
    • NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
    • SAFECode Software Supply Chain Integrity papers
    • Open Trusted Technology Framework
    • Common Criteria Technical Document
    • ISF Supplier Assurance Framework
    • IEC 62443-2-4 – Industrial-process measurement, control and automation
    • ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships
    • SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)
    • DHS Vendor Procurement Language
    • NIST SP 800-161
    • PMOs developed in DOJ and DOE
    • DHS ICT Supply Chain Exploits Frame of Reference
    • GAO Report
    • Cyberspace Policy Review
    • The President’s International Strategy for Cyberspace
    • DHS Procurement Language Revision
  • 25. Solutions Are Multidisciplinary [Figure; source: NISTIR 7622]
  • 26–27. Who Is the Audience? – ISO/IEC 27036
    • Acquirer: stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
    • Supplier: organization or an individual that enters into an agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]
  • 28. Who Is the Audience? – NIST SP 800-161
    • Acquirer: stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
    • Supplier: organization or an individual that enters into an agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]
    • System Integrator: an organization that customizes (e.g., combines, adds, optimizes) components, systems, and corresponding processes. The integrator function can also be performed by the acquirer. [NISTIR 7628]
    • External Service Provider: a provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. [NIST SP 800-53 Rev4]
  • 29. Who Is the Audience? – OTTF
    • Acquirer: one who procures hardware and software products and services to create solutions that meet their customers’ requirements
    • Supplier: an upstream vendor who develops hardware or software components for providers
    • Integrator: a third-party organization that specializes in combining products from several suppliers to produce systems for a customer
    • Provider: a midstream vendor developing products and managing the supply chain to provide acquirers and integrators with trustworthy products
    • Component Supplier: entity that supplies components, typically as business partners to providers
  • 30. When Should These Standards Be Used?
    Standard | Supplier relationship scope | Audience | Context of use
    ISO/IEC 27036-1 | Any | Acquirers and Suppliers | Describes the problem in general and how to use 27036
    ISO/IEC 27036-2 | Any | Acquirers and Suppliers | Security in supplier relationships for any products and services
    ISO/IEC 27036-3 | ICT products and services | Acquirers and Suppliers | Security in supplier relationships for ICT products and services
    ISO/IEC 27036-4 | Cloud services | Acquirers and Suppliers | Security aspects of cloud services acquisition
    IEC 62443-2-4 | ICS services | Acquirers and Suppliers | Requirements for ICS service providers
    IEC 62443-3-3 | ICS products | Acquirers | Requirements for ICS products
    NIST SP 800-161 | US Federal agency ICT products and services | Acquirers | US Federal agency ICT product and service acquisition
    The Open Group TTPF | Commercial-off-the-shelf products | ICT Providers | COTS product development and component acquisition
    DHS Procurement Language Update | ICS products | ICS Acquirers | ICS product acquisition
    Common Criteria | ICT products | ICT Acquirers, Providers, Evaluators, Certifiers, and Users | When putting together evidence for Common Criteria evaluation
    SAFECode | ICT products | ICT Providers | To enhance software development processes
  • 31. How do these standards help? By answering the following key question:
    • How should an organization manage security risks associated with acquiring ICT products and services?
    and by providing a rich menu of items to choose from in order to
    • Define your own processes for supplier management
    • Ask your suppliers about their processes
  • 32. Agenda – Summary and Questions (section begins)
  • 33. Summary
    • The problem is real
    • Practices are available to make things better
    • Solutions come from multiple disciplines
    • This is complex – start somewhere and improve
  • 34. Contact Information: Nadya Bartol, nadya.bartol@utc.org. 9/9/2013
