Cyber supply chain risk management ASDE


  1. Cyber security risks in your supply chain
     ASDE WA Chapter, Version 1.0, 24th October 2013
     Aaron Doggett, BAE Systems Detica, WA Regional Manager
     © Stratsec.net Pty Ltd trading as BAE Systems Detica (2013). All rights reserved. BAE SYSTEMS and DETICA are trade marks of BAE Systems plc.
  2. What is this about?
     • Risks to cyber supply chains, and their real-world implications
     • Disruption
     • Theft
     • Failure of output
     • Security of commercial and bespoke capabilities
     • National defence and economic significance
  3. What is this about?
     • “Governments and commercial organizations worldwide continue to voice concerns over the need to ensure the security of commercial technology products and the integrity of the world’s technology supply chains while maintaining a diverse range of technology options and preserving innovation.” - Open Group White Paper
  4. Supply chain risk management
     • “Supply chain risk management (SCRM) is a discipline of risk management which attempts to identify potential disruptions to continued manufacturing production and thereby commercial financial exposure” - Institute of Risk Managers, International Journal of Physical Distribution & Logistics Management
  5. A sample global supply chain
     Diagram of supply chain stages (as extracted, order not preserved): Chip design, Chip manufacture, Component manufacture, Product design, Software design, Product assembly, Product use.
  6. SCRM for Defence & cyber security
     • SCRM in Defence has a number of angles:
       • Defining operational capability and readiness
       • Once operational, takes a logistical focus
       • Focus on capability and resiliency
     • SCRM as a product or service supplier:
       • Support the customer’s supply chain requirement
       • Cost, efficiency, integrity, resiliency of own supply chain
     • SCRM in cyber security:
       • Macro (geo-political) concerns about integrity
       • Risks associated with supplier and component compromise
  7. Why applicable to this group
     • SCRM in a cyber security sense has real-world implications
     • Increasing number of cases resulting in:
       • Theft of intellectual property
       • Direct commercial advantage
       • Brand/reputational damage
       • National damage
     • Increasingly, attacks are directed at a component of the supply chain, not the end entity
     • Does pose a concern to national security, the national economy and specific industries
     • Generally, is a concern for Defence & Defence suppliers
  8. To consider
     • Stages of a product lifecycle, and where attention is paid (as annotated on the slide):
       • Development & manufacturing; Delivery: where the greatest widescale attack could occur (unnoticed)
       • Configure & deploy: where a targeted attack could occur (and go unnoticed)
       • Use / run; End of life & disposal: where the security industry typically focuses its attention
     • Whilst the ‘run’ stage is where we have the greatest control, do we pay enough attention in the other areas?
  9. What we are seeing
     • Increasing public accounts of industrial espionage using ‘cyber’ as an attack vector
     • Increasing attacks on the supply chain due to:
       • Weaker links / softer targets than the end entity
       • Ability to achieve deeper and wider penetration
     Which of your vendors/suppliers is this? Do any of your customers think that this is you?
  10. Geo-politics of this problem are not new
  11. Recent breaches have SCRM at their core
     • February 2012. VeriSign was “hacked repeatedly by outsiders who stole undisclosed information from the leading internet infrastructure company” in 2010. (smh.com.au) “security breaches … were not sufficiently reported to management” – Verisign SEC Filing
       → An infrastructure company is compromised. They are important to you. Fingers crossed.
     • March 2011. RSA compromised by an “Advanced Persistent Threat”, stealing data related to the SecurID authentication system. “It is likely that RSA growth will remain a bit slower as remediation efforts continue” - David Goulden, EMC CFO
       → An infrastructure company is compromised. They are important to you. Fingers crossed.
     • May 2011. Lockheed Martin was hit with a “significant and tenacious” cyber attack, using the breached RSA SecurID authentication data. "The fact is, in this new reality, we are a frequent target of adversaries around the world." - Sondra Barbour, CIO
       → The infrastructure breach gets used against you.
     • April 2011. DELL Australia’s customer data was compromised during a breach of US-based e-mail service provider Epsilon. (Also affected Barclays Bank, Citigroup, JPMorgan Chase, Visa, Marriott International, Kraft, Tivo and others).
       → Your supplier gets compromised; your data gets stolen.
     • “China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal.” - Bloomberg
       → Your supplier gets compromised; is your data taken?
  12. More examples - consumer & non-targeted
     *Sample entries taken from the US Resilience Project
  13. Two recent examples of attacks on supply chains
     • NY Times website (end of August 2013)
       • Attack left the website unavailable for close to a day
       • How performed*
         • Attacker targets a reseller of domain names (personnel divulge their company email addresses and passwords)
         • Attacker logs into the email accounts (identifies details of customers, including usernames & passwords)
         • Attacker changes the domain registry entry to serve a personal cause (legitimate website unavailable)
       • Attack via an Indian ISP, against a US reseller of an Australian company (that provides domain name services), and disrupts a global company!
     *The Australian, 29/08/2013
  14. Two recent examples of attacks on supply chains
     • RSA breach (mid-2011)
       • Resulted in the theft of SecurID seed data
       • How performed*
         • April 2011 – targeted email to EMC employees.
         • Excel attachment, embedded Flash (zero-day), drops the ‘Poison Ivy’ backdoor.
         • Remote access to workstation and network shares.
         • Obtained SecurID seed data.
         • Then (purportedly) used to attack Defence contractors.
       • Prior to this event, how many people would have had the risk to the seed data of their RSA tokens (used for remote access) on their corporate risk register?
     *F-Secure, 26/08/2011
  15. The ‘advanced threat’
     • For the past few years, the phrase ‘advanced persistent threat’ (or APT) has been with us
     • Typically associated with gaining and maintaining access to high profile / value targets, often over many years
     • Well resourced, highly skilled entities (search APT1, Hidden Lynx for examples)
     • Difficult to protect against due to the targeted nature of attacks and often superior sophistication
     • Relevant to the Defence space due to the appeal of the target to nation states or supported entities
     • Represents a clear targeted attack
     • New vector for traditional espionage activities?
  16. Responses (Macro level) – WEF Report on SCRM
     • Primarily about physical supply chains… but the issues identified, and the implications, are equally applicable to cyber security.
  17. WEF Report on SCRM
     • “Trends such as globalization, lean processes and the geographical concentration of production have made supply chain networks more efficient, but have also changed their risk profile.”
     • “Recent high-profile events have highlighted how risks outside the control of individual organizations can have cascading and unintended consequences that cannot be mitigated by one organization alone.”
  18. WEF Report on SCRM
  19. US SCRM Focus
     • 2012 US Defense Budget contains ~$1.2BN for Cyber Security, focusing on:
       • Increased funding for the training of cyber analysts.
       • Improving Global Information Grid-wide situational awareness.
       • Developing pilot programs for supply chain risk management.
       • Improving intrusion detection and analysis.
  20. US SCRM Focus
     • Office of the Secretary for Defense 2012 Budget Estimates
     • US Department of Homeland Security
  21. Aus SCRM Focus
     • Cyber security and SCRM are generally not linked in any public directives
     • 2013 Defence White Paper:
       • Building and maintaining pre-operational/operational supply chains
       • Promoting Australian entities to be part of international supply chains
       • “Innovation in Australian industry must be focused on products that have a clearly defined path into defence capability.”
     • Separate points around cyber security, specifically:
       • “Australia, the United States and the United Kingdom have committed to developing a comprehensive cyber partnership to address mutual threats and challenges emerging in and from cyberspace.”
  22. Aus SCRM Focus
     • Australian Govt Cyber Security Strategy (2009)
       • “Promote a secure, resilient and trusted global electronic operating environment that supports Australia’s national interests”
       • “Australia is vulnerable to the loss of economic competitiveness through the continued exploitation of ICT networks and the compromise of intellectual property and other sensitive commercial data.”
       • “Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers”
  23. Responses (Organisational level) – Board Ownership
     • A cyber security breach is no longer an IT problem. It may:
       • Create significant reputational damage
       • Impact on share price
       • Compromise strategic negotiations or transactions
       • Provide an opportunity for a class action
       • Result in market disclosures and compliance breaches
       • Diminish competitive advantage
  24. Supply chain risk management practices - NIST*
     • Uniquely identify supply chain elements, processes and actors
     • Limit access and exposure within the supply chain
     • Establish and maintain the provenance of elements, processes, tools, and data
     • Share information within strict limits
     • Perform SCRM awareness and training
     • Use defensive design for systems, elements, and processes
     • Perform continuous integrator review
     • Strengthen delivery mechanisms
     • Assure sustainment activities and processes
     • Manage disposal and final disposition activities throughout the life cycle
     *NIST IR 7622
  25. WEF Report Recommendations
  26. WEF Report Recommendations
  27. Responses (Individuals)
     • Your role in influencing cyber SCRM will obviously vary
     • Consider the value of the product/service to you
     • Consider the value to competitors (to you, or to your customer if you are a supplier)
     • Look at your work habits and the weaknesses/strengths associated with them
     • Work to identify the weaknesses in your supply chain for your ‘most critical’ product/data/function
     • Work backwards from there
     • We need to work to prevent compromise from occurring, but more importantly, to detect and recover from it.
  28. Additional resources
     • Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, Microsoft, July 2011
     • NIST IR 7622 - Notional Supply Chain Risk Management Practices for Federal Information Systems, NIST, October 2012
     • World Economic Forum
       • New Models for Addressing Supply Chain and Transport Risk, 2012
       • Building Resilience in Supply Chains, January 2013
     • Cyber Supply Chain Risks, Strategies and Best Practices, Chapter 4, US Resilience Project, 2011.
  29. Contact details
     BAE Systems Detica, Suite 1, 50 Geils Court, Deakin ACT 2600, Australia
     Tel: +61 1300 027 001
     Fax: +61 2 6260 8828
     Email: australia@baesystemsdetica.com
     Web: www.baesystemsdetica.com.au
     Aaron Doggett, 0404 07 431, aaron.doggett@baesystemsdetica.com
     Copyright © Stratsec.net Pty Ltd (2012). All Rights reserved. BAE Systems and DETICA are trade marks of BAE Systems plc. Other company names, trade marks or products referenced herein are the property of their respective owners and are used only to describe such companies, trade marks or products. Stratsec.net Pty Limited, trading as ‘BAE Systems Detica’, is registered in Australia under ACN 111 187 270 and has its registered office at 50 Geils Court, Deakin ACT 2600.
