
Supply Chain Threats to the US Energy Sector

This presentation by Cynthia James discusses steps to take towards cyber-securing the supply chain of Energy sector organizations in the U.S. From the biggest challenges to a review of regulation and compliance guidelines, this deck covers three areas of Energy: nuclear, electric and "other".
Cynthia James is a CISSP (Certified Information Systems Security Professional) and a frequent presenter for the TABD group at Kaspersky Lab, a global provider of cybersecurity solutions. With 9 years of experience in the cybersecurity space, Cynthia is a regular speaker on the subject and has authored a book on cybercrime, "Stop Cybercrime from Ruining Your Life".



  1. SUPPLY CHAIN CYBERTHREATS TO THE US ENERGY SECTOR
     Cynthia James, CISSP – Global Director, Business Development, Technical Alliances
  3. THE SUPPLY CHAIN MAP
     (Diagram: the energy facility at the centre, with suppliers placed at 1, 2 and 3 degrees of separation – equipment reseller, critical provider, board maker, app vendor, landscaping, paper supplier, SW consultant, branch offices – and customers on the other side. Entry points marked on the map: phishing attacks and a malicious insider at a consultant.)
     • Who do we supply?
     • Is there bi-directionality? If so, what data or access?
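The map on slide 3 is easier to reason about once it is written down as a graph: each link records who supplies whom and what kind of access comes with it, so "degrees of separation", "who holds remote access" and "is there bi-directionality" become queries rather than a drawing. The following is an added example, not material from the deck; the organizations, links and access kinds are constructed to mirror the slide, and the access categories (`goods`, `data`, `remote`) are an assumption of this example.

```python
"""Supply-chain exposure map (added example, constructed data)."""
from collections import deque

# Directed links: (supplier, customer, access_kind). access_kind describes what
# the supplier holds toward the customer:
#   "goods"  - physical deliveries only
#   "data"   - exchanges documents/data (RFQs, reports, specs)
#   "remote" - interactive or remote access into the customer's systems
CONSTRUCTED_LINKS = [
    ("Equipment Reseller", "Energy Facility", "goods"),
    ("Critical Provider", "Energy Facility", "remote"),
    ("SW Consultant", "Energy Facility", "remote"),
    ("Landscaping", "Energy Facility", "goods"),
    ("Paper Supplier", "Energy Facility", "goods"),
    ("Board Maker", "Equipment Reseller", "goods"),     # 2nd degree
    ("App Vendor", "SW Consultant", "data"),            # 2nd degree, behind a remote-access party
    ("Energy Facility", "Critical Provider", "data"),   # the facility also sends data back
    ("Energy Facility", "Customers", "data"),
]


def build_graph(links):
    """Undirected adjacency (for distance) and a directed map (for direction/kind)."""
    undirected, directed = {}, {}
    for src, dst, kind in links:
        undirected.setdefault(src, set()).add(dst)
        undirected.setdefault(dst, set()).add(src)
        directed[(src, dst)] = kind
    return undirected, directed


def degrees_from(target, links):
    """Breadth-first search: hops from `target` to every organization on the map."""
    undirected, _ = build_graph(links)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for nxt in sorted(undirected.get(node, ())):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def remote_access_suppliers(target, links):
    """Direct suppliers holding remote access: a phished account or malicious
    insider at one of these is one hop from the facility's systems."""
    return sorted(src for src, dst, kind in links if dst == target and kind == "remote")


def bidirectional_pairs(links):
    """Pairs with flows in both directions, and what flows each way."""
    _, directed = build_graph(links)
    pairs = {}
    for (a, b), kind in directed.items():
        if (b, a) in directed and (b, a) not in pairs:
            pairs[(a, b)] = (kind, directed[(b, a)])
    return pairs


def exposure_report(target, links):
    """One row per organization, nearest and most privileged first."""
    dist = degrees_from(target, links)
    _, directed = build_graph(links)
    rank = {"remote": 0, "data": 1, "goods": 2}          # constructed ordering
    rows = []
    for org, degree in dist.items():
        if org == target:
            continue
        inbound = directed.get((org, target))            # what org holds toward target
        outbound = directed.get((target, org))           # what target sends to org
        rows.append({"org": org, "degree": degree, "inbound": inbound,
                     "bidirectional": inbound is not None and outbound is not None})
    return sorted(rows, key=lambda r: (r["degree"], rank.get(r["inbound"], 3), r["org"]))


if __name__ == "__main__":
    for row in exposure_report("Energy Facility", CONSTRUCTED_LINKS):
        print(row)
    print("remote access:", remote_access_suppliers("Energy Facility", CONSTRUCTED_LINKS))
    print("bidirectional:", bidirectional_pairs(CONSTRUCTED_LINKS))
```

The report puts the critical provider first: it is one hop away, holds remote access, and the facility sends data back to it, so a compromise there runs in both directions. The app vendor shows up at two degrees, but sits behind a party that has remote access, which is the kind of indirect exposure the map is meant to surface.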
  4. RECONNAISSANCE: SUPPLY CHAIN MAPPING
     • RFQs, press releases or any public notification
     • Conferences & working groups: speakers make technology references & recommendations; vendor criteria
     • Jobs available
     • Profiles of employees: experience, background; blogs about company policies, etc.
     • Information shared by others about you – what is your supply chain saying? "XYZ Energy is a customer" or "we now adhere to these specs"
     • Filling in the gaps
     • An opportunistic infection
  5. LOWER YOUR RECONNAISSANCE PROFILE
     • Raise awareness, reduce specifics
     • Management oversight of profiles; request that certain details are omitted
     • Set up Google search alerts for key phrases
     • Boost awareness of the issue in the company – start at stakeholder level?
     • Create a recon profile and circulate it
     Note: going "stealth mode" with on-line resumes helps the organization but not the individual (legally, employers can't interfere with your job search)
  7. SUPPLY CHAIN ATTACK EXAMPLES
     • HAVEX – trojanized ICS vendor software updates: the installer customers downloaded from the vendor carried the malware
     • IceFog – v1: hitting Western companies through entry points in Asia, mostly defense; v2: oil & gas in the US (using Java). Most likely cyber mercenaries
     • "Watering hole" attack – compromising a site the target's staff already visit, rather than the target directly
     • ICS-CERT & NCCIC Monitor: of the 245 incidents reported in FY2014, 79 were in the Energy sector, the largest single sector; for the largest share of incidents the infection vector was unknown
  8. LEVERAGE AND COST: DIRECTLY ASSOCIATED
     • How much leverage do you have now with suppliers? Do you need it? (Are they already compliant?)
     • Can you require compliance, or only request it?
     • Can you conduct reviews remotely?
     • Site review: what they say they do; the probability of them doing it; to what degree; the risk represented by them not doing it
     • Where customizations of practice are required, compliance and cost may be affected: added testing, collection, analysis, data protection
     • But it doesn't cost to ask (and it's always better to know)
  9. OUR COMMUNICATION CHALLENGE
     (Diagram: few groups talking to each other – government agencies, the cybersecurity industry, infosec journalists, mainstream journalists, and the nuclear, SCADA, IT, chemical, defense and other communities, each joining the conversation at a different point between 1999 and 2015 – set against the total lexicon in existence describing all things cybersecurity related.)
     • Just for "supply chain": ICT, SCRM, ICT SCRM (NIST favors), cyber supply chain, cyber supply chain security, supply chain risk management, EDM (DoE/DHS favors)*
     • So when NIST says "ICT SCRM" it's the same as when DHS/DoE say "EDM"
     * paper in 2014, Nadya Bartol, Utilities Telecom Council
  10. WORD GAMES…
     • 2009 – the word "cybersecurity" starts being used*
     • 2009 – NERC first uses the term "Critical Cyber Assets"
     • Current terms used for "supply chain": Information and Communication Technology (ICT) Supply Chain Risk Management (SCRM); ICT supply chain security; Supply Chain Risk Management; cyber supply chain; cyber supply chain security; cyber supply chain risk management
     • Finally, in 2014: "External Dependencies Management" (EDM), in the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) by DoE/DHS
     • Although NIST SP 800-161, the mother of all such docs (282 pages dedicated to supply chain, 2015), currently calls it ICT SCRM
     * paper in 2014, Nadya Bartol, Utilities Telecom Council
  11. THE PROBLEM WITH NEW LANGUAGES…
     • Agreeing on terms and usage
     • Collaborating across sectors and supply chain organizations
     • Sharing cyber incident information
     • Defining best practices which underlie multiple sectors
     • Educating across sectors
     Recommendation: be sure to reference the document with the definitions you are applying
  12. GOVERNMENT REGULATION AND "GUIDANCE"
     • Electric utilities and nuclear – the only critical-infrastructure sectors with "mandatory" cybersecurity standards, enforceable through FERC and the NRC
     • US NRC – US Nuclear Regulatory Commission
     • NEI – Nuclear Energy Institute, nuclear's "policy organization"
     • FERC – Federal Energy Regulatory Commission
     • NERC – North American Electric Reliability Corporation, the reliability organization whose standards FERC approves and enforces; rules became effective 2014, compliance by 2016 and 2017
  13. SUMMARY OF GOVERNING RULES
     • NERC Reliability Standards are mandatory within the US
     • These include the CIP (Critical Infrastructure Protection) rules, which address the security of cyber assets "essential to the reliable operation of the electric grid"
     • CIP was first released in 2008; the latest version (v5) was approved by FERC in 2013 – enforceable by April 2016, some parts in 2017
     • The Code of Federal Regulations (law) applicable to all of Energy is Title 10 CFR ("Energy"), but it contains no cybersecurity rules except in Chapter I
     • Chapter I holds the rules set forth by the Nuclear Regulatory Commission. Part 73 covers "physical protection of plants and materials"; 73.54 covers the information systems part of that
     • Nuclear Energy Institute 08-09 (April 2010), Cyber Security Plan for Nuclear Power Reactors, with heavy reference to 10 CFR 73.54
  14. NEW GUIDELINES TO FOLLOW – ENERGY
     • "The Energy Department released guidance to help the energy sector establish cybersecurity risk management programs"
     • This was the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) of February 2014, "developed by the Department of Energy and contributors…and other government agencies" (jointly published with DHS) "to help critical infrastructure organizations evaluate and potentially improve their cybersecurity practices. As this section demonstrates, using the C2M2 also provides a means for any energy sector organization to implement the NIST Cybersecurity Framework."
     • Nuclear: follow NEI 08-09
  15. DEPARTMENT OF ENERGY "ES-C2M2"
     Provides "an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events."
     • One component, "Supply Chain or External Dependencies Management" (EDM), covers:
       • Asset Management (catalogue, prioritize)
       • Business Environment (roles defined and ranked)
       • Dependencies and critical functions for delivery of critical services and products are established
     Now you have a list of External Dependencies…
  16. ES-C2M2
     External dependencies must be managed contractually:
     a.) vendor responsibilities (reference specific standards: RM-1c)
     b.) auditing rights and monitoring
     c.) sharing of cybersecurity "threat information"
     d.) reporting of cyber incidents
     e.) adherence to a defined risk assessment process
  17. ES-C2M2 DESCRIPTION OF RISK
     • Security of products varies widely
     • How was the SW developed? What code went into it?
     • Counterfeit HW or malware injection
     • RFPs don't specify detailed security or QA
     • Utility branches are granted leeway in procurement
     Not to forget: the security capabilities of organizations vary widely too
  18. NEI 08-09 CYBERSECURITY PLAN FOR NUCLEAR
     11.2 SUPPLY CHAIN PROTECTION: "This security control protects against supply chain threats by employing the following measures…to maintain the integrity of the CDAs that are acquired: 1. Establishment of trusted distribution paths, 2. Validation of vendors, and 3. Requirement of tamper proof products or tamper evident seals on acquired products." (NEI, April 2010)
  19. CYBERSECURITY PLAN BASED ON NEI 08-09: GOALS
     • Procure CDA products and software from vendors who practice good cyber security and are capable of implementing NEI 08-09, Rev. 6 controls
     • Negotiate with vendors to ensure their environment and products are secure
     • Develop a program to ensure that products received are secure*
     * Author: Barbara Weber, Sheffield Scientific, LLC, Senior Cyber Security Consultant
  20. EXPECTATIONS OF CDA SUPPLIERS
     Should be operating at the same level of security as the plant itself:
     • Establish a secure development and operating environment
     • Verify staff is trustworthy
     • Verify they are managing their own suppliers
     • They are obligated to patch vulnerabilities in the products or services provided
     • All received products are hardened
     • Access control is managed
     Note: 10 CFR 74.53 comparable to NQA-1
     Author: Barbara Weber, Sheffield Scientific, LLC, Senior Cyber Security Consultant
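Slide 18's "trusted distribution path" and slide 19's "program to ensure that products received are secure" have a concrete receiving-side counterpart: check every acquired file against a vendor manifest that the vendor authenticated, where the authentication secret travelled by a path the attacker who can alter the download cannot reach. That is exactly the step that would have caught a HAVEX-style trojanized installer (slide 7), where the file on the vendor's download server changed but nothing else did. The following is an added example, not code from NEI 08-09, the deck or any vendor. It assumes a symmetric key delivered out of band and uses an HMAC over the manifest as a stand-in for the vendor's code-signing certificate, purely to keep the example dependency-free; the release files and the tampering are constructed.

```python
"""Receiving check for acquired software against an authenticated vendor manifest.
Added example with constructed data; HMAC with an out-of-band key stands in for
the code-signing the vendor would use in practice (assumption of this example)."""
import hashlib
import hmac
import json

# Assumption: this key reached the plant by courier, never over the download channel.
OUT_OF_BAND_KEY = b"constructed-key-delivered-by-courier"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialization so vendor and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """Vendor side: list every file with its SHA-256 and seal the list with an HMAC tag."""
    body = {"files": {path: sha256_hex(blob) for path, blob in sorted(files.items())}}
    return {"body": body, "tag": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_delivery(received: dict, manifest: dict, key: bytes) -> dict:
    """Receiving side. Any non-empty list, or manifest_ok False, means quarantine."""
    expected_tag = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    result = {"manifest_ok": hmac.compare_digest(expected_tag, manifest["tag"]),
              "tampered": [], "missing": [], "unexpected": []}
    if not result["manifest_ok"]:
        return result                      # hash list itself is untrusted: stop here
    expected = manifest["body"]["files"]
    for path, digest in expected.items():
        if path not in received:
            result["missing"].append(path)
        elif not hmac.compare_digest(sha256_hex(received[path]), digest):
            result["tampered"].append(path)
    # Files the vendor never listed are as suspicious as altered ones.
    result["unexpected"] = sorted(p for p in received if p not in expected)
    return result


def accept(result: dict) -> bool:
    return result["manifest_ok"] and not (
        result["tampered"] or result["missing"] or result["unexpected"])


# Constructed release and two constructed tampering scenarios.
GENUINE = {"setup.exe": b"MZ genuine installer bytes", "driver.sys": b"genuine driver"}
MANIFEST = build_manifest(GENUINE, OUT_OF_BAND_KEY)
# Installer body altered on the download server; manifest left alone.
TROJANIZED = dict(GENUINE, **{"setup.exe": GENUINE["setup.exe"] + b" + dropped payload"})
# Attacker re-hashes the altered files but has no out-of-band key.
FORGED_MANIFEST = build_manifest(TROJANIZED, b"attacker-guess")

if __name__ == "__main__":
    print("genuine   :", accept(verify_delivery(GENUINE, MANIFEST, OUT_OF_BAND_KEY)))
    print("trojanized:", verify_delivery(TROJANIZED, MANIFEST, OUT_OF_BAND_KEY))
    print("forged    :", verify_delivery(TROJANIZED, FORGED_MANIFEST, OUT_OF_BAND_KEY))
```

The check only works if the manifest's authenticator is something the download channel cannot give the attacker: a hash list published next to the installer on the same compromised web server protects nothing, which is why the key (or, in practice, the vendor's signing certificate chain) is the part that has to arrive over the trusted path.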
  21. TO BEGIN THE PROCESS…
     • Perform an evaluation (mini risk assessment/risk analysis) on top-priority suppliers
     • Identify security gaps
     • Evaluate the partnership against their security weaknesses: what upgrades are possible? what auditing rights? what level of priority? what cost?
     • Periodically audit and reevaluate
  22. SUPPLY CHAIN SHOULD COMPLY TO WHAT LEVEL?
     • Many aspects of supply chain management are their own mature specialties with expertise, tools and processes – e.g. software assurance, or the receiving/testing of goods. These need to be integrated at the level which makes sense
     • Is it better to use a supplier who already has adequate security in place?
     • Cybersecurity challenges grow much faster than guideline adoption by regulatory agencies (so far)
  23. THE "IDEAL" SUPPLY CHAIN SECURITY POSTURE
     Locating the best information depends upon goals. Are the organization's goals to find:
     • The easiest to implement? Fastest? Cheapest? Best?
     • The easiest to get stakeholders to agree to?
     Do we search by:
     • Compliance
     • Guiding principles (not compliance yet)
     • Terms
     • Agency
     Most important: compliance. Next level: best security practices
  24. FINAL RECOMMENDATIONS
     • Ensure that "supply chain risk" (all external dependencies) is identified and included in your organization's risk assessments
     • Determine the needs/desires of stakeholders in your organization regarding supply chain risk
       • Choose between NEI compliance or ES-C2M2
       • Identify the best source documents
       • Identify supporting documents (like NIST SP 800-161)
     • Follow the process
     • Repeat! (all suppliers, annually)
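Slides 16, 21 and 24 together describe one loop: take the list of external dependencies, check each against the contractual items ES-C2M2 EDM asks for, rank the gaps by how much the supplier could hurt you, and come back to every supplier annually. The following is an added example of that loop, not part of the deck or of ES-C2M2 itself; the checklist names follow the five items on slide 16, while the scoring formula, the review interval handling and the three supplier records are constructed for illustration.

```python
"""Supplier gap assessment loop (added example; scoring and supplier data constructed)."""
from datetime import date, timedelta

# The five contractual items slide 16 lists for every external dependency.
EDM_ITEMS = (
    "vendor_responsibilities_referenced",   # a.) responsibilities tied to named standards
    "audit_and_monitoring_rights",          # b.)
    "threat_information_sharing",           # c.)
    "incident_reporting",                   # d.)
    "defined_risk_assessment_process",      # e.)
)
REVIEW_INTERVAL = timedelta(days=365)       # slide 24: repeat for all suppliers, annually

# Constructed records. criticality 1-5 (5 = touches CDAs or holds remote access).
SUPPLIERS = [
    {"name": "Critical Provider", "criticality": 5, "remote_access": True,
     "last_review": date(2014, 3, 1),
     "satisfied": {"incident_reporting"}},
    {"name": "SW Consultant", "criticality": 4, "remote_access": True,
     "last_review": date(2015, 1, 15),
     "satisfied": {"vendor_responsibilities_referenced", "audit_and_monitoring_rights",
                   "incident_reporting", "defined_risk_assessment_process"}},
    {"name": "Landscaping", "criticality": 1, "remote_access": False,
     "last_review": None, "satisfied": set()},
]


def gaps(supplier):
    """EDM items the supplier has not yet committed to, in checklist order."""
    return [item for item in EDM_ITEMS if item not in supplier["satisfied"]]


def risk_score(supplier):
    """Constructed formula: criticality x (open gaps + 1), doubled for remote access.
    The +1 keeps a fully compliant but critical supplier on the list."""
    score = supplier["criticality"] * (len(gaps(supplier)) + 1)
    return score * 2 if supplier["remote_access"] else score


def review_due(supplier, today):
    """Never reviewed, or last review older than the interval."""
    last = supplier["last_review"]
    return last is None or today - last >= REVIEW_INTERVAL


def assessment(suppliers, today):
    """Ranked worklist: highest score first, with each supplier's open gaps."""
    rows = [{"name": s["name"], "score": risk_score(s), "gaps": gaps(s),
             "review_due": review_due(s, today)} for s in suppliers]
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


if __name__ == "__main__":
    for row in assessment(SUPPLIERS, date(2015, 6, 1)):
        print(row)
```

Run against the constructed records, the critical provider lands on top with four open items and an overdue review, the consultant is close to complete but still carries weight because of its remote access, and landscaping trails with every item open but little ability to affect operations. That ordering is the point of slide 21's "evaluate partnership versus their security weaknesses": the gap count alone would have ranked landscaping first.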
  25. KASPERSKY LAB PROVIDES BEST-IN-THE-INDUSTRY PROTECTION*
     (Bubble chart: number of independent tests/reviews entered vs. share of top-3 places, one bubble per vendor – Kaspersky Lab, Bitdefender, Sophos, G DATA, Symantec, F-Secure, Intel Security (McAfee), Trend Micro, Avira, Avast, BullGuard, AVG, ESET, AhnLab, Microsoft, Panda Security, ThreatTrack (VIPRE), Qihoo 360, Kingsoft, Tencent; bubble size reflects the number of 1st places.)
     In 2014 Kaspersky Lab products participated in 93 independent tests and reviews. Our products were awarded 51 firsts and received 66 top-three finishes (TOP 3 = 71%).
     * Notes:
     • According to summary results of independent tests in 2014 for corporate, consumer and mobile products.
     • Summary includes tests conducted by the following independent test labs and magazines: AV-Comparatives, AV-Test, Dennis Technology Labs, MRG Effitas, NSS Labs, PC Security Labs, Virus Bulletin
  26. THANK YOU! QUESTIONS?
     Cynthia James – Kaspersky Lab, Technology Alliances & Business Development