This presentation by Cynthia James discusses steps to take towards cyber-securing the supply chain of Energy sector organizations in the U.S. From the biggest challenges to a review of regulation and compliance guidelines, this deck covers three areas of Energy: nuclear, electric and "other".
Cynthia James is a CISSP (Certified Information Systems Security Professional) and frequent presenter for the TABD group at Kaspersky Lab, global provider of cybersecurity solutions. With 9 years of experience in the cybersecurity space, Cynthia is a regular speaker on the subject and has authored a book on cybercrime: “Stop Cybercrime from Ruining Your Life".
At Kaspersky Lab, in the Technical Alliances group, we often develop cyber security material to suit the special needs of our partners. This presentation was created by request from OPSWAT – a US-based organization which provides scanning and security products for the Energy industry. They requested a presentation which would cover challenges for cyber-securing the supply chain, including compliance regulations and guidance (which currently exists for Nuclear and Electric).
Today we will take a look at how cybercriminals go about mapping supply chains and we’ll talk about the challenges inherent in securing any supply chain. Then we’ll discuss what resources are available in terms of guidance and the laws which currently exist in this area. Finally we’ll cover the ideal cybersecurity posture for an organization and the most important elements to consider when putting a plan in place to improve cybersecurity in this critical area.
This is an example of a supply chain for a secure energy facility. A determined attacker will develop just this type of map in order to select the easiest entry point. We can see that it’s not just our direct suppliers we need to be concerned with, but the suppliers to those suppliers (example: a company providing hardware components for products we purchase from a trusted reseller). Also, we should be concerned with providers of even basic services like facilities management if they have access to the building and/or they are granted network access (perhaps to submit invoices). These organizations may not even know they have been compromised or that the devices they have connected to your network are infected. A common tactic would be to launching a phishing attack against links in the chain which have much lower security standards than the secure energy facility. Threats can also come from within the supply chain itself when a malicious insider gets involved. When considering the breadth of your supply chain, don’t neglect connections with customers. One reason I like the nomenclature of “External Dependencies Management” (EDM, a phrase coined by DHS and Dept of Energy in their ES-C2– M2 document we will discuss later) is that it describes this entire picture, including post-supply connections such as those to customers. These links can also be compromised when they are bidirectional.
Cybercriminals will conduct reconnaissance on key targets to determine who we are connected to and who is connected to us. This will establish a set of potential entry points which are easier to hack than attempting to enter through a highly secure network. When we advertise jobs the company is trying to fill, the more specific we are with regard to requirements, the clearer it becomes as to what hardware, software or systems the company runs on. This provides explicit targets for cybercriminals. The same information often shows up in employee or ex-employee profiles, company blogs, and RFQs. Sometimes suppliers publicize the nature of their relationship with a secure facility, making themselves (or their suppliers) targets as well. In the case where a cybercriminal “gets lucky” and only realizes after hacking a supplier that there is a connection from that organization to a secure facility, they have the option of selling that access on an underground market where everything has a price and can be put up for bid. A more specialized cybercriminal will then take over where the opportunistic one left off.
It always helps to raise awareness within the company of the fact cybercriminals are seeking information to assist them in developing more successful attack plans. Where it’s possible for HR or employees to use more generic terms to describe the systems they work with, that would be better for the company (it can help to provide employees with suggestions). Assigning someone the task of receiving google alerts when your company name is mentioned or subscribing to a service which crawls websites looking for company branding can alert you to instances where suppliers are tempted to use your name. Getting stakeholders like the executive team on board is also critical – it makes them less likely to discuss specifics of internal systems in their public conversations (press quotes, panel discussions, etc.). One teaching tool which has proven effective is to develop a reconnaissance profile entirely from external sources to demonstrate the ease with which it can be done. Most organizations cannot legally restrict what employees post about their jobs (the government being a notable exception), but helping employees understand which of their behaviors entail risks to the company still may make them think twice before they post.
This image is courtesy of the NIST Special Publication 800-161. It is a useful reminder that although many organizations are waking up to the implications of an insecure supply chain, many of those suppliers have their suppliers who have their suppliers. At some point a supplier’s supplier’s supplier may very well be a single individual working out of a home office using a non-secured wi-fi router. What this means is that a very industrious cybercriminal may well succeed in developing a map which leads them to the ultimate prize: compromising the secure facility. Unfortunately we live in an incredibly connected world now, so even when suppliers along the way are relatively diligent, all it takes is one infected device which gains access the right network and a criminal potentially has access. All of this also brings up the challenge of leverage: how much power do we have to get suppliers to comply to our security requests or demands? This is a question which operates at every other level in the chain as well. Even if our suppliers follow good standards, do they have the ability to demand that their suppliers will do the same? The closer we look, the more complex the supply chain threat gets.
We covered specific attacks in some detail in the previous Kaspersky-OPSWAT webinar, Top Five Cyber Security Challenges for the Energy Industry in 2015. Here we are just touching on the tactics which are increasingly used to gain entry through the supply chain. HAVEX was malware which was successfully injected into software updates which were commonly used by Industrial Control Systems. The infection point was the software company delivering the updates and they did not know they had been infected until alerted by anti-cybercrime companies. IceFog originally targeted Western companies but the entry points were Asian manufacturing suppliers. The next version of IceFog directly targeted US Oil and Gas in the US using a Java exploit (in fact Kaspersky notified at least three such oil and gas companies in the US directly that they were infected). So-called “watering hole attacks” are a type of supply chain focused attack where adversaries establish websites or information sources which many of their targets use, and then attempt to “poison” that “watering hole” by infecting it with malware. In such a fashion, everyone visiting the site has a chance of becoming infected. (The chance of infection is of course increased if the criminals already know exactly what vulnerable software is being used by visitors.)
Once we have decided to somehow foist stronger security practices upon our suppliers, we need to consider how likely it is that they can or will comply. Will they even accurately disclose their current practices? Will they disclose vulnerabilities across the board or only practices relating to the product we source from them? Would they submit to annual audits or any other form of checking? Most of these questions go to the matter of leverage – how much influence we can exert over a given supplier. If a supplier is small and we are their largest customer, we will have influence. But then the question is whether they have the resources to run a more secure facility. If they do, will prices increase? With larger organizations you may have less leverage but more confidence: a global supplier, for example, may already complies to relatively clear security standards. There’s no magic answer here: as with all of cybersecurity it’s only a matter of the best choice among all the tradeoffs which must be made: larger companies are more interesting targets for cybercriminals so they are attacked more vigorously and more often. Smaller companies are targeted less but also have fewer protections. We have more leverage with small companies but larger companies are more able to comply.
When communicating about cybercrime it’s presumptuous to assume we share the same vocabulary. In fact, a paper by Nadya Bartol of the Utilities Telecomm Council in 2014 tells us that the term “cybersecurity” only came into common usage in about 2009. She also took inventory of all the then-existing terms for “supply chain”. There were at least six which were (and still are) widely used. One of the reasons completely different vocabulary evolved is that vertical industry sectors have gone about solving cybersecurity differently and independently for years. What makes this so significant? For two reasons: first, it’s hard to do the research to determine what security guidelines best fit your organization if only looking for “supply chain” so try the other terms as well. Second, we need to be aware of the fact that each supplier we talk to may be part of a different sector which uses different terminology to explain, track and solve supply chain problems. We should endeavor to be understood: to ensure that we share terms and have a common vocabulary with regard to compliance.
So don’t forget to ask your supply chain partners what their preferred terminology is. Also, when seeking out internet resources - there are many excellent public repositories with helpful guidance like NIST – but it’s useful to know the terms they favor. Personally I love the term “EDM”, coined by the US government (Department of Energy and the Department of Homeland Security in their co-published document) because it includes every potential vulnerability including bi-directional relationships like those with customers. Any external relationship which can be used as a lever to penetrate the organization should be considered when attempting to “harden” the supply chain against threats. Whatever term you favor, the bi-directional nature of many supply relationships should be considered when assessing risk: they may be providing you with a product or service, but you may be granting them access to your systems, information about your activities, and other data which could be stolen and abused.
So again, securing the supply chain involves communicating across suppliers and across sectors. But even within sectors there can be variation regarding the common risk and cybersecurity nomenclature which will be used. For example, if you expect to be notified when suppliers experience “security incidents” which might affect the product you receive from them, you must define “incident” (by level of severity, type of incident, affected data or services, etc.) before determining reporting requirements (which may vary depending on the type or severity of the incident). It also helps to be clear when communicating your objective: perhaps you believe a supplier can help you by reporting an attack. For example, if there is an incident where Supplier A is attacked and you have reason to believe you are the ultimate target, you might wish to warn others in your supply chain. But in order to know about the attack, you’ll have to get suppliers to agree to share information which may expose them to liability. Such trust takes time to develop, and usually involves a mutual sharing of threat data and breach experience. With regard to these and other security needs, the key is to be sure that the entities on both sides – the one requesting compliance and the one acquiescing – are applying terminology the same way. Ideally there will be public domain documents which can be referred to as the source of agreed-upon definitions.
The US government is very concerned about the security of Critical Infrastructure, otherwise known as CI. Although there are 16 CI sectors, only a handful are currently subject to regulation. Within the Energy sector, only electric utilities and nuclear are currently regulated (as of July 2015). Regulations carry penalties with them of course; “guidance” is offered in the hopes organizations will see the value and comply voluntarily. However, what is considered guidance today often turns into policy tomorrow and then regulation after that. The US Nuclear Regulatory Committee pushes regulation and guidance through their policy organization, Nuclear Energy Institute (NEI). The Federal Energy Regulatory Commission (FERC) uses NERC (the North American Electric Reliability Corporation). We will discuss NEI rules in a moment. FERC rules became effective in 2014 with mandatory compliance of some regulations by 2016 and others by 2017.
This slide is self-explanatory except to say that it’s often worthwhile to check the exact wording which is considered the source statute for a regulation to see if it truly is specific enough to be enforceable.
This document is a useful tool in terms of helping the Electricity sector implement the NIST Cybersecurity Framework. This document uses the term EDM (External Dependencies Management) which stresses the importance of looking at the potential risk of all inbound and outbound relationships, regardless of whether we consider them to be “suppliers” or not.
The ES-C2M2 provides excellent guidance. Here is an example of the EDM component, which provides the basic steps of starting supply chain security management. It begins with listing suppliers and then ranking them in terms of priority and then again in terms of known vulnerabilities. Risk is not just related to how easily suppliers can be penetrated and infected but also what risk it represents if their product stops flowing due to a security breach. It’s also critical to identify any entities to whom products or services are delivered.
In order to accomplish true compliance – with full accountability – we must move beyond “good will” and “best faith efforts”, although good intentions are a good place to start. Ideally, the security responsibility of suppliers is specified by contract, to include at least this basic information. Not to forget it’s important to have clarity around what types of incidents must be shared and also to define whether that data (or an anonymized version of it) can then be shared with others (perhaps in the same supply chain) to help them guard against the same threats.
There are too many different security standards to count. This is one of the great challenges of the cybersecurity field: it has evolved extremely quickly (as fields of study go) so there are many different tools, rules, standards people use. Since security always involves a set of tradeoffs – usability versus security, efficiency versus security, etc. – there maybe be competing products which fit different industries better. Some of the appropriate questions to ask about products received by your organization (to query suppliers with) include: what security protocols were followed in the development process and what opportunities exist for any type of malware injection. Two industry wide issues called out in the ES-C2M2 are also the fact that first, most RFPs still don’t specify what type of security should be included or integrated into products or during product development, nor do they define ideal security QA practices. Second, in Energy, branch offices are often given too much leeway in terms of procurement – often engaging with smaller suppliers who are more likely to be vulnerable. In such a case, the branch itself becomes a target as a way to get into the main office. We have seen cybercriminals target smaller companies after being acquired because they know security is likely to be more lax in the smaller one, and once they get in they can move upstream to the larger corporation.
“CDAs” in NEI terminology are “critical digital assets”. In fact, the terminology used previously was “critical cyber assets” – a cool term, but they realized that they are just as concerned with data when it is at rest. These words are taken directly from NEI ‘s 9-09 document published in April of 2010. You can see that there is a lack of specificity in these rules. This highlights one of the biggest problems in cybersecurity: the more specifically a problem is solved or mandated to be solved – with technology or products – the more likely it will lag behind newer, better solutions. Also, any industry who dictates the use of specific technology is begging to be hacked. When a hacker knows that, say, all 2000 highly-valued sector organizations are using a certain hardware/software configuration, they already know what their ROI will be if they can find the vulnerabilities within that configuration.
This is a new concept: the idea of demanding that suppliers comply to a similar level of security as the receivers of their products do. It’s a great idea but challenging in practice. Once again the vagueness with regard to specifics means NEI is expecting attempts to be made in this area, and for processes to be put into place. They expect these conversations to occur and be on-going with suppliers, but they are not mandating a specific format. At least not yet. By the way, I’d like to acknowledge Barbara Weber for her help – she is a consultant to North American nuclear companies – she is extremely knowledgeable on the topic and provided me with information on this and the next slide.
This slide is self-explanatory – these are NEI expectations in more detail, courtesy of Barb. Of course if every level of the supply chain were to comply we would finally have in-depth, end-to-end supply chain security.
These are the basic steps required to secure a supply chain.
Because the improvement of cybersecurity is a never-ending process but we have limited resources, we have to make choices about how far to take it. For many categories of products there are mature processes which govern security measures. Obviously there need to be limits on these so that they don’t incur unreasonable cost. It’s worth asking though whether it makes better sense from a risk perspective to select a supplier who is already security-compliant than to coax existing suppliers into better practices. Also, if strong cybersecurity is your goal, you should be ahead of compliance requirements since regulations always lag behind what is known to be good security practice.
Very often executive stakeholders will say to the IT team after an industry breach becomes known, “make sure this doesn’t happen to us!”. But such a request is practically meaningless without understanding how much budget will be allocated to ensure that result. Perfect security is not impossible – it’s as easy as building a castle with a moat and letting no one in or out - it’s just unworkable for a thriving, competitive organization. Where executives or company stakeholders agree on priorities, it’s useful to understand what they really want: something which is quick to implementation? The best solution? Or minimum compliance? Whatever the answer, the same level of diligence should be applied to suppliers. A cursory survey of supply chain threats which face your organization may help management prioritize cybersecurity risk assessments for them. What we know for certain is that money is unlikely to be applied to threats people are unaware of.
In this graphic, the size of the bubbles are the number of first place finishes among independent organizations who tested anti-malware in 2014. You can see that the Kaspersky bubble is the biggest. We’re quite proud of this result, because if you understand the tests, one will be looking at thoroughness – which sometimes mean a heavy product which slows a system down – and another will look at speed, which often means a smaller footprint. Kaspersky did the best job of balancing all requirements to beat out every other anti-malware company in the world.
Supply Chain Threats to the US Energy Sector
SUPPLY CHAIN CYBERTHREATS TO
THE US ENERGY SECTOR
Cynthia James, CISSP
Global Director Business Development Technical Alliances
SUPPLY CHAIN MAPPING…AND RECONNAISSANCE
SUPPLIERS: LACK OF LEVERAGE & COMMUNICATION
GOVERNMENT GUIDANCE, POLICY, LAW
ENERGY VS ELECTRIC VS NUCLEAR
DEVELOPING THE IDEAL CYBERSECURITY POSTURE
THE SUPPLY CHAIN MAP
Who do we
Is there bi-directionality? If so, what data or access?
RECONNAISSANCE: SUPPLY CHAIN MAPPING
• RFQs…press releases or any public notification
• Conferences & Working Groups
• Speakers make technology references & recommendations
• Vendor criteria
• Jobs available
• Profiles of employees
• Experience, background
• Blogs about company policies, etc.
• Information shared by others about you
• What is your supply chain saying?
• “XYZ Energy is a customer” or “we now adhere to these specs”
• Filling in the gaps
• An opportunistic infection
LOWER YOUR RECONNAISSANCE PROFILE
Raise awareness, reduce specifics
Management oversight of profiles, request that
certain details are omitted
Set up google search alerts for key phrases
Boost awareness of the issue in the company -
start at stakeholder level?
Create a recon profile and circulate it
Note: going “stealth mode” with on-line resumes helps
the organization but not the individual (legally
employers can’t interfere with your job search)
SUPPLIERS HAVE SUPPLIERS WHO HAVE SUPPLIERS WHO…
SUPPLY CHAIN ATTACK EXAMPLES
HAVEX – infecting software updates
v1: hitting Western companies through
entry points in Asia – mostly defense
v2: oil & gas in the US (using java)
Most likely cyber mercenaries
“Watering Hole attack”
ICS-CERT & NCCIC Monitor: 79% of all
2014 attacks were on Energy; infection
vector for the majority was unknown
LEVERAGE AND COST: DIRECTLY ASSOCIATED
How much leverage do you have now with
Do you need it? (Are they already compliant?)
Can you require compliance or request it?
Can you conduct reviews remotely?
What they say they do
Probability of them doing it
To what degree?
Risk represented by them not doing it
Where customizations of practice are required,
compliance and cost may be affected: added
testing, collection, analysis, data protection
But…it doesn’t cost to ask (and it’s always better to
OUR COMMUNICATION CHALLENGE
PAGE 9 |
Few groups talking to each
Government agencies (1999)
Chemical Defense etc
Total lexicon in existence describing
all things cybersecurity related
Just for “supply chain”: ICT, SCRM, ICT SCRM (NIST favors), cyber supply chain,
cyber supply chain security, supply chain risk management, EDM (DoE/DHS favors)*
* paper in 2014, Nadya Bartol, Utilities Telecom Council
NIST says “ICT
SCRM” it’s the
same as when
2009 – the word cybersecurity starts being used*
2009 – NERC first uses the term “Critical Cyber Assets”
Current terms used for “supply chain”: *
Information and Communication Technology (ICT) Supply Chain Risk
Information and Communication Technology (ICT) supply chain security
Supply Chain Risk Management
Cyber supply chain
Cyber supply chain security
Cyber supply chain risk management
Finally in 2014 “External Dependencies Management” EDM (Electricity
Subsector Cybersecurity Capability Maturity Model (ES-C2-M2) by
Although NIST SP800-161, the mother of all such docs (282 pages,
dedicated to supply chain, 2015) currently calls it ICT SCRM
*paper in 2014, Nadya Bartol, Utilities Telecom Council
THE PROBLEM WITH NEW LANGUAGES…
• Agreeing on terms and usage
• Collaborating across sectors and supply chain
• Sharing cyber incident information
• Defining best practices which underlie multiple
• Educating across sectors
Recommendation: be sure to reference the document
with the definitions you are applying
GOVERNMENT REGULATION AND “GUIDANCE”
Electric utilities and Nuclear – the only
CI “mandatory” cybersecurity
standards enforceable through FERC
US NRC – US Nuclear Regulatory
NEI – Nuclear’s “policy organization”
FERC (Fed Eng Reg Commission)
NERC –North American Electric Reliability
Corporation – FERC policy org; rules became
effective 2014, compliance by 2016 and 2017
SUMMARY OF GOVERNING RULES
• NERC Reliability Standards are mandatory within the
• These include CIP (Critical Infrastructure Protection)
rules which address the security of cyber assets
“essential to the reliable operation of the electric grid”
• CIP first released in 2008, the latest ones were approved
by FERC in 2013 (v5) – enforceable by April 2016, some in
• Code of Federal Regulations (law) which is applicable to all
Energy is Title 10 CFR (“Energy”). But no laws about
cybersecurity except for Chapter 1.
• Chapter 1 of that are rules set forth by the Nuclear Regulatory
Commission. Section 73 covers “physical protection of plant
and resources”; 73.54 covers the information systems part of
that https://www.law.cornell.edu/cfr/text/10/73.54 -
• Nuclear Energy Institute 08-09, April 2010 Cyber Security Plan
for Nuclear Power Reactors with heavy reference to 10 CFR
NEW GUIDELINES TO FOLLOW – ENERGY
• “The Energy Department released guidance to help the energy
sector establish cybersecurity risk management programs”
• This was:
• The Electricity Subsector Cybersecurity Capability
Maturity Model (ES-C2M2) of February 2014. “Developed by
the Department of Energy and contributors…and other
government agencies” (jointly published with DHS) “to help
critical infrastructure organizations evaluate and potentially
improve their cybersecurity practices. As this section
demonstrates, using the C2M2 also provides a means for any
energy sector organization to implement the NIST
• Follow NEI 08-09
DEPARTMENT OF ENERGY “ES-C2M2”
Provides: “an organization-wide approach to managing
cybersecurity risk that uses risk-informed policies,
processes, and procedures to address potential
• One component = “Supply Chain or External
Dependencies Management” (EDM) covers:
• Asset Management (catalogue, prioritize)
• Business Environment (roles defined and ranked)
• Dependencies and critical functions for delivery of critical
services and product are established
Now you have a list of External Dependencies…
External dependencies must be managed
a.) vendor responsibilities (reference specific
b.) auditing rights and monitoring;
c.) sharing of cybersecurity “threat information”;
d.) reporting of cyber incidents;
e.) must adhere to a defined risk assessment process
ES-C2M2 DESCRIPTION OF RISK
• Security of products varies
• How was SW developed? What code
• Counterfeit HW or malware injection
• RFPs don’t specify detailed security or
• Utility branches granted leeway in
Not to forget: security capabilities of organizations varies widely
NEI -8-09 CYBERSECURITY PLAN FOR NUCLEAR
11.2 SUPPLY CHAIN PROTECTION
“This security control protects against supply chain
threats by employing the following measures…to
maintain the integrity of the CDAs that are acquired:
1. Establishment of trusted distribution paths,
2. Validation of vendors, and
3. Requirement of tamper proof products or
tamper evident seals on acquired products.”
(NEI April 2010)
CYBERSECURITY PLAN BASED ON NEI 08-09: GOALS
Procure CDA products and software
from vendors who practice good
cyber security and are capable of
implementing NEI 08-09, Rev. 6
Negotiate with vendors to ensure their
environment and products are secure
Develop a program to ensure that
products received are secure *
* Author: Barbara Weber
Sheffield Scientific, LLC
Senior Cyber Security Consultant
EXPECTATIONS OF CDA SUPPLIERS
Should be operating at the same level of security as the
• Establish a secure developing and operating
• Verify staff is trustworthy
• Verify they are managing their suppliers
• They are obligated to patch vulnerabilities in
products or services provided
• All received products are hardened
• Access Control is managed
Note: 10 CFR 74.53 comparable to NQA-1
Author: Barbara Weber
Sheffield Scientific, LLC
Senior Cyber Security Consultant
TO BEGIN THE PROCESS…
• Perform an evaluation (mini-risk
assessment/risk analysis) on top priority
• Identify security gaps
• Evaluate partnership versus their security
weaknesses: What upgrades possible?
What auditing rights? What level of priority?
• Periodically audit and reevaluate
SUPPLY CHAIN SHOULD COMPLY TO WHAT LEVEL?
• Many aspects of supply chain management
are their own mature specialties with
expertise, tools, processes – ie, software
assurance or the receiving/testing of goods.
These need to be integrated at the level
which makes sense
• Is it better to use a supplier who already
have adequate security in place?
• Cybersecurity challenges grow so much
faster than guideline adoption by regulatory
agencies (so far)
THE “IDEAL” SUPPLY CHAIN SECURITY POSTURE
Locating the best information depends upon goals
Are organization goals to find:
• Easiest to implement? Fastest? Cheapest? Best?
• Easiest to get stakeholders to agree to?
Do we search:
• Guiding principles (not compliance yet)
• Search by terms
• Search by agency
Most important: compliance
Next level: best security practices
Ensure that “supply chain risk” (all external
dependencies) are identified and included in
your organization’s risk assessments
Determine the needs/desires of stakeholders
in your organization regarding supply chain
• Choose between NEI compliance or ES-
• Identify the best source documents
• Identify supporting documents (like NIST
Follow the process
Repeat! (all suppliers, annually)
KASPERSKY LAB PROVIDES BEST INTHE INDUSTRY PROTECTION*
20 40 60 80 100
N of independent tests/reviews
Intel Security (McAfee)
In 2014 Kaspersky Lab products participated in 93
independent tests and reviews. Our products were
awarded 51 firsts and received 66 top-three finishes.
• According to summary results of independent
tests in 2014 for corporate, consumer and mobile
• Summary includes tests conducted by the
following independent test labs and magazines:
Test labs: AV-Comparatives, AV-Test, Dennis
Technology Labs, MRG Effitas, NSS Labs, PC
Security Labs, VirusBulletin
• The size of the bubble reflects the number of 1st
1st places – 51
Participation in 93
TOP 3 = 71%
THANK YOU! QUESTIONS?
Cynthia James – firstname.lastname@example.org
Technology Alliances & Business Development