Cyber supply chain risk management ASDE

Cyber security risks in your supply chain

ASDE WA Chapter
Version 1.0, 24th October, 2013
Aaron Doggett, BAE Systems Detica, WA Regional Manager

© Stratsec.net Pty Ltd trading as BAE Systems Detica (2013). All rights reserved.
BAE SYSTEMS and DETICA are trade marks of BAE Systems plc.

What is this about?

• Risks to cyber supply chains, and their real-world
implications
• Disruption
• Theft
• Failure of output

• Security of commercial and bespoke capabilities
• National defence and economical significance


2

What is this about?

• “Governments and commercial organizations worldwide
continue to voice concerns over the need to ensure the
security of commercial technology products and the
integrity of the world’s technology supply chains while
maintaining a diverse range of technology options and
preserving innovation.”
- Open Group White Paper


3

Supply chain risk management
• “Supply chain risk management (SCRM) is a discipline of risk
management which attempts to identify potential disruptions to continued
manufacturing production and thereby commercial financial exposure”
- Institute of Risk Managers

International
Journal of
Physical
Distribution &
Logistics
Management


4

A sample global supply chain

Software design
Product use
Chip manufacture

Product assembly
Software design

Component
manufacture

Product design
Chip design
Product use


5

SCRM for Defence & cyber security

• SCRM in Defence has a number of angles:
• Defining operational capability and readiness
• Once operational, takes a logistical focus
• Focus on capability and resiliency

• SCRM as a product or service supplier:
• Support the customer’s supply chain requirement
• Cost, efficiency, integrity, resiliency of own supply chain

• SCRM in cyber security:
• Macro (geo-political) concerns about integrity
• Risks associated with supplier and component compromise


6

Why applicable to this group

• SCRM in a cyber security sense has real world implications
• Increasing number of cases resulting in:
•
•
•
•

Theft of intellectual property
Direct commercial advantage
Brand/reputational damage
National damage

• Increasingly, attacks are held against a component of the
supply chain, not the end entity
• Does pose a concern to national security, national economy
and specific industry
• Generally, is a concern for Defence & Defence suppliers

7

To consider

• Stages of a product lifecycle
•
•
•
•
•

Where the greatest widescale

Development & manufacturing
attack could occur (unnoticed)
Delivery
Where a targeted attack could
occur (and go unnoticed)
Configure & deploy
Where the security industry typically
Use / run
focuses its attention
End of life & disposal

• Whilst the ‘run’ stage is where we have the greatest control, do
we pay enough attention in the other areas?


8

What we are seeing

• Increasing public accounts of industrial espionage using
‘cyber’ as an attack vector
• Increasing attacks on the supply chain due to:
• Weaker links / softer targets than the end entity
• Ability to achieve deeper and wider penetration

Which of your vendors/suppliers is this?
Do any of your customers think that this is you?

9

Geo-politics of this problem are not new


10

Recent breaches have SCRM at their core
An infrastructure “hacked repeatedly by outsiders who stole
February 2012. VeriSign wascompany is compromised.
undisclosed information from the leading internet infrastructure company” in
They are important to you. Fingers crossed.
2010. (smh.com.au)
“security breaches … were not sufficiently reported to management” –
Verisign SEC Filing
An infrastructure company is compromised.
March 2011. RSA compromised by an “Advanced Persistent Threat”, stealing
They are important to you. Fingers crossed.
data related to the SecurID authentication system.
“It is likely that RSA growth will remain a bit slower as remediation efforts
continue” - David Goulden, EMC CFO

The infrastructure breach gets used against cyber
May 2011. Lockheed Martin was hit with a “significant and tenacious” you.
attack, using the breached RSA SecurID authentication data.
"The fact is, in this new reality, we are a frequent target of adversaries
around the world." - Sondra Barbour, CIO
Your supplier gets compromised; your during a
April 2011. DELL Australia’s customer data was compromised,data gets
stolen.
breach of US-based e-mail service provider epsilon.
(Also affected Barclays Bank, Citigroup, JPMorgan Chase, Visa, Marriott
International, Kraft, Tivo and others).

Your supplier gets compromised; is your data
“China-based hackers looking to derail the $40 billion acquisition of the
taken?
world’s largest potash producer by an Australian mining giant zeroed in on
offices on Toronto’s Bay Street, home of the Canadian law firms handling the
deal.” - Bloomberg

11

More examples - consumer & non-targeted

*Sample entries taken from the US Resilience Project

12

Two recent examples of attacks on supply chains

• NY Times website (end of August 2013)
• Attack left website unavailable for close to a day

• How performed*
• Attacker targets reseller of domain names
(personnel divulge their company email addresses and passwords)
• Attacker logs into email accounts
(identify details of customers, including username & passwords)
• Attacker changes domain registry to personal cause
(legitimate website unavailable)
• Attack via an Indian ISP, against a US reseller of Australian company
(that provides domain name services) and disrupts a global company!

*The Australian, 29/08/2013

13

Two recent examples of attacks on supply chains

• RSA beach (mid- 2011)
• Resulted in the theft of SecurID seed data

• How performed*
• April 2011 – targeted email to EMC employees.
• Excel attachment, embedded Flash (zero-day), drops ‘Poison Ivy’
backdoor.
• Remote access to workstation and network shares.
• Obtained SecurID seed data.
• Then (purportedly) used to attack Defence contractors.
• Prior to this event, how many people would have risks to the seed data
for their RSA tokens used for remote access on their corporate register?
*F-Secure, 26/08/2011

14

The ‘advanced threat’

• For the past few years, the phrase ‘advanced persistent
threat’ (or APT) has been with us
• Typically associated with gaining and maintaining access to
high profile / value targets, often over many years
• Well resourced, highly skilled entities (search APT1, Hidden
Lynx for examples)
• Difficult to protect against due to the targeted nature of
attacks and often superior sophistication
• Relevant to the Defence space due to the appeal of the
target to nation states or supported entities
• Represents a clear targeted attack
• New vector for traditional espionage activities?

15

Responses (Macro level) – WEF Report on SCRM
• Primarily about physical supply
chains… but the issues
identified, and the implications,
are equally as applicable to
cyber security.


16

WEF Report on SCRM
• “Trends such as globalization, lean processes and the
geographical concentration of production have made supply
chain networks more efficient, but have also changed their risk
profile. “
• “Recent high-profile events have highlighted how risks outside
the control of individual organizations can have cascading and
unintended consequences that cannot be mitigated by one
organization alone.”


17

WEF Report on SCRM


18

US SCRM Focus

• 2012 US Defense Budget contains
~$1.2BN for Cyber Security,
focusing on:
• Increase funding for the training of
cyber analysts.
• Improving Global Information Gridwide situational awareness.
• Developing pilot programs for supply
chain risk management.
• Improving intrusion detection and
analysis.


19

US SCRM Focus

• Office of the Secretary for Defense 2012 Budget Estimates

• US Department of Homeland Security


20

Aus SCRM Focus

• Cyber security and SCRM are generally not linked in any
public directives
• 2013 Defence whitepaper:
• Building and maintaining pre/operational supply chains
• Promoting Aus entities to be part of international supply chains
• “Innovation in Australian industry must be focused on products that
have a clearly defined path into defence capability.”

• Separate points around cyber security, specifically:
• “Australia, the United States and the United Kingdom have committed
to developing a comprehensive cyber partnership to address mutual
threats and challenges emerging in and from cyberspace.”


21

Aus SCRM Focus
• Australian Govt Cyber Security Strategy (2009)
• “Promote a secure, resilient and trusted global electronic
operating environment that supports Australia’s national
interests”
• “Australia is vulnerable to the loss of economic
competitiveness through the continued exploitation of ICT
networks and the compromise of intellectual property and
other sensitive commercial data.”
• Australian businesses operate secure and resilient
information and communications technologies to protect the
integrity of their own operations and the identity and privacy
of their customers”

22

Responses (Organisational level) – Board Ownership

• A cyber security breach is no longer an IT problem. It may:
•
•
•
•
•
•

Create significant reputational damage
Impact on share price
Compromise strategic negotiations or transactions
Provide an opportunity for a class action
Result in market disclosures and compliance breaches
Diminish competitive advantage


23

Supply chain risk management practices - NIST
• Uniquely identify supply chain elements, processes and actors
• Limit access and exposure within the supply chain
• Establish and maintain the provenance of elements, processes, tools,
and data
• Share information within strict limits
• Perform SCRM awareness and training
• Use defensive design for systems, elements, and processes
• Perform continuous integrator review
• Strengthen delivery mechanisms
• Assure sustainment activities and processes
• Manage disposal and final disposition activities throughout the life cycle
*NIST IR 7622

24

WEF Report Recommendations


25

WEF Report Recommendations


26

Responses (Individuals)

• Role to influence cyber SCRM will obviously vary
• Consider the value of the product/service to you
• Consider the value to other competitors (to you or your
customer if a supplier)
• Look at your work habits, the weaknesses/strengths
associated
• Work to identify the weaknesses in your supply chain for
your ‘most critical’ product/data/function
• Work backwards from there

• We need to work to prevent compromise from occurring, but
more importantly, to detect and recover from it.

27

Additional resources

• Cyber Supply Chain Risk Management: Toward a Global
Vision of Transparency and Trust, Microsoft, July 2011
• NIST IR 7622 - Notional Supply Chain Risk Management
Practices for Federal Information Systems, NIST, October
2012
• World Economic Forum
• New Models for Addressing Supply Chain and Transport Risk,
2012
• Building Resilience in Supply Chains, January 2013

• Cyber Supply Chain Risks, Strategies and Best Practices,
Chapter 4, US Resilience Project, 2011.

28

Contact details
BAE Systems Detica
Suite 1, 50 Geils Court
Deakin ACT 2600
Australia
Tel: +61 1300 027 001
Fax: +61 2 6260 8828
Email: australia@baesystemsdetica.com
Web: www.baesystemsdetica.com.au

Aaron Doggett
0404 07 431
aaron.doggett@baesystemsdetica.com

Copyright
© Stratsec.net Pty Ltd (2012). All Rights reserved.
BAE Systems and DETICA are trade marks of BAE Systems plc.
Other company names, trade marks or products referenced herein are the
property of their respective owners and are used only to describe such
companies, trade marks or products.
Stratsec.net Pty Limited, trading as ‘BAE Systems Detica’, is registered in
Australia under ACN 111 187 270 and has its registered office at 50 Geils
Court, Deakin ACT 2600.


29

Cyber supply chain risk management ASDE

More Related Content

What's hot

Viewers also liked

Similar to Cyber supply chain risk management ASDE

More from Engineers Australia

Recently uploaded

Cyber supply chain risk management ASDE