Gerald Fralick, CSO − October 16, 2014 How Secure is Our Nation’s Infrastructure: A Year in Review and What Lies Ahead


Page 1

Gerald Fralick, CSO − October 16, 2014

How Secure is Our Nation’s Infrastructure: A Year in Review and What Lies Ahead

Page 2

PRESIDENTIAL POLICY DIRECTIVE / PPD-21

The Nation's critical infrastructure provides the essential services that underpin American society. The PPD-21 Directive establishes national policy on critical infrastructure security and resilience, which is a shared responsibility among Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure.

The PPD-21 Directive refines / clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, and enhances overall coordination and collaboration.

Strategic Imperatives to Strengthen Critical Infrastructure

- Enable effective information exchange
- Refine and clarify functional relationships across the Federal Government
- Implement an integration and analysis function

Page 3

Critical Infrastructure

What Is Critical Infrastructure?

Critical infrastructure comprises 16 major sectors and is the backbone of our nation's economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.

Critical infrastructure is the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Page 4

Critical Infrastructure Sectors – Overview

- Chemical Sector: composed of 5 main segments: Basic Chemicals, Specialty Chemicals, Agricultural Chemicals, Pharmaceuticals, Consumer Products
- Commercial Facilities: composed of 8 subsectors: Public Assembly, Sports Leagues, Gaming, Lodging, Outdoor Events, Entertainment / Media, Real Estate, Retail
- Critical Manufacturing: comprised of 4 core manufacturing industries: Machinery, Primary Metal, Electrical Equipment / Appliance / Component, Transportation Equipment
- Dams
- Defense Industrial Base: components are Companies – Domestic Entities, Companies – Foreign Entities, Production Assets in Various Countries
- Emergency Services: the Nation’s first line of defense against Natural Threats, Cyber Related Threats, Workforce Threats, Manmade Threats
- Energy Sector: uniquely critical by providing an enabling function across all critical infrastructure sectors: Natural Gas, Petroleum, Electricity
- Financial Services: because cyber threats are a significant concern to this sector, the Treasury Department works closely with US-CERT to identify the latest threats to cyber infrastructure and disseminates threat information within the sector.

Page 5

Critical Infrastructure Sectors – Overview (continued)

- Food and Agriculture: critical dependencies with many sectors, but particularly with Water / Wastewater Systems, Transportation Systems, Energy, Pharmaceuticals, Financial Services, Chemical, and Dams
- Government Facilities: includes buildings located in the US and overseas owned / leased by federal, state, local and tribal governments: Buildings, Education Facilities, National Monuments
- Healthcare / Public Health: protects all sectors of the economy from hazards such as terrorism, infectious diseases, etc. Symbiotic sectors: Communications, Emergency, Energy, Food / Ag, Info Technology, Transportation, Water / Wastewater
- Information Technology: the heart of the nation’s security, economy, public health and safety sectors
- Nuclear Reactors, Materials and Waste: components are Nuclear Fuel Cycle Facilities, Nuclear Power Plants, Radioactive Materials, Non-Power Reactors, Decommissioned Nuclear Power Reactors, Manufacturers of Nuclear Reactors / Components, Transportation, Storage, and Disposal of Nuclear / Radioactive Waste
- Transportation System: seven key subsectors: Aviation, Highway Infrastructure, Motor Carrier, Maritime, Mass Transit, Passenger Rail, Pipeline Systems, Freight Rail, Postal / Shipping
- Water / Wastewater: vulnerabilities are contamination with deadly agents and physical attacks (cyber / chemical)
- Communications: underlying all operations of all businesses, public safety organizations, and government.

Page 6

Critical Infrastructure - Summary

All 16 sectors are interdependent and interconnected, tied together.

A successful attack on any one of them would be severely detrimental to the well-being and fabric of the United States.

In the world of Information Technology, where are the holes, the vulnerabilities?

How do we as CISOs, CSOs and IT Security specialists detect and prevent security compromises, and prove that our networks, end point products, and infrastructure are really secure?

Page 7

The Year In Review: What Has Changed

Page 8

Trusted Sources – how do we decide who / what is a trusted source? How do we quantify / qualify “trusted”?

Supply Chain Security – closer scrutiny of components and of how / where our products are developed and manufactured.

Public perception and awareness of vulnerabilities and demand for reassurance that products / services / online websites are safe and secured.

Cost of Doing Business has increased:

- The CIO and Compliance Offices: no longer a luxury, but the cost of doing business in a global economy.
  - Key Skills: SIRT, Auditor, Software Security Architects, Ethical Hacker
  - Small businesses not able to fund such an office can outsource to 3rd parties

- Cybersecurity Programs are critical

- Cost to businesses that have been compromised of fixing the infrastructure issues, plus lost revenue from reduced consumer spend after breaches. These costs are eventually passed on to consumers.

Border Security in the US is highly vulnerable to infiltration, and breaches are at an all-time high which, in turn, places our critical infrastructures at increased risk for terrorist and cyber attacks. One attack can cripple our entire nation and its economy with a domino effect.

Health and medical records are the new “hot commodity” of cyber attacks, even more valuable than credit card information. Once the health care information is stolen, this information is used to obtain pharmaceuticals, commit Medicare fraud and other crimes.

Increased use of ‘cloud’ services for business and personal use, which are very vulnerable to cyber crimes. Businesses often focus on the convenience and low cost of cloud services, but not enough on the potential for compromise to security and data breaches.

What Has Changed: the risk of cyber and terrorist attacks against our critical infrastructures has never been higher.

Page 9

Security Landscape (Customer Concerns):

PAST: 12 MONTHS AGO
- Malware
- Back Doors
- Spyware
- Holes in BIOS
- Trust Worthy Personnel Screening

PRESENT: 2014
- Supply Chain (Touch Points): Manufacturing / Assembly / Delivery
- Product Security (SIRT): Security Incident Response Team
- Software Development – Where? Design / Dev / Test / Authenticate & Validate
- Internet of Things

FUTURE: 12 – 18 MONTHS OUT
- Critical Infrastructure Cyber Security Framework

Page 10

Liability Shift

- Merchants that accept credit cards for payment, but do not have Chip and PIN available to consumers by October 2015, will be held completely liable for breaches. Reference: http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/

- On June 10th, 2014 a Securities and Exchange Commission (SEC) Commissioner noted that a "…cyber attack may not have a direct material adverse impact on the company itself, but that a loss of customers", and suggested updating the SEC Cyber Security Guidance for breach disclosure and fines to businesses that suffer breaches. He strongly encouraged companies' boards of directors to take active roles in their risk management programs and apply frameworks like the NIST Cyber Security Framework. Reference: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946 Reference: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

- James Comey, Director of the Federal Bureau of Investigation (FBI), said last November that “resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.” Reference: http://www.hsgac.senate.gov/hearings/threats-to-the-homeland

The current cybersecurity attacks and breaches have highlighted the need for corporate responsibility for compliance and security within cybersecurity networks and IT infrastructures. The legal books are being “rewritten” with new laws and new cases resulting from these attacks.

Failure by CISOs, CIOs and CEOs to address these pressing cyber security issues will result in the liability falling back on them as corporate executives.

Page 11

Not if, but WHEN….

- Target Breach: malicious software in point of sale systems; > 40 million credit cards stolen; Cost = 148 million
- Home Depot Breach: malicious software in point of sale systems; 5 months & > 60 million credit cards stolen; Cost = Unknown
- South Carolina Department of Revenue (State of South Carolina): 16 million records stolen; Cost = ~36.6 million
- JP Morgan Chase: breach penetrated internal working systems in the bank; 76 million households and 7 million businesses affected; Cost = Unknown
- Fidelity Investments: attacked by the same group as JP Morgan Chase, but hackers were unable to penetrate any of the security on their network systems

The U.S. per record cost for a data breach averages $194.

Businesses and banks are not the only targets of cyber crime. Health care records are rapidly becoming the new “hot commodity” and target of hackers. Between April and June 2014, hackers penetrated Community Health Systems, resulting in 4.5 million health care records stolen.

Page 12

Network Infrastructure and Security

Over the course of the year, network infrastructure and security has become even more important as cyber criminals become more aggressive and specific in their targets and attacks. Hardening network infrastructure is key to building immunity and resistance to the attacks.

Weakness in network infrastructure results in high risk of cyber exploitation. Our nation’s critical infrastructures depend on the ‘wellness’ of their associated IT networks.

The perception was that cyber attacks were / would be from external sources breaking through firewalls, etc. The Target security breach showed that focus must also be on hardening network infrastructure internally to avoid compromise from within:

- Device Integrity
- Secure Management
- Secure Protocol Standards / Strong Cryptography
- Secure Logging
- Stringent regulations on BYOD programs (and use of thumb drives)

Page 13

What’s on the CIO’s (CISO) Mind

- Mobility
- Business Enablement
- Compliance
- Data Theft
- Spear Phishing
- Advanced Malware
- Hacktivist
- Cloud (Vendor Management)
- Threat Intelligence / Vetting
- Insider Threat
- Targeted Attackers / APT
- Attack Preparation and Response (Incident Response Plans)

With all the lapses in people, process, and technology, how do I not become the next victim or the next headline?

Page 14

Secure Supply Chain Management: Key Questions for IT Industry Vendors:

Do you have a secure supply chain management program? (e.g. What is it based on?)

Does your program address hardware, firmware, and software that is packaged on the system?

What embedded software do you have on your devices?

How do you ensure that the firmware and software on your device have not been altered?

Does your code get reviewed externally for security vulnerabilities?

How do you ensure that unauthorized code is not inserted?

How do you ensure that counterfeit parts are not in your products?

Supply Chain Management: System(s) Root of Trust

Hardware
- Baseboard
- CPU
- Memory
- Hard Drive
- HSM
- Storage

Firmware
- BIOS
- UEFI
- BMC
- TMM
- Drivers (e.g. Audio, Video)

Bundled Software
- Operating System (e.g. Windows 7, Windows 8)
- Internally Developed Software
- 3rd Party
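The key questions above ask how a vendor shows that firmware and bundled software have not been altered and that no unauthorized code was inserted. The following is an added example, not code from the slides or from Lenovo: a manifest of SHA-256 digests for the BIOS, UEFI, BMC, driver and OS components is anchored to a manifest digest pinned out-of-band (the root of trust), and a device inventory is compared against it to report altered, missing and unlisted components. Component names, image bytes and the tampered inventory are constructed sample data.

```python
"""Added example: verify a device's firmware / bundled-software inventory against
a manifest whose digest is pinned out-of-band as the root of trust.
All component images, digests and inventories below are constructed sample data."""
import hashlib
import hmac
import json

# Constructed sample "golden" images the vendor shipped, keyed by component.
# Real images would be the BIOS/UEFI/BMC binaries and driver/OS packages.
GOLDEN_IMAGES = {
    "firmware/BIOS": b"BIOS v2.31 build 0xA1",
    "firmware/UEFI": b"UEFI capsule 1.12",
    "firmware/BMC": b"BMC 4.07",
    "firmware/drivers/audio": b"audio driver 6.0.1",
    "software/os": b"Windows 7 SP1 image",
    "software/internal/agent": b"asset agent 3.2",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict) -> bytes:
    """Canonical JSON manifest of component -> SHA-256; sorted keys keep its digest stable."""
    entries = {name: sha256_hex(blob) for name, blob in images.items()}
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


# Root of trust: the manifest digest recorded out-of-band at provisioning (constructed here).
# Pinning the digest, rather than trusting whatever manifest is on disk, anchors the check.
MANIFEST = build_manifest(GOLDEN_IMAGES)
PINNED_MANIFEST_DIGEST = sha256_hex(MANIFEST)


def verify_inventory(manifest: bytes, pinned_digest: str, inventory: dict) -> dict:
    """Compare what is actually on the device (inventory) against the manifest.
    A manifest that does not match the pin is rejected outright: nothing it says can be trusted."""
    result = {"manifest_ok": False, "altered": [], "missing": [], "unlisted": []}
    if not hmac.compare_digest(sha256_hex(manifest), pinned_digest):
        return result
    result["manifest_ok"] = True
    expected = json.loads(manifest)
    for name, digest in expected.items():
        if name not in inventory:
            result["missing"].append(name)          # listed component removed
        elif not hmac.compare_digest(sha256_hex(inventory[name]), digest):
            result["altered"].append(name)          # listed component modified
    # Anything on the device the manifest never listed is unauthorized code ("inserted").
    result["unlisted"] = sorted(set(inventory) - set(expected))
    return result


def device_is_trustworthy(report: dict) -> bool:
    return report["manifest_ok"] and not (report["altered"] or report["missing"] or report["unlisted"])


# Constructed tampered inventory: BMC firmware modified, audio driver removed, extra binary present.
TAMPERED_INVENTORY = dict(GOLDEN_IMAGES)
TAMPERED_INVENTORY["firmware/BMC"] = b"BMC 4.07 + implant"
del TAMPERED_INVENTORY["firmware/drivers/audio"]
TAMPERED_INVENTORY["software/unknown/updater.exe"] = b"not in manifest"

if __name__ == "__main__":
    print(verify_inventory(MANIFEST, PINNED_MANIFEST_DIGEST, GOLDEN_IMAGES))
    print(verify_inventory(MANIFEST, PINNED_MANIFEST_DIGEST, TAMPERED_INVENTORY))
```

Rebuilding the manifest to match the tampered images does not help an attacker, because the rebuilt manifest no longer matches the pinned digest and is rejected before any component is compared.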

Page 15

Attacks Targeting Supply Chain

“Bad BIOS” and “Bad USB”: highly publicized issues in firmware that allow a malicious attacker to gain low-level access to systems.

July 7th, 2014 – ZombieZero hit hardware scanners of large shipping and logistics companies. The hardware supply chain was the suspected avenue of attack.

July 22nd, 2010 – Dell PowerEdge Motherboards Ship with Malware (Spybot Worm)
Source: http://www.zdnet.com/dell-poweredge-motherboards-ship-with-malware-3040089615/

June 16th, 2014 – Android smartphone shipped with spyware
Source: https://blog.gdatasoftware.com/blog/article/android-smartphone-shipped-with-spyware.html

A U.S. power plant was taken offline for three weeks when a computer virus attacked a turbine control system. The virus was introduced when a technician unknowingly inserted an infected USB drive into the network.
Source: http://www.theage.com.au/it-pro/government-it/malicious-virus-shuttered-power-plant-us-government-20130116-2cuox.html

Page 16

Analysis of End Point – Laptop Component Sourcing (cells list vendor; country)

Component            | Lenovo TP T440    | HP E840            | Dell Latitude 7440
CPU / Chipset / vPro | Intel             | Intel              | Intel
LCD                  | Multiple; Asia    | LG; China          | LG; China
FPR Sensor           | Validity; China   | Validity; China    | Broadcom; China
Smart Card Reader    | Alcor; China      | Alcor; China       | O2Micro; China
Touchpad             | Synaptics; China  | Synaptics; China   | Alps; China
Memory               | Multiple; Asia    | Ramaxel; China     | Micron; Korea
HDD                  | Multiple; Asia    | Hitachi; Thailand  | Seagate; Korea
WLAN Card            | Intel; China      | Intel; China       | Atheros; China
Ethernet             | Intel; China      | Intel; China       | Intel; China
TPM                  | ST Micro; China   | Infineon; Asia     | Atmel; Asia
Super I/O            | Toshiba; China    | SMSC; Taiwan       | SMSC; Taiwan
Embedded Controller  | Microchip; Taiwan | N/A                | SMSC; Taiwan

Assumption: HP and Dell, like Lenovo, have multiple sources.

Page 17

What Lies Ahead: A Call to Action

- Assess and communicate security risks – adopt a uniform framework such as the NIST standards, and perform regular compliance assessments.
- Better articulate risks and audit findings to business stakeholders – perform routine reporting of cybersecurity threats to build support for security initiatives.
- Explore creative paths to improve cybersecurity effectiveness within your organizations using the current federated governance models – create cybersecurity competency centers or pursue a shared services model.
- Focus on audit and continuous monitoring of third party compliance – focus on communicating cybersecurity policies and practices to partners.
- A more thorough vetting and screening process for vendors and employees who have access to sensitive information or technology. Closer scrutiny of internal “IT hygiene” practices.
- Validation for supply chain “touchpoints”
- Location of software code development
  - Independent validation and verification of software code development / root of trust

Page 18

Framework Introduction

Presidential Executive Order 13636 – “Improving Critical Infrastructure Cybersecurity”

- Calls for development of a voluntary cybersecurity Framework that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.
- Developed in collaboration with industry
- Provides guidance to an organization on managing cybersecurity risk.

2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.

Page 19

Framework Overview

The Framework is a risk-based approach to managing cybersecurity risk, composed of three parts:

- Framework Core: a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure.
- Framework Implementation Tiers: provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.
- Framework Profile: represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories; the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.


Page 20

Framework Core – Four Elements

Functions – organize basic cybersecurity activities at their highest level:

1. Identify – Develop organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
2. Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
3. Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
4. Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
5. Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Categories – subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.

Subcategories – further divide a Category into specific outcomes of technical and/or management activities.

Informative References – specific sections of standards, guidelines and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.


Page 21

What Lies Ahead: A Call to Action

Page 22

Critical Infrastructure – Time to Comply

Supply Chain: How secure is your end product from point A (origination) to the point of delivery (Z)?

Unified Capabilities Approved Products List (UC APL): a consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification. It is used by the US military and managed by the Defense Information Systems Agency.

NIST FIPS 140-2 (Cryptography): Federal Information Processing Standard (FIPS) 140-2 is the standard for cryptographic modules in equipment used in US government IT applications and environments. This is a US standard, and applies to civilian agencies.

Common Criteria: the civilian-focused international standard for security requirements for information technology products, adopted by 26 member countries for both government and private sector use. This is a globally applicable standard.

Use of Government-approved NIST & NSA test labs (7 outside Ft. Meade, MD, & NSA).

Page 23

Critical Infrastructure – Proof of Security

- Products
- Networks
- Infrastructure
- Cloud
- Data

Use of external cybersecurity standards, regulations, frameworks, and guidance.

Page 24

Questions?

Jerry Fralick – Chief Security Officer

Think Business Group

Lenovo USA

1009 Think Place

Morrisville, NC 27560

919-257-6172

[email protected]
