
Page 1

© 2012 Utilities Telecom Council

Information and Communication Technology (ICT) Supply Chain Security – Emerging Solutions

Nadya Bartol, CISSP, CGEIT, UTC Senior Cybersecurity Strategist

Page 2

Agenda

• Problem Definition
• Existing and Emerging Practices
• Ten Key Questions
• Summary and Questions


Page 4 (Problem Definition)

What is ICT Supply Chain Risk Management?

• Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains of multiple suppliers
• The acquirer does not always know how that happens, even with the primary supplier
• Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices
• Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety

Acquirers need to be able to understand and manage the associated risks.

Source: Nadya Bartol, ACSAC Case Study, December 2010

Page 5 (Problem Definition)

How does this look?

[Figure: "Scope of Supplier Expansion and Foreign Involvement" graphic, from DACS Secure Software Engineering (www.softwaretechnews.com), July 2005 article "Software Development Security: A Risk Management Perspective", a synopsis of the May 2004 GAO-04-678 report "Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks"]

Page 6 (Problem Definition)

[Figure: Dell Inspiron 600m Notebook: Key Components and Suppliers, from The World Is Flat by Thomas Friedman]

Source: Booz Allen Hamilton and DoD

Page 7 (Problem Definition)

What are the risks?

• Intentional insertion of malicious functionality
• Counterfeit electronics
• Poor practices upstream

Page 8 (Problem Definition)

Intentional insertion of malicious functionality

[Diagram: a Provider/Integrator at the top of a multi-tier tree of Suppliers; lower-tier suppliers are annotated with Backdoor, Virus, and Extra Features]

Page 9 (Problem Definition)

Counterfeit Electronics

[Diagram: the same Provider/Integrator and multi-tier Supplier tree; lower-tier suppliers are annotated with Counterfeit Component (twice), Extra Features, and Poor Performance]

Page 10 (Problem Definition)

Poor practices upstream

[Diagram: the same Provider/Integrator and multi-tier Supplier tree; lower-tier suppliers are annotated with Poor quality, Poor coding practices, and Poor Performance]

Page 11 (Problem Definition)

This may impact reliability and safety for years

[Diagram: the Provider/Integrator and multi-tier Supplier tree with all three risk classes combined: Poor quality, Poor coding practices, Poor Performance, Counterfeit Component (twice), Extra Features, Backdoor, and Virus]

Page 12 (Problem Definition)

Some History

• 1999-2006: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics
• 2007-2009: European reports on robustness of communications infrastructures and IT supply chain risks
• 2008: US Comprehensive National Cybersecurity Initiative stood up
• 2010: Stuxnet
• Oct 2011: ODNI report on foreign industrial espionage
• Sept-Oct 2012: Telvent hacked; US House Intelligence Committee Huawei and ZTE report released
• 2012: ENISA study on supply chain integrity
• 2013: NDAA 2013; Cyber EO; PPD 21; Mandiant report


Page 14 (Existing and Emerging Practices)

Existing and Emerging Practices

[Timeline, 2008-2013, with a Government track and an Industry track]

Government:
• 2008: Comprehensive National Cybersecurity Initiative stood up
• DoD ICT SCRM Key Practices Document
• NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
• Cyberspace Policy Review
• The President's International Strategy for Cyberspace
• DHS Vendor Procurement Language
• DHS ICT Supply Chain Exploits Frame of Reference
• GAO Report
• Energy Delivery Systems Procurement Language
• PMOs developed in DOJ and DOE
• NIST SP 800-161

Industry:
• SAFECode Software Supply Chain Integrity papers
• Open Trusted Technology Framework
• Common Criteria Technical Document
• ISF Supplier Assurance Framework
• IEC 62443-2-4 – Industrial-process measurement, control and automation
• ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships
• SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)


Page 19 (Existing and Emerging Practices)

How do these standards help?

By answering the following key question:

• How should an organization manage security risks associated with acquiring ICT products and services?

AND

By providing a rich menu of items to choose from to

• Define your own processes for supplier management
• Ask your suppliers about their processes


Page 21 (Ten Key Questions)

(1) What ICT assets and processes are critical to your business?

[Diagram: Assets and Processes, mapped to ICT Products and Services, mapped to ICT Suppliers; each asset class is shown with its supplier split]

Asset class        | Supplier split
-------------------|----------------
Network gear       | 90% / 10%
Control systems    | 50% / 50%
Servers            | 50% / 25% / 25%
Database software  | 100%
Laptops            | 100%
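Turning the asset-to-supplier map above into something an acquirer can act on, as an added example that is not part of the original deck: the Python below takes each critical asset class with its supplier split (the splits follow the slide; the supplier names Vendor A through Vendor G are constructed placeholders) and reports where one supplier holds all or nearly all of the supply, which suppliers several critical asset classes depend on, and a Herfindahl-Hirschman concentration index per asset. The single-sourced assets it flags are exactly where the life-span failure modes raised under question (8), supplier out of business, parts no longer available, support discontinued, leave no fallback.

```python
"""Supplier concentration check over a critical-asset / supplier map.

Added example for this deck; not from the original slides. Asset classes
and percentage splits follow the slide for question (1); the supplier
names (Vendor A .. Vendor G) are constructed placeholders.
"""
from collections import defaultdict

# Constructed data: fraction of each critical asset class sourced from
# each supplier. Splits follow the slide; supplier names are hypothetical.
ASSET_SUPPLIERS = {
    "Network gear":      {"Vendor A": 0.90, "Vendor B": 0.10},
    "Control systems":   {"Vendor C": 0.50, "Vendor D": 0.50},
    "Servers":           {"Vendor A": 0.50, "Vendor E": 0.25, "Vendor F": 0.25},
    "Database software": {"Vendor G": 1.00},
    "Laptops":           {"Vendor A": 1.00},
}


def validate(asset_suppliers, tol=1e-6):
    """Return the assets whose supplier shares do not add up to 100%.

    A map that does not add up usually means an unknown supplier tier
    (the deck's point that the acquirer often does not know who is
    upstream), so it is reported rather than silently normalised.
    """
    return [asset for asset, shares in asset_suppliers.items()
            if abs(sum(shares.values()) - 1.0) > tol]


def single_source_assets(asset_suppliers, threshold=0.90):
    """Assets where one supplier holds at least `threshold` of the supply.

    Returns {asset: (supplier, share)}. These are the assets with no
    fallback if that supplier goes out of business, stops making parts
    or discontinues support (question 8 in the deck).
    """
    result = {}
    for asset, shares in asset_suppliers.items():
        supplier, share = max(shares.items(), key=lambda kv: kv[1])
        if share >= threshold:
            result[asset] = (supplier, share)
    return result


def supplier_exposure(asset_suppliers):
    """Invert the map: supplier -> [(asset, share), ...].

    Ordered by how many critical asset classes depend on the supplier,
    so the supplier to ask the hardest questions of comes first.
    """
    exposure = defaultdict(list)
    for asset, shares in asset_suppliers.items():
        for supplier, share in shares.items():
            exposure[supplier].append((asset, share))
    return dict(sorted(exposure.items(),
                       key=lambda kv: (-len(kv[1]), kv[0])))


def hhi(shares):
    """Herfindahl-Hirschman index of one asset's supplier shares.

    Sum of squared shares: 1.0 means a single source, values near
    1/n mean supply spread evenly over n suppliers.
    """
    return sum(share * share for share in shares.values())


def concentration_report(asset_suppliers):
    """[(asset, supplier_count, hhi)] sorted from most to least concentrated."""
    rows = [(asset, len(shares), round(hhi(shares), 4))
            for asset, shares in asset_suppliers.items()]
    return sorted(rows, key=lambda row: -row[2])


if __name__ == "__main__":
    bad = validate(ASSET_SUPPLIERS)
    if bad:
        print("shares do not add up to 100% for:", ", ".join(bad))
    print("Single-sourced assets:")
    for asset, (supplier, share) in single_source_assets(ASSET_SUPPLIERS).items():
        print(f"  {asset}: {share:.0%} from {supplier}")
    print("Supplier exposure:")
    for supplier, assets in supplier_exposure(ASSET_SUPPLIERS).items():
        print(f"  {supplier}: {len(assets)} critical asset class(es) -> {assets}")
    print("Concentration (HHI) per asset:")
    for asset, n, index in concentration_report(ASSET_SUPPLIERS):
        print(f"  {asset}: {n} supplier(s), HHI={index}")
```

With the slide's splits, Network gear, Database software and Laptops come out single-sourced at the default 90% threshold, and the placeholder Vendor A shows up under three of the five critical asset classes, which is the kind of finding that decides where to spend assessment effort and where to negotiate escrow or spare-parts provisions. The threshold is a policy choice: set it to 1.0 to flag only true sole-source assets, or lower it where a minority supplier could not realistically absorb the volume.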

Page 22 (Ten Key Questions)

(2) Have you defined what security you want?

[Diagram: the supplier split from question (1) (Network gear 90% / 10%; Control systems 50% / 50%; Servers 50% / 25% / 25%; Database software 100%; Laptops 100%) shown alongside the security requirements for each critical asset]

Critical Assets, each with Security Requirements:
• Confidentiality
• Integrity
• Availability

Validated against standards and best practices

…and can you use these requirements to negotiate security with your suppliers?

Page 23 (Ten Key Questions)

(3) How will you know that the supplier is doing what they said they will do?

Three sources of evidence, and what each produces:
• Supplier self-assessment, producing a supplier attestation
• Acquirer assessment, producing assessment results
• Independent third-party certification, producing a certification

Page 24 (Ten Key Questions)

(4) Has the supplier implemented a secure lifecycle?

Evidence: a secure lifecycle certification, OR indicators such as:
• Security reviews are conducted throughout the lifecycle
• Developers are trained in secure coding practices
• Secure code repositories are used
• Supplier knows the origins of critical components
• Lifecycle stops until critical weaknesses are fixed
• Supplier has heard of best practices (e.g., OWASP or Microsoft SDL)

Page 25 (Ten Key Questions)

(5) How will your data be protected when it is exchanged with the supplier? With the acquirer?

[Diagram: data classes exchanged between Acquirer and Supplier: Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable]

Page 26 (Ten Key Questions)

(6) How will you and the supplier communicate vulnerabilities? You and the acquirer?

New vulnerability:
• Disclose or not disclose?
• How to disclose?
• Who will fix?
• If cannot fix, who will remediate?

Page 27 (Ten Key Questions)

(7) How will you and the supplier communicate about incidents? You and the acquirer?

Incident or breach:
• Disclose or not disclose?
• How and what to disclose? (Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable)
• How to minimize the impact to both?


Page 30 (Ten Key Questions)

(8) How will you (acquirer and supplier) protect yourself for the entire life span of the system?

Lifecycle phases: Development/Engineering; Operations/Maintenance; Retirement/Termination

Concerns across the life span:
• Supplier out of business
• Parts no longer available
• Support discontinued
• Component disposal

Ways to address them:
• Provisions for hardware and software to be available in the future for maintenance and sustainment
• Software escrow
• Buy parts for the future
• Approved resellers and disposers

Page 31 (Ten Key Questions)

(9) How will this relationship be terminated securely?

Lifecycle phases: Development/Engineering; Operations/Maintenance; Retirement/Termination

[Diagram: at Retirement/Termination, the data classes exchanged during the relationship: Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable]


Page 34 (Ten Key Questions)

(10) How will the people know what to do?

Points of contact per supplier (placeholder names from the slide):
• Supplier 1: Frodo Baggins
• Supplier 2: Harry Potter
• Supplier 3: Peter Pan
• …..
• Supplier X: Cinderella

Awareness for all involved:
• Acquisition/procurement
• Legal
• Developer/engineer
• Delivery, shipping, receiving
• Executives
• Others?

What about your suppliers?


Page 36 (Summary and Questions)

In Summary

• ICT supply chain concerns are at the heart of today's technology acquisition
• Acquirer practices and supplier practices are equally critical
• You may already have these practices somewhere in your organization
• Use the ten basic questions together with existing standards and practices to get started

Page 37

Questions

Page 38

Contact Information

• Nadya Bartol, [email protected]

3/17/2014