© 2012 Utilities Telecom Council
Information and Communication Technology (ICT) Supply Chain Security – Emerging Solutions
Nadya Bartol, CISSP, CGEIT, UTC Senior Cybersecurity Strategist
Agenda
• Problem Definition
• Existing and Emerging Practices
• Ten Key Questions
• Summary and Questions
What is ICT Supply Chain Risk Management?
• Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains of multiple suppliers
• Acquirer does not always know how that happens, even with the primary supplier
• Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices
• Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety
Acquirers need to be able to understand and manage associated risks
Source: Nadya Bartol, ACSAC Case Study, December 2010
How does this look?
“Scope of Supplier Expansion and Foreign Involvement” graphic in DACS (www.softwaretechnews.com) Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective”, a synopsis of the May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
From The World Is Flat by Thomas Friedman: Dell Inspiron 600m Notebook, Key Components and Suppliers
Source: Booz Allen Hamilton and DoD
What are the risks?
• Intentional insertion of malicious functionality
• Counterfeit electronics
• Poor practices upstream
Intentional insertion of malicious functionality
[Diagram: a provider/integrator sourcing from a tree of suppliers and sub-suppliers; malicious insertions along the chain labelled Backdoor, Virus, and Extra Features]
Counterfeit Electronics
[Diagram: the same provider/integrator and supplier tree; problems along the chain labelled Counterfeit Component (twice), Extra Features, and Poor Performance]
Poor practices upstream
[Diagram: the same provider/integrator and supplier tree; problems along the chain labelled Poor quality, Poor coding practices, and Poor Performance]
This may impact reliability and safety for years
[Diagram: the same provider/integrator and supplier tree with all three risk types combined: Poor quality, Poor coding practices, Poor Performance, Counterfeit Component (twice), Extra Features, Backdoor, Virus]
Some History
• 1999-2006: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics
• 2007-2009: European reports on robustness of communications infrastructures and IT supply chain risks
• 2008: US Comprehensive National Cybersecurity Initiative stood up
• 2010: Stuxnet
• Oct 2011: ODNI report on foreign industrial espionage
• 2012: ENISA study on supply chain integrity
• Sept-Oct 2012: Telvent hacked; US House Intelligence Committee Huawei and ZTE report released
• 2013: NDAA 2013, Cyber EO, PPD 21, Mandiant Report
Existing and Emerging Practices
[Timeline, 2008-2013, with government and industry tracks; only the 2008 date is attached explicitly on the slide]
• 2008: Comprehensive National Cybersecurity Initiative stood up
• DoD ICT SCRM Key Practices Document
• NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
• SAFECode Software Supply Chain Integrity papers
• Open Trusted Technology Framework
• Common Criteria Technical Document
• ISF Supplier Assurance Framework
• IEC 62443-2-4 – Industrial-process measurement, control and automation
• ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships
• SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)
• DHS Vendor Procurement Language
• NIST SP 800-161
• PMOs developed in DOJ and DOE
• DHS ICT Supply Chain Exploits Frame of Reference
• GAO Report
• Cyberspace Policy Review
• The President’s International Strategy for Cyberspace
• Energy Delivery Systems Procurement Language
How do these standards help?
By answering the following key question:
• How should an organization manage security risks associated with acquiring ICT products and services?
AND
By providing a rich menu of items to choose from to
• Define your own processes for supplier management
• Ask your suppliers about their processes
(1) What ICT assets and processes are critical to your business?
Map critical assets and processes to the ICT products and services they depend on, and each of those to the suppliers that provide them (share of supply per supplier):
Network gear        90% / 10%
Control systems     50% / 50%
Servers             50% / 25% / 25%
Database software   100%
Laptops             100%
(2) Have you defined what security you want?
For each critical asset in the table (Network gear 90% / 10%; Control systems 50% / 50%; Servers 50% / 25% / 25%; Database software 100%; Laptops 100%), define the security requirements:
• Confidentiality
• Integrity
• Availability
Validated against standards and best practices
…and can you use these requirements to negotiate security with your suppliers?
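For questions (1) and (2), the following is a worked example, added here and not part of the presentation, of what the asset-to-supplier table can be used for once it is filled in: aggregating each supplier's share across the critical assets exposes concentration that the per-product percentages hide (a supplier with only 10% of network gear may still be the single largest dependency of the critical asset base) and ties that concentration to the confidentiality, integrity and availability requirements on the affected assets. The supplier names, the criticality weights and the C/I/A assignments are constructed placeholders; the per-product shares are the slide's 90/10, 50/50, 50/25/25, 100 and 100.

```python
"""Supplier concentration across critical ICT assets (added example).

Each critical asset carries a criticality weight, the set of security
requirements (C/I/A) that must hold for it, and the share of its supply
that comes from each supplier.  Shares per product follow the slide;
supplier names, weights and C/I/A sets are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory (placeholder supplier names and weights).
ASSETS = {
    "Network gear":      {"weight": 5, "requirements": {"I", "A"},
                          "suppliers": {"Supplier A": 0.90, "Supplier B": 0.10}},
    "Control systems":   {"weight": 5, "requirements": {"I", "A"},
                          "suppliers": {"Supplier C": 0.50, "Supplier A": 0.50}},
    "Servers":           {"weight": 3, "requirements": {"C", "I", "A"},
                          "suppliers": {"Supplier D": 0.50, "Supplier A": 0.25,
                                        "Supplier E": 0.25}},
    "Database software": {"weight": 4, "requirements": {"C", "I"},
                          "suppliers": {"Supplier F": 1.00}},
    "Laptops":           {"weight": 1, "requirements": {"C"},
                          "suppliers": {"Supplier G": 1.00}},
}


def validate_shares(assets):
    """Reject an inventory whose per-asset supplier shares do not sum to 100%."""
    for name, asset in assets.items():
        total = sum(asset["suppliers"].values())
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{name}: supplier shares sum to {total:.2f}, not 1.00")
    return True


def supplier_exposure(assets):
    """Return {supplier: weighted share of the whole critical asset base}.

    A supplier's exposure is the criticality-weighted sum of its shares,
    normalised by the total criticality weight, so the values sum to 1.
    """
    total_weight = sum(a["weight"] for a in assets.values())
    exposure = defaultdict(float)
    for asset in assets.values():
        for supplier, share in asset["suppliers"].items():
            exposure[supplier] += asset["weight"] * share / total_weight
    return dict(exposure)


def requirements_at_risk(assets, supplier):
    """Union of C/I/A requirements on every asset the supplier contributes to."""
    at_risk = set()
    for asset in assets.values():
        if supplier in asset["suppliers"]:
            at_risk |= asset["requirements"]
    return at_risk


def single_source_assets(assets):
    """Assets with exactly one supplier: no alternative if that supplier fails."""
    return sorted(name for name, a in assets.items() if len(a["suppliers"]) == 1)


def concentration_report(assets):
    """Suppliers ranked by exposure, each with the requirements a compromise would touch."""
    validate_shares(assets)
    exposure = supplier_exposure(assets)
    ranked = sorted(exposure.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        (supplier, round(exp, 3),
         "".join(r for r in "CIA" if r in requirements_at_risk(assets, supplier)))
        for supplier, exp in ranked
    ]


if __name__ == "__main__":
    for supplier, exp, reqs in concentration_report(ASSETS):
        print(f"{supplier:<12} {exp:6.1%}  requirements at risk: {reqs}")
    print("single-source assets:", ", ".join(single_source_assets(ASSETS)))
```

With the constructed weights, Supplier A ends up carrying about 43% of the critical asset base across network gear, control systems and servers even though it is never the sole supplier of anything, while the two single-source assets (database software, laptops) are visible at a glance. The same structure is what the later questions about supplier assurance and lifecycle coverage apply to, supplier by supplier.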
(3) How will you know that the supplier is doing what they said they will do?
Three levels of assurance, each producing a different kind of evidence:
• Supplier Self Assessment → Supplier Attestation
• Acquirer Assessment → Assessment Results
• Independent Third Party Certification → Certification
(4) Has the supplier implemented a secure lifecycle?
Secure Lifecycle Certification
OR
• Security reviews are conducted throughout the lifecycle
• Developers are trained in secure coding practices
• Secure code repositories are used
• Supplier knows the origins of critical components
• Lifecycle stops until critical weaknesses are fixed
• Supplier heard of best practices (e.g., OWASP or Microsoft SDL)
(5) How will your data be protected when it is exchanged with the supplier? With the acquirer?
Data exchanged in both directions between Acquirer and Supplier falls into categories that need different protection:
• Sensitive
• Confidential
• Personally Identifiable Information
• Intellectual Property
• Publicly Releasable
(6) How will you and the supplier communicate vulnerabilities? You and the acquirer?
When a new vulnerability is found:
• Disclose or not disclose?
• How to disclose?
• Who will fix?
• If cannot fix, who will remediate?
(7) How will you and the supplier communicate about incidents? You and the acquirer?
When an incident or breach occurs:
• Disclose or not disclose?
• How and what to disclose? (Sensitive, Confidential, Personally Identifiable Information, Intellectual Property, Publicly Releasable)
• How to minimize the impact to both?
(8) How will you (acquirer and supplier) protect yourself for the entire life span of the system?
Lifecycle phases: Development/Engineering → Operations/Maintenance → Retirement/Termination
Risks across the life span:
• Supplier out of business
• Parts no longer available
• Support discontinued
• Component disposal
Mitigations:
• Provisions for hardware and software to be available in the future for maintenance and sustainment
• Software escrow
• Buy parts for the future
• Approved resellers and disposers
(9) How will this relationship be terminated securely?
Lifecycle phases: Development/Engineering → Operations/Maintenance → Retirement/Termination
At termination, account for each category of data exchanged during the relationship:
• Sensitive
• Confidential
• Personally Identifiable Information
• Intellectual Property
• Publicly Releasable
(10) How will the people know what to do?
Points of Contact (illustrative):
• Supplier 1 – Frodo Baggins
• Supplier 2 – Harry Potter
• Supplier 3 – Peter Pan
• …..
• Supplier X – Cinderella
Awareness for All Involved:
• Acquisition/procurement
• Legal
• Developer/engineer
• Delivery, shipping, receiving
• Executives
• Others?
What about your suppliers?
In Summary
• ICT supply chain concerns are at the heart of today’s technology acquisition
• Acquirer practices and supplier practices are equally critical
• You may already have these practices somewhere in your organization
• Use ten basic questions together with existing standards and practices to get started
Questions