Understanding Supply Chain Risks

Transcription

1 Understanding Supply Chain Risks Brent Wildasin August 2016 HCHB IT Security Day

2 Supply Chain Risk Management 2 What is information and communications technology supply chain risk management (ICT SCRM)? ICT SCRM encompasses activities in the system development life cycle, including research and development (R&D), design, manufacturing, acquisition, delivery, integration, operations, and disposal/retirement of an organization s ICT products (i.e., hardware and software) and services. (NIST SP ) Security: Confidentiality, integrity and availability of information. Integrity: ICT Products or services are genuine, unaltered and perform to acquirer specifications. Resilience: ICT supply chain will provide required ICT Products and services under stress or failure. Quality: Reducing vulnerabilities that may limit product intended function, product failure, or provide opportunities for exploitation.

3 The ICT Supply Chain What is an ICT Supply Chain? ICT relies on a complex, globally distributed, and interconnected supply chain ecosystem that is long, has geographically diverse routes, and consists of multiple tiers of outsourcing. This ecosystem is composed of public and private sector entities (e.g., acquirers, system integrators, suppliers, and external service providers) and technology, law, policy, procedures, and practices that interact to design, manufacture, distribute, deploy, and use ICT products and services. (NIST SP ) How is an ICT Supply Chain Comprised? An occurrence within the ICT supply chain whereby an adversary jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits. An ICT supply chain compromise can occur anywhere within the system development life cycle of the product or service. (NIST SP ) Counterfeits Suspicious Network Activity Foreign Ownership 3

4 Global ICT Threat Environment Why does a Supply Chain Compromise Occur? Globalization of the ICT sector is creating vulnerabilities that adversaries are exploiting to sabotage, or otherwise subvert the design, integrity, or operation of critical systems. Motivation Military Financial Political Capability Nation State Organization Individual Risk Vulnerability Weakness Flaw Level_of Control The combination of capability, motivation, and vulnerability create risk! How do I Protect my Supply Chain?.Supply Chain Risk Management (SCRM) ICT SCRM is an holistic approach to reducing ICT supply chain vulnerabilities by identifying and analyzing risks within a supply chain. 4

5 Who Practices ICT SCRM? ICT SCRM is an organization wide / shared activity Senior Executives: Create the right professional and cultural conditions necessary to implement effective SCRM policy. Senior Executives Program Manager IT Practitioner Program Manager: Develop actionable SCRM policies and procedures, guidance and operational constraints. IT Practitioner: Define system level ICT SCRM Requirements. 5

6 . Federal SCRM Policy Drivers Overview An Enterprise SCRM Program and Focal Point will satisfy CNSSD 505 requirements and support the Key Policy drivers listed below. Key Policy Drivers CNCI 11 GAO Audit CNSSD 505 ICD 731 EO NIST Section 515 (a) (b) Circular No. A 130 Revision 6

7 Understanding the Risks: Cyber Breach As the number of highly publicized cyber attacks has increased in recent years, the focus on cybersecurity and new risk management techniques have escalated rapidly. Many factors feed this growing demand, including: Intensified pressure on boards to demonstrate their fiduciary duty to assess cyber risk. Increased regulatory oversight and scrutiny of global data privacy practices. As more companies grow their operations, an expanded need for information sharing amongst colleagues and partners. 7

8 Understanding the Risks: Cyber Breach Case Study Example: BMC Software and HVAC Company Connected to Target Cyber Data Breach Attackers used third party vendor to discover Target s remote access credentials. From within the system, attackers used BMC s Performance Assurance IT Suite domain name, Best1_user, to insert malware. In addition, attackers installed another malware component that appeared to be the legitimate BMC Software Bladelogic. BMC Statement: There is no evidence to suggest that BMC Bladelogic or BMC Performance Assurance has a security flaw or was comprised as part of this attack. 8

9 Understanding the Risks: Counterfeit Parts Aerospace Industries Association (AIA) "a product produced or altered to resemble a product without authority or right to do so, with the intent to mislead or defraud by presenting the imitation as original or genuine" 9

10 Understanding the Risks: Counterfeit Parts What is the impact? Over a million suspect counterfeit electronic components were used in 1,800 cases affecting US military hardware, affecting military aircraft, missile, and electronic warfare systems. Large numbers of counterfeit parts mainly from China were making their way into critical defense systems, including the US Air Force s largest cargo plane and in assemblies for Special Operations helicopters and US Navy surveillance planes. Where do the counterfeit parts come from? China (and Taiwan) is responsible for more than 70% of the suspect components, followed by the United Kingdom and Canada; the committee identified instances were both countries were reselling counterfeit electronic components that originated in China. How do counterfeit parts enter the supply chain? The use of unvetted distributors to supply electronic parts meant that the DOD and defense contractors are frequently unaware of the ultimate source of parts used in defense systems. Findings from Inquiry into Counterfeit Electronic Parts in the Department of Defense Supply Chain Report, Senate Armed Services Committee, May 12,

11 Combating Risks: Open Source Intelligence Analysis Financial & Business Intelligence Supply Chain Illumination Entity Link Analysis Counterfeit Identification Manufacturing Locations 11

12 SCRM Program to NIST Cybersecurity Framework 12 SCRM Capability NIST Category NIST Control Identify Assessment Management Protect Maintenance Metrics & KPIs Identify Governance Business Environment Risk Management Strategy Program Administration Identify Business Environment Governance Risk Management Strategy Protect Information Protection Processes and Procedures Identify Risk Assessment SCRM Assessments Protect Protective Technology Information Protection Processes and Procedures Detect Security Continuous Monitoring SCRM Policy Identify Governance Protect Information Protection Processes and Procedures Identify Risk Assessment SCRM SME Protect Awareness and Training Respond Incident Management TOA Protect Awareness and Training Identify & Protect supports up front SCRM Assessments, being involved in Acquisition, C&A, Market Research

13 13 Questions?

14 Administrative and Contact Information For more information OSY SCRM SCRM Program: pply chain risk management 14