1. © 2012 Utilities Telecom Council
Information and Communication Technology (ICT) Supply Chain Security – Learning from Recent Incidents and Other Sectors
Nadya Bartol, CISSP, CGEIT
UTC Senior Cybersecurity Strategist
2. © 2012 Utilities Telecom Council
Agenda
• Problem Definition
• Existing and Emerging Practices
• Summary and Questions
2
4. © 2012 Utilities Telecom Council
What is ICT Supply Chain Risk Management?
• Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains of multiple suppliers
• Acquirer does not always know how that happens, even with the primary supplier
• Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices
• Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety
Acquirers need to be able to understand and manage associated risks
4
Problem Definition
Source: Nadya Bartol, ACSAC Case Study, December 2010
5. © 2012 Utilities Telecom Council
How does this look?
“Scope of Supplier Expansion and Foreign Involvement” graphic in DACS (www.softwaretechnews.com) Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective”, a synopsis of the May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
Problem Definition
5
6. © 2012 Utilities Telecom Council
From The World Is Flat by Thomas Friedman
Dell Inspiron 600m Notebook: Key Components and Suppliers
Problem Definition
6
Source: Booz Allen Hamilton and DoD
7. © 2012 Utilities Telecom Council
What does this have to do with utilities?
• Utilities networks consist of ICT products
• These products are purchased by acquirers from suppliers
• These suppliers have supply chains of their own
7
Utilities need to ask their vendors questions about security and other practices exercised by the vendors’ upstream suppliers
8. © 2012 Utilities Telecom Council
How is ICT SCRM Different from Traditional Supply Chain Risk Management?
Traditional Supply Chain Risk Management vs. ICT SCRM:
• Traditional: Will my physical product get to me on time?
  ICT SCRM: Will my product (physical or logical) get to me as it was shipped and as I ordered?
• Traditional: Is my supply chain resilient and will it continue delivering what I need in case of disaster?
  ICT SCRM: Is my supply chain infiltrated by someone who is inserting extra features into my hardware and software to exploit my systems and get to my information now or later?
• Traditional: What is the risk TO my supply chain that delivers critical products and services that I need to mitigate?
  ICT SCRM: What is the risk TO AND THROUGH my supply chain to my business and mission that I need to mitigate?
Problem Definition
8
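The second ICT SCRM question above, whether the product arrived "as it was shipped and as I ordered", is something an acquirer can actually check at receiving time rather than only ask about. The following is an added example, not code from the presentation or from UTC, showing a receiving-inspection check in Python: it compares the files that arrived against a supplier-provided manifest (product identity plus a SHA-256 digest per file) and against the purchase order, and reports altered files, missing files, unlisted additions, and identity mismatches. The manifest's own authenticity (a supplier signature) is assumed to have been verified before this step and is not shown; the part number, version, file names and file contents are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a received file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(part_number: str, version: str, files: dict[str, bytes]) -> dict:
    """What a supplier ships alongside the product: product identity plus a digest
    for every file. Real manifests are signed; the signature check is assumed to
    have happened before inspection (assumption, not shown here)."""
    return {
        "part_number": part_number,
        "version": version,
        "files": {name: sha256_hex(content) for name, content in files.items()},
    }


@dataclass
class InspectionResult:
    ok: bool
    findings: list[str]


def inspect_shipment(manifest: dict, received: dict[str, bytes], order: dict) -> InspectionResult:
    """Receiving-inspection check for both halves of the ICT SCRM question:
    'as I ordered' (product identity) and 'as it was shipped' (content integrity)."""
    findings: list[str] = []

    # "As I ordered": the manifest must describe the product on the purchase order.
    if manifest["part_number"] != order["part_number"]:
        findings.append(
            f"part number mismatch: ordered {order['part_number']}, manifest {manifest['part_number']}"
        )
    if manifest["version"] != order["version"]:
        findings.append(f"version mismatch: ordered {order['version']}, manifest {manifest['version']}")

    # "As it was shipped": every listed file must be present with the listed digest.
    # compare_digest avoids timing differences leaking how much of a digest matched.
    for name, expected in sorted(manifest["files"].items()):
        if name not in received:
            findings.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(received[name]), expected):
            findings.append(f"digest mismatch: {name}")

    # Anything not in the manifest is an unexplained addition ("extra features" on the slide).
    for name in sorted(received):
        if name not in manifest["files"]:
            findings.append(f"unlisted file: {name}")

    return InspectionResult(ok=not findings, findings=findings)


# Constructed sample data (hypothetical part number, version, file names and contents).
ORDER = {"part_number": "RTU-FW-4000", "version": "2.3.1"}

GOOD_SHIPMENT = {
    "firmware.bin": b"\x7fELF-constructed-firmware-image-v2.3.1",
    "config.xml": b"<rtu><poll-interval>5</poll-interval></rtu>",
}
GOOD_MANIFEST = build_manifest("RTU-FW-4000", "2.3.1", GOOD_SHIPMENT)

# Same manifest, but the firmware image was altered in transit and an unlisted file was added.
TAMPERED_SHIPMENT = {
    "firmware.bin": b"\x7fELF-constructed-firmware-image-v2.3.1-modified",
    "config.xml": GOOD_SHIPMENT["config.xml"],
    "extra_tool.bin": b"not in the supplier manifest",
}

if __name__ == "__main__":
    for label, shipment in (("genuine", GOOD_SHIPMENT), ("tampered", TAMPERED_SHIPMENT)):
        result = inspect_shipment(GOOD_MANIFEST, shipment, ORDER)
        print(label, "ACCEPT" if result.ok else "REJECT", result.findings)
```

The check deliberately reports every finding rather than stopping at the first one, so that a rejected shipment tells the acquirer whether the problem is substitution (wrong part or version), alteration (digest mismatch), omission, or addition; each maps to a different conversation with the supplier. It says nothing about the quality of what the supplier intended to ship, which is the "poor practices upstream" risk and needs the process questions the later slides describe.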
9. © 2012 Utilities Telecom Council
What are the risks?
• Intentional insertion of malicious functionality
• Counterfeit electronics
• Poor practices upstream
9
Problem Definition
10. © 2012 Utilities Telecom Council
Intentional insertion of malicious functionality
10
Problem Definition
[Diagram: a Provider/Integrator at the center of a multi-tier network of suppliers; a Backdoor, a Virus, and Extra Features are inserted at upstream suppliers and flow down to the integrator]
11. © 2012 Utilities Telecom Council
Counterfeit Electronics
11
Problem Definition
[Diagram: a Provider/Integrator at the center of a multi-tier network of suppliers; Counterfeit Components entering at upstream suppliers result in Extra Features and Poor Performance downstream]
12. © 2012 Utilities Telecom Council
Poor practices upstream
12
Problem Definition
[Diagram: a Provider/Integrator at the center of a multi-tier network of suppliers; Poor quality and Poor coding practices at upstream suppliers result in Poor Performance downstream]
13. © 2012 Utilities Telecom Council
This may impact reliability and safety for years
13
Problem Definition
[Diagram: a Provider/Integrator at the center of a multi-tier network of suppliers, combining the three preceding slides; Poor quality, Poor coding practices, Counterfeit Components, Extra Features, a Backdoor, and a Virus all enter through upstream suppliers and result in Poor Performance]
14. © 2012 Utilities Telecom Council
From acknowledgement to reality
14
• 1999-2006: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics
• 2007-2009: European reports on robustness of communications infrastructures and IT supply chain risks
• 2008: US Comprehensive National Cybersecurity Initiative stood up
• 2010: Stuxnet
• Oct 2011: ODNI report on foreign industrial espionage
• Sept-Oct 2012: Telvent hacked; US House Intelligence Committee Huawei and ZTE report released
• 2013: NDAA 2013; Cyber EO; PPD 21; Mandiant Report; ENISA study on supply chain integrity
Problem Definition
15. © 2012 Utilities Telecom Council
Agenda
• Problem Definition
• Existing and Emerging Practices
• Summary and Questions
15
16. © 2012 Utilities Telecom Council
Existing and Emerging Practices
16
[Timeline 2008–2013 of Government and Industry practices, as placed on the slide:]
• 2008: Comprehensive National Cybersecurity Initiative stood up
• DoD ICT SCRM Key Practices Document
• NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
• SAFECode Software Supply Chain Integrity papers
• Open Trusted Technology Framework
• Common Criteria Technical Document
• ISF Supplier Assurance Framework
• IEC 62443-2-4 – Industrial-process measurement, control and automation
• ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships
• SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)
• DHS Vendor Procurement Language
• NIST SP 800-161
• PMOs developed in DOJ and DOE
• DHS ICT Supply Chain Exploits Frame of Reference
• GAO Report
• Cyberspace Policy Review
• The President’s International Strategy for Cyberspace
• DHS Procurement Language Revision
Existing and Emerging Practices
25. © 2012 Utilities Telecom Council
Solutions Are Multidisciplinary
25
Source: NISTIR 7622
Existing and Emerging Practices
26. © 2012 Utilities Telecom Council
Who Is the Audience?
26
Acquirer: Stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
Supplier: Organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]
Existing and Emerging Practices
27. © 2012 Utilities Telecom Council
Who Is the Audience – ISO/IEC 27036
27
Acquirer: Stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
Supplier: Organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]
Existing and Emerging Practices
28. © 2012 Utilities Telecom Council
Who Is the Audience – NIST SP 800-161
28
Acquirer: Stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
Supplier: Organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]
System Integrator: An organization that customizes (e.g., combines, adds, optimizes) components, systems, and corresponding processes. The integrator function can also be performed by the acquirer. [NISTIR 7628]
External Service Provider: A provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. [NIST SP 800-53 Rev4]
Existing and Emerging Practices
29. © 2012 Utilities Telecom Council
Who Is the Audience – OTTF
29
Acquirer: One who procures hardware and software products and services to create solutions that meet their customers’ requirements.
Supplier: An upstream vendor who develops hardware or software components for providers.
Integrator: A third-party organization that specializes in combining products from several suppliers to produce systems for a customer.
Provider: A midstream vendor developing products and managing the supply chain to provide acquirers and integrators with trustworthy products.
Component Supplier: Entity that supplies components, typically as business partners to providers.
Existing and Emerging Practices
30. © 2012 Utilities Telecom Council
When Should These Standards Be Used?
Standard | Supplier Relationship Scope | Audience | Context of Use
ISO/IEC 27036-1 | Any | Acquirers and Suppliers | Describes the problem in general and how to use 27036
ISO/IEC 27036-2 | Any | Acquirers and Suppliers | Security in supplier relationships for any products and services
ISO/IEC 27036-3 | ICT products and services | Acquirers and Suppliers | Security in supplier relationships for ICT products and services
ISO/IEC 27036-4 | Cloud services | Acquirers and Suppliers | Security aspects of cloud services acquisition
IEC 62443-2-4 | ICS services | Acquirers and Suppliers | Requirements for ICS service providers
IEC 62443-3-3 | ICS products | Acquirers | Requirements for ICS products
NIST SP 800-161 | US Fed Agency ICT products and services | Acquirers | US Federal agency ICT product and service acquisition
The Open Group TTPF | Commercial-off-the-shelf products | ICT Providers | COTS products development and component acquisition
DHS Procurement Language Update | ICS products | ICS Acquirers | ICS product acquisition
Common Criteria | ICT products | ICT Acquirers, Providers, Evaluators, Certifiers, and Users | When putting together evidence for Common Criteria evaluation
SAFECode | ICT products | ICT Providers | To enhance software development processes
30
Existing and Emerging Practices
31. © 2012 Utilities Telecom Council
How do these standards help?
By answering the following key question:
• How should an organization manage security risks associated with acquiring ICT products and services?
AND
By providing a rich menu of items to choose from to
• Define your own processes for supplier management
• Ask your suppliers about their processes
31
Existing and Emerging Practices
32. © 2012 Utilities Telecom Council
Agenda
• Problem Definition
• Existing and Emerging Practices
• Summary and Questions
32
33. © 2012 Utilities Telecom Council
Summary
• The problem is real
• Practices are available to make things better
• Solutions come from multiple disciplines
• This is complex – start somewhere and improve
33
Summary and Questions
34. © 2012 Utilities Telecom Council
Contact Information
• Nadya Bartol
nadya.bartol@utc.org
9/9/2013 34