ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors


Description

Presented by: Nadya Bartol, Utility Telecom Council

Abstract: A variety of recent breaches and vulnerabilities demonstrate that the software and hardware supply chain is a serious concern in the ICS space. Asset owners/operators and suppliers are in a symbiotic relationship: acquirers cannot conduct business without the suppliers' products and services. Where do the subcomponents come from, and what do we know about their contents? Which code libraries were used by the sub-supplier? Why do we need to know? Several solution sets have emerged over the last 6 years, developed in the IT/communications, defense, and ICS spaces. These include soon-to-be-published ISO and IEC standards, NIST documents, a certification framework, Common Criteria extensions, and efforts by a software industry consortium. The presentation will survey the ICT supply chain security problem space, provide an overview of the solutions developed to date, and recommend how to use these solutions in the ICS context.

Transcript of ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors

Page 1: ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors

© 2012 Utilities Telecom Council

Information and Communication Technology (ICT) Supply Chain Security – Learning from Recent Incidents and Other Sectors

Nadya Bartol, CISSP, CGEIT, UTC Senior Cybersecurity Strategist

Page 2

Agenda

• Problem Definition
• Existing and Emerging Practices
• Summary and Questions


Page 4

What is ICT Supply Chain Risk Management?

• Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains of multiple suppliers
• The acquirer does not always know how that happens, even with the primary supplier
• Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices
• Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety

Acquirers need to be able to understand and manage the associated risks

Problem Definition

Source: Nadya Bartol, ACSAC Case Study, December 2010

Page 5

How does this look?

[Graphic: “Scope of Supplier Expansion and Foreign Involvement”, from the DACS (www.softwaretechnews.com) Secure Software Engineering July 2005 article “Software Development Security: A Risk Management Perspective”, a synopsis of the May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”]

Problem Definition

Page 6

[Graphic: Dell Inspiron 600m Notebook: Key Components and Suppliers, from The World Is Flat by Thomas Friedman]

Problem Definition

Source: Booz Allen Hamilton and DoD

Page 7

What does this have to do with utilities?

• Utility networks consist of ICT products
• These products are purchased by acquirers from suppliers
• These suppliers have supply chains of their own

Utilities need to ask their vendors questions about security and other practices exercised by the vendors’ upstream suppliers

Page 8

How is ICT SCRM Different from Traditional Supply Chain Risk Management?

Traditional Supply Chain Risk Management compared with ICT SCRM:

• Traditional: Will my physical product get to me on time?
  ICT SCRM: Will my product (physical or logical) get to me as it was shipped and as I ordered?

• Traditional: Is my supply chain resilient, and will it continue delivering what I need in case of disaster?
  ICT SCRM: Is my supply chain infiltrated by someone who is inserting extra features into my hardware and software to exploit my systems and get to my information, now or later?

• Traditional: What is the risk TO my supply chain, which delivers the critical products and services I need, that I need to mitigate?
  ICT SCRM: What is the risk TO AND THROUGH my supply chain to my business and mission that I need to mitigate?

Problem Definition

Page 9

What are the risks?

• Intentional insertion of malicious functionality
• Counterfeit electronics
• Poor practices upstream

Problem Definition

Page 10

Intentional insertion of malicious functionality

[Diagram: a Provider/Integrator at the top of a multi-tier tree of Suppliers; individual suppliers in the tree are labelled “Backdoor”, “Virus”, and “Extra Features”]

Problem Definition

Page 11

Counterfeit Electronics

[Diagram: a Provider/Integrator at the top of a multi-tier tree of Suppliers; individual suppliers in the tree are labelled “Counterfeit Component” (twice), “Extra Features”, and “Poor Performance”]

Problem Definition

Page 12

Poor practices upstream

[Diagram: a Provider/Integrator at the top of a multi-tier tree of Suppliers; individual suppliers in the tree are labelled “Poor quality”, “Poor coding practices”, and “Poor Performance”]

Problem Definition

Page 13

This may impact reliability and safety for years

[Diagram: a Provider/Integrator at the top of a multi-tier tree of Suppliers, combining the three previous slides; individual suppliers in the tree are labelled “Poor quality”, “Poor coding practices”, “Poor Performance”, “Counterfeit Component” (twice), “Extra Features”, “Backdoor”, and “Virus”]

Problem Definition

Page 14

From acknowledgement to reality

[Timeline]

• 1999-2006 and 2007-2009: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics; European reports on robustness of communications infrastructures and IT supply chain risks
• 2008: US Comprehensive National Cybersecurity Initiative stood up
• 2010: Stuxnet
• Oct 2011: ODNI report on foreign industrial espionage
• Sept-Oct 2012: Telvent hacked; US House Intelligence Committee Huawei and ZTE report released
• 2013: NDAA 2013; Cyber EO; PPD 21; Mandiant Report; ENISA study on supply chain integrity

Problem Definition

Page 15

Agenda

• Problem Definition
• Existing and Emerging Practices
• Summary and Questions

Page 16

Existing and Emerging Practices

[Timeline, 2008 to 2013, with a Government row and an Industry row; per-item years are not recoverable from the slide]

Government:
• Comprehensive National Cybersecurity Initiative stood up (2008)
• DoD ICT SCRM Key Practices Document
• NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
• DHS Vendor Procurement Language
• DHS Procurement Language Revision
• NIST SP 800-161
• PMOs developed in DOJ and DOE
• DHS ICT Supply Chain Exploits Frame of Reference
• GAO Report
• Cyberspace Policy Review
• The President’s International Strategy for Cyberspace

Industry:
• SAFECode Software Supply Chain Integrity papers
• Open Trusted Technology Framework
• Common Criteria Technical Document
• ISF Supplier Assurance Framework
• IEC 62443-2-4 – Industrial-process measurement, control and automation
• ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships
• SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)

Existing and Emerging Practices


Page 25

Solutions Are Multidisciplinary

[Graphic omitted]

Source: NISTIR 7622

Existing and Emerging Practices


Page 27

Who Is the Audience – ISO/IEC 27036

Acquirer: Stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]

Supplier: Organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]

Existing and Emerging Practices

Page 28

Who Is the Audience – NIST SP 800-161

Acquirer: Stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]

Supplier: Organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]

System Integrator: An organization that customizes (e.g., combines, adds, optimizes) components, systems, and corresponding processes. The integrator function can also be performed by the acquirer. [NISTIR 7628]

External Service Provider: A provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. [NIST SP 800-53 Rev4]

Existing and Emerging Practices

Page 29

Who Is the Audience – OTTF

Acquirer: One who procures hardware and software products and services to create solutions that meet their customers’ requirements.

Supplier: An upstream vendor who develops hardware or software components for providers.

Integrator: A third-party organization that specializes in combining products from several suppliers to produce systems for a customer.

Provider: A midstream vendor developing products and managing the supply chain to provide acquirers and integrators with trustworthy products.

Component Supplier: Entity that supplies components, typically as business partners to providers.

Existing and Emerging Practices

Page 30

When Should These Standards Be Used?

Each entry gives: Standard; Supplier Relationship Scope; Audience; Context of Use.

• ISO/IEC 27036-1; Any; Acquirers and Suppliers; Describes the problem in general and how to use 27036
• ISO/IEC 27036-2; Any; Acquirers and Suppliers; Security in supplier relationships for any products and services
• ISO/IEC 27036-3; ICT products and services; Acquirers and Suppliers; Security in supplier relationships for ICT products and services
• ISO/IEC 27036-4; Cloud services; Acquirers and Suppliers; Security aspects of cloud services acquisition
• IEC 62443-2-4; ICS services; Acquirers and Suppliers; Requirements for ICS service providers
• IEC 62443-3-3; ICS products; Acquirers; Requirements for ICS products
• NIST SP 800-161; US Federal agency ICT products and services; Acquirers; US Federal agency ICT product and service acquisition
• The Open Group TTPF; Commercial-off-the-shelf products; ICT Providers; COTS products development and component acquisition
• DHS Procurement Language Update; ICS products; ICS Acquirers; ICS product acquisition
• Common Criteria; ICT products; ICT Acquirers, Providers, Evaluators, Certifiers, and Users; When putting together evidence for Common Criteria evaluation
• SAFECode; ICT products; ICT Providers; To enhance software development processes

Existing and Emerging Practices

Page 31

How do these standards help?

By answering the following key question:
• How should an organization manage security risks associated with acquiring ICT products and services?

AND

By providing a rich menu of items to choose from to:
• Define your own processes for supplier management
• Ask your suppliers about their processes

Existing and Emerging Practices

Page 32

Agenda

• Problem Definition
• Existing and Emerging Practices
• Summary and Questions

Page 33

Summary

• The problem is real
• Practices are available to make things better
• Solutions come from multiple disciplines
• This is complex – start somewhere and improve

Summary and Questions

Page 34

Contact Information

• Nadya Bartol, [email protected]

9/9/2013