Supply Chain (In)Security
IEEE Cybersecurity Speaker
Chris Webb
Partner, Security Practice
Orange County, California
• 20+ years of experience developing, securing, and managing enterprise systems. Specializes in application and network security; software defined networking; and medical device cybersecurity.
• Fractional Chief Information Security Officer
Part 1 - Risk Examples
● Your supply chain is used to attack you
● Your own supply is attacked
Part 2 - Frameworks to Reduce Risk
● BITS Shared Assessments → Shared Assessments
● NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations (April 2015)
Your questions are encouraged!
What do these companies have in common?
Foolad Technic Beh Pajooh
Neda Industrial Group Control Gostar Jahed
Iranian nuclear site: Natanz Uranium Enrichment Facility
Stuxnet
Who is this company?
Remember this breach?
November - December 2013
40 million credit & debit cards compromised
RSA tokens → Lockheed Martin
• In March 2011, RSA, the Security Division of EMC (who?), was hacked
• In May 2011, Lockheed Martin was attacked through its use of (surprise!) RSA SecurID tokens
• “Data Breach at Security Firm Linked to Attack on Lockheed” in The New York Times
Your own supply chain is attacked
In 1982 (yes, 35 years ago), six adults and one 12-year-old girl died of cyanide poisoning in Chicago after taking capsules of Extra Strength Tylenol
Pharma has a huge problem
Semi-conductor companies have a significant problem
“Recycled” chips in Shenzhen, China
A specific example: DoD's MDA
Senate Armed Services Committee (Dec 2010 to Nov 2011, electronic parts only) - Sens. Levin and McCain staff
Largest DoD Contractors and Test Labs (last two years' data on suspect counterfeit)
Government Accountability Office (16 obsolete or non-existent part numbers)
• 1,800 suspect counterfeit part issues.
• Over 1 million affected parts.
Installed in three aircraft:
• Targeting
• Display
• Ice Detection
7 obsolete (valid), 5 obsolete (invalid), 4 non-existent: all found, all counterfeit
Investigation
Findings (11/8/11 Hearing)
Contacted
At least 70% were from China!
Fastest, cheapest – all came from China!
Sold by US companies, originally from China!
Software - rampant piracy
Legacy / shrinkwrap: activation keys
DVDs: holograms
Downloads: obfuscation (e.g., Arxan), DRM
Mobile apps: API keys
High-end consumer products
What about compromised items?
Your questions about the risks?
Part 1 - Risk Examples (Tim)
● Your supply chain is used to attack you
● Your own supply is attacked
Part 2 - Frameworks to Reduce Risk (Chris)
● BITS Shared Assessments → Shared Assessments
● NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations (April 2015)
Multiple Standards for Program Risks
• BITS
• Open Assessment
• Self Assessment
• NIST 800-161
• Cyber Security Regulations, Policies, Guidance
• DFARS subpart 204.73 and EO part 11
• Supply Chain Risk Management Practices for Federal Information Systems and Organizations
BITS
BITS is the technology policy division of the Financial Services Roundtable (FSR)
• Strengthen cybersecurity and reduce fraud
• Navigate the regulatory and risk environment
• Impact current and emerging policy issues
• Improve efficiency and effectiveness of technology programs
• Leverage emerging technologies
NIST SP 800-161
• Provides guidance to federal agencies on selecting and implementing mitigating processes and controls at all levels in their organizations to help manage risks to or through ICT supply chains for systems categorized as HIGH according to Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
• Applies the multi-tiered risk management approach of NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
• Refines and expands NIST SP 800-53 Rev4 controls, adds new controls that specifically address ICT SCRM, and offers SCRM-specific supplemental guidance where appropriate
NIST 800-171 Security Control Families
• Access Control
• Awareness & Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance (Patching)
• Media Protection
• Personnel Security
NIST 800-171 Controls (cont’d)
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Information Integrity
Executive Orders 12866 and 13563 (DFARS Initiative #11)
• Develop a multi-pronged approach for global supply chain risk
management.
• Globalization of the commercial information and communications
technology
• Risks stemming from both the domestic and globalized supply chain
must be managed in a strategic and comprehensive way over the entire
lifecycle of products, systems and services.
• Managing this risk will require a greater awareness of the threats,
vulnerabilities, and consequences associated with acquisition
• Robust toolset to better manage and mitigate supply chain risk at levels
commensurate with the criticality of, and risks to, their systems and
networks.
NIST and Supply Chain Hardening
• Tiered Risk Management
• Engage the supplier
Make your suppliers demand the same of their suppliers
• Secure the enterprise
Identity and human behavior monitoring are a must to combat
today’s threats
• Protect the customer
• People, processes and technology
Secure the Enterprise
• Limit Vendor Access
• Try to avoid direct access to your enterprise
• Perform deep (content) application inspection on "trusted connections"
• Inverse Data Loss Prevention (DLP)
• Do not directly share critical information - read only and encrypt
• Contain delivered goods and services
• Zone software, products and services
• Appliances should not have access to the internet unless for updates…
• Monitor installed products, endpoints and connections
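One way to check the last two bullets operationally (appliances reach the internet only for updates; monitor connections), as an added example that is not from the slides: audit outbound flow records against a per-appliance allowlist of vendor update hosts. The inventory, addresses and flow lines are constructed for illustration.

```python
import ipaddress

# Constructed inventory (hypothetical addresses): each managed appliance's
# internal IP maps to the vendor update hosts it is permitted to reach.
APPLIANCE_UPDATE_ALLOWLIST = {
    "10.20.0.15": {"203.0.113.10"},
    "10.20.0.16": {"203.0.113.10", "203.0.113.11"},
}

# Constructed outbound flow records: "timestamp src dst dport".
SAMPLE_FLOWS = """\
2017-03-01T10:00:01Z 10.20.0.15 203.0.113.10 443
2017-03-01T10:00:05Z 10.20.0.15 198.51.100.7 443
2017-03-01T10:01:00Z 10.20.0.16 203.0.113.11 443
2017-03-01T10:01:30Z 10.20.0.16 10.20.5.40 445
2017-03-01T10:02:00Z 10.20.0.99 198.51.100.9 80
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(text):
    """Parse the four-field flow lines into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((ts, src, dst, int(dport)))
    return flows

def is_internet(ip):
    """Anything outside RFC 1918 space counts as the internet here."""
    return not any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def find_violations(flows, allowlist):
    """Managed appliance reached an internet host other than its update servers."""
    return [f for f in flows
            if f[1] in allowlist and is_internet(f[2])
            and f[2] not in allowlist[f[1]]]

def unmanaged_sources(flows, allowlist):
    """Internet-bound sources missing from the inventory: zoning candidates."""
    return sorted({f[1] for f in flows
                   if f[1] not in allowlist and is_internet(f[2])})

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in find_violations(flows, APPLIANCE_UPDATE_ALLOWLIST):
        print("VIOLATION: %s -> %s:%d at %s" % (f[1], f[2], f[3], f[0]))
    print("unmanaged:", unmanaged_sources(flows, APPLIANCE_UPDATE_ALLOWLIST))
```

Internal-to-internal traffic from appliances is deliberately out of scope here; the same allowlist idea extends to it once the zones on the previous bullets are defined.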
Engage the Supplier
• Create Contractual Obligations
• Require breach notification with a timeline and parameters
• Establish data handling requirements
• Require product integrity
• Ensure contract language mandates that communication back to the supplier is only for updates (not data collection)
• Security Assessments
• Source code and binary validation (quality, vulnerability, and FOSS)
• Evaluation of technology and capabilities
Supply Chain Partnership
• Partnership with your traditional supply chain
(how you make goods/services)
• Work in partnership with security vendors to
harden our security
• Advanced analytics and behavior modeling
Going Deeper: ISO/IEC 27034 - Application Security
• Application security life cycle
• Incorporating security activities and controls
• Covering applications developed through internal development,
external acquisition, outsourcing/offshoring
PART 1 – Overview and concepts
PART 2 – Organization normative framework
PART 3 – Application security management process
PART 4 – Application security validation
PART 5 – Protocols and application security control data structure
PART 6 – Security guidance for specific applications
PART 7 - Application Security Control Predictability
Going Deeper: Essential Security and Foundational Practices
• Management Systems: ISO 9001 - Quality, ISO 27001 – Information Security, ISO 20000 – IT Service Management, ISO 28000 – Supply Chain Resiliency
• Security Controls: ISO/IEC 27002, NIST 800-53
• Lifecycle Processes: ISO/IEEE 15288 - Systems, ISO/IEEE 12207 – Software
• Risk Management: ISO 31000 - overall, ISO/IEC 27005 - security, and ISO/IEC 16085 - systems
• Industry Best Practices: CMMI, Assurance Process Reference Model, Resiliency Management Model (RMM), COBIT, ITIL, PMBOK
Going Deeper: ISO/IEC 27002 ISMS controls
• 6.1.5 - Information security in project management
• 14.2.1 - Secure development policy
• 14.2.5 - Secure system engineering principles
• 14.2.6 - Secure development environment
• 14.2.8 - System security testing
• 15.1.1 - Information security policy for supplier relationships
• 15.1.2 - Addressing security within supplier agreements
• 15.1.3 - Information and communication technology supply chain
• 16.1.4 - Assessment of and decision on information security events
• 16.1.5 - Response to information security incidents
• 17.1.1 - Planning information security continuity
• 17.1.2 - Implementing information security continuity
Your questions?