Cyber security supply chain risk analysis 2015


Contents

Management summary 4
1 Foreword 5
2 Introduction 7
2.1 Background 7
2.2 Purpose of the document 7
2.3 Document structure 8
3 Overview of cyber security supply chain risk assessment methodology 9
3.1 General 9
3.2 Implementing the risk assessment methodology 10
3.3 Example supply chain 11
4 Step 1: Define the scope 12
4.1 Introduction 12
4.2 Preparations 12
4.3 Activities to be undertaken 12
4.4 Results to be achieved 14
5 Step 2: Describe the supply chain 15
5.1 Introduction 15
5.2 Preparations 15
5.3 Activities to be undertaken 15
5.4 Results to be achieved 19
6 Step 3: Determine the impact of a disruption on the supply chain 20
6.1 Introduction 20
6.2 Preparations 20
6.3 Activities to be undertaken 20
6.4 Results to be achieved 21
7 Step 4: Establish extent of cyber threats and risks 22
7.1 Introduction 22
7.2 Preparations 22
7.3 Activities to be undertaken 22
7.4 Results to be obtained 24
8 Step 5: Define controls and prepare action plans 25
8.1 Introduction 25
8.2 Preparation 25
8.3 Activities to be undertaken 25
8.4 Results to be achieved 26
9 Annexes 27
9.1 Annex 1: Definitions 27
9.2 Annex 2: Analysis process diagram 28
9.3 Annex 3: Initiation document template 29
9.4 Annex 4: Checklist for defining the scope 30
9.5 Annex 5: Example CIA classification 31
9.6 Annex 6: Matrix for recording the results of the risk assessment 32
9.7 Annex 7: Template for recording the consequences of emergencies 33
9.8 Annex 8: Template action plan 34
9.9 Annex 9: Example supply chain matrix 35


Management summary

Cyber security is a prime area where cooperation between public and private organizations, and between private organizations themselves, is essential to face the increase in cyber threats.

Shell and TenneT believe that, given the interdependence and interconnectedness of the organizations in a supply chain, those organizations are together in the best position to define and deploy appropriate controls and initiatives to reduce cyber security risks themselves. Providing insight into the cyber security risk within a supply chain requires commitment from all organizations involved. In addition to the availability of adequate resources, it is paramount that sufficient trust exists between organizations to share sensitive information with each other.

In the methodology developed and described in this paper, a layering is applied to provide insight into the risks that arise from the information processing systems and that could potentially pose a risk to the business. Risks in business processes can ultimately disrupt the continuity of the entire supply chain.

To reduce the risks to the supply chain, remediations may be required within the (individual) organizations that make up the supply chain. These remediations may have to be realized within the business processes or within the IT systems of these organizations.


1 Foreword

This document contains a risk assessment methodology developed within the framework of a study into cyber security threats in the energy supply chain ‘from gas to electricity’.

This study was initiated by Shell and TenneT, based on a discussion in the Cyber Security Council and in line with a recommendation in the National Cyber Security Strategy 2. The study was carried out in 2014 by Shell, Gasunie, Nuon, TenneT and Alliander, with logistic support being provided by the National Cyber Security Centre. Each of these five organisations has a role in the energy supply chain in the Netherlands.

The aim of the study is twofold:
• To analyse the joint cyber security outside the limits of the individual organisations and in that way identify the risks of cyber-related threats for the entire supply chain.
• To make a cyber security risk assessment methodology available for supply chains, based on experience gained during the study, so that this can be used in other sectors.

The participants wish to use the results of this cross-sector study to contribute towards the security of the Netherlands.

Wam Voster (Shell), Paul Bloemen (Gasunie), Martin Beumer (Nuon), Henrie Mathijssen (TenneT), Aad Dekker (Alliander)


2 Introduction

This document describes a flexibly deployable risk assessment methodology for investigating and making transparent the cyber security related risks within a (vital) supply chain. The methodology described in this document has been developed from a Proof of Concept that has been undertaken by Shell, TenneT and a number of other organisations in the energy sector in order to analyse the entire supply chain from gas extraction up to the ultimate point of use. The central question that forms the basis of the Proof of Concept is: where are the greatest cyber risks for this supply chain?

2.1 Background

The second National Cyber Security Strategy [1] pays special attention to the vital infrastructure of the Netherlands. Shell and TenneT have joined forces to work together with other organisations from the Dutch energy sector on a “Proof of Concept (PoC)” which closely examines the protection of vital services. This is not just undertaken within one organisation but throughout the entire supply chain. This PoC focuses on one of the supply chains that is responsible for the supply of electricity in the Netherlands and covers the following process steps:

• gas transport and gas distribution,
• electricity production,
• electricity transport,
• electricity distribution.

Whilst analysing critical processes and objects and the conducting of emergency exercises can rely on previous experiences in both the Netherlands and in the rest of the world, it is less clear how to arrive at a realistic cyber security risk assessment for critical processes in supply chains. How do we arrive at cross-company, effective improvement programmes for cyber security resilience? What is an effective role of the government in this?

Larger organisations within critical sectors already have experience with risk management and improvement programmes within their own businesses, and these also offer points of reference in the area of increasing resilience with regard to cyber security risks. It is evident from these experiences that setting clear priorities and focussing on areas where the risks are the greatest (a “risk based approach”) and the implementation of effective “assurance” are fundamental for a successful policy.

Broad, non-risk-driven measures do not always appear to be the best way of spending limited means and resources; certification and regulations do not always specifically result in reducing the risks and would in that way create a feeling of false security. For supply chains that are part of critical national processes there are also new aspects that have to be addressed, such as the role of the government and the need to regulate roles and responsibilities between different organisations and bodies. It is therefore important that the private sector develops and applies best practices in order to adequately protect these supply chains against the increased cyber security threats.

2.2 Purpose of the document

The organisations involved (Shell, Gasunie, Nuon, TenneT and Alliander) have already been actively seeking an effective methodology for analysing critical IT systems and cyber-related risks within a supply chain. The five organisations wish to share the methodology followed with other organisations in the energy sector. Furthermore, other (vital) sectors and other ‘supply chains’ can also use this methodology in order to analyse the risks in their supply chains. This creates a common and clear picture of the cyber security risks for supply chains in (critical) sectors. This document describes the methodology that has been developed and provides points of reference about how to conduct the cyber security risk assessment in an effective and efficient manner.

[1] Nationale Cyber Security Strategie 2

2.3 Document structure

Section three provides an overview of the entire methodology, together with a description of a fictitious supply chain which serves to illustrate certain steps in the methodology. Sections four up to and including eight then provide details of the five steps of the methodology, with guidance for carrying out each step.


3 Overview of cyber security supply chain risk assessment methodology

In order to identify cyber security risks within a supply chain a 5-step methodology has been developed. This section first provides a general explanation about the way in which risks in information processing systems can result in risks in the supply chain. A brief description is then provided for each step in the risk assessment methodology. Finally, a brief description is provided of a fictitious supply chain that is used to illustrate certain steps.

3.1 General

To identify the actual cyber security supply chain risks it is necessary to identify risks from the information processing systems (hereinafter referred to as: systems) and those from the business processes. In the figure below the information processing systems are shown at the very bottom for each of the organisations that form part of the supply chain to be analysed. A distinction is made in these between ‘critical’ and ‘non-critical’ systems for each of the organisations that form part of the supply chain. Critical systems mean systems that are required for the execution of the business processes required for delivering the end product from the supply chain. The same ‘critical’ and ‘non-critical’ subdivisions have also been made for the business processes.

A layering has been applied to the model. The idea behind this is that system risks form a threat to the business processes. The system risks can be addressed by implementing risk-mitigating measures on the actual systems or by mitigating the risks by implementing controls in the business processes. The remaining risks from the different business processes that are involved in the supply chain ultimately result in threats for the supply chain process. If these supply chain risks are not adequately addressed this can ultimately result in the inability to supply the end product, and the supply chain objective can potentially not be achieved. Depending on the chosen supply chain objective (for example the supply of electricity in the Netherlands) the inability to supply an end product from the supply chain does not necessarily result directly in an inability to achieve the supply chain objective. However, this is the case if the supply chain objective is ‘the supply of electricity from gas’.

Figure 1: Visualisation of the risk model (for each organisation A, B ... N: critical and non-critical systems carry information risk, critical and non-critical business processes carry process risk, and the residual risk left by each organisation feeds the supply chain risk, which is set against the supply chain aim)

In order to reduce supply chain risks measures are required by the individual organisations that form part of the supply chain. These measures can be implemented within the business processes and within the systems. By addressing the risks within each organisation the supply chain risks can also be ultimately reduced.

3.2 Implementing the risk assessment methodology

The methodology focuses on cyber security risks in a supply chain whereby the systems (including interfaces and shared IT products and services) and business processes forming part of the supply chain are investigated. The methodology consists of five steps:
1. Define the scope
2. Describe the supply chain
3. Determine the impact of the interruption on the supply chain
4. Establish the extent of the cyber threats and risks
5. Define controls and prepare an action plan

Figure 2 shows these five steps schematically, whereby for each step the required input, the activities to be executed and the ultimate result to be achieved are shown. The various steps do not all have to be run through in chronological order. If required, steps 3 and 4 can be executed in parallel.


Figure 2: Methodology steps

Step 1 focuses on creating working agreements and defining the supply chain to be investigated.

Step 2 focuses on preparing a detailed description of all critical business processes, IT systems, interfaces between the IT systems, shared IT products and shared services for the delivery of the end product in the supply chain.

Step 3 focuses on the consequences for the supply chain if one of the organisations experiences an interruption as a result of which it is unable to provide its necessary contribution within the supply chain. This provides an impact assessment that is added to the risk assessment matrix.

Step 4 focuses on assessing the likelihood of exposure to specific cyber threats. A risk assessment for the specific systems, interfaces and services is then made on the basis of these threats. The result of this step is an overview of the risks that are faced in the supply chain.

Step 5 focuses on the preparation of action plans by the various organisations in the supply chain if the identified risks are unacceptable. It is also jointly determined when an updated risk assessment will be required.

3.3 Example supply chain

In order to explain certain steps a fictitious “From tree to paper” supply chain is used. This concerns a simple supply chain which involves four different organisations for the production of paper.

For each organisation in the supply chain the table below shows the critical processes that they undertake for the supply chain.

Supply chain: From tree to paper

Organisation | Critical processes for the supply chain | Supply chain process
A (Forester) | Tree felling | Supply of raw materials
B (Paper production plant) | Pulping; Paper pressing | Paper production
C (Transport company) | Route planning | Paper transport
D (Wholesale) | Stock control | Paper distribution

Annex 9 contains the completed matrix used for establishing the results from the example supply chain analysis.


4  Step 1: Define the scope


4.1 Introduction

The first step focuses on defining the supply chain to be investigated and consists of two activities. The first activity in this step is to create working agreements between the various participating organisations. After this a start can be made on the second activity, which is defining the scope of the investigation. For each activity the actions to be undertaken are described and reference points are given for the choices to be made.

Input: Supply chains

Process step: Define the scope

Result:
• Overview of the supply chain to be investigated, including the organisations to be involved
• Overview of the systems to be involved
• Agreement regarding the applicable preconditions
• Harmonised working agreements between the participating organisations
• Initiation document for conducting the analysis

4.2 Preparations

A number of preparations are required before starting with the first activity:
• Understand the supply chain in which the organisation operates. By conducting a stakeholder analysis, understanding is gained about the organisations that participate in the supply chain.
• Establish why the need has arisen to analyse the cyber security risks in the chain.

It is also important to establish that the following preconditions have been met:
• Competition must not play a role; the legal departments of all organisations can be consulted with regard to this.
• It must be possible to share information within the team. Agreements are therefore required about the way in which confidential information is to be handled.
• Understanding the cyber security risks within a supply chain requires specific commitment by all organisations with regard to costs and capacity. It is important that the initiator(s) has/have sufficient resources available from within their own organisation(s) in order to be able to undertake the analysis.
• Willingness to consider all ‘what if’ scenarios openly, including those for which the likelihood is regarded as being very small. At certain moments during the process, representatives from the participating organisations must be willing to bring up for discussion the extent to which they are actually in control.

4.3 Activities to be undertaken

4.3.1 Activity 1: Creating working agreements

This activity starts with an initiator or several initiators who make(s) a proposal for analysing the risks in a specific supply chain. For the analysis to be carried out properly it is important there is trust between the participating organisations. Confidential information about vulnerabilities, for example, will be reviewed during the entire analysis. It is therefore important that from the outset attention is paid to data classification and protocols that allow confidential data to be exchanged with the other organisations in the correct manner. The recording of these agreements contributes towards a successful collaboration between the various organisations during the analysis.


Agreements are also made with regard to the preconditions that are to be implemented. When doing this, take into account any conditions that certain participating organisations set and the requirements relating to the content and form of the end result.

Minutes of all agreements made are to be taken and sent for approval to all participating organisations.

4.3.2 Activity 2: Defining the scope

A start can be made on defining the scope once clear working agreements have been made. The initial questions that have to be asked in order to define the scope of the analysis are:
• Which supply chain is to be investigated? The supply chain to be investigated is looked at in this scope-defining activity. Several supply chains can co-exist in one sector. One organisation can play a (critical) role in several supply chains. Generally, the initiator or the initiators come from this sector and the organisations involved have sufficient understanding in order to be able to select the supply chain which, if interrupted, would have the greatest impact.
• Which organisations form part of this supply chain? On the basis of the supply chain it is possible to determine which organisations play a critical role in that supply chain. It is conceivable that several organisations have the same role within the supply chain process. In that case, it is possible to involve one, a few or all organisations in the analysis.

The initiator then involves the relevant organisations in the preparation for the analysis. An initiation document is also drawn up, which can be used for obtaining the required commitment from the management of the organisations. The initiation document also serves as the starting point for the next step. A template for an initiation document is contained in Annex 3.

After involving the relevant organisations the exact scope is determined. During a risk analysis kick-off meeting the organisations jointly determine the depth to which the critical product or service [2] is to be investigated. Is only the Business-to-Business aspect of the supply chain to be investigated or does the scope also contain the Business-to-Consumer aspect of the supply chain? Another scope aspect that arises here is when there are critical systems for the supply chain. The outcomes of this meeting are recorded and result in a defined scope for the investigation.

TIPS:
• When deciding on which organisations to involve, a balance must be found between representatives of all organisations in the same layer of the supply chain on the one hand and keeping the size of the team manageable on the other hand. If one organisation is selected per layer the number of participants remains more limited, as a result of which the analysis can be carried out quicker and more efficiently. If more organisations are selected per layer extra effort will be demanded when describing the supply chain. It also introduces potential extra complications with regard to competition between organisations in the same layer of the supply chain.
• The representatives are to have, in any event, oversight of and influence on the security process of their organisation. This allows the representatives to make an assessment of the vulnerabilities in the critical systems of the supply chain.
• The representatives are to have a certain degree of technical understanding.
• Use the checklist in Annex 4 to check that the scope determination is complete.

Which objects must be included in the scope as a minimum? The systems that are necessary for delivering the end product must be included in the scope as a minimum. These are generally the systems that are assigned a high CIA classification. The other systems, such as financial systems, can remain excluded from the scope or be assessed in a separate project.

[2] This methodology can be used on both products and services. Therefore, when reference is made to a ‘product’ this can also be read as ‘service’.

4.4 Results to be achieved

The following results are achieved after completing the Step 1 activities:
• Harmonised working agreements between the participating organisations.
• Agreement regarding the applicable preconditions.
• Understanding of the supply chain to be investigated, including the organisations to be involved.
• Understanding of the systems to be involved.
• Initiation document for undertaking the analysis.


5 Step 2: Describe the supply chain


5.1 Introduction

In this step of the analysis a detailed topology (overview) is created of the entire IT landscape in the supply chain and the CIA classification to be used is established. The scope established in Step 1 is used as the starting point for preparing the topology.

Input: Processes, information systems, interfaces and classifications

Process step: Describing the supply chain

Result:
• Detailed supply chain topology.
• Established CIA classification for the supply chain.

5.2 Preparations

The following preparations are necessary before starting to describe the supply chain topology:
• The CIA classification used for each organisation is available
• The critical business processes for the supply chain are mapped for each organisation
• The systems that facilitate/support these critical business processes are known for each organisation

5.3 Activities to be undertaken

In order to describe the supply chain, the (critical) processes and systems involved are to be established. In addition, the interfaces between systems of the supply chain organisations are to be identified and the shared IT products and services used in the supply chain are to be identified.

The figure below provides a visualisation of a supply chain.

In order to describe the supply chain the business processes that are critical for the supply chain are established for each organisation. Critical means those processes that are necessary for the actual delivery of the end product. Once the critical processes have been identified, the systems that support those business processes are included in the overview.

Four different categories are used when listing the systems:

Category | System
1 | Company-specific systems
2 | Interfaces
3 | Shared ICT products
4 | Shared services

Each of the organisations involved is responsible for Category 1, the company-specific systems in the overview. So-called challenge sessions can potentially be used, whereby other organisations in the supply chain keep asking whether certain systems are actually critical or, on the other hand, whether all critical systems are actually included in the overview.

Interfaces between systems are divided into two categories: the interfaces between one or more internal systems and interfaces between different organisations within the supply chain. Critical interfaces WITHIN a single organisation are included in the overview under the company-specific systems (Category 1), while interfaces BETWEEN different organisations in the supply chain are recorded under interfaces (Category 2).

In order to make shared dependencies sufficiently clear the cross-business IT products and services are examined – Categories 3 and 4 in the overview above. For shared IT products and services this may include sector-specific and/or industrial automation products. The services category covers shared data centres or (IT) service providers for example.

By listing the various systems (Categories 1 to 4) it is possible to understand the vulnerabilities in the supply chain process.

A CIA classification is used to assign a certain value to the degree of importance of specific systems in the supply chain process. This is a commonly used method and easy way of forming a clear picture of the importance of the systems via a harmonised CIA classification. The establishment of a harmonised CIA classification and describing the supply chain is outlined below for each activity.

Figure 3: Visualisation supply chain (Company A, B, C, D ... N each carry out one process step of the supply chain; within each company the business processes and IT systems are marked Critical or Non-Critical; the critical systems of consecutive companies are linked by interfaces, and the chain ends at the consumer)

5.3.1 Activity 1: Establish harmonised CIA classification

Organisations generally don’t use the same methodology for classifying systems and information. This methodology uses a CIA [3] classification. This classification indicates the importance of guaranteeing the Confidentiality, Integrity and Availability of the information. The higher a system classification the greater the impact for the organisation if one or more of these three aspects is compromised. Not every organisation uses the same CIA classification. In order to prepare a CIA classification for the supply chain it is necessary that the CIA classifications of the participating organisations are harmonised.

[3] Confidentiality, Integrity and Availability

To obtain a harmonised CIA classification it is possible, for example, to choose a 5-point scale, whereby for each organisation it is examined how the organisation-specific CIA classification fits best into this.

The chosen CIA classification uses the following scale:
1: Very Low
2: Low
3: Medium
4: High
5: Very High

For each category a description has to be provided for the category. An example of this is included in Annex 5.

Which scale to use? When preparing this methodology it was decided to use a 5-point scale for classification and the assessment of risks, opportunities and impacts. A 5-point scale is not necessary for using this methodology, however, the benefit of a 5-point scale compared to a 3-point scale is the possibility of distinguishing more nuances in the analysis.

TIP:
• To determine the CIA classification of a system the highest value is always taken of the individual C, I and A values of the system. Example: if the Availability of a system is 1 in the event of one-week downtime and 4 for one-day downtime, value 4 is used for the Availability classification. The ultimate highest C, I and A value of the system is used for the system impact score. So, if a CIA classification is C(4), I(2), A(3) the 4 is used as the impact score.

5.3.2 Activity 2: Describe the company-specific processes and systems

The second activity for making cyber security risks transparent within a supply chain is to establish for each organisation which critical processes and systems are required for delivering the product. Each individual organisation describes, for itself, which processes are involved in the supply chain. For all critical processes, too, a list is made of which systems are involved in this. This only concerns the critical systems. A system is critical if it is necessary for the operation of the supply chain. This allows each organisation to understand the critical systems that are required for the operation of the supply chain.

After each organisation has carried out this assessment a meeting is held during which each organisation presents the results. The purpose of this meeting is to obtain a joint overview of each other’s critical processes and systems and of the total critical processes in the supply chain. This allows a picture to be created of the structure of the entire supply chain and the company-specific systems that are involved in this.

The ultimate results are recorded in a matrix containing the critical systems in the supply chain process for each organisation. The associated harmonised CIA classification is also shown for each system.

An example of the matrix is included in Annex 6.

5.3.3 Activity 3: Describe the interfaces

In the third activity a list is made of the interfaces that are present between the various organisations in the supply chain. This does not concern interfaces between systems within an organisation but the interfaces that link systems between two or more different organisations.

To produce the list it is advisable to have two organisations that follow each other in the supply chain work together to produce the list of interfaces between the two organisations. The scope covers systems that are interconnected by means of the Internet or via a dedicated connection (private network).

The list records whether the interface is used for unilateral [4] or bilateral [5] exchange. In addition, the interfaces are classified on the basis of the shared CIA classification. This shows any discrepancies in the level of classification of the systems. If organisation A assigns a very high classification while organisation B allocates a much lower classification there is a discrepancy in the perception of the risk.

These results are recorded in the matrix contained in Annex 6.

5.3.4 Activity 4: Describe common IT products

After listing the critical processes, systems and interfaces within the entire supply chain, the fourth activity involves establishing the common IT products that are used. The use of identical, supply-chain-specific hardware and software can introduce an additional risk into the supply chain. That is the reason why this step lists the underlying hardware and software that is used for the critical systems. These common IT products are also used for determining the cyber security threats and risks in Step 4.

TIPS:
• Pay extra attention to this activity if SCADA[6] systems are used extensively in the supply chain. If almost all organisations in the supply chain use the same SCADA system for their supply-chain-specific systems, a vulnerability in that SCADA system can have far-reaching consequences for the entire supply chain.
• Depending on the previously agreed scope it can be decided to exclude software such as the Microsoft Windows operating system or the TCP/IP protocol. The reason for this is to keep the scope manageable and to maintain focus on the specific risks within the supply chain.

5.3.5 Activity 5: Describe the shared services

Finally, a list is prepared of the shared IT services or service providers that are used for providing and supporting the systems and processes identified in Steps 2 to 4. The participants therefore provide insight into the individual services that are used in their section of the entire supply chain. Examples of these types of services are Internet Service Providers (ISPs), external data centres and telecom providers.

Once all of the organisations in the supply chain have provided a list of the services and service providers that facilitate the critical processes for the supply chain it can be assessed whether certain services are used by more than one organisation. The use of a single service or single service provider by several organisations in the supply chain can introduce a Single Point of Failure in the supply chain. An outage at such a third party can potentially be accommodated by one organisation but when this affects several organisations in the supply chain this could lead to additional risks. These shared services are therefore included when assessing the cyber security threats and risks in Step 4.

[4] Used by a Category 1 system of organisation A to send information/data to organisation B.
[5] Used by a Category 1 system of organisation A to send information/data to organisation B, and vice versa.
[6] Supervisory Control and Data Acquisition.

5.4 Results to be achieved

The following results are achieved after completing the activities in the 2nd step:
• An established and harmonised CIA classification that can be used for classifying the systems used in the supply chain.
• A detailed topology of the supply chain, containing:
  - The critical company-specific processes and systems.
  - The system interfaces between the different organisations.
  - The common IT products.
  - The shared IT services or service providers.
• The systems in the supply chain have been assigned a CIA classification.

6 Step 3: Determine the impact of a disruption on the supply chain

Input: Detailed supply chain topology → Process: Determine impact of disruption on supply chain → Result: Process risks

6.1 Introduction

On the basis of various scenarios, this step investigates the impact on the supply chain if a single organisation is no longer able to provide its contribution to the supply chain.

Input: Detailed supply chain topology.

Process step: Determine the impact of a disruption on the supply chain.

Result: Undertaking this step will give the following results:
• An overview of potential emergency scenarios in the supply chain.
• An overview of the impact on the supply chain for all identified emergency scenarios.

6.2 Preparations

The following preparations are required before starting to determine the impact:
• Evaluate the extent to which sufficient knowledge is present within the analysis team in order to be able to properly assess the impact of a disruption at one of the supply chain organisations. If necessary, involve additional (business) expertise from the participating organisations for this step.
• Prepare a template for recording the impact of each disruption scenario at the various supply chain organisations. An example is provided in Annex 7.

6.3 Activities to be undertaken

In order to undertake the impact assessment, a scenario analysis of the potential disruptions that can occur in the supply chain is carried out in a workshop. For this purpose, for each organisation the impact on the entire supply chain is determined in the event that the organisation is unable to fully or partially provide its contribution to the supply chain. The impact for each organisation in the supply chain is always recorded for this.

The result of the workshop is a list of potential emergency scenarios and a qualitative description of the impact on the supply chain.

6.3.1 Activity 1: Determine the impact for each scenario

To determine the impact, the following question is asked with regard to each organisation: “What is the impact on the entire supply chain if my organisation is unable to provide the required contribution to the supply chain as a result of an emergency?”

In order to determine this impact for the supply chain we start with the first organisation at the beginning of the supply chain. The impact on the next organisation or organisations in the supply chain is then analysed. The process to be run through is shown in the circle diagram below.

In this example we start with organisation A, whereby we then analyse the impact on organisation B if organisation A is unable to provide its required contribution to the supply chain. This is then repeated for the next organisations in the chain: C and D. It is also analysed whether the emergency that started with organisation A can become worse due to potential consequential emergencies further along the supply chain. For example, this can be the case if organisation A has to stop production because organisation B is no longer able to process any raw materials.

Ultimately a qualitative description of the impact on each of the organisations is produced for each scenario.

Once this assessment has been completed for organisation A it is continued for organisation B, whereby the entire supply chain is once again run through until we end up back at organisation B.

Once this has been undertaken for each organisation within the supply chain we have several emergency scenarios. These scenarios are best shown in an overview and provided with a brief descriptive scenario name as shown in the table below.

Figure: Graphic representation of scenarios (Organisation 1 … Organisation n plotted against their scenarios 1.1, 2.1, 2.2, 3.1, 3.2 … n.1)

Scenario no. | Scenario name | Impact description
1.1          | Forest fire   | If new raw materials cannot be supplied to organisation A within 48 hours then production stops at organisation B.
2.1          | ...           | ...
2.2          |               |
Etc.

6.4 Results to be achieved

The following results will be achieved after completing the activities in the 3rd step:
• An overview of potential emergency scenarios in the supply chain.
• An overview of the impact on the supply chain for all identified emergency scenarios.

Figure (circle diagram referred to in 6.3.1): 1. Consequences of disruption at A on B; 2. Consequences of disruption at A on C; 3. Consequences of disruption at A on D; 4. Consequences of disruption at B, C, D on A.

7 Step 4: Establish extent of cyber threats and risks

Input: Cyber threats, security controls and supply chain topology → Process: Establish extent of cyber threats and risks → Result: Overview of relevant threats and supply chain risks

7.1 Introduction

This step establishes the extent to which cyber threats result in risks for the supply chain. The results obtained in the previous steps are used for this.

Input: Cyber threats, security controls, supply chain topology.

Process step: Establishing the extent of the cyber threats and risks.

Result: Undertaking this step gives the following results:
• An overview of the cyber threats to be investigated.
• An assessment of the likelihood that the IT systems in the supply chain will be affected by the cyber threats.
• An assessment of the impact of the cyber risks on the supply chain.

7.2 Preparations

The following preparations are necessary before starting this step:
• Adopted list of cyber threats to be investigated.

In order to establish the cyber threats to be investigated it is advisable to start with a standard list of threats[7]. A selection of the most relevant threats can then be made from this standard list. Threats that are not cyber specific, such as flooding or fire, are excluded from the scope.

The further analysis can be undertaken after it is clear which cyber threats are to be investigated.

7.3 Activities to be undertaken

To establish the extent of the cyber threats, an assessment is initially made of the likelihood that the selected cyber threats will actually result in disruption to the CIA of the Category 1 to 4 systems. The ‘net risk’ that is faced is examined for this; in other words, the controls already implemented are taken into account when analysing the likelihood that a cyber threat manifests on one of the systems.

After the threat level has been established a risk assessment is carried out for the various systems. This analysis is undertaken by confronting the threat levels with the harmonised CIA values of the systems in the supply chain. The outcome is an overview of risks per system. For high risks, a further assessment is made of the impact these can have on the supply chain, for which the results obtained in Step 3 are used.

Each supply chain organisation undertakes this analysis for its own critical systems (Category 1). Supply chain organisations that share an interface (Category 2) jointly undertake this analysis for the relevant interface. Common IT products and services (Categories 3 and 4) that are used by the majority of the organisations should be included in the joint analysis. The individual analyses undertaken by each supply chain organisation are discussed in a group session with the other supply chain organisations.

All results are ultimately processed into an overview of the risks faced within the supply chain. To obtain a visual representation of the supply chain risks it can be decided to prepare a risk heat map.

The establishment of the extent of the cyber threats, and of the risks that arise from this for the supply chain, is described in more detail below.

[7] To obtain a list of the most relevant cyber threats the ENISA threat landscape 2014 report can be used, for example (https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014).

7.3.1 Activity 1: Estimate the extent of cyber threats

For each cyber threat to be investigated (see the preparation for this step) a 5-point scale (for example Very Low (VL) to Very High (VH)) is used to indicate the level at which the threat is estimated for each IT system. This estimate takes into account the security controls already in place for the relevant system. If, for example, the likelihood of a DDoS (Distributed Denial of Service) is estimated, this should take into account the controls already implemented to combat a DDoS attack. The residual likelihood of a successful DDoS attack is then ultimately entered.

                | Impact (1-5)                         | Threat scenarios (1=Low, 5=Very High)
System          | Own CIA rating | Combined CIA rating | Virus | Hacking | (D)DoS | Threat n

Category 1 (within one organisation)
Organisation A (Forester)
365FarmNet      | 4 | 4 | 4 | 2 | 5 |
SAP             | 4 | 4 | 3 | 2 | 3 |
Organisation B (Paper production plant)
Simatic WinCC   | 4 | 5 | 4 | 5 | 4 |
SAP - HANA      | 3 | 4 | 2 | 3 | 3 |

Figure 4: Cyber threats in ‘From tree to paper’ supply chain

The assessment of the cyber threats is undertaken individually by each supply chain organisation for the Category 1 IT systems. The Category 2 IT systems are analysed jointly by the supply chain companies involved in the interface. Category 3 and Category 4 IT systems are prepared individually by each supply chain organisation and ultimately estimated jointly in a group meeting.

Each supply chain organisation can enter their results in the matrix as shown in Annex 6.

7.3.2 Activity 2: Estimate the extent of the supply chain risks

After establishing the degree to which the IT systems are vulnerable to the cyber threats an assessment is made of the risk faced. For this purpose, the highest cyber threat score (likelihood) for each IT system is confronted with the CIA value (impact) for the relevant system. The table below provides an example of how a risk estimate can be arrived at on the basis of likelihood and impact. In this example, only a very high likelihood and very high impact result in a very high risk. This can be detailed differently depending on the risk appetite of the organisations involved.

Likelihood \ Impact | VL (1) | L  | M  | H  | VH (5)
VL (1)              | 1      | 2  | 3  | 4  | 5
L                   | 2      | 4  | 6  | 8  | 10
M                   | 3      | 6  | 9  | 12 | 15
H                   | 4      | 8  | 12 | 16 | 20
VH (5)              | 5      | 10 | 15 | 20 | 25

This in turn can be used for producing a risk assessment for each system with regard to the selected cyber threats established previously. All high risks are then addressed in a group session in order to assess the supply chain risks that these can result in. To do this, the supply chain risks that are identified in Step 3 are related as much as possible to the IT systems. This link defines which IT systems can cause risks for the supply chain.

Figure 5: ‘From tree to paper’ supply chain risks

A risk heat map can be produced in order to ensure that the risks for the entire supply chain can be seen clearly at a glance. A graph is used for this, in which the likelihood of risks is plotted on the horizontal axis and the impact of those risks is plotted on the vertical axis. The identified risks can then be plotted on the graph. It may be decided to show all risks in this way or a subset, for example the Top 10 or the most unexpected risks.

Figure 6: Risk heat map (Impact VL to VH on the vertical axis, Likelihood VL to VH on the horizontal axis)
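As an added worked example (not part of the report), the scoring of 7.3.1 and 7.3.2 and the heat map of Figure 6 applied to the report's own ‘From tree to paper’ figures: the highest residual threat score per system is confronted with its combined CIA rating using the 5x5 matrix above. The cut-off of 15 for an unacceptable risk is an assumption, since the report leaves that to each organisation's risk appetite.

```python
# Added worked example of the Step 4 risk scoring (sections 7.3.1 / 7.3.2).
# Sample values are taken from the report's Figure 4 / Annex 9 example;
# the 'unacceptable' threshold is an assumption, not a value from the report.
from dataclasses import dataclass

SCALE = {1: "VL", 2: "L", 3: "M", 4: "H", 5: "VH"}  # 5-point scale used in the report


@dataclass
class Entry:
    organisation: str   # owning organisation, or "A - B" for a Category 2 interface
    system: str
    category: int       # 1 company-specific, 2 interface, 3 shared product, 4 shared service
    combined_cia: int   # harmonised CIA rating = impact (1-5)
    threats: dict       # threat name -> residual likelihood (1-5), existing controls included


def risk_score(likelihood: int, impact: int) -> int:
    """One cell of the 5x5 likelihood/impact matrix: 1 (VL x VL) .. 25 (VH x VH)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def assess(entry: Entry) -> dict:
    """Confront the highest threat score of a system with its combined CIA value.
    On a tie the first threat listed is reported as the driver."""
    driver, likelihood = max(entry.threats.items(), key=lambda kv: kv[1])
    return {
        "organisation": entry.organisation,
        "system": entry.system,
        "category": entry.category,
        "driver": driver,
        "likelihood": likelihood,
        "impact": entry.combined_cia,
        "risk": risk_score(likelihood, entry.combined_cia),
    }


def unacceptable(entries, threshold: int = 15) -> list:
    """Assessments at or above the threshold, highest risk first.
    15 (M x VH and above) is an assumed cut-off; the report leaves it to risk appetite."""
    return sorted((a for a in map(assess, entries) if a["risk"] >= threshold),
                  key=lambda a: -a["risk"])


def heat_map(entries) -> dict:
    """grid[impact][likelihood] -> list of system names, the layout of Figure 6."""
    grid = {i: {l: [] for l in range(1, 6)} for i in range(1, 6)}
    for a in map(assess, entries):
        grid[a["impact"]][a["likelihood"]].append(a["system"])
    return grid


def render_heat_map(grid) -> str:
    """Plain-text heat map: impact VH on the top row, likelihood VL..VH left to right."""
    lines = []
    for impact in range(5, 0, -1):
        cells = [", ".join(grid[impact][l]) or "-" for l in range(1, 6)]
        lines.append(f"Impact {SCALE[impact]:>2} | " + " | ".join(f"{c:<30}" for c in cells))
    lines.append(" " * 12 + " | ".join(f"{'Likelihood ' + SCALE[l]:<30}" for l in range(1, 6)))
    return "\n".join(lines)


THREATS = ("Virus", "Hacking", "(D)DoS")


def threat_scores(virus: int, hacking: int, ddos: int) -> dict:
    return dict(zip(THREATS, (virus, hacking, ddos)))


# Constructed from the report's example matrix (Figure 4 / Annex 9).
SAMPLE = [
    Entry("A (Forester)", "365FarmNet", 1, 4, threat_scores(4, 2, 5)),
    Entry("A (Forester)", "SAP", 1, 4, threat_scores(3, 2, 3)),
    Entry("B (Paper production plant)", "Simatic WinCC", 1, 5, threat_scores(4, 5, 4)),
    Entry("B (Paper production plant)", "SAP - HANA", 1, 4, threat_scores(2, 3, 3)),
    Entry("C (Transport company)", "SCExpert", 1, 4, threat_scores(2, 2, 2)),
    Entry("D (Wholesaler)", "JDA retail planning", 1, 4, threat_scores(1, 4, 1)),
    Entry("A - B", "365FarmNet -> SAP - HANA", 2, 5, threat_scores(2, 2, 2)),
    Entry("C - D", "SCExpert -> JDA retail planning", 2, 4, threat_scores(2, 2, 4)),
    Entry("shared", "CISCO ASA 5500-X", 3, 4, threat_scores(1, 1, 4)),
    Entry("shared", "Telecom provider Vodafone", 4, 4, threat_scores(2, 2, 2)),
]

if __name__ == "__main__":
    for a in map(assess, SAMPLE):
        print(f'{a["system"]:<32} {a["driver"]:<8} {a["likelihood"]} x {a["impact"]} = {a["risk"]:>2}')
    print("\nUnacceptable (>= 15):", [a["system"] for a in unacceptable(SAMPLE)])
    print("\n" + render_heat_map(heat_map(SAMPLE)))
```

The high-risk systems this produces (Simatic WinCC 25, 365FarmNet 20, and the three scores of 16) are the ones the report's Annex 9 links to emergency scenarios, which is the Step 3 link described in the text above.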

7.4 Results to be obtained

The following results are achieved after undertaking the activities in the 4th step:
• An overview of the cyber threats to be investigated.
• An assessment of the likelihood that the systems in the supply chain will be affected by the cyber threats.
• An assessment of the impact of the cyber risks on the supply chain.
• Optional: A visualisation of the supply chain cyber risks.

Figure 5 (table): example matrix with risk score and link to consequence

            | Impact (1-5)                         | Threat scenarios (1=Low, 5=Very High)        |      |
System      | Own CIA rating | Combined CIA rating | Virus | Hacking | (D)DoS | Threat n | Risk | Link to Consequence

Category 1 (within one organisation)
Organisation A (Forester)
365FarmNet  | 4 | 4 | 4 | 2 | 5 |  | 20 | Scenario 1.1
SAP         | 4 | 4 | 3 | 2 | 3 |  | 12 |

8 Step 5: Define controls and prepare action plans

Input: Supply chain risks → Process: Determine controls and prepare Action Plans → Result: Overview of acceptable risks and Action Plans

8.1 Introduction

This last step focuses on defining the measures to be taken and the preparation of action plans. The controls are only determined and recorded in an action plan for identified risks that are outside of the risk tolerances of a supply chain organisation. To conclude the risk assessment a new date is jointly set for the risk assessment to be updated. The most important outcomes from the assessment are also documented and shared with the participating organisations.

Input: Supply chain risks.

Process step: Define controls and prepare action plans.

Result: Undertaking this step gives the following results:
• An overview of potential emergency scenarios in the supply chain.
• An overview of the impact (both downstream and upstream in the supply chain) if a disruption occurs at one or more of the organisations in the supply chain.

8.2 Preparation

The following preparations are necessary before starting this step:
• It is clear for each organisation what risks are outside of the risk tolerance.

On the basis of the identified risks each organisation must determine independently to what extent these risks can be accepted. This can depend on several factors and should be considered individually by each organisation. As a guide, high risks are normally outside of the risk tolerance.

A start can be made on defining the controls once it is clear what risks are acceptable and what risks are not acceptable.

8.3 Activities to be undertaken

For the unacceptable risks that are faced with regard to the Category 1 systems (business-specific systems) each supply chain organisation independently determines what controls can best be implemented in order to reduce the risk. For the Category 2 systems (interfaces) the relevant supply chain organisations work together on the relevant system. If risks arise from the Category 3 and 4 systems (shared IT products/services) the action plan is prepared jointly by all of the relevant organisations.

After the action plans have been prepared a new date is set for updating the risk assessment. One of the participating organisations also produces a summary of the most important outcomes from the assessment and this is shared with all participants.

The activities in this step are described in more detail below.

8.3.1 Activity 1: Define controls

For all unacceptable risks it is first analysed what controls can be deployed to reduce the risk for each IT system. These can be controls that are technical as well as organisational. For each potential control an estimate is made of the effort required for implementing the control and its expected effectiveness. Several controls can be implemented for each risk. After the controls have been listed a decision is made on what controls can be implemented.

The best way of selecting the controls to be implemented is to select those controls, based on the relationship between the result and the effort for a specific control, that can potentially reduce the risks to an acceptable risk level in the most effective and efficient way possible.

Depending on the IT system category to which the risk relates, one or more of the supply chain organisations should work together on defining the controls.

8.3.2 Activity 2: Prepare action plan

Each organisation prepares an action plan once it has established what controls are required for reducing the unacceptable risks. For each control, this action plan states who is responsible for implementing it, what actions are required and the time frame within which the control is to be implemented. The action plan thus provides an overview of all actions required for reducing the risks to within the organisation’s risk tolerance.

Annex 8 contains a template for preparing an action plan.

8.3.3 Activity 3: Complete risk assessment

To complete the cyber security supply chain risk assessment a new date is set for updating the assessment. This ensures that the supply chain organisations continue to work together on managing the risks in the supply chain. Any improvements that are implemented, for example as a result of the action plans, can be included during the re-evaluation. It is recommended that a re-evaluation is carried out at least once every two years.

Finally, the most important results from the supply chain risk assessment are adopted in a group session, for which it is recommended that one of the supply chain organisations takes the lead for reporting the adopted results.

8.4 Results to be achieved

The following results are achieved after undertaking the 5th step:
• An overview of the acceptable and unacceptable risks for each organisation.
• If applicable: an action plan for each organisation.
• A date on which the supply chain risk assessment will be updated.
• A report (for example a presentation) of the most important results from the supply chain risk assessment.

9 Annexes

9.1 Annex 1: Definitions

(Information) system: An information system is a coherent data processing functionality for managing or supporting one or more business processes. Explanation: Amongst other things, an information system consists of hardware, basic software, communication facilities, applications, databases, technical facilities, procedures and people.

Confidentiality: The degree to which the access to and use of the data is restricted to the correct persons. Confidentiality has the following characteristics:
• Exclusivity: can the information be protected against unauthorised access?
• Privacy: is personal data being handled correctly?

Integrity: The degree to which the data reflects reality. Integrity has the following characteristics:
• Correctness: is the information correct and is it displayed correctly?
• Completeness: is the information complete?
• Validity: is the information valid?
• Authenticity: is the source of the information received correct?
• Indisputability: did the sender of the information actually send the information?
• Accuracy: the degree of detail and completion of the information.
• Verifiability: to what extent can the information be verified?

Availability: The degree to which information is available at the correct moment for the users. Availability has the following characteristics:
• Timeliness: can the information be supplied at the moment it is required?
• Continuity: can the information also be supplied in the future?
• Robustness: is the information able to withstand disruptions?

Supply chain: Logistic chain from raw material extraction to delivery of end product to the end consumer.

9.2 Annex 2: Analysis process diagram

Cyber security supply chain risk analysis (Input → Process → Result)

Step 1: Supply chains → Define scope → Defined terms of reference
Step 2: Processes, information systems, interfaces and classifications → Describe supply chain → Detailed supply chain topology
Step 3: Detailed supply chain process topology → Determine impact of disruption on supply chain → Process risks
Step 4: Cyber threats, security controls and supply chain topology → Establish extent of cyber threats and risks → Overview of relevant threats and supply chain risks
Step 5: Supply chain risks → Determine controls and prepare Action Plans → Overview of acceptable risks and Action Plans

9.3 Annex 3: Initiation document template

Project Initiation Document

Introduction
<describe in general terms why this project is being undertaken>

Purpose of this document
The purpose of this document is to identify and describe the most important elements of the project. This is with the aim of understanding, recording and agreeing the expectations of all organisations and any other stakeholders involved in the project before the project starts.

Background
<Describe in more detail the background as to why this project is being undertaken. What has been done in advance? Avoid using jargon and ensure that this background is also clear for organisations that are not involved directly in (the execution of) the project.>

Aims and required outcome
<Describe the expected end result. What is described here is important for external stakeholders, so don’t use any jargon or technical details. Agree these aims with all (external) stakeholders before starting the project.>

Preconditions & Assumptions
<What conditions have to be met for the project to be a success? When must it be completed? What effort is expected from the participants? If certain aspects are not yet 100% clear then describe the assumptions that are the basis for still proceeding with this project.>

Scope & Deliverables
<Describe in detail what aspects will be delivered at the end of the project. What level of detailing? What types of file formats? The project boundaries are also to be described here: What is to be investigated? What not?>

Approach
<Describe HOW the end result is to be arrived at. For example, a full day meeting every month? Is an existing methodology to be followed? Is work to be subcontracted?>

Organisation
<Describe WHO will be working on the project and their specific roles in the project.>

Project plan and costs
<Describe the project milestones and when certain deliverables have to be delivered.>

Stakeholders
<Describe who (apart from the project team as already described under “Organisation”) is to be involved in the project and how they will be involved.>

Project risks and dependencies
<Describe the risks that can hinder the successful delivery of the required end result (see “Aims and required outcome” and “Scope and Deliverables”). For each risk state an action that can be taken in the event that the risk actually manifests.>

9.4 Annex 4: Checklist for defining the scope

• The scope of the risk assessment is clearly defined, whereby it is clear:
  - Which supply chain is to be analysed
  - Which organisations should be involved in the analysis
  - Which objects are to be included in the analysis:
    i) The IT systems and interfaces directly involved in delivering the product / service
    ii) The critical IT systems that support the product / the service and the underpinning (production) process
    iii) The business processes that are closely associated with the selected process
    iv) The shared IT systems
    v) The shared services
  - Whether the financial handling of the product to be investigated is to be involved in the analysis
• What outcome(s) is/are intended:
  i) Clearly identified risks
  ii) Taking jointly coordinated follow-up actions, for example improvement points or agreeing an action plan
  iii) Changes/improvements in the process followed
• What geographical boundaries are to be taken into account?
  i) Local
  ii) Regional
  iii) National
  iv) International
• What standards are to be used within the relevant sectors? (e.g. ISO 27000)
• What previous studies will provide relevant information for the current risk assessment?
• What specific legislation is applicable to the supply chain to be investigated?
• Working agreements are recorded in an initiation document and approved by all organisations involved

9.5 Annex 5: Example CIA classification

Example CIA classification table

Very low: An information security incident causing loss of confidentiality, integrity, availability or traceability of the information in the information asset could not cause any or negligible damage to the organisation.

Low: An information security incident causing loss of confidentiality, integrity, availability or traceability of the information in the information asset could not cause any significant damage to the organisation.

Medium: Information security incidents with the information asset could cause damage to the organisation, but within the limits of normal business risk. The negative impact can be managed within normal operating budget using standard procedures and capacity.

High: The negative effect of an information security incident could cause significant damage to the organisation. The potential damage would exceed normal business risk and normal operating budget. Specific incident or crisis management would be needed to manage an incident.

Very High: The potential damage of an information security incident with the information in the information asset could seriously threaten business continuity. The damage would have a significant negative impact on financial results at corporate level or the position of (board) executives could be at stake.

9.6 Annex 6: Matrix for recording the results of the risk assessment

Columns: Impact (1-5): Own CIA rating | Combined CIA rating; Threat scenarios (1=Low, 5=Very High): Virus | Hacking | (D)DoS | Threat n; Risk; Link to Consequence

Category 1 (within one organisation)
A: A1, A2, A3, A4
B: B1, B2, B3, B4
C: C1, C2, C3, C4

Category 2 (System interface)
From  | To
A - B | A1 → B1
A - B | A2 → B1
A - C | A1 → C1
B - C | B3 → C4
B - D | B2 → D3
n - m | Nn → Mm

Category 3 (shared products for this industry): see Components, services tab

Category 4 (shared services): see Components, services tab

9.7 Annex 7: Template for recording the consequences of emergencies

Scenario 1.1 <<description>>

1 Emergency description

2 Description of consequence on organisation B of emergency at organisation A

3 Description of consequence on organisation C of emergency at organisation A

4 Description of consequence on organisation D of emergency at organisation A

5 Description of consequence on organisation A of emergency at organisations B, C and D

9.8 Annex 8: Template action plan

Action plan: Organisation A

No | Risk                 | Controls                | Priority  | Action owner | Timeframe
System 1
1  | <<Risk description>> | <<Control description>> | <<H,M,L>> | <<Name>>     |
2  |                      |                         |           |              |
System 2
4  |                      |                         |           |              |
5  |                      |                         |           |              |

9.9 Annex 9: Example supply chain matrix

                                 | Impact (1-5)                         | Threat scenarios (1=Low, 5=Very High)        |      |
System                           | Own CIA rating | Combined CIA rating | Virus | Hacking | (D)DoS | Threat n | Risk | Link to Consequence

Category 1 (within one organisation)
Organisation A (Forester)
365FarmNet                       | 4 | 4 | 4 | 2 | 5 |  | 20 | Scenario 1.1
SAP                              | 4 | 4 | 3 | 2 | 3 |  | 12 |
Organisation B (Paper production plant)
Simatic WinCC                    | 4 | 5 | 4 | 5 | 4 |  | 25 | Scenario 2.1
SAP - HANA                       | 3 | 4 | 2 | 3 | 3 |  | 12 |
Organisation C (Transport company)
SCExpert                         | 4 | 4 | 2 | 2 | 2 |  | 8  |
JDA Transportation Manager       | 5 | 5 | 2 | 2 | 2 |  | 10 |
Organisation D (Wholesaler)
JDA retail planning              | 4 | 4 | 1 | 4 | 1 |  | 16 | Scenario 4.2
Bypos Point of sale (POS) system | 4 | 4 | 1 | 1 | 1 |  | 4  |

Category 2 (System interface)
From              | To                  | Combined CIA rating | Virus | Hacking | (D)DoS | Threat n | Risk | Link to Consequence
A - B: SAP        | SAP - HANA          | 4 | 2 | 2 | 2 |  | 8  |
A - B: 365Farmnet | SAP - HANA          | 5 | 2 | 2 | 2 |  | 10 |
B - C: SAP - HANA | SCExpert            | 3 | 2 | 2 | 2 |  | 6  |
B - D: SAP - HANA | JDA retail planning | 3 | 2 | 2 | 3 |  | 9  |
C - D: SCExpert   | JDA retail planning | 4 | 2 | 2 | 4 |  | 16 | Scenario 4.1
n - m: Nn         | Mm                  |   |   |   |   |  |    |

Category 3 (shared products for this industry), see Components, services tab for further details
CISCO ASA 5500-X                 | 4 | 1 | 1 | 4 |  | 16 | Scenario 1.1

Category 4 (shared services), see Components, services tab for further details
Telecom provider Vodafone        | 4 | 2 | 2 | 2 |  | 8  |

Colophon

Editors-in-chief
Wam Voster (Royal Dutch Shell), Jeffrey de Bruijn (Power or 4)

Research from
Royal Dutch Shell, Nederlandse Gasunie, Nuon, TenneT, Alliander

With support of
Dutch National Cyber Security Centre

Disclaimer
You are free to share, reproduce, distribute and forward this research via any medium or format, edit, change and adopt contents of the work for research purposes.

First press, January 2016.