SUPPLY CHAIN CYBERTHREATS TO THE US ENERGY SECTOR
Cynthia James, CISSP, Global Director, Business Development & Technical Alliances, Kaspersky Lab
AGENDA
• Supply chain mapping…and reconnaissance
• Suppliers: lack of leverage and communication challenges
• Government guidance, policy, law: energy vs electric vs nuclear
• Developing the ideal cybersecurity posture
• Final recommendations
THE SUPPLY CHAIN MAP
[Figure: supply chain map centred on the secure energy facility. Suppliers are placed by degrees of separation: 1 degree (equipment vendor, reseller, critical provider, software consultant, landscaping, paper supplier), 2 and 3 degrees (the suppliers' own suppliers: boards, apps and so on). Threats annotated on the map: a malicious insider at the consultant; phishing attacks. Downstream of the facility: customers and branches ("Who do we supply?"). Question on the figure: is there bi-directionality on any link? If so, what data or access flows back?]
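The map above is easiest to reason about as a graph: nodes are organizations, edges are "supplies", and the question on the slide (is there bi-directionality, and what access does it carry?) becomes a property of each edge. The following is an added example, not from the original slides; the entities, what flows along each edge, and which suppliers hold a path back into their customer are all constructed to resemble the slide's map. It computes degrees of separation upstream and downstream of the facility and lists the chains of suppliers along which access reaches back into the plant.

```python
"""Supply chain map as a directed graph, with degrees of separation and
a check for bi-directional (access-carrying) links.

Added example, not from the original slides. The entities, what flows
along each edge, and which suppliers hold access back into their
customer are all constructed to resemble the slide's map.
"""
from collections import deque

FACILITY = "Energy facility"

# (supplier, customer, what the supplier delivers, supplier has a path back
#  into the customer: remote support, update pushes, shared portal, ...)
EDGES = [
    ("Equipment vendor", FACILITY, "control boards", True),
    ("Reseller", FACILITY, "apps", False),
    ("SW consultant", FACILITY, "custom code", True),
    ("Landscaping", FACILITY, "site services", False),
    ("Paper supplier", FACILITY, "office supplies", False),
    ("Board fab", "Equipment vendor", "boards", False),
    ("Firmware house", "Board fab", "firmware", True),
    ("Cloud IDE", "SW consultant", "dev environment", True),
    (FACILITY, "Branch office", "grid telemetry", True),
    (FACILITY, "Customer utility", "power / billing data", False),
]


def build_graph(edges):
    """Adjacency in both directions: upstream walks to suppliers,
    downstream walks to customers."""
    upstream, downstream = {}, {}
    for sup, cust, flow, access in edges:
        upstream.setdefault(cust, []).append((sup, flow, access))
        downstream.setdefault(sup, []).append((cust, flow, access))
    return upstream, downstream


def degrees_from(node, adjacency):
    """Breadth-first search: degree of separation of every node reachable
    from `node` along `adjacency` (1 = direct supplier or customer)."""
    dist = {node: 0}
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        for nxt, _flow, _access in adjacency.get(cur, []):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def inbound_access_chains(target, upstream):
    """Maximal chains of suppliers in which every link has access back into
    the next one, ending at `target`. Anyone on such a chain, e.g. a
    malicious insider at the consultant, has a path into the facility
    without phishing it; a chain is cut wherever a link carries no access."""
    chains = []

    def walk(node, chain):
        extended = False
        for sup, _flow, access in upstream.get(node, []):
            if access and sup not in chain:
                extended = True
                walk(sup, [sup] + chain)
        if not extended and len(chain) > 1:
            chains.append(chain)

    walk(target, [target])
    return chains


def report(target=FACILITY, edges=EDGES):
    """Answer the slide's questions: who sits at which degree, and where
    is there bi-directionality that reaches the facility?"""
    upstream, downstream = build_graph(edges)
    sup_deg = degrees_from(target, upstream)
    cust_deg = degrees_from(target, downstream)
    return {
        "suppliers_by_degree": {n: d for n, d in sup_deg.items() if d > 0},
        "customers_by_degree": {n: d for n, d in cust_deg.items() if d > 0},
        "inbound_access_chains": inbound_access_chains(target, upstream),
    }


if __name__ == "__main__":
    r = report()
    for name, deg in sorted(r["suppliers_by_degree"].items(), key=lambda x: x[1]):
        print(f"{deg} degree(s): {name}")
    for chain in r["inbound_access_chains"]:
        print("access path into facility:", " -> ".join(chain))
```

With the constructed map, the firmware house sits at three degrees but its access stops at the board fab, whereas the consultant's cloud IDE (two degrees out) has an unbroken access path into the facility. That is the kind of link the "what data or access?" question is meant to surface.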
RECONNAISSANCE: SUPPLY CHAIN MAPPING
What an attacker can learn about your supply chain from public sources:
• RFQs, press releases and any other public notification
• Conferences and working groups: speakers make technology references and recommendations; vendor criteria are stated
• Jobs available: the experience required reveals the technology in use
• Profiles of employees: experience, background
• Blogs about company policies, etc.
• Information shared by others about you. What is your supply chain saying? ("XYZ Energy is a customer", "we now adhere to these specs")
• Filling in the gaps: the attacker only needs enough to pick a point for an opportunistic infection
LOWER YOUR RECONNAISSANCE PROFILE
• Raise awareness, reduce specifics
• Management oversight of public profiles; request that certain details be omitted
• Set up Google search alerts for key phrases
• Boost awareness of the issue in the company; start at stakeholder level?
• Create a recon profile (what is publicly known about your suppliers and technology) and circulate it
Note: going "stealth mode" with online résumés helps the organization but not the individual (legally, employers can't interfere with your job search)
SUPPLIERS HAVE SUPPLIERS WHO HAVE SUPPLIERS WHO…
SUPPLY CHAIN ATTACK EXAMPLES
• HAVEX: trojanized software installers and updates placed on ICS vendors' own download sites, a "watering hole" attack on the vendor's distribution channel
• IceFog:
  v1: hitting Western companies through entry points in Asia, mostly defense
  v2: oil and gas in the US (Java-based implant)
  Most likely cyber mercenaries
• ICS-CERT / NCCIC Monitor: of the 245 incidents ICS-CERT responded to in FY2014, the Energy sector accounted for 79, more than any other sector; in 94 of them (38%) the initial infection vector could not be determined, the largest single category
LEVERAGE AND COST: DIRECTLY ASSOCIATED
How much leverage do you have now with suppliers?
• Do you need it? (Are they already compliant?)
• Can you require compliance, or only request it?
• Can you conduct reviews remotely?
• Site review: what they say they do; the probability of them doing it, and to what degree; the risk represented by them not doing it
Where customizations of practice are required, compliance and cost may be affected: added testing, collection, analysis, data protection. But it doesn't cost to ask (and it's always better to know).
OUR COMMUNICATION CHALLENGE
[Figure: timeline of the groups that talk about cybersecurity, each arriving at a different point (dates marked: 1999 for government agencies, then 2006, 2010 and 2015) and each with its own vocabulary: government agencies, chemical, defense etc., nuclear, SCADA, IT, infosec journalists, the cybersecurity industry, mainstream journalists. Few of these groups talk to each other, and together they have produced the total lexicon describing all things cybersecurity related.]
Just for "supply chain": ICT, SCRM, ICT SCRM (NIST favors), cyber supply chain, cyber supply chain security, supply chain risk management, EDM (DoE/DHS favors)*
* paper in 2014, Nadya Bartol, Utilities Telecom Council
So when NIST says "ICT SCRM", it is the same thing as when DHS/DoE say "EDM".
WORD GAMES…
• 2009: the word "cybersecurity" starts being used*
• 2009: NERC first uses the term "Critical Cyber Assets"
Current terms used for "supply chain":*
• Information and Communication Technology (ICT) Supply Chain Risk Management (SCRM)
• Information and Communication Technology (ICT) supply chain security
• Supply Chain Risk Management
• Cyber supply chain
• Cyber supply chain security
• Cyber supply chain risk management
Finally, in 2014, "External Dependencies Management" (EDM), in the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) by DoE/DHS. Although NIST SP 800-161, the mother of all such documents (282 pages dedicated to supply chain, 2015), currently calls it ICT SCRM.
* paper in 2014, Nadya Bartol, Utilities Telecom Council
THE PROBLEM WITH NEW LANGUAGES…
• Agreeing on terms and usage
• Collaborating across sectors and supply chain organizations
• Sharing cyber incident information
• Defining best practices which underlie multiple sectors
• Educating across sectors
Recommendation: be sure to reference the document whose definitions you are applying.
GOVERNMENT REGULATION AND "GUIDANCE"
Electric utilities and nuclear: the only critical infrastructure sectors with "mandatory" cybersecurity standards, enforceable through FERC and the NRC.
• US NRC: US Nuclear Regulatory Commission
• NEI: Nuclear Energy Institute, nuclear's "policy organization"
• FERC: Federal Energy Regulatory Commission
• NERC: North American Electric Reliability Corporation, the electric reliability organization whose standards FERC approves and enforces; the current rules became effective in 2014, with compliance required by 2016 and 2017
SUMMARY OF GOVERNING RULES
• NERC Reliability Standards are mandatory within the US. These include the CIP (Critical Infrastructure Protection) standards, which address the security of cyber assets "essential to the reliable operation of the electric grid".
• CIP was first released in 2008; the latest version (v5) was approved by FERC in 2013 and is enforceable by April 2016, with some requirements in 2017.
• The Code of Federal Regulations (law) applicable to all energy is Title 10 CFR ("Energy"). It contains no cybersecurity rules except in Chapter I.
• Chapter I is the rules set forth by the Nuclear Regulatory Commission. Part 73 covers "physical protection of plants and materials"; 73.54, "Protection of digital computer and communication systems and networks", covers the information-systems part of that: https://www.law.cornell.edu/cfr/text/10/73.54
• Nuclear Energy Institute NEI 08-09 (Revision 6, April 2010), "Cyber Security Plan for Nuclear Power Reactors", with heavy reference to 10 CFR 73.54
NEW GUIDELINES TO FOLLOW – ENERGY
• "The Energy Department released guidance to help the energy sector establish cybersecurity risk management programs" (energy.gov)
• This was the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) of February 2014, "developed by the Department of Energy and contributors…and other government agencies" (jointly published with DHS) "to help critical infrastructure organizations evaluate and potentially improve their cybersecurity practices. As this section demonstrates, using the C2M2 also provides a means for any energy sector organization to implement the NIST Cybersecurity Framework."
• Nuclear: follow NEI 08-09
DEPARTMENT OF ENERGY "ES-C2M2"
Provides "an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events."
• One component, the "Supply Chain and External Dependencies Management" (EDM) domain, covers:
  • Asset management (catalogue, prioritize)
  • Business environment (roles defined and ranked)
  • Dependencies and critical functions for the delivery of critical services and products are established
Now you have a list of external dependencies…
ES-C2M2
External dependencies must be managed contractually:
a) vendor responsibilities (reference specific standards: RM-1c)
b) auditing rights and monitoring
c) sharing of cybersecurity "threat information"
d) reporting of cyber incidents
e) adherence to a defined risk assessment process
ES-C2M2 DESCRIPTION OF RISK
• Security of products varies widely
• How was the software developed? What code went into it?
• Counterfeit hardware or malware injection
• RFPs don't specify detailed security or QA requirements
• Utility branches are granted leeway in procurement
Not to forget: the security capabilities of organizations vary widely too
NEI 08-09 CYBERSECURITY PLAN FOR NUCLEAR
11.2 Supply Chain Protection: "This security control protects against supply chain threats by employing the following measures…to maintain the integrity of the CDAs [critical digital assets] that are acquired: 1. Establishment of trusted distribution paths, 2. Validation of vendors, and 3. Requirement of tamper proof products or tamper evident seals on acquired products." (NEI, April 2010)
CYBERSECURITY PLAN BASED ON NEI 08-09: GOALS
• Procure CDA products and software from vendors who practice good cyber security and are capable of implementing NEI 08-09, Rev. 6 controls
• Negotiate with vendors to ensure their environment and products are secure
• Develop a program to ensure that products received are secure*
* Author: Barbara Weber, Sheffield Scientific, LLC, Senior Cyber Security [email protected]
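One concrete piece of "a program to ensure that products received are secure", and of the "trusted distribution paths" that NEI 08-09 11.2 calls for, is a receiving check: the delivered software is compared against an integrity manifest that arrived over a channel separate from the download. The following is an added example, not from the slides, from NEI 08-09 or from any vendor; the sha256sum-style manifest format, the file names and the byte contents are constructed. The design point it illustrates is the HAVEX case above: a hash published on the same vendor website that served a trojanized installer proves nothing, so the manifest must come by contract deliverable, signed mail, sealed media or another path the attacker who owns the web server cannot touch.

```python
"""Receiving check for delivered CDA software: compare what arrived against
an integrity manifest that came over a trusted distribution path.

Added example, not from NEI 08-09 or the slides. The manifest format
(sha256sum style), the file names and the byte contents are constructed.
"""
import hashlib
import hmac

HEX = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """'<sha256 hex>  <filename>' per line; '#' comment lines allowed.
    A malformed line raises instead of being skipped, so a truncated or
    edited manifest fails closed rather than silently verifying less."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        digest = parts[0].lower() if parts else ""
        if len(parts) != 2 or len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}")
        entries[parts[1]] = digest
    return entries


def manifest_is_wellformed(text: str) -> bool:
    try:
        parse_manifest(text)
        return True
    except ValueError:
        return False


def verify_delivery(manifest_text: str, received: dict) -> dict:
    """`received` maps filename -> bytes as delivered. Verdict per file:
    ok; hash-mismatch (altered in transit or on the vendor site);
    not-in-manifest (a file the vendor never declared); missing
    (declared but not delivered)."""
    expected = parse_manifest(manifest_text)
    verdicts = {}
    for name, data in received.items():
        if name not in expected:
            verdicts[name] = "not-in-manifest"
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "hash-mismatch"
    for name in expected:
        if name not in received:
            verdicts[name] = "missing"
    return verdicts


def accept(verdicts: dict) -> bool:
    """Release to the plant network only if every declared file arrived
    intact and nothing undeclared came with it."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


# Constructed sample data. CLEAN is the installer as the vendor built it;
# TROJANED is the same file with a payload appended, the way a trojanized
# installer on a compromised vendor site differs from the real one.
INSTALLER = "ICS-HMI-Setup-4.2.exe"
CLEAN = b"MZ\x90\x00 ICS-HMI-Setup 4.2 (constructed bytes)"
TROJANED = CLEAN + b"\x00<appended payload, constructed>"

# Manifest as it would arrive over the trusted path (built here from the
# clean bytes, standing in for the vendor's separately delivered record).
MANIFEST = f"# {INSTALLER} release manifest\n{sha256_hex(CLEAN)}  {INSTALLER}\n"


if __name__ == "__main__":
    deliveries = (
        ("clean", {INSTALLER: CLEAN}),
        ("trojaned + undeclared file", {INSTALLER: TROJANED, "README.txt": b"hi"}),
    )
    for label, delivery in deliveries:
        v = verify_delivery(MANIFEST, delivery)
        print(label, v, "ACCEPT" if accept(v) else "REJECT")
```

The check deliberately reports every file rather than stopping at the first failure, so the receiving record shows whether a delivery was tampered with, padded with extras, or short, which is what the auditing-rights clause in the contract will ask for later.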
EXPECTATIONS OF CDA SUPPLIERS
Suppliers should be operating at the same level of security as the plant itself:
• Establish a secure development and operating environment
• Verify staff is trustworthy
• Verify they are managing their own suppliers
• They are obligated to patch vulnerabilities in products or services provided
• All received products are hardened
• Access control is managed
Note: 10 CFR 74.53 comparable to NQA-1
TO BEGIN THE PROCESS…
• Perform an evaluation (mini risk assessment / risk analysis) of top-priority suppliers
• Identify security gaps
• Evaluate the partnership against their security weaknesses: What upgrades are possible? What auditing rights? What level of priority? What cost?
• Periodically audit and re-evaluate
SUPPLY CHAIN SHOULD COMPLY TO WHAT LEVEL?
• Many aspects of supply chain management are their own mature specialties with expertise, tools and processes, e.g. software assurance or the receiving and testing of goods. These need to be integrated at the level that makes sense.
• Is it better to use a supplier who already has adequate security in place?
• Cybersecurity challenges grow much faster than guideline adoption by regulatory agencies (so far)
THE "IDEAL" SUPPLY CHAIN SECURITY POSTURE
Locating the best information depends upon goals.
Are the organization's goals to find:
• Easiest to implement? Fastest? Cheapest? Best?
• Easiest to get stakeholders to agree to?
Do we search by:
• Compliance
• Guiding principles (not compliance yet)
• Terms
• Agency
Most important: compliance. Next level: best security practices.
FINAL RECOMMENDATIONS
• Ensure that "supply chain risk" (all external dependencies) is identified and included in your organization's risk assessments
• Determine the needs and desires of stakeholders in your organization regarding supply chain risk
• Choose between NEI compliance and ES-C2M2
• Identify the best source documents
• Identify supporting documents (like NIST SP 800-161)
• Follow the process
• Repeat! (all suppliers, annually)
KASPERSKY LAB PROVIDES BEST IN THE INDUSTRY PROTECTION*
[Figure: bubble chart of vendors by number of independent tests/reviews entered (x axis, 0 to 100) against score of top-3 places (y axis, 0% to 100%); bubble size reflects the number of 1st places. Vendors plotted: Kaspersky Lab, Bitdefender, Sophos, G DATA, Symantec, F-Secure, Intel Security (McAfee), Trend Micro, Avira, Avast, BullGuard, AVG, ESET, AhnLab, Microsoft, Panda Security, ThreatTrack (VIPRE), Qihoo 360, Kingsoft, Tencent.]
In 2014 Kaspersky Lab products participated in 93 independent tests and reviews. Our products were awarded 51 firsts and received 66 top-three finishes (top 3 = 71%).
* Notes:
• According to summary results of independent tests in 2014 for corporate, consumer and mobile products.
• Summary includes tests conducted by the following independent test labs and magazines: AV-Comparatives, AV-Test, Dennis Technology Labs, MRG Effitas, NSS Labs, PC Security Labs, Virus Bulletin.
THANK YOU! QUESTIONS?
Cynthia James – [email protected]
Kaspersky Lab Technology Alliances & Business Development