National Defense University, The iCollege
TRANSCRIPT
“The global hub for educating, informing, and connecting Information Age leaders.”
The Cyber Supply Chain:
Strategies for Managing the Risks and Challenges
IEEE STC Conference
Professor Russ Mattern
Professor Mike Donohoe
October 13, 2015
“The views expressed in this presentation/article are those of the author and do not reflect the official policy or position of the National Defense University, the Department of Defense, or the U.S. Government.”
1
Agenda
• What’s the extent of the problem?
• Example of counterfeits in the military supply chain
• An interesting GAO study
• The Smart Grid as an example of inroads made into one of the major US critical infrastructures
• How will Supply Chain Risk Management affect the cost, schedule & performance of your programs/projects?
• How can a Criticality Analysis focus your risk effort more effectively?
• How the NIST Risk Management Framework (RMF) can help
• Where can I find a major resource to help detect & correct software vulnerabilities and common attack patterns? It’s free!
• “Which of my systems are more vulnerable, new or legacy?”
• Where do we go from here?
• A real-life case study
10/12/2015 2
The Extent of the Counterfeit Problem
• Short video clip: first 1 minute and 30 seconds
–http://www.smtcorp.com/#
Extent of the Problem
Aerospace Industries Association
The Comprehensive National Cybersecurity Initiative
Intelligence Community Directive 731 (7 Dec 2013)
• Purpose:
–This Directive establishes Intelligence Community (IC)
policy to protect the supply chain as it relates to the life-
cycle of mission-critical products, materials, and services
used by the IC through the identification, assessment, and
mitigation of threats.
– Section D: Policy
• Supply chain risk management is the management of risk to the integrity, trustworthiness, and authenticity of products and services within the supply chain. It addresses the activities of foreign intelligence entities (as defined in ICD 750, Counterintelligence Programs) and any other adversarial attempts aimed at compromising the IC supply chain, which may include the introduction of counterfeit or malicious items into the IC supply chain.
Counterfeits in the US Military ICT Supply Chain
November 8, 2011
US Senate Report on Counterfeits
US Senate Report on Counterfeits
• “…two year period, 2009-2011, the investigation uncovered
approximately 1,800 cases of suspected counterfeit electronic parts.”
• Of 100 tracked suspect parts, 70% were traced to China
• 3 cases investigated by the Senate Committee
– US Navy SH-60B helicopter Electronic Interference Filters integrated into
Forward Looking InfraRed (FLIR) System
– USAF C-130J & C27J Display units
– US Navy P-8A (modified Boeing 737) Ice Detection module
A Government Accountability Office (GAO) Study
GAO-12-375
GAO Report Cont’d
• “The GAO created a fictitious company and gained membership in two Internet platforms providing access to vendors selling military-grade electronic parts”
• “GAO requested quotes from numerous vendors for a total of
16 parts from 3 categories.”
– CAT 1: “Authentic part numbers for obsolete and rare parts”
– CAT 2: “Authentic part numbers with postproduction date codes.”
– CAT 3: “Bogus, or fictitious, part numbers that are not associated with
any authentic part.”
– “…GAO received responses from 396 vendors, of which 334 were
located in China; 25 from the United States; and 37 in other countries,
including the United Kingdom and Japan.”
• “…vendors usually responded in a day. GAO selected the first
of any vendor among those offering the lowest prices…”
Results Cat 1 (authentic, obsolete, rare) Analysis
GAO Report: Summary
• All 7 parts in Category 1 (authentic, obsolete, rare) were
“Suspect Counterfeit” (the highest risk of being counterfeit)
• All 5 parts in Category 2 (authentic part number, but
postproduction dates) were “Suspect Counterfeit”
• All 4 parts in Category 3 (bogus part numbers) were “Bogus”
– 40 vendors offered to supply these parts
– Demonstrates the will and the ability to deliver parts that technically don’t even exist.
Critical Infrastructure: Smart Grid
• Current state of the US grid
• Advanced Metering Infrastructure (AMI)
• Challenges/vulnerabilities:
– SCADA systems
– Software and hardware vulnerabilities
– Intelligence activities/malware
Current State of the US Power Grid
• The US Power Grid is actually made up of 3 smaller grids: Eastern, Western, & Texas, comprising:
– 7,000 generating plants
– 2,000 distribution utilities
– 450,000 miles, high-voltage transmission lines
• 70 % of transmission lines > 25 years old
• 70 % of power transformers > 25 years old
• 60 % of circuit breakers > 30 years old
• The system is brittle (red in the original slide = my emphasis):
– “But as the nearly 100 year old power grid has aged, facing a growing population
and higher load demands for power, the industry has simultaneously become
more and more deregulated by mandate. And deregulation has led to less and less
necessary preventative maintenance, upgrades in technology as well as necessary
investment in research and development. And the poorly maintained grid in many
of the areas of the country, predominantly the mid-Atlantic and northeast states,
has but put even more stress upon its transmission lines.”
• Grassi, D. (March 24, 2009). US energy policy: Electrical grid in critical condition
What is the Smart Grid?
• The Smart Grid is a network system that will allow the electric companies, electricity generators (coal plants, wind turbine plants, solar plants, etc.), businesses, houses, etc. to communicate back and forth in order to meet the supply and demand of electricity. This system will help avoid blackouts, reduce our carbon footprint, and save people & businesses money by letting them adjust the amount of electricity they use throughout the day. This network is made up of hardware, software (data management and storage), and a communication system that ties it all together.
• Solutions for the future, McKibbin, W. & McClurg, J.
Smart Meters
SCADA Systems
• Supervisory Control And Data Acquisition (SCADA) systems are not only used in power generation and distribution; they are also used to control:
– Natural gas and water distribution, nuclear power plants
– Water & waste treatment facilities
– Manufacturing, food processing, pharmaceuticals, and security systems
• Examples:
– SCADA vulnerabilities prompt US Government warning. Kirk, J. (2011, March 23). Computerworld. http://www.computerworld.com/s/article/9214990/SCADA_vulnerabilities_prompt_U.S._government_warning
• US-CERT: problems with Siemens, Iconics, 7-Technologies and Datac systems vulnerable to attack via the Internet
SCADA systems cont‘d
• Hoping to teach a lesson, researchers release exploits for critical infrastructure software. Zetter, K. (2012, January 1). Wired. http://www.wired.com/threatlevel/2012/01/scada-exploits/
– Problems with programmable logic controllers
• Used in “water, power and chemical plants; gas pipelines and
nuclear facilities; as well as in manufacturing facilities such as food
processing plants and automobile and aircraft assembly lines.”
• “Peterson, speaking Thursday at the annual S4 conference that he
runs, said he hoped the presentation would serve as a “Firesheep
moment” for the SCADA community. Firesheep refers to a Wi-Fi
hacking tool that was released by a security researcher last year to
call attention to how easy it is to hijack accounts on social
networking sites like Facebook and Twitter and web e-mail services.
The release of Firesheep forced some companies to begin encrypting
customer sessions by default so that attackers on a Wi-Fi network
couldn’t sniff their credentials and hijack their accounts.”
Company ratings
Chart listing the vulnerability types found in PLCs the researchers examined. A red "x" indicates the vulnerability is present in the system and is easily exploited; a yellow exclamation point indicates the vulnerability exists but is difficult to exploit; the green checkmark indicates the system lacks this vulnerability. (Zetter, Hoping to teach a lesson, researchers release exploits for critical infrastructure software.)
Ladder logic exploit
• Ladder logic is a programming language that represents a program by a graphical diagram based on the circuit diagrams of relay logic hardware. It is primarily used to develop software for programmable logic controllers (PLCs) used in industrial control applications. The name is based on the observation that programs in this language resemble ladders, with two vertical rails and a series of horizontal rungs between them. (Wikipedia)
Attacker downloads the ladder logic from the PLC, modifies it and uploads it back into the PLC.
Software and hardware vulnerabilities
• There are many software and hardware vulnerabilities that can directly affect the Smart Grid
– The fact that companies are relying on the Internet to run their operations and control functions opens them up to all the exploits we see daily in the news
– Billions will be spent on the build-out of the Smart Grid
– Many software/hardware companies are getting into the game with the hope of garnering a piece of the Smart Grid pie
– Here are a few names of some players you will recognize:
• SAP, HP, Google, Microsoft, Cisco, Dell
– Here are more names, some of which are start-ups:
• Tendril Networks, EnergyHub, Energrate, Control4, Greenbox Technology, AlertMe, OpenPark, CurrentCost, Sequentric, 4Home, Agilewave, BPL Global, Ecologic Analytics, Gridpoint, Silver Spring Networks, SmartSynch, Tropos Networks (source: Greentechmedia.com)
Intelligence activities/Malware
• Report: Spies hacked into U.S. electricity grid. LaMonica, M. (2009, April 8). Cnet. http://news.cnet.com/8301-11128_3-10214898-54.html
• “A Wall Street Journal report, quoting national security officials, says spies have infiltrated the power grid in an apparent attempt to map the utility infrastructure.”
• “The intruders don't appear to have done any damage to date but did leave behind software that could disrupt the system.”
• "The Chinese have attempted to map our infrastructure, such as the electrical grid," a senior intelligence official told the Journal. "So have the Russians."
• A report by security firm IOActive last month warned that people with $500 worth of equipment and the right training could manipulate smart meters with embedded communications in people's homes to potentially disrupt operation of the grid.
How Cyber SCRM Affects Cost, Schedule & Performance
• Cost, Schedule & Performance
[Figure: two cost/schedule/performance triangles; in the second, Cost and Schedule are drawn stretched]
Rethinking your Organization’s Projects & Programs
• Implementing a Supply Chain Risk Management (SCRM)
plan in your organization will require adjustment
– Validating the provenance/pedigree of critical electronic
components and software will likely require more time and
expense
– You may have to move to different and, likely, more expensive suppliers
• And, you may have to seek out secondary suppliers, just in case…
–Program schedules will stretch, causing lengthened
delivery times to customers & increased costs
Rethinking your Organization’s Projects & Programs
–The organization’s governance board will have to
take a strategic look at the number of programs it
undertakes
• They will also have to look at the TYPES of programs they choose:
• Some may present more risk than others when it comes
to assuring the quality and provenance of components
and software
• Programs/Projects with more Supply Chain risk may have
to be placed on hold until the organization can validate
the upstream supply chain
• Worse, some programs/projects may have to be
abandoned altogether due to high risk in the supply chain
How can a Criticality Analysis Focus your Risk Effort
• It is cost prohibitive to ensure every last
component and line of software is without
defect, intentional or not
• The focus must be on what is considered the “Crown Jewels” of the system
• This may mean it’s not the most expensive chip or software algorithm
• It will likely come down to the main purpose of the program
How can a Criticality Analysis Focus your Risk Effort
• In DoD speak, this would be the “mission” of the
system
• Steps you can take to conduct your Criticality
Analysis:
– Identifying and prioritizing system mission threads;
– Decomposing the mission threads into their mission-critical functions; and
– Identifying the system components (hardware, software, and firmware) that implement those functions, i.e., components that are critical to the mission effectiveness of the system or an interfaced network.
Source: Interos, Jan 2015
How can a Criticality Analysis Focus your Risk Effort
• A few hints to help your Criticality Analysis (CA)
–Focus on the entire life-cycle of your project or program
• Limiting your efforts in just the development phase may leave a gaping hole
after the system is deployed
–The “crown jewels” of your system may not be the most expensive
–The CA should begin with the system engineering and design
process—in other words, as early in the program life-cycle as
possible
– The CA is not a static, one-time event:
• Revisit the CA often, as the mission or program focus changes often
– The goal is to keep adversaries out and to protect your system while not bankrupting it
Source: Interos, Jan 2015
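The three Criticality Analysis steps above (prioritize mission threads, decompose them into mission-critical functions, identify the components implementing those functions) are easy to state and easy to get wrong when the bill of materials has hundreds of lines. The following is an added worked example, not code from the slides or from Interos: a small model that ranks components by the priority of the mission threads they support and flags single points of failure, then re-runs after a mission change to show why the CA is not a one-time event. The system, part names, prices and priorities are constructed for the example; the costs are there only to make the slide’s point that the crown jewels are not necessarily the most expensive parts.

```python
"""Criticality Analysis (CA) worked example.

Added illustration, not from the original slides. It walks the three CA steps:
(1) prioritise mission threads, (2) decompose each thread into mission-critical
functions, (3) identify the hardware/software/firmware components that
implement those functions. The system, part names, prices and priorities below
are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    kind: str                 # "hw", "sw" or "fw"
    unit_cost: float          # constructed; shows that cost != criticality
    functions: set = field(default_factory=set)


# Step 1: mission threads with a priority (1 = most important). Constructed.
MISSION_THREADS = {
    "detect_ice_on_airframe": 1,
    "display_flight_data": 2,
    "log_maintenance_data": 3,
}

# Step 2: each thread decomposed into the functions it cannot do without.
THREAD_FUNCTIONS = {
    "detect_ice_on_airframe": {"sense_probe", "signal_filter", "alert_crew"},
    "display_flight_data": {"render_display", "bus_interface"},
    "log_maintenance_data": {"bus_interface", "store_log"},
}

# Step 3: components and the functions they implement (constructed BOM).
COMPONENTS = [
    Component("ice_probe_asic", "hw", 42.0, {"sense_probe"}),
    Component("emi_filter", "hw", 3.5, {"signal_filter"}),
    Component("mission_computer_cpu", "hw", 1800.0, {"render_display", "store_log"}),
    Component("display_fw", "fw", 0.0, {"render_display", "alert_crew"}),
    Component("bus_controller", "hw", 250.0, {"bus_interface"}),
    Component("logging_lib", "sw", 0.0, {"store_log"}),
]


def function_priority(thread_functions, thread_priority):
    """Best (lowest) priority of any mission thread that depends on each function."""
    out = {}
    for thread, funcs in thread_functions.items():
        for f in funcs:
            out[f] = min(out.get(f, 99), thread_priority[thread])
    return out


def implementers(components):
    """function -> set of component names that can provide it."""
    out = {}
    for c in components:
        for f in c.functions:
            out.setdefault(f, set()).add(c.name)
    return out


def criticality_report(threads, thread_functions, components):
    """Rank components. A component inherits the best priority among its
    functions and is a single point of failure (SPOF) when it is the only
    implementer of a function that some mission thread depends on."""
    fprio = function_priority(thread_functions, threads)
    impl = implementers(components)
    rows = []
    for c in components:
        prio = min(fprio.get(f, 99) for f in c.functions)
        spof = any(impl.get(f) == {c.name} for f in c.functions if f in fprio)
        rows.append({"component": c.name, "priority": prio, "spof": spof,
                     "unit_cost": c.unit_cost})
    # Highest-priority thread first, SPOFs first within a priority: the crown jewels list.
    rows.sort(key=lambda r: (r["priority"], not r["spof"], r["component"]))
    return rows


def crown_jewels(report, max_priority=1):
    """Components supporting threads at or above the given priority."""
    return [r["component"] for r in report if r["priority"] <= max_priority]


if __name__ == "__main__":
    report = criticality_report(MISSION_THREADS, THREAD_FUNCTIONS, COMPONENTS)
    for row in report:
        print(row)
    print("crown jewels:", crown_jewels(report))
    # Re-run with a changed mission: the CA is not a one-time event.
    changed = dict(MISSION_THREADS, log_maintenance_data=1)
    print("after mission change:",
          crown_jewels(criticality_report(changed, THREAD_FUNCTIONS, COMPONENTS)))
```

With the constructed data the $1,800 mission computer is not a crown jewel (priority 2, and two parts can render the display), while a $3.50 EMI filter and a firmware image are, because each is the sole implementer of a function on the top-priority thread. Raising the maintenance-logging thread to priority 1 pulls the bus controller, the logging library and the mission computer into the list, which is the kind of change the slides say should trigger a fresh CA.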
Criticality Analysis Exercise
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
• NIST Special Publication 800-53 revision 4
–Security and Privacy Controls for Federal Information
Systems and Organizations (April 2013)
• NIST Special Publication 800-60
–Volume 1: Guide for Mapping Types of Information and
Information Systems to Security Categories (Aug 2008)
• NIST Special Publication 800-70 revision 3
– National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
• NIST Special Publication 800-37
–Guide for Applying the Risk Management Framework to
Federal Information Systems
NIST Risk Management Framework (RMF)
• Applying the Risk Management Framework to
Federal Information Systems
• Instructional Video:
– http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/rmf-training/index.html
Common Weakness Enumeration (CWE)
Common Vulnerabilities and Exposures (CVE)
Common Attack Pattern Enumeration & Classification
Structured Threat Information Expression (STIX)
• The Structured Threat Information Expression (STIX) is a language for describing cyber threat information in a standardized and structured manner. STIX characterizes an extensive set of cyber threat information, including indicators of adversary activity (e.g. IP addresses and file hashes) as well as additional contextual information regarding threats (e.g. adversary Tactics, Techniques and Procedures (TTPs); exploitation targets; Campaigns; and Courses of Action (COA)) that together more completely characterize the cyber adversary’s motivations, capabilities, and activities, and thus how best to defend against them. It is intended to support both more effective analysis and exchange of cyber threat information.
Trusted Automated Exchange of Indicator Information
• TAXII
– Trusted Automated Exchange of Indicator Information standardizes the trusted, automated exchange of cyber threat information. TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries for the detection, prevention, and mitigation of cyber threats. TAXII is not a specific information sharing initiative, and it does not define trust agreements, governance, or non-technical aspects of cyber threat information sharing. Instead, TAXII enables organizations to achieve improved situational awareness about emerging threats and to easily share the information they choose with the partners they choose, while leveraging existing relationships and systems.
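The STIX and TAXII descriptions above stay at the level of what the standards are for. The following is an added example, not code from the slides and not from OASIS (which now maintains both standards), showing what the pieces look like in practice: a STIX bundle is built by hand as plain JSON with an indicator carrying an IP address and a file hash, the attack pattern it indicates, a course of action, and the relationships tying them together; a function returns it in the envelope shape a TAXII collection’s “Get Objects” request yields; and the indicator values are then run over a few constructed log lines. It assumes the current STIX 2.1 / TAXII 2.1 JSON formats rather than the XML-based STIX 1.x that was current when this talk was given; no stix2 or taxii2-client library is used, so it runs offline. All identifiers, addresses, hashes and log lines are made up.

```python
"""STIX 2.1 / TAXII 2.1 worked example.

Added illustration, not from the original slides and not OASIS code. Builds a
small STIX 2.1 bundle as plain JSON, wraps it in the envelope a TAXII 2.1
"Get Objects" request returns, and uses the indicators to scan constructed log
lines. All IDs, hashes, IPs and log lines are made up for the example.
"""
import json
import re
import uuid

NOW = "2015-10-12T00:00:00.000Z"   # constructed timestamp


def stix_id(obj_type):
    # STIX 2.1 identifiers are "<type>--<UUIDv4>".
    return f"{obj_type}--{uuid.uuid4()}"


def sdo(obj_type, **props):
    """Common properties every STIX object carries, plus the given ones."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": NOW, "modified": NOW, **props}


def build_bundle():
    """Indicator (IP + file hash), the TTP it signals, a course of action,
    and the relationships that tie them together."""
    indicator = sdo("indicator",
                    name="Counterfeit-firmware update beacon (constructed)",
                    indicator_types=["malicious-activity"],
                    pattern_type="stix", valid_from=NOW,
                    pattern="[ipv4-addr:value = '203.0.113.77'] OR "
                            "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']")
    ttp = sdo("attack-pattern", name="Supply Chain Compromise (constructed)")
    coa = sdo("course-of-action",
              name="Block the C2 address and quarantine hosts holding the file")
    rels = [
        sdo("relationship", relationship_type="indicates",
            source_ref=indicator["id"], target_ref=ttp["id"]),
        sdo("relationship", relationship_type="mitigates",
            source_ref=coa["id"], target_ref=ttp["id"]),
    ]
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [indicator, ttp, coa, *rels]}


def taxii_get_objects(collection, limit=2, after_id=None):
    """Shape of a TAXII 2.1 'Get Objects' response: an envelope holding one
    page of objects and a 'more' flag. Paging by object id is a simplification
    of the real 'next' cursor."""
    objs = collection["objects"]
    start = 0 if after_id is None else [o["id"] for o in objs].index(after_id) + 1
    page = objs[start:start + limit]
    return {"more": start + limit < len(objs), "objects": page}


# Pull atomic observables out of a STIX pattern. Only the two comparison forms
# used above are recognised; a real consumer would use a STIX pattern parser.
_ATOM = re.compile(r"\[(ipv4-addr:value|file:hashes\.'SHA-256') = '([^']+)'\]")


def extract_atoms(pattern):
    return {(kind, value) for kind, value in _ATOM.findall(pattern)}


def match_logs(bundle, log_lines):
    """Return (line_number, kind, value) for every log line that contains an
    indicator value from the bundle. Substring matching is crude but is how
    many shops first consume shared indicators."""
    atoms = set()
    for obj in bundle["objects"]:
        if obj["type"] == "indicator":
            atoms |= extract_atoms(obj["pattern"])
    hits = []
    for n, line in enumerate(log_lines, 1):
        for kind, value in atoms:
            if value.lower() in line.lower():
                hits.append((n, kind, value))
    return hits


# Constructed log lines: two proxy entries and one EDR file-write event.
SAMPLE_LOGS = [
    "2015-10-12T09:14:02Z proxy allow 10.0.0.15 -> 198.51.100.9:443",
    "2015-10-12T09:14:07Z proxy allow 10.0.0.15 -> 203.0.113.77:443",
    "2015-10-12T09:15:31Z edr file_write host=wks7 sha256=" + "AB" * 32,
]

if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(taxii_get_objects(bundle), indent=2))
    print(match_logs(bundle, SAMPLE_LOGS))
```

Two details are worth noticing. The indicator carries the observables; the attack pattern and course of action are only useful because the relationship objects connect them, which is the “contextual information” the STIX description refers to. And the TAXII envelope says nothing about who may read the collection: authentication, trust agreements and what you choose to publish sit outside the protocol, exactly as the TAXII text states.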
Which of my Systems are more Vulnerable?
• Those under development or legacy?
• My guess is legacy
• Why?
–When the space shuttle was still flying, they were looking
for 8088 chips to replace failed chips
–The B-52 is based on 1950s technology and expected to
have a service life till 2040
– The Defense Logistics Agency is tasked with supporting systems that have been deployed for decades with decades-old technologies
–How do you find trusted suppliers for systems that are no
longer manufactured?
Where do we go from here?
• Trusted foundries
• Use Original Component Manufacturers (OCMs)
• Use Original Equipment Manufacturers (OEMs) or their authorized resellers
• Blind buys
• Should we hold Integration Contractors responsible for all the components that go into a system?
–We do in the auto industry
• DNA marking of chips to increase confidence they are what they say they are
Case Study: Production of a Medical Device
• CPAP production in China
• Dr. Mike Donohoe, Professor at the University of Pittsburgh, Katz School of Business
• Role as a VP in Information Systems in Medical
Device OEM.
Questions?
–Dr. Russ Mattern
–Dr. Mike Donohoe