
Page 1: Reducing Cybersecurity Risks in The Supply Chain · 2018. 6. 20. · Top 9 Emerging Risks For Supply Chain Risk Management (SCRM) 1. Politics (just Jeff’s view –Iran in Utilities;

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

Jeff Fawcett
Advanced Services Director
Jeff’s Opinion (Not Cisco’s) Regarding Other Nation States

Reducing Cybersecurity Risks in The Supply Chain

Page 2:

Introductions…

Supply Chain Security:

Supply chain security management is the application of policies, procedures, and technology to protect supply chain assets (product, facilities, equipment, information and personnel) from theft, damage, or terrorism, and to prevent the introduction of unauthorized contraband or of people intending to commit fraud, theft, or other illegal activities.

It is not an IT problem, but a sourcing, vendor management, supply chain continuity, and security challenge.

Page 3:

Agenda

What Are the Most Common and Dangerous Risks
What Are the Challenges of Mitigating Them
Programs and Mitigation to Achieve Your Objectives
Practical Examples Like Programs, Segmentation, Authentication, and Monitoring

Page 4:

What Are The Most Common and Dangerous Risks For Your Own Vendors, Suppliers, and Contractors

There are 4 key areas of impact to assuring our Commercial Off the Shelf (COTS) supply chain:

1. Malicious Modification/Substitution of Technology
2. Counterfeit Products (free, left on your shipping dock)
3. Security in Times of Supply Chain Disruption
4. Misuse of Intellectual Property (Chinese Switches and Routers)

Examples:

1. Fake Drugs (80% plus on the Internet)
2. Social Engineering to get checks written to criminals
3. Getting inside your CritSit environments like water and power (Russian, Iranian)
4. Audience, more examples? Digital Signage, Dams, Roads

Understand who and what provides value to you and what is made in China or Russia. DHS wants to include security in supply chain….

Page 5:

Top 9 Emerging Risks For Supply Chain Risk Management (SCRM)

1. Politics (just Jeff’s view: Iran in Utilities; Russia in Election Servers; China in Space)
2. Cyber (who is mad at us this week)
3. Natural Disaster (where do we get large generators from? 12 month waiting list)
4. Infrastructure (Water, Power, Roads, Airports, Hospitals)
5. Workforce (Insider vs hacker owning insider’s machine)
6. Environment (Dams, Refineries, etc.)
7. Regulatory Compliance
8. Suppliers
9. 3rd Party Vendors
10. DHS Regulatory Requirements: they want to integrate cyber vetting into Supply Chain checks (Feb 2018)

Page 6:

Agenda (repeated from Page 3)

Page 7:

Major Security Challenges:

1. Supply Chain involves many players
2. Multiple modes of transport
3. Various types of intermediaries
4. Several government agencies
5. Complexity of the system leads to challenges
6. Compliance Procedures
7. The Human element… maybe even Politics

Page 8:

Emerging Security Challenges: What Supply Chains Must Address

Increasing:

• Complexity of the network
• Privacy protected content
• Risk of a compromised network
• Network attack sophistication
• Focus on Supply Chain

End-point security is not enough.

Page 9:

Agenda

What Are the Most Common and Dangerous Risks
What Are the Challenges of Mitigating Them
Programs and Mitigation to Achieve Your Objectives
Practical Examples Like Programs, Segmentation, Authentication, and Monitoring
Three Cisco Things You Can Do (ISE, Umbrella, Segmentation)

Page 10:

12 Elements of Supply Chain Security Guidelines:

1. Physical Security
2. Risk Analysis
3. Access Control
4. An integrated, communicative ecosystem
5. Business Partner Security
6. Incident Management / Investigations
7. Crisis Management and Disaster Recovery
8. Education and Training Awareness
9. Documentation Processing Security
10. Information Security
11. Personnel Security
12. Procedural Security

NIST Best Practices in Cyber Supply Chain Risk Management white paper….

Page 11:

Third Party Risk

The slide shows two figures, 32% and 78%, each paired with one of these statements:

• of organizations have experienced a data breach as a result of negligent or malicious employees
• of organizations say third party mishaps were the root cause of incidents in the last 1-2 years

Page 12:

Third Party Risk Management

Interconnected business relationships increase the impact of risks and need to be actively managed.

Page 13:

Programmatic Approach to Managing Third-Party Risk

Why Create a Program?

• Interconnected business relationships increase the impact of risks and need to be managed

• Regulator scrutiny is increasing

• Compliance and contractual obligations are more demanding

• Boards are increasingly aware of third-party risk issues

• Gaps exist in traditional audits and certifications (SOC 2, ISO 27001)

• To ensure the maximum reduction in risk from the investment

Common Challenges to In-House Program Development

• Budget pressures

• Staff is already over-burdened

• A unique combination of security, risk management, program management, and vendor relationship

skills is required

• The risk environment is constantly evolving

• Emerging risk is not well understood

Page 14:

Sample Risk Summary: Are any businesses you are working with having money issues? If so, they are likely to cut corners around cybersecurity…

Vendor Risk Distribution

Page 15:

Sample Scorecard: Third-Party Assessments, Quarterly Scorecard for Q4 FY12

Q4 FY12 (21)

Vendor (BU)    High    Medium
Vendor 1       13      10
Vendor 2       10      2
Vendor 3       3       1
Vendor 4       1       4
Vendor 5       0       9

Open + Closed = Total: High 59 + 0 = 59; Medium 90 + 0 = 90

Lifetime to Date (21)

Vendor (BU)    High    Medium    Trend
Vendor 1       13      10        (trend sparkline not recoverable)
Vendor 7       10      2         (trend sparkline not recoverable)
Vendor 4       3       1         (trend sparkline not recoverable)
Vendor 12      1       4         (trend sparkline not recoverable)
Vendor 8       0       9         (trend sparkline not recoverable)

Total High: 59

Page 16:

Control Summary

Page 17:

Supply Chain Security Areas of Discipline

Lifecycle stages across the top of the framework: Design / Develop; Plan / Order; Source; Make; Quality; Delivery; Service / EOL

Discipline groups down the side: Security Technology Innovation; Physical Security Practices; Logical Security Processes

Highlighted on this slide: Secure Development; Information Exchange and Access Controls

Page 18:

Supply Chain Security Areas of Discipline (same framework as Page 17)

Highlighted on this slide: Physical Plant Security

Page 19:

Supply Chain Security Areas of Discipline (same framework as Page 17)

Highlighted on this slide: Talent Security and Integrity

Page 20:

Supply Chain Security Areas of Discipline (same framework as Page 17)

Highlighted on this slide: Supplier Resiliency and Crisis Management

Page 21:

Supply Chain Security Areas of Discipline (same framework as Page 17)

Highlighted on this slide: Protection of High Value/IP Containing Components and Finished Goods

Page 22:

Supply Chain Security Areas of Discipline (same framework as Page 17)

Highlighted on this slide: Logistics Security

Page 23:

Supply Chain Security Areas of Discipline (same framework as Page 17)

Highlighted on this slide: Fabrication Security

Page 24:

Supply Chain Security Areas of Discipline (same framework as Page 17)

Highlighted on this slide: Scrap Management

Page 25:

Supply Chain Security Areas of Discipline (same framework as Page 17)

Highlighted on this slide: Service & EOL Security Management

Page 26:

Agenda (repeated from Page 3)

Page 27:

Procurement Best Practices to Minimize Risk

Procurement is an important part of overall security strategy

• Procurement Language: defining the requirements and criteria
  Suppliers are Authorized Partners
  Require partners to purchase either from Cisco direct or through a Cisco Authorized Distributor in the United States
  Consider Partner Certifications
  Validation of Product Upon Delivery

• Log and Maintain All IT Records

Page 28:

11 Best Practices in SCRM (NIST Interagency Report 7622)

1. Uniquely identify supply chain elements, processes, and actors.
2. Limit access and exposures within the supply chain.
3. Establish and maintain the provenance of elements, processes, tools, and data.
4. Share information with strict limits.
5. Perform SCRM awareness training.
6. Use defensive designs for systems, elements, and processes.
7. Perform continuous integrator review.
8. Strengthen delivery mechanisms.
9. Assure sustainment activities and processes.
10. Manage disposal and final disposition activities throughout the system or element lifecycle.
11. Watch for counterfeit hardware and software.
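As an added example (not from the slides and not Cisco's own tooling), the Python script below shows what "Validation of Product Upon Delivery" from Page 27 and best practices 1, 3 and 11 above (unique identification, provenance, counterfeit detection) look like when done mechanically: a received shipment is checked unit by unit against a vendor-issued manifest. The manifest format, the HMAC-SHA256 integrity tag that stands in for a vendor's real digitally signed manifest, the pre-shared key, and every serial number, model and firmware image are assumptions constructed for the demonstration.

```python
"""Validate a delivered shipment against a vendor-issued manifest.

Added example, not code from the slides or from Cisco. A shipment is accepted
only if the manifest's integrity tag verifies, every received unit's serial is
listed, its model and firmware image hash match the manifest, no serial shows
up twice, and nothing listed is missing. The manifest is authenticated with an
HMAC-SHA256 tag under a pre-shared key (an assumption standing in for a vendor's
real digitally signed manifest). Every serial, model, image and key below is
constructed sample data.
"""
import hashlib
import hmac
import json

# Assumed pre-shared key agreed with the vendor out of band (constructed).
VENDOR_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed firmware images: the genuine one and a tampered copy.
GOOD_FW = b"constructed firmware image v1.0"
TAMPERED_FW = GOOD_FW + b"\x90\x90"


def canonical(body: dict) -> bytes:
    """Stable JSON encoding so the tag covers exactly what the receiver checks."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(body: dict, key: bytes) -> dict:
    """Vendor side: attach an HMAC-SHA256 integrity tag to the manifest body."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Receiver side: constant-time comparison of the recomputed tag."""
    expected = hmac.new(key, canonical(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def validate_delivery(manifest: dict, received: list, key: bytes) -> list:
    """Return (serial, finding) pairs; an empty list means the shipment is accepted."""
    if not manifest_is_authentic(manifest, key):
        # Nothing else can be trusted if the manifest itself was altered.
        return [("*", "manifest integrity tag does not verify; reject shipment")]
    expected = {u["serial"]: u for u in manifest["body"]["units"]}
    findings, seen = [], set()
    for unit in received:
        serial = unit["serial"]
        if serial in seen:
            findings.append((serial, "duplicate serial in shipment (possible clone)"))
            continue
        seen.add(serial)
        if serial not in expected:
            findings.append((serial, "serial not in manifest (possible counterfeit or substitution)"))
            continue
        want = expected[serial]
        if unit["model"] != want["model"]:
            findings.append((serial, f"model mismatch: got {unit['model']}, manifest says {want['model']}"))
        if hashlib.sha256(unit["firmware"]).hexdigest() != want["firmware_sha256"]:
            findings.append((serial, "firmware hash mismatch (possible malicious modification)"))
    for serial in sorted(expected.keys() - seen):
        findings.append((serial, "listed in manifest but not delivered (short shipment)"))
    return findings


def sample_manifest() -> dict:
    """Constructed manifest for three switches on one purchase order."""
    body = {
        "po": "PO-12345",
        "units": [
            {"serial": f"SN-000{i}", "model": "SW-48P",
             "firmware_sha256": hashlib.sha256(GOOD_FW).hexdigest()}
            for i in (1, 2, 3)
        ],
    }
    return sign_manifest(body, VENDOR_KEY)


def sample_shipment() -> list:
    """Constructed delivery: one good unit, one tampered, one cloned serial, one unordered."""
    return [
        {"serial": "SN-0001", "model": "SW-48P", "firmware": GOOD_FW},
        {"serial": "SN-0002", "model": "SW-48P", "firmware": TAMPERED_FW},
        {"serial": "SN-0002", "model": "SW-48P", "firmware": GOOD_FW},
        {"serial": "SN-0009", "model": "SW-48P", "firmware": GOOD_FW},
    ]


if __name__ == "__main__":
    for serial, finding in validate_delivery(sample_manifest(), sample_shipment(), VENDOR_KEY):
        print(f"{serial}: {finding}")
```

Run against the constructed shipment, the check reports SN-0002 twice (tampered image, then a second unit carrying the same serial), SN-0009 as not on the manifest, and SN-0003 as short-shipped; a manifest whose body was altered after tagging is rejected outright before any unit is examined. In a real receiving process the key-based tag would be replaced by verification of the vendor's signature, and the firmware hash would come from the device itself rather than from a file handed over with it.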

Page 29:

We Want:

1. Vendors who are on par with us in security
2. 3rd Party Program with staffing
3. Risk Management overview (Threat * Vulnerability * Impact = Risk)
4. Once a year Red Team exercise
5. An inventory of where our sensitive data sits
6. Least privilege enforcement for sensitive data
7. Audit of who has rights to what; Separation of Duties too
8. Code review of sensitive applications
9. Someone to read NIST 800-161 Appendix A SCRM Control Summary “High Baseline”
10. Someone to read NIST 800-161 Appendix B Relevant Controls. NIST 800-161 is 185 pages
11. Learn from your peers in other states: lessons learned
12. Monitoring of key risks like checks being cut, infrastructure (water, power), and websites key to day-to-day operations
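Items 5 through 7 above (an inventory of where sensitive data sits, least-privilege enforcement, an audit of who has rights to what, and separation of duties) can be checked mechanically once the role model and the actual grants are in hand. The following is an added example, not from the slides or from Cisco: the data inventory, role model, separation-of-duties rules and granted entitlements are constructed sample data, and the field layout is an assumption. It flags grants that exceed a user's role, ranked by the classification of the data they expose, and users who hold both halves of a toxic combination such as creating a vendor record and approving payments to it (the "checks being cut" risk in item 12).

```python
"""Audit granted entitlements for least-privilege and separation-of-duties gaps.

Added example, not code from the slides or from Cisco. Inputs are an inventory
of which systems hold sensitive data, a role model saying what each role
legitimately needs, the grants actually present in the systems, and a list of
toxic combinations. The audit reports (a) grants that exceed the user's role,
ranked by the classification of the data they expose, and (b) users holding
both halves of a toxic combination, such as creating vendor records and
approving payments to them. Every user, role, system and rule is constructed.
"""
from collections import defaultdict

# Where sensitive data sits (constructed): system -> classification.
DATA_INVENTORY = {
    "vendor_master": "confidential",
    "payments": "restricted",
    "hr_records": "restricted",
    "wiki": "internal",
}
SEVERITY = {"restricted": 0, "confidential": 1, "internal": 2, "unclassified": 3}

# Role model (constructed): the entitlements each role needs and nothing more.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {("vendor_master", "write"), ("payments", "create")},
    "ap_manager": {("vendor_master", "read"), ("payments", "approve")},
    "engineer": {("wiki", "write")},
}

# Toxic combinations (constructed): one person holding both can pay a fake vendor.
SOD_RULES = [
    (("vendor_master", "write"), ("payments", "approve")),
    (("payments", "create"), ("payments", "approve")),
]

# Grants pulled from the systems (constructed): (user, role, system, permission).
GRANTS = [
    ("alice", "ap_clerk", "vendor_master", "write"),
    ("alice", "ap_clerk", "payments", "create"),
    ("alice", "ap_clerk", "payments", "approve"),    # beyond role, and an SoD conflict
    ("bob", "ap_manager", "payments", "approve"),
    ("bob", "ap_manager", "vendor_master", "read"),
    ("carol", "engineer", "wiki", "write"),
    ("carol", "engineer", "hr_records", "read"),     # beyond role, on restricted data
]


def audit(grants, roles, sod_rules, inventory):
    """Return {"excess": [...], "sod": [...]} for the given grants."""
    held = defaultdict(set)          # user -> set of (system, permission) actually held
    excess = []
    for user, role, system, perm in grants:
        held[user].add((system, perm))
        if (system, perm) not in roles.get(role, set()):
            excess.append((user, system, perm, inventory.get(system, "unclassified")))
    # Most sensitive data first so the review queue starts with the worst exposures.
    excess.sort(key=lambda e: (SEVERITY[e[3]], e[0]))
    # SoD is evaluated on what a user actually holds, not on what the role says.
    sod = [
        (user, a, b)
        for user, ents in held.items()
        for a, b in sod_rules
        if a in ents and b in ents
    ]
    return {"excess": excess, "sod": sod}


if __name__ == "__main__":
    report = audit(GRANTS, ROLE_ENTITLEMENTS, SOD_RULES, DATA_INVENTORY)
    for user, system, perm, cls in report["excess"]:
        print(f"excess: {user} has {perm} on {system} ({cls})")
    for user, a, b in report["sod"]:
        print(f"SoD conflict: {user} holds {a} and {b}")
```

Two design points carry over to a real audit: the separation-of-duties check runs on the entitlements a person actually holds, so a grant that slipped in outside the role model is still caught, and findings are ordered by the data inventory's classification so the restricted systems are reviewed first.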

Page 30:

Why are IT devices Counterfeited and Sold via Secondary Market Channels?

• Profiteering and illegal financial gain
• Conduct Offensive Cyber Operations (example: upon command the device shuts down)
• Conduct Computer Network Exploitation (traffic shaping, data diversion)

Page 31:

Striving for ubiquitous communication on any device, anywhere, any time, with assurance

Thank you.

My thanks to Edna Conway, our CTO, who runs Cisco’s Supply Chain Security Group and who let me use many of her slides.