Reducing Cybersecurity Risks in the Supply Chain · 2018. 6. 20.
TRANSCRIPT
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Jeff Fawcett, Advanced Services Director
Jeff’s Opinion (Not Cisco’s) Regarding Other Nation States
Reducing Cybersecurity Risks in The Supply Chain
Introductions…
Supply Chain Security:
Supply chain security management is the application of policies, procedures, and technology to protect supply chain assets (product, facilities, equipment, information and personnel) from theft, damage, or terrorism, and to prevent the introduction of unauthorized contraband or of people intending to commit fraud, theft, or other illegal activities.
It is not an IT problem, but a sourcing, vendor management, supply chain continuity, and security challenge.
Agenda
• What are the Most Common and Dangerous Risks
• What are the Challenges of Mitigating Them
• Programs and Mitigation to Achieve Your Objectives
• Practical Examples Like Programs, Segmentation, Authentication, and Monitoring
What Are The Most Common and Dangerous Risks For Your Own Vendors, Suppliers, and Contractors
There Are 4 Key Areas of Impact to Assuring our Commercial Off the Shelf (COTS) Supply Chain:
1. Malicious Modification/Substitution of Technology
2. Counterfeit Products (free, left on your shipping dock)
3. Security in Times of Supply Chain Disruption
4. Misuse of Intellectual Property (Chinese Switches and Routers)
Examples:
1. Fake Drugs (80% plus on Internet)
2. Social Engineering to write checks to criminals
3. Getting inside your CritSit environments like water and power. (Russian, Iranian)
4. Audience, more examples? Digital Signage, Dams, Roads
Understand who and what provides value to you and what is made in China or Russia. DHS wants to include security in supply chain….
Top 9 Emerging Risks For Supply Chain Risk Management (SCRM)
1. Politics (just Jeff’s view – Iran in Utilities; Russia in Election Servers; China in Space)
2. Cyber (who is mad at us this week)
3. National Disaster (where do we get large generators from? 12 month waiting list)
4. Infrastructure (Water, Power, Roads, Airports, Hospitals)
5. Workforce (Insider vs hacker owning insider’s machine)
6. Environment (Dams, Refineries, etc)
6. Regulatory Compliance
7. Suppliers
8. 3rd Party Vendors
9. DHS Regulatory Requirements - They want to integrate cyber vetting into Supply Chain checks. Feb 2018
Major Security Challenges:
1. Supply Chain involves many players
2. Multiple modes of transport
3. Various types of intermediaries
4. Several government agencies
5. Complexity of the system leads to challenges
6. Compliance Procedures
7. The Human element… maybe even Politics.
Emerging Security Challenges: What Supply Chains Must Address
Increasing:
• Complexity of the network
• Privacy protected content
• Risk of a compromised network
• Network attack sophistication
• Focus on Supply Chain
End-point security is not enough
Agenda
• What are the Most Common and Dangerous Risks
• What are the Challenges of Mitigating Them
• Programs and Mitigation to Achieve Your Objectives
• Practical Examples Like Programs, Segmentation, Authentication, and Monitoring
• Three Cisco Things You Can Do (ISE, Umbrella, Segmentation)
12 Elements of Supply Chain Security Guidelines:
1. Physical Security
2. Risk Analysis
3. Access Control
4. Communicative Ecosystem that is integrated
5. Business Partner Security
6. Incident Management / Investigations
7. Crisis Management and Disaster Recovery
8. Education and Training Awareness
9. Documentation Processing Security
10. Information Security
11. Personnel Security
12. Procedural Security
NIST Best Practices In Cyber Supply Chain Risk Management White Paper….
Third Party Risk
• Share of organizations that have experienced a data breach as a result of negligent or malicious employees
• Share of organizations that say third party mishaps were the root cause of incidents in the last 1-2 years
Figures shown on the slide: 32% and 78%
Third Party Risk Management
Interconnected business relationships increase the impact of risks and need to be actively managed.
Programmatic Approach to Managing Third-Party Risk
Why Create a Program?
• Interconnected business relationships increase the impact of risks and need to be managed
• Regulator scrutiny is increasing
• Compliance and contractual obligations are more demanding
• Boards are increasingly aware of third-party risk issues
• Gaps exist in traditional audits and certifications (SOC 2, ISO 27001)
• To ensure the maximum reduction in risk from the investment
Common Challenges to In-House Program Development
• Budget pressures
• Staff is already over-burdened
• A unique combination of security, risk management, program management, and vendor relationship skills is required
• The risk environment is constantly evolving
• Emerging risk is not well understood
Sample Risk Summary: Any businesses you are working with having money issues? If so, likely to cut corners around cybersecurity…
Vendor Risk Distribution
Sample Scorecard:
Third-Party Assessments – Quarterly Scorecard for Q4 FY12

Q4 FY12
Vendor      BU    High    Medium
Vendor 1          13      10
Vendor 2          10      2
Vendor 3          3       1
Vendor 4          1       4
Vendor 5          0       9

Lifetime to Date
Vendor      BU    High    Medium    Trend
Vendor 1          13      10
Vendor 7          10      2
Vendor 4          3       1
Vendor 12         1       4
Vendor 8          0       9

            High    Med
Open        59      90
Closed      0       0
Total       59      90

(The BU and Trend column values are not recoverable from the slide as extracted.)
Control Summary
Supply Chain Security Areas of Discipline
(Diagram repeated across ten slides, each highlighting one discipline. Lifecycle stages across the top: Plan / Order, Design / Develop, Source, Make, Quality, Delivery, Service / EOL. Rows: Security Technology Innovation; Physical Security Practices; Logical Security Processes.)
Disciplines highlighted, one per slide:
• Secure Development
• Information Exchange and Access Controls
• Physical Plant Security
• Talent Security and Integrity
• Supplier Resiliency and Crisis Management
• Protection of High Value/IP Containing Components and Finished Goods
• Logistics Security
• Fabrication Security
• Scrap Management
• Service & EOL Security Management
Procurement Best Practices to Minimize Risk
Procurement is an important part of overall security strategy
• Procurement Language – Defining the requirements and criteria
  - Suppliers are Authorized Partners
  - Require Partners Purchase from Either Cisco Direct or through a Cisco Authorized Distributor in the United States
  - Consider Partner Certifications
  - Validation of Product Upon Delivery
• Log and Maintain All IT Records
11 Best Practices in SCRM (NIST Interagency Report 7622)
1. Uniquely identify supply chain elements, processes, and actors.
2. Limit access and exposures within the supply chain.
3. Establish and maintain the provenance of elements, processes, tools, and data.
4. Share information with strict limits
5. Perform SCRM awareness training
6. Use defensive designs for systems, elements, and processes.
7. Perform continuous Integrator review
8. Strengthen delivery mechanisms
9. Assure sustainment activities and processes.
10. Manage disposal and final disposition activities throughout the system or element lifecycle
11. Watch for counterfeit hardware and software
We Want:
1. Vendors who are on par with us in security
2. 3rd Party Program with staffing
3. Risk Management overview (Threat * Vulnerability * Impact = Risk)
4. Once a year Red Team exercise
5. An inventory of where our sensitive data sits
6. Least privilege enforcement for sensitive data
7. Audit on who has rights to what; Separation of Duties too
8. Code review of sensitive applications
9. Someone to read NIST 800-161 Appendix A SCRM Control Summary “High Baseline”
10. Someone to read NIST 800-161 Appendix B Relevant Controls. NIST 800-161 is 185 pages
11. Learn from your peers in other states – lessons learned
12. Monitoring of key risks like checks being cut, infrastructure (water, power), and websites key to day-to-day operations
Why are IT devices Counterfeited and Sold via Secondary Market Channels?
• Profiteering and illegal financial gain
• Conduct Offensive Cyber Operations
  - Example: Upon command the device shuts down
• Conduct Computer Network Exploitation
  - Traffic shaping
  - Data diversion
Striving for ubiquitous communication on any device, anywhere, any time with assurance
Thank you.
My thanks to Edna Conway our CTO who runs Cisco’s Supply Chain Security Group and who let me use many of her slides.