SUPPLY CHAIN CYBERTHREATS TO THE US ENERGY SECTOR

Cynthia James, CISSP, Global Director Business Development Technical Alliances

Upload: kaspersky-lab

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Supply Chain Threats to the US Energy Sector

SUPPLY CHAIN CYBERTHREATS TO THE US ENERGY SECTOR

Cynthia James, CISSP, Global Director Business Development Technical Alliances

Page 2

AGENDA

SUPPLY CHAIN MAPPING…AND RECONNAISSANCE

SUPPLIERS: LACK OF LEVERAGE & COMMUNICATION CHALLENGES

GOVERNMENT GUIDANCE, POLICY, LAW: ENERGY VS ELECTRIC VS NUCLEAR

DEVELOPING THE IDEAL CYBERSECURITY POSTURE

FINAL RECOMMENDATIONS

Page 3

THE SUPPLY CHAIN MAP

[Diagram: the secure energy facility at the centre, with its suppliers placed at 1, 2 and 3 degrees of separation: equipment, boards, apps, a reseller, a critical provider, a branch, landscaping, a paper supplier and a SW consultant (shown as a malicious insider). Phishing attacks are marked as the entry route. Customers: who do we supply?]

Is there bi-directionality? If so, what data or access?
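To turn the map into something you can query, here is an added Python example (not from the deck) that models a constructed supply chain as a graph, computes each party's degree of separation from the facility, and lists the chains of bi-directional access through which a compromised second- or third-degree supplier could reach back in. All party names and access labels are placeholders.

```python
from collections import deque

# Constructed sample map, loosely following the deck's slide 3: a secure
# energy facility and its suppliers at one, two and three degrees. Each edge
# runs from a party to the supplier it depends on and records what access the
# supplier has *back* into that party (the slide's "bi-directionality"
# question), or None if the relationship is one-way. All names are placeholders.
SUPPLY_MAP = {
    ("facility", "equipment_vendor"): "remote maintenance VPN",
    ("facility", "sw_consultant"): "engineering workstation logins",
    ("facility", "landscaping"): None,
    ("facility", "branch_office"): "shared Active Directory",
    ("equipment_vendor", "board_maker"): None,
    ("equipment_vendor", "reseller"): "firmware update feed",
    ("sw_consultant", "apps_provider"): "build server access",
    ("branch_office", "paper_supplier"): None,
    ("apps_provider", "hosting_provider"): "admin console",
}

def degrees_from(root, supply_map):
    """Breadth-first walk outward from the facility along its dependencies.
    Returns {party: degree of separation}; the facility itself is degree 0."""
    adj = {}
    for dependant, supplier in supply_map:
        adj.setdefault(dependant, []).append(supplier)
    degree = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in degree:  # first visit along BFS = shortest path
                degree[nxt] = degree[node] + 1
                queue.append(nxt)
    return degree

def inbound_access_paths(root, supply_map):
    """Chains of bi-directional links that lead back into the facility.
    A supplier only matters as an entry point if every hop between it and
    the facility grants some access into the next party along the chain.
    Returns a list of (parties, accesses) pairs, one per such chain."""
    inbound = {(d, s): acc for (d, s), acc in supply_map.items() if acc}
    paths = []
    def walk(node, parties, accesses):
        for (d, s), acc in inbound.items():
            if d == node and s not in parties:
                paths.append((parties + [s], accesses + [acc]))
                walk(s, parties + [s], accesses + [acc])
    walk(root, [root], [])
    return paths
```

One-way suppliers such as landscaping never appear in an access chain, which is the point of asking the bi-directionality question before spending review effort on them.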

Page 4

RECONNAISSANCE: SUPPLY CHAIN MAPPING

• RFQs…press releases or any public notification
• Conferences & Working Groups
  • Speakers make technology references & recommendations
  • Vendor criteria
• Jobs available
• Profiles of employees
  • Experience, background
• Blogs about company policies, etc.
• Information shared by others about you
• What is your supply chain saying?
  • “XYZ Energy is a customer” or “we now adhere to these specs”
• Filling in the gaps
• An opportunistic infection

Page 5

LOWER YOUR RECONNAISSANCE PROFILE

Raise awareness, reduce specifics

Management oversight of profiles; request that certain details are omitted

Set up Google search alerts for key phrases

Boost awareness of the issue in the company - start at stakeholder level?

Create a recon profile and circulate it

Note: going “stealth mode” with on-line resumes helps the organization but not the individual (legally employers can’t interfere with your job search)

Page 6

SUPPLIERS HAVE SUPPLIERS WHO HAVE SUPPLIERS WHO…

Page 7

SUPPLY CHAIN ATTACK EXAMPLES

HAVEX – infecting software updates (ICS)

IceFog –
v1: hitting Western companies through entry points in Asia – mostly defense
v2: oil & gas in the US (using Java)
Most likely cyber mercenaries

“Watering Hole attack”

ICS-CERT & NCCIC Monitor: 79% of all 2014 attacks were on Energy; infection vector for the majority was unknown

Page 8

LEVERAGE AND COST: DIRECTLY ASSOCIATED

How much leverage do you have now with suppliers?

Do you need it? (Are they already compliant?)
Can you require compliance or request it?
Can you conduct reviews remotely?

Site review: what they say they do; probability of them doing it; to what degree?; risk represented by them not doing it

Where customizations of practice are required, compliance and cost may be affected: added testing, collection, analysis, data protection. But…it doesn’t cost to ask (and it’s always better to know)

Page 9

OUR COMMUNICATION CHALLENGE

[Diagram: few groups talking to each other – government agencies (1999), the cybersecurity industry, infosec journalists, nuclear, SCADA, IT, chemical, defense etc., mainstream journalists, with the years 2006, 2010 and 2015 marked – set against the total lexicon in existence describing all things cybersecurity related]

Just for “supply chain”: ICT, SCRM, ICT SCRM (NIST favors), cyber supply chain, cyber supply chain security, supply chain risk management, EDM (DoE/DHS favors)*

* paper in 2014, Nadya Bartol, Utilities Telecom Council

So…when NIST says “ICT SCRM” it’s the same as when DHS/DoE say: “EDM”

Page 10

WORD GAMES…

2009 – the word cybersecurity starts being used*
2009 – NERC first uses the term “Critical Cyber Assets”

Current terms used for “supply chain”:*
Information and Communication Technology (ICT) Supply Chain Risk Management (SCRM)
Information and Communication Technology (ICT) supply chain security
Supply Chain Risk Management
Cyber supply chain
Cyber supply chain security
Cyber supply chain risk management

Finally in 2014: “External Dependencies Management” (EDM), in the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) by DoE/DHS. Although NIST SP800-161, the mother of all such docs (282 pages, dedicated to supply chain, 2015), currently calls it ICT SCRM

*paper in 2014, Nadya Bartol, Utilities Telecom Council

Page 11

THE PROBLEM WITH NEW LANGUAGES…

• Agreeing on terms and usage
• Collaborating across sectors and supply chain organizations
• Sharing cyber incident information
• Defining best practices which underlie multiple sectors
• Educating across sectors

Recommendation: be sure to reference the document with the definitions you are applying

Page 12

GOVERNMENT REGULATION AND “GUIDANCE”

Electric utilities and Nuclear – the only CI with “mandatory” cybersecurity standards enforceable through FERC & NRC

US NRC – US Nuclear Regulatory Commission

NEI – Nuclear’s “policy organization”

FERC – Federal Energy Regulatory Commission

NERC – North American Electric Reliability Corporation – FERC policy org; rules became effective 2014, compliance by 2016 and 2017

Page 13

SUMMARY OF GOVERNING RULES

• NERC Reliability Standards are mandatory within the US
• These include CIP (Critical Infrastructure Protection) rules which address the security of cyber assets “essential to the reliable operation of the electric grid”
• CIP first released in 2008; the latest ones were approved by FERC in 2013 (v5) – enforceable by April 2016, some in 2017
• The Code of Federal Regulations (law) which is applicable to all Energy is Title 10 CFR (“Energy”). But no laws about cybersecurity except for Chapter 1.
• Chapter 1 of that contains rules set forth by the Nuclear Regulatory Commission. Section 73 covers “physical protection of plant and resources”; 73.54 covers the information systems part of that: https://www.law.cornell.edu/cfr/text/10/73.54
• Nuclear Energy Institute 08-09, April 2010, Cyber Security Plan for Nuclear Power Reactors, with heavy reference to 10 CFR 73.54

Page 14

NEW GUIDELINES TO FOLLOW – ENERGY

• “The Energy Department released guidance to help the energy sector establish cybersecurity risk management programs” (energy.gov)
• This was: the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) of February 2014. “Developed by the Department of Energy and contributors…and other government agencies” (jointly published with DHS) “to help critical infrastructure organizations evaluate and potentially improve their cybersecurity practices. As this section demonstrates, using the C2M2 also provides a means for any energy sector organization to implement the NIST Cybersecurity Framework.”
• Nuclear: follow NEI 08-09

Page 15

DEPARTMENT OF ENERGY “ES-C2M2”

Provides: “an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.”

• One component = “Supply Chain or External Dependencies Management” (EDM), which covers:
  • Asset Management (catalogue, prioritize)
  • Business Environment (roles defined and ranked)
  • Dependencies and critical functions for delivery of critical services and product are established

Now you have a list of External Dependencies…

Page 16

ES-C2M2

External dependencies must be managed contractually:

a.) vendor responsibilities (reference specific standards: RM-1c)
b.) auditing rights and monitoring
c.) sharing of cybersecurity “threat information”
d.) reporting of cyber incidents
e.) must adhere to a defined risk assessment process

Page 17

ES-C2M2 DESCRIPTION OF RISK

• Security of products varies widely
• How was SW developed? What code input?
• Counterfeit HW or malware injection
• RFPs don’t specify detailed security or QA
• Utility branches granted leeway in procurement

Not to forget: security capabilities of organizations vary widely

Page 18

NEI 08-09 CYBERSECURITY PLAN FOR NUCLEAR

11.2 SUPPLY CHAIN PROTECTION

“This security control protects against supply chain threats by employing the following measures…to maintain the integrity of the CDAs that are acquired:
1. Establishment of trusted distribution paths,
2. Validation of vendors, and
3. Requirement of tamper proof products or tamper evident seals on acquired products.” (NEI April 2010)

Page 19

CYBERSECURITY PLAN BASED ON NEI 08-09: GOALS

Procure CDA products and software from vendors who practice good cyber security and are capable of implementing NEI 08-09, Rev. 6 controls

Negotiate with vendors to ensure their environment and products are secure

Develop a program to ensure that products received are secure*

* Author: Barbara Weber, Sheffield Scientific, LLC, Senior Cyber Security [email protected]

Page 20

EXPECTATIONS OF CDA SUPPLIERS

Should be operating at the same level of security as the plant itself:
• Establish a secure developing and operating environment
• Verify staff is trustworthy
• Verify they are managing their suppliers
• They are obligated to patch vulnerabilities in products or services provided
• All received products are hardened
• Access Control is managed

Note: 10 CFR 74.53 comparable to NQA-1

Author: Barbara Weber, Sheffield Scientific, LLC, Senior Cyber Security [email protected]

Page 21

TO BEGIN THE PROCESS…

• Perform an evaluation (mini-risk assessment/risk analysis) on top priority suppliers
• Identify security gaps
• Evaluate partnership versus their security weaknesses: What upgrades possible? What auditing rights? What level of priority? What cost?
• Periodically audit and reevaluate

Page 22

SUPPLY CHAIN SHOULD COMPLY TO WHAT LEVEL?

• Many aspects of supply chain management are their own mature specialties with expertise, tools, processes – e.g., software assurance or the receiving/testing of goods. These need to be integrated at the level which makes sense
• Is it better to use a supplier who already has adequate security in place?
• Cybersecurity challenges grow so much faster than guideline adoption by regulatory agencies (so far)

Page 23

THE “IDEAL” SUPPLY CHAIN SECURITY POSTURE

Locating the best information depends upon goals

Are organization goals to find:
• Easiest to implement? Fastest? Cheapest? Best?
• Easiest to get stakeholders to agree to?

Do we search:
• Compliance
• Guiding principles (not compliance yet)
• Search by terms
• Search by agency

Most important: compliance
Next level: best security practices

Page 24

FINAL RECOMMENDATIONS

• Ensure that “supply chain risk” (all external dependencies) is identified and included in your organization’s risk assessments
• Determine the needs/desires of stakeholders in your organization regarding supply chain risk
• Choose between NEI compliance or ES-C2M2
• Identify the best source documents
• Identify supporting documents (like NIST SP 800-161)
• Follow the process
• Repeat! (all suppliers, annually)

Page 25

KASPERSKY LAB PROVIDES BEST IN THE INDUSTRY PROTECTION*

[Bubble chart: score of TOP 3 places (0–100%) against number of independent tests/reviews, for Kaspersky Lab, Bitdefender, Sophos, G DATA, Symantec, F-Secure, Intel Security (McAfee), Trend Micro, Avira, Avast, BullGuard, AVG, ESET, AhnLab, Microsoft, Panda Security, ThreatTrack (VIPRE), Qihoo 360, Kingsoft and Tencent. Kaspersky Lab: 1st places – 51; participation in 93 tests/reviews; TOP 3 = 71%]

In 2014 Kaspersky Lab products participated in 93 independent tests and reviews. Our products were awarded 51 firsts and received 66 top-three finishes.

* Notes:
• According to summary results of independent tests in 2014 for corporate, consumer and mobile products.
• Summary includes tests conducted by the following independent test labs and magazines: Test labs: AV-Comparatives, AV-Test, Dennis Technology Labs, MRG Effitas, NSS Labs, PC Security Labs, VirusBulletin
• The size of the bubble reflects the number of 1st places achieved.

Page 26

THANK YOU! QUESTIONS?

Cynthia James – [email protected]
Kaspersky Lab Technology Alliances & Business Development