Cyber supply chain risk management (ASDE) transcript
© Stratsec.net Pty Ltd trading as BAE Systems Detica (2013). All rights reserved.
BAE SYSTEMS and DETICA are trade marks of BAE Systems plc.
Cyber security risks in your supply chain
ASDE WA Chapter
Version 1.0, 24th October, 2013
Aaron Doggett, BAE Systems Detica, WA Regional Manager
What is this about?
• Risks to cyber supply chains, and their real-world implications
• Disruption
• Theft
• Failure of output
• Security of commercial and bespoke capabilities
• National defence and economic significance
What is this about?
• “Governments and commercial organizations worldwide continue to voice concerns over the need to ensure the security of commercial technology products and the integrity of the world’s technology supply chains while maintaining a diverse range of technology options and preserving innovation.”
- Open Group White Paper
Supply chain risk management
• “Supply chain risk management (SCRM) is a discipline of risk management which attempts to identify potential disruptions to continued manufacturing production and thereby commercial financial exposure”
- Institute of Risk Managers; International Journal of Physical Distribution & Logistics Management
A sample global supply chain
Diagram: a sample global supply chain, showing the stages Product design, Chip design, Chip manufacture, Component manufacture, Product assembly, Software design and Product use.
SCRM for Defence & cyber security
• SCRM in Defence has a number of angles:
• Defining operational capability and readiness
• Once operational, takes a logistical focus
• Focus on capability and resiliency
• SCRM as a product or service supplier:
• Support the customer’s supply chain requirement
• Cost, efficiency, integrity, resiliency of own supply chain
• SCRM in cyber security:
• Macro (geo-political) concerns about integrity
• Risks associated with supplier and component compromise
Why applicable to this group
• SCRM in a cyber security sense has real world implications
• Increasing number of cases resulting in:
• Theft of intellectual property
• Direct commercial advantage
• Brand/reputational damage
• National damage
• Increasingly, attacks are held against a component of the supply chain, not the end entity
• Does pose a concern to national security, national economy and specific industry
• Generally, is a concern for Defence & Defence suppliers
To consider
• Stages of a product lifecycle
• Development & manufacturing
• Delivery
• Configure & deploy
• Use / run
• End of life & disposal
• Whilst the ‘run’ stage is where we have the greatest control, do we pay enough attention in the other areas?
Slide annotations over the lifecycle stages: “Where the greatest widescale attack could occur (unnoticed)”; “Where a targeted attack could occur (and go unnoticed)”; “Where the security industry typically focuses its attention”.
What we are seeing
• Increasing public accounts of industrial espionage using ‘cyber’ as an attack vector
• Increasing attacks on the supply chain due to:
• Weaker links / softer targets than the end entity
• Ability to achieve deeper and wider penetration
Do any of your customers think that this is you?
Which of your vendors/suppliers is this?
Geo-politics of this problem are not new
Recent breaches have SCRM at their core
February 2012. VeriSign was “hacked repeatedly by outsiders who stole undisclosed information from the leading internet infrastructure company” in 2010. (smh.com.au)
“security breaches … were not sufficiently reported to management” – Verisign SEC Filing
March 2011. RSA compromised by an “Advanced Persistent Threat”, stealing data related to the SecurID authentication system.
“It is likely that RSA growth will remain a bit slower as remediation efforts continue” - David Goulden, EMC CFO
May 2011. Lockheed Martin was hit with a “significant and tenacious” cyber attack, using the breached RSA SecurID authentication data.
"The fact is, in this new reality, we are a frequent target of adversaries around the world." - Sondra Barbour, CIO
April 2011. DELL Australia’s customer data was compromised, during a breach of US-based e-mail service provider Epsilon. (Also affected Barclays Bank, Citigroup, JPMorgan Chase, Visa, Marriott International, Kraft, Tivo and others).
“China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal.” - Bloomberg
Slide callouts:
• An infrastructure company is compromised. They are important to you. Fingers crossed.
• An infrastructure company is compromised. They are important to you. Fingers crossed.
• The infrastructure breach gets used against you.
• Your supplier gets compromised; your data gets stolen.
• Your supplier gets compromised; is your data taken?
More examples - consumer & non-targeted
*Sample entries taken from the US Resilience Project
Two recent examples of attacks on supply chains
• NY Times website (end of August 2013)
• Attack left website unavailable for close to a day
• How performed*
• Attacker targets reseller of domain names (personnel divulge their company email addresses and passwords)
• Attacker logs into email accounts (identifies details of customers, including usernames & passwords)
• Attacker changes domain registry to personal cause (legitimate website unavailable)
• Attack via an Indian ISP, against a US reseller of an Australian company (that provides domain name services), and disrupts a global company!
*The Australian, 29/08/2013
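The NY Times case ended with a changed domain registration that sent visitors elsewhere. A detective control a defender can run against that outcome is to keep an approved baseline of each domain's delegation (its NS records) and alert when a fresh lookup disagrees. The script below is an added example, not code from the presentation or from any party named in it; the domains, nameservers and record lines are constructed in the text format `dig` prints, and no network lookup is performed.

```python
"""Detect drift between approved and observed NS delegation for a set of domains.

Added illustration for the domain-registration tampering described above;
not part of the original presentation. All domains and nameservers below are
constructed placeholders.
"""
import re

# Matches one dig-style answer line: "<name> <ttl> IN NS <nameserver>"
NS_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+NS\s+(?P<ns>\S+)$")


def parse_ns_records(text: str) -> dict:
    """Return {domain: set(nameservers)} from dig-style lines.

    Comment lines (starting with ';') and blank lines are ignored. Names are
    lower-cased and the trailing dot is stripped so cosmetic differences in
    how a resolver prints them do not raise false alerts.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = NS_LINE.match(line)
        if not m:
            continue
        domain = m.group("name").lower().rstrip(".")
        ns = m.group("ns").lower().rstrip(".")
        result.setdefault(domain, set()).add(ns)
    return result


def ns_drift(baseline: dict, observed: dict) -> dict:
    """Compare observed delegation against the approved baseline.

    Returns {domain: {"added": [...], "removed": [...]}} for every baseline
    domain whose nameserver set differs. A domain missing from the observed
    snapshot is reported with all of its baseline servers 'removed', because a
    lookup failure or a vanished delegation deserves attention as well.
    """
    alerts = {}
    for domain, expected in baseline.items():
        seen = observed.get(domain, set())
        added = sorted(seen - expected)
        removed = sorted(expected - seen)
        if added or removed:
            alerts[domain] = {"added": added, "removed": removed}
    return alerts


# Constructed baseline recorded when the domains were onboarded (hypothetical).
BASELINE_TEXT = """
; approved delegation
example-news.test.   3600 IN NS ns1.registrar.test.
example-news.test.   3600 IN NS ns2.registrar.test.
example-shop.test.   3600 IN NS ns1.registrar.test.
example-shop.test.   3600 IN NS ns2.registrar.test.
"""

# Constructed later snapshot: example-news.test now points at unapproved servers,
# example-shop.test is unchanged apart from ordering and case.
OBSERVED_TEXT = """
;; ANSWER SECTION:
example-news.test.   300  IN NS NS1.unapproved-host.test.
example-news.test.   300  IN NS ns2.unapproved-host.test.
example-shop.test.   3600 IN NS ns2.registrar.test.
example-shop.test.   3600 IN NS ns1.registrar.test.
"""


def run_check() -> dict:
    """Run the drift check over the constructed snapshots."""
    return ns_drift(parse_ns_records(BASELINE_TEXT), parse_ns_records(OBSERVED_TEXT))


if __name__ == "__main__":
    for domain, change in run_check().items():
        print(f"ALERT {domain}: added={change['added']} removed={change['removed']}")
```

In practice the observed snapshot would come from a scheduled lookup against the parent zone's servers (so a poisoned local resolver cannot hide the change), and the alert would be paired with a registrar lock on the domain, which is the preventive counterpart to this detective check.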
Two recent examples of attacks on supply chains
• RSA breach (mid-2011)
• Resulted in the theft of SecurID seed data
• How performed*
• April 2011 – targeted email to EMC employees.
• Excel attachment, embedded Flash (zero-day), drops ‘Poison Ivy’ backdoor.
• Remote access to workstation and network shares.
• Obtained SecurID seed data.
• Then (purportedly) used to attack Defence contractors.
• Prior to this event, how many people would have had the risk to the seed data for their RSA tokens (used for remote access) on their corporate risk register?
*F-Secure, 26/08/2011
The ‘advanced threat’
• For the past few years, the phrase ‘advanced persistent threat’ (or APT) has been with us
• Typically associated with gaining and maintaining access to high profile / value targets, often over many years
• Well resourced, highly skilled entities (search APT1, Hidden Lynx for examples)
• Difficult to protect against due to the targeted nature of attacks and often superior sophistication
• Relevant to the Defence space due to the appeal of the target to nation states or supported entities
• Represents a clear targeted attack
• New vector for traditional espionage activities?
Responses (Macro level) – WEF Report on SCRM
• Primarily about physical supply chains… but the issues identified, and the implications, are equally as applicable to cyber security.
WEF Report on SCRM
• “Trends such as globalization, lean processes and the geographical concentration of production have made supply chain networks more efficient, but have also changed their risk profile.”
• “Recent high-profile events have highlighted how risks outside the control of individual organizations can have cascading and unintended consequences that cannot be mitigated by one organization alone.”
WEF Report on SCRM
US SCRM Focus
• 2012 US Defense Budget contains ~$1.2BN for Cyber Security, focusing on:
• Increase funding for the training of cyber analysts.
• Improving Global Information Grid-wide situational awareness.
• Developing pilot programs for supply chain risk management.
• Improving intrusion detection and analysis.
US SCRM Focus
• Office of the Secretary for Defense 2012 Budget Estimates
• US Department of Homeland Security
Aus SCRM Focus
• Cyber security and SCRM are generally not linked in any public directives
• 2013 Defence whitepaper:
• Building and maintaining pre/operational supply chains
• Promoting Aus entities to be part of international supply chains
• “Innovation in Australian industry must be focused on products that have a clearly defined path into defence capability.”
• Separate points around cyber security, specifically:
• “Australia, the United States and the United Kingdom have committed to developing a comprehensive cyber partnership to address mutual threats and challenges emerging in and from cyberspace.”
Aus SCRM Focus
• Australian Govt Cyber Security Strategy (2009)
• “Promote a secure, resilient and trusted global electronic operating environment that supports Australia’s national interests”
• “Australia is vulnerable to the loss of economic competitiveness through the continued exploitation of ICT networks and the compromise of intellectual property and other sensitive commercial data.”
• “Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers”
Responses (Organisational level) – Board Ownership
• A cyber security breach is no longer an IT problem. It may:
• Create significant reputational damage
• Impact on share price
• Compromise strategic negotiations or transactions
• Provide an opportunity for a class action
• Result in market disclosures and compliance breaches
• Diminish competitive advantage
Supply chain risk management practices - NIST
• Uniquely identify supply chain elements, processes and actors
• Limit access and exposure within the supply chain
• Establish and maintain the provenance of elements, processes, tools, and data
• Share information within strict limits
• Perform SCRM awareness and training
• Use defensive design for systems, elements, and processes
• Perform continuous integrator review
• Strengthen delivery mechanisms
• Assure sustainment activities and processes
• Manage disposal and final disposition activities throughout the life cycle
*NIST IR 7622
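Two of the NIST practices above, establishing provenance of elements and strengthening delivery mechanisms, come down to one concrete check at the receiving end: does what arrived match what the supplier says it built, and is the supplier's statement itself authentic? The script below is an added example written for this transcript, not code from the presentation, from NIST or from BAE Systems Detica. The manifest layout, the supplier name, the file contents and the shared HMAC key are all assumptions made for the example; a real deployment would sign the manifest with the supplier's asymmetric key rather than a shared secret.

```python
"""Verify a delivered component set against a sealed provenance manifest.

Added illustration of the NIST IR 7622 practices "establish and maintain the
provenance of elements" and "strengthen delivery mechanisms". Example code,
not part of the original presentation; the manifest format and the shared key
are assumptions made for this example.
"""
import hashlib
import hmac
import json

# Assumption: supplier and receiver share a key exchanged out-of-band. HMAC is
# used here only to keep the example dependency-free; a production scheme
# would use an asymmetric signature so the receiver cannot forge manifests.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialisation so supplier and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, supplier: str, key: bytes) -> dict:
    """Supplier side: record who built the delivery and a digest per file,
    then seal the record with a MAC so alteration in transit is detectable."""
    body = {
        "supplier": supplier,
        "files": {name: sha256_hex(content) for name, content in sorted(files.items())},
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_delivery(manifest: dict, files: dict, key: bytes) -> list:
    """Receiver side: return a list of findings; an empty list means the
    manifest is authentic and every delivered file matches it exactly."""
    findings = []
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected_mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        findings.append("manifest MAC invalid: manifest altered or wrong key")
        return findings  # nothing else in the manifest can be trusted
    listed = manifest["files"]
    # Walk the union so missing, extra and modified files are all reported.
    for name in sorted(set(listed) | set(files)):
        if name not in files:
            findings.append(f"missing file: {name}")
        elif name not in listed:
            findings.append(f"unexpected file not in manifest: {name}")
        elif sha256_hex(files[name]) != listed[name]:
            findings.append(f"digest mismatch: {name}")
    return findings


# Constructed sample delivery; the contents are placeholders, not real software.
GOOD_DELIVERY = {
    "firmware.bin": b"\x7fELF-example-firmware",
    "installer.sh": b"#!/bin/sh\necho install\n",
}
GOOD_MANIFEST = build_manifest(GOOD_DELIVERY, "Example Components Pty Ltd", SHARED_KEY)


def demo() -> dict:
    """Run the check on an intact delivery and on three tampered variants."""
    tampered = dict(GOOD_DELIVERY, **{"firmware.bin": b"\x7fELF-example-firmware-modified"})
    with_extra = dict(GOOD_DELIVERY, **{"helper.dll": b"not in the manifest"})
    forged_manifest = dict(GOOD_MANIFEST)
    forged_manifest["supplier"] = "Someone Else"  # provenance claim rewritten
    return {
        "intact": verify_delivery(GOOD_MANIFEST, GOOD_DELIVERY, SHARED_KEY),
        "tampered": verify_delivery(GOOD_MANIFEST, tampered, SHARED_KEY),
        "extra": verify_delivery(GOOD_MANIFEST, with_extra, SHARED_KEY),
        "forged": verify_delivery(forged_manifest, GOOD_DELIVERY, SHARED_KEY),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'OK'}")
```

The ordering inside `verify_delivery` matters: the MAC is checked before any per-file comparison, because a manifest that fails authentication says nothing reliable about the files, and a receiver that went on to "verify" against it would be trusting the attacker's digests.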
WEF Report Recommendations
Responses (Individuals)
• Role to influence cyber SCRM will obviously vary
• Consider the value of the product/service to you
• Consider the value to other competitors (to you or your customer if a supplier)
• Look at your work habits, the weaknesses/strengths associated
• Work to identify the weaknesses in your supply chain for your ‘most critical’ product/data/function
• Work backwards from there
• We need to work to prevent compromise from occurring, but more importantly, to detect and recover from it.
Additional resources
• Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, Microsoft, July 2011
• NIST IR 7622 - Notional Supply Chain Risk Management Practices for Federal Information Systems, NIST, October 2012
• World Economic Forum
• New Models for Addressing Supply Chain and Transport Risk, 2012
• Building Resilience in Supply Chains, January 2013
• Cyber Supply Chain Risks, Strategies and Best Practices, Chapter 4, US Resilience Project, 2011.
Contact details BAE Systems Detica
Suite 1, 50 Geils Court
Deakin ACT 2600
Australia
Tel: +61 1300 027 001
Fax: +61 2 6260 8828
Email: [email protected]
Web: www.baesystemsdetica.com.au
Copyright © Stratsec.net Pty Ltd (2012). All Rights reserved.
BAE Systems and DETICA are trade marks of BAE Systems plc.
Other company names, trade marks or products referenced herein are the property of their respective owners and are used only to describe such companies, trade marks or products.
Stratsec.net Pty Limited, trading as ‘BAE Systems Detica’, is registered in Australia under ACN 111 187 270 and has its registered office at 50 Geils Court, Deakin ACT 2600.
Aaron Doggett
0404 07 431