TRANSCRIPT
www.dlapiper.com | September 12, 2016
INTERNATIONAL CYBERSECURITY STANDARDS
Practical Applications for Growing Corporate Value
This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
Speakers

Moderator: Kelly Friedman, Partner, DLA Piper
Eric Hibbard, CTO for Security and Privacy, Hitachi Data Systems
Nadya Bartol, Associate Head of Cybersecurity Practice, BCG Platinion
Tyson Macaulay, CISSP, CISA, author of the forthcoming cybersecurity book RIoT Control: Managing Risk and the Internet of Things

Introduction
Kelly Friedman, Partner, DLA Piper
“Given the increasingly global, complex, and interconnected nature of the world economy, characterized by rapid advances in technology and use of commercial off the shelf products to assure cybersecurity and resilience, the use of international cybersecurity standards for information technologies (IT) and industrial control systems (ICS) are necessary for the cybersecurity and resilience of all U.S. information and communications systems and supporting infrastructures.”
Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity, prepared by the International Cybersecurity Standardization Working Group of the National Security Council’s Cyber Interagency Policy Committee, December 2015
“A Standard is a document, established by consensus and approved by a recognized body, which provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.”
ISO/IEC Guide 2:2004: Standardization and related activities - General Vocabulary
ISO/IEC JTC 1, SC 27

One of the key organizations in the world developing international cybersecurity standards is the International Organization for Standardization / International Electrotechnical Commission Joint Technical Committee 1, Information Technology (ISO/IEC JTC 1). In particular, Subcommittee 27: “IT Security Techniques”.

ISO/IEC JTC 1 Security Standardization
Eric Hibbard, CISSP-ISSAP, ISSEP, ISSMP, CCSP, CISA, CTO for Security and Privacy, Hitachi Data Systems
SC 27 (IT security techniques)

SC 27 is an internationally recognized centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Its work covers the development of standards for the protection of information and ICT. This includes requirements, methods, techniques and guidelines to address aspects of both security and privacy in regard to:
• Information security management systems (ISMS)
• Cryptographic and security mechanisms
• Security evaluation, testing and specification
• Security controls and services
• Identity management and privacy technologies

ISO project development process
[Figure] Source: Welcome package of ISO/IEC JTC 1/SC 27 -- IT Security Techniques

27000 family of standards (1)
[Figure] Source: Laura Lindsay, Microsoft
27000 family of standards (2)

• ISO/IEC 27000 — Information technology — Security techniques — Information security management systems — Overview and vocabulary
• ISO/IEC 27001 — Information technology — Security techniques — Information security management systems — Requirements
• ISO/IEC 27002 — Information technology — Security techniques — Code of practice for information security management
• ISO/IEC 27003 — Information technology — Security techniques — Information security management system implementation guidance
• ISO/IEC 27004 — Information technology — Security techniques — Information security management — Measurement
• ISO/IEC 27005 — Information technology — Security techniques — Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 — Information technology — Security techniques — Guidelines for information security management systems auditing (focused on the management system)
• ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
• ISO/IEC 27009 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements
• ISO/IEC 27010 — Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
27000 family of standards (3)

• ISO/IEC 27011 — Information technology — Security techniques — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27013 — Information technology — Security techniques — Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
• ISO/IEC 27014 — Information technology — Security techniques — Information security governance
• ISO/IEC TR 27015 — Information security management guidelines for financial services
• ISO/IEC TR 27016 — IT Security — Security techniques — Information security management — Organizational economics
• ISO/IEC 27017 — Information security management for cloud systems
• ISO/IEC 27018 — Data protection for cloud systems
• ISO/IEC 27019 — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
• ISO/IEC 27031 — Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
• ISO/IEC 27032 — Information technology — Security techniques — Guideline for cybersecurity
• ISO/IEC 27033 — Information technology — Security techniques — Network security
• ISO/IEC 27034 — Information technology — Security techniques — Application security
27000 family of standards (4)

• ISO/IEC 27035 — Information technology — Security techniques — Information security incident management
• ISO/IEC 27036 — Information technology — Security techniques — Information security for supplier relationships
• ISO/IEC 27037 — Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence
• ISO/IEC 27038 — Specification for redaction of digital documents
• ISO/IEC 27039 — Intrusion detection and protection systems
• ISO/IEC 27040 — Guideline on storage security
• ISO/IEC 27041 — Assurance for digital evidence investigation methods
• ISO/IEC 27042 — Analysis and interpretation of digital evidence
• ISO/IEC 27043 — Digital evidence investigation principles and processes
• ISO/IEC 27050 — Information technology — Security techniques — Electronic discovery
• ISO 27799 — Information security management in health using ISO/IEC 27002

Interdependencies (e.g. cloud)
[Figure]

Sample cloud SDO relationships
[Figure]
Cyber Supply Chain Risk Management: Using Standards to Communicate Expectations
Nadya Bartol, Associate Head of Cybersecurity Practice, BCG Platinion
When every company is (becoming) a technology company, supply chain is a major cybersecurity risk

72% of Fortune 500 CEOs already consider their company to be a "digital technology company" [1]

Sources: 1. 2016 Fortune 500 CEO Survey; 2. JuneOven.com/
Dell Inspiron 600m Notebook: Key Components and Suppliers
From The World Is Flat by Thomas Friedman
[Figure] Source: Booz Allen Hamilton and DoD
Everyone along the supply chain needs to communicate expectations and provide assurances
ISO/IEC 27036-1:2013 – Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts
There are several ways to communicate expectations, each producing its own form of evidence (as shown on the slide):
• Supplier self assessment, producing a supplier attestation
• Acquirer assessment, producing assessment results
• Independent third party certification, producing a certification

Source: Utilities Technology Council
Standards help communicate expectations and document conformance

Timeline, 2008 to 2015, with government and industry tracks:
• 2008: Comprehensive National Cybersecurity Initiative
• 2009 to 2013: DoD ICT SCRM Key Practices Document; NIST IR 7622 Notional Supply Chain Risk Management Practices for Federal Information Systems; SAFECode Software Supply Chain Integrity papers; SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.); DHS Vendor Procurement Language; PMOs developed in DOJ and DOE; DHS ICT Supply Chain Exploits Frame of Reference; GAO Report; Cyberspace Policy Review; The President’s International Strategy for Cyberspace; Cybersecurity Procurement Language for Energy Delivery Systems
• 2014: NIST SP 800-161
• 2015: IEC 62443-2-4 – Requirements for IACS Solution Suppliers; ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships; ISO/IEC 20243 – Open Trusted Technology Framework and Conformity Assessments

Source: Utilities Technology Council
You can determine which standard(s) applies to you by asking key questions:
• Industry sector
• Required standards
• Your role – acquirer or supplier?
• Product, service, or both
• Context of use
Tailor for your purpose!
IoT Security and Risk Management
Tyson Macaulay, CISSP, CISA

My own participation in IoT standards development (2012 to present)
• ISO JTC1 Working Group 10 – IoT – Delegate
• ISO JTC1 Working Group 7 – Sensor Networking
• ISO JTC1 SC27 Study Group on IoT – Convener (Concluded)
• ISO JTC1 SC27 WG 4 – Study Period on Emerging Virtualization
• ISO JTC1 SC27 WG 4 – Study Period on IoT Gaps and Requirements
• ITU-T Study Group 20 – IoT
IoT security is a BIG STORY!
Available on Amazon.com
“CEO’s Guide to IoT Security” – AT&T, March 2016

IoT deployments are on the rise
• 85% of global organizations are considering, exploring, or implementing an IoT strategy
• 10% of organizations are fully confident that their connected devices are secure

[Chart: How many connected devices do you have in your organization? Categories: None, Fewer than 100, 100-999, 1,000-4,999, 5,000+, Don't know. Values as extracted from the slide: 1%, 8%, 20%, 35%, 32%, 5%]

Source: AT&T, March 2016
Threat agents in the IoT
• Criminals
• Hacktivists
• Industrial spies
• Nation states
• Terrorists
• Insiders
• Chaotic actors and vigilantes
• Regulators
Big threat #1 – device-to-device attacks
• An infected device enters the home and attacks adjacent devices, which in turn launch attacks
• Infected or compromised devices attack both internally and externally
Big threat #2 – IoT as the weakest link

Attack paths shown on the slide:
• Attack on information-rich devices: personally identifiable information; sabotage or privacy invasions
• IoT cloud services: man-in-the-middle, or compromise of the cloud itself
• Social engineering in the IoT: messages pushed to the device manager (“Upgrade now for your own safety”); the device fetches “patches” that are actually malware; malware drop
• Compromise of one device leads to all adjacent systems
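The pushed “upgrade now” path on the slide above is the case a device-side update client has to defend against. The following is an added example, not code from the webinar or its speakers, showing the checks such a client performs before installing anything: a pinned download origin, an authenticity tag over the update manifest, an anti-rollback version check, and a payload digest check. It assumes a per-device HMAC key and a vendor manifest format that are constructed for this example; the host name, key and firmware bytes are made-up sample values. A real product would more commonly use an asymmetric signature so that a key extracted from one device cannot be used to sign updates for others.

```python
"""Added example (not from the webinar): an update client that refuses
unauthenticated "patches". The update server and any pushed message are
treated as untrusted; the device trusts only material provisioned into
it at manufacture (here: a per-device key and a pinned host list).

Constructed assumptions: the vendor ships a manifest {version, sha256}
plus an HMAC-SHA256 tag over the canonical manifest bytes.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample value: the only host the device will download from.
PINNED_UPDATE_HOSTS = {"updates.example-vendor.invalid"}


class UpdateRejected(Exception):
    """Raised for any update that fails a check; nothing is installed."""


def canonical_manifest(manifest: dict) -> bytes:
    """Stable byte encoding so signer and verifier MAC identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, device_key: bytes) -> str:
    """Vendor side (simulated): tag the manifest with the device's key."""
    return hmac.new(device_key, canonical_manifest(manifest), hashlib.sha256).hexdigest()


def verify_update(url, manifest, tag, blob, device_key, installed_version):
    """Device side: every check must pass before the blob is installed."""
    parsed = urlparse(url)
    # 1. Origin: a pushed link pointing at a foreign host is ignored outright.
    if parsed.scheme != "https" or parsed.hostname not in PINNED_UPDATE_HOSTS:
        raise UpdateRejected(f"untrusted update origin: {url}")
    # 2. Authenticity: constant-time comparison of the manifest tag.
    if not hmac.compare_digest(sign_manifest(manifest, device_key), tag):
        raise UpdateRejected("manifest tag mismatch")
    # 3. Anti-rollback: a "patch" not newer than what is installed is suspect.
    if manifest["version"] <= installed_version:
        raise UpdateRejected("rollback or replay of an old version")
    # 4. Integrity: the downloaded bytes must match the authenticated digest.
    if hashlib.sha256(blob).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("payload digest does not match manifest")
    return True


def demo():
    """Runs one genuine update and four constructed attack cases."""
    key = b"device-provisioned-key (constructed)"
    url = "https://updates.example-vendor.invalid/fw.bin"
    good_blob = b"firmware v2 bytes (constructed)"
    manifest = {"version": 2, "sha256": hashlib.sha256(good_blob).hexdigest()}
    tag = sign_manifest(manifest, key)

    results = {"genuine": verify_update(url, manifest, tag, good_blob, key, 1)}

    malware = b"malware payload (constructed)"
    forged = {"version": 3, "sha256": hashlib.sha256(malware).hexdigest()}
    cases = {
        "foreign_host": ("https://evil.invalid/fw.bin", manifest, tag, good_blob, 1),
        "tampered_blob": (url, manifest, tag, malware, 1),
        "forged_manifest": (url, forged, tag, malware, 1),
        "rollback": (url, manifest, tag, good_blob, 2),
    }
    for name, (u, m, t, b, v) in cases.items():
        try:
            verify_update(u, m, t, b, key, v)
            results[name] = "accepted"
        except UpdateRejected:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of the checks matters: the origin check costs nothing and discards most pushed junk before any cryptography runs, the tag check is done before the version and digest checks so that an attacker cannot learn anything from which later check fails, and the digest is taken from the authenticated manifest rather than from the download itself.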
Big threat #3 – management of complexity

The IoT ecosystem has many stakeholders and service providers at each point in the architecture:
• Cascading impacts are almost impossible to project or monitor
• Assumptions will fail

Stakeholders by architecture layer, as shown on the slide diagram:
• Gateway: service function owner, gateway owner, gateway manager, gateway maker, supply chain
• Cloud / DC: service tenant, platform vendor, platform owner, platform manager, software owner, software manager, software vendor, infrastructure owner, infrastructure manager, infrastructure vendors, supply chain
• Network: network provider, network owner, network manager, equipment maker, supply chain
• End point: device user(s), device owner, device manager, device maker, supply chain
WHERE DO THE IOT SECURITY ANSWERS LIE?
PARTIALLY WITH THE IOT DEVICES THEMSELVES
BUT MOSTLY WITH THE NETWORK
Evolving IoT infrastructure with 5G wireless
[Figure]

Evolving 5G / IoT infrastructure with security
• Micro-segmentation (by in-home service); form factor: virtual
• Micro-segmentation (by subscriber); form factor: virtual
• Virtualization of the network elements (hardware becomes software)

How are standards helping the IoT cause?
1. Highlighting that IoT is not the same as “conventional” IT
   • Physical risks
   • Enhanced privacy risks
2. Gateways are critical control points
   • Formerly just considered “dumb” network elements
3. Virtualization of the network has profound security effects
   • Opportunities
   • Challenges
Questions?

Contact us to learn more

Kelly Friedman, Partner, DLA Piper, [email protected]
Nadya Bartol, Associate Head of Cybersecurity Practice, BCG Platinion, [email protected]
Eric Hibbard, CTO for Security and Privacy, Hitachi Data Systems, [email protected]
Tyson Macaulay, author of the forthcoming cybersecurity book RIoT Control: Managing Risk and the Internet of Things, [email protected]