
Slide 1

Trust but Manage; Real Life Lessons in Controlling Supply Chain Risk

Matthew Butkovic – Software Engineering Institute
John Haller – Software Engineering Institute

October 13, 2015

Slide 2

© 2015 Carnegie Mellon University

Disclaimer

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].

Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM-0001524

Slide 3

Agenda

Supply Chain and External Dependency Risk Defined

Case Studies

A Resilience-based Approach

Resources and Conclusion

Slide 4

A Holistic View: EXD, SCRM, and ICT

• External Dependencies (EXD)
• Supply Chain Risk Management (SCRM)
• Information and Communications Technology (ICT)

Slide 5

What Do We Mean by External Dependencies?

Depending on external entities that have access to, ownership of, control of, responsibility for, or some other defined obligation relating to an asset that is important to a critical service.

SCRM focuses on external entities that provide, sustain, or operate hardware and software to support an organization.

Slide 6

Case Studies

Slide 7

Supply Chain: Example Incidents

• Heartland Payment Systems (2009)
• Silverpop (2010)
• Epsilon (2011)
• New York State Electric and Gas (2012)
• California Department of Child Support Services (2012)
• Thrift Savings Plan (2012)
• Target (2013)
• Lowe's (2014)
• AT&T (2014)
• Goodwill Industries International (2014)
• HAVEX / Dragonfly attacks on energy industry
• DOD TRANSCOM contractor breaches

Slide 8

Case Study: HAVEX Malware / Dragonfly

Slide 9

Anatomy of an Attack: Havex/Dragonfly*

Spear Phishing phase: February 2013 – June 2013 (seven target companies, 1 to 84 emails sent to each)

Supply Chain phase: May 2013 – April 2014

• Watering hole attacks using energy related websites
• Trojanized software updates on ICS manufacturer websites
  • MB Connect Line GmbH – Germany
  • eWON SA – Belgium
  • Mesa Imaging – Switzerland

Effects:

• Infection with Remote Access Trojans (Backdoor.Oldrea, Trojan.Karagany)
• 2000 unique energy company victims (Spain, US, France, Italy, Germany)
• Exfiltration of information

*Sources: Symantec, F-Secure, Belden, ICS-CERT

Slide 10

Case study: TRANSCOM

Slide 11

TRANSCOM: SASC Findings

• Fifty intrusions or cyber events targeted TRANSCOM contractors between June 2012 and May 2013. At least 20 were successful.
• Contractor targets:
  • CRAF – Civil Reserve Air Fleet
  • VISA – Voluntary Intermodal Sealift Agreement Program
• TRANSCOM was aware of two intrusions
• Identified root causes:
  • Gaps in requirements resulted in no reporting
  • DoD and FBI did not know that corporate victims were TRANSCOM contractors
  • Misperceptions about the sharing of incident information

Slide 12

Who notifies organizations of data breach?

Slide 13

A Resilience-based Approach

Slide 14

Barriers to Effective Management

• Siloed departments operating under different requirements
  • Procurement/Acquisitions
  • Operations
  • Incident management
• Vagueness or limitations in formal agreements
• Changing requirements across system lifecycles
• Incomplete or narrow Risk Management processes

Slide 15

External Dependencies Management: A Unified, Resilience-based Approach

EDM practices, grouped by lifecycle area:

Relationship Formation
• Planning
• Evaluating vendors
• Entering into agreements
• Deploying technology

Relationship Management
• Prioritizing relationships
• Managing vendor performance
• Change management
• Managing access

Protecting and Sustaining Services
• Service continuity
• Incident management

Risk Management spans all three areas, with process maturity across the lifecycle.

Slide 16

Assessing Process Institutionalization: Maturity Indicator Levels (MILs)

Higher degrees of institutionalization translate to more stable processes that:

• produce consistent results over time
• are retained during times of stress

Maturity Indicator Levels (across the lifecycle):

Level 1 – Performed (EDM practices performed)
Level 2 – Planned
Level 3 – Managed
Level 4 – Measured
Level 5 – Defined

Slide 17

Example EDM Practices at Level 1

Relationship Formation
• Plan the selection and evaluation of suppliers
• Consider the ability of suppliers to meet resilience requirements
• Include requirements in formal agreements

Relationship Management
• Identify and prioritize dependencies
• Update requirements

Service Protection and Sustainment
• Include suppliers in incident management planning
• Test service continuity and incident management plans

Slide 18

EDM Maturity Indicator Levels 2 – 5: Institutionalizing Capability

MIL2 – Planned:
• Have stakeholders been identified and made aware of their roles?
• Are there documented plans and policies?

MIL3 – Managed:
• Is there management oversight?
• Are risks to the process controlled?
• Is there an appropriate level of staffing and funding?

MIL4 – Measured:
• Are EDM processes reviewed for effectiveness?
• Are processes adhering to the plan?

MIL5 – Defined:
• Is there a defined process enterprise wide?
• Is there a lessons-learned process?

Slide 19

Example Effectiveness Measures (MIL 4)

• Count of external dependency risks that remain unresolved
• Count of external entity relationships formed outside the process
• Number and frequency of critical service outages traceable to external entities
• Percentage of suppliers successfully passing third-party audits
• Contracts or agreements that did not follow established procedures or policy
• Response times and other metrics relating to business continuity or cybersecurity exercises with external entities

Slide 20

Application to Case Studies

Slide 21

TRANSCOM Example: Incident Declaration Criteria

TRANSCOM’s contract clause:

(MIL 1 Practice) Include requirement to report incidents that “affect organizational information resident or in transit on vendor systems”

Reportable cyber intrusion events include the following:

1. A cyber intrusion event appearing to be an advanced persistent threat.
2. A cyber intrusion event involving data exfiltration or manipulation or other loss of any DOD information resident on or transiting the contractor's, or its subcontractors', unclassified information systems.
3. Intrusion activities that allow unauthorized access to an unclassified information system on which DOD information is resident or transiting.

Slide 22

TRANSCOM Example, Incident Criteria

Contract incident declaration criteria were:

• Interpreted differently by contractors, for example to mean system intrusions that actually affected DOD information
• Required contractors to know what systems contained DOD information

MIL4 Question: How do we assess the effectiveness of this control?

Very challenging, some possibilities:

• Event reporting?
• Service reviews and information sharing?
• Penetration testing?

Slide 23

Havex Related Example: Software Vendor Dependencies

MIL 1 Practices:

• Evaluate the capability of suppliers
• Identify and prioritize ICS software updates as a dependency
• Update resilience requirements to ensure currency
• Conduct situational awareness activities

MIL 2 Practice: Involve the right stakeholders in MIL 1 activities

MIL 3 Practice: Identify process risks

MIL 4 Practice: Detect process exceptions to ensure relationships with small software vendors are formed as planned
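The MIL 4 effectiveness measures on slide 19 and the "detect process exceptions" practice on slide 23 both presume that an organization can compute such figures from an inventory of its external dependencies. The Python below is an added illustration, not code from the SEI or from the presenters: it assumes an inventory record shape (the `Dependency` fields) that the slides do not specify, and every vendor name, service and figure in it is constructed sample data. It flags relationships formed outside the planned process, computes the slide 19 counts and percentages, and lists the gaps on high-criticality dependencies first, as the prioritization practice on slide 17 suggests.

```python
"""Added example (not from the SEI slides): MIL 4 effectiveness measures and
process-exception detection over a constructed external-dependency inventory."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Dependency:
    """One external entity relationship, as an EDM inventory might record it.
    The field set is an assumption of this example, not the slides' model."""
    vendor: str
    supports_service: str               # critical service the dependency supports
    criticality: str                    # "high" | "medium" | "low"
    in_contract_register: bool          # a formal agreement exists and is on file
    followed_procurement: bool          # formed through the planned process
    resilience_reqs_in_agreement: bool  # MIL 1: requirements included in agreement
    audit_status: str                   # "passed" | "failed" | "not_audited"
    open_risks: int                     # external dependency risks still unresolved
    outages_caused: int                 # critical service outages traced to this entity


# Constructed inventory. "RemoteLink Tools" stands in for a small ICS software
# vendor onboarded directly by operations, the kind of gap the Havex slides
# describe; the other records went through the planned process.
INVENTORY: List[Dependency] = [
    Dependency("SCADA-Widgets (sample)", "generation control", "high",
               True, True, True, "passed", 1, 0),
    Dependency("RemoteLink Tools (sample)", "generation control", "high",
               False, False, False, "not_audited", 2, 1),
    Dependency("Payroll Cloud (sample)", "payroll", "low",
               True, True, False, "passed", 0, 0),
    Dependency("Sensor Imaging Co (sample)", "plant monitoring", "medium",
               True, False, True, "failed", 3, 0),
]


def process_exceptions(inventory: List[Dependency]) -> List[str]:
    """Vendors whose relationship was formed outside the planned process:
    no agreement on file, or procurement bypassed (MIL 4 practice, slide 23)."""
    return [d.vendor for d in inventory
            if not d.in_contract_register or not d.followed_procurement]


def effectiveness_measures(inventory: List[Dependency]) -> Dict[str, float]:
    """The count and percentage measures listed on slide 19."""
    audited = [d for d in inventory if d.audit_status != "not_audited"]
    passed = [d for d in audited if d.audit_status == "passed"]
    return {
        "unresolved_risks": sum(d.open_risks for d in inventory),
        "relationships_outside_process": len(process_exceptions(inventory)),
        # Agreements on file that omit resilience requirements (slide 17, MIL 1)
        "agreements_missing_resilience_reqs": sum(
            1 for d in inventory
            if d.in_contract_register and not d.resilience_reqs_in_agreement),
        "outages_traceable_to_external_entities": sum(d.outages_caused for d in inventory),
        # Only audited suppliers count toward the pass rate; unaudited ones are
        # a gap reported separately rather than silently counted as failures.
        "pct_suppliers_passing_audit": (
            round(100.0 * len(passed) / len(audited), 1) if audited else 0.0),
    }


def high_criticality_gaps(inventory: List[Dependency]) -> List[str]:
    """High-criticality dependencies with any gap, listed first because they
    support critical services (prioritization practice, slide 17)."""
    gaps = []
    for d in inventory:
        if d.criticality != "high":
            continue
        reasons = []
        if not d.in_contract_register:
            reasons.append("no agreement on file")
        if not d.resilience_reqs_in_agreement:
            reasons.append("resilience requirements not in agreement")
        if d.audit_status != "passed":
            reasons.append(f"audit status: {d.audit_status}")
        if reasons:
            gaps.append(f"{d.vendor}: " + "; ".join(reasons))
    return gaps


if __name__ == "__main__":
    for name, value in effectiveness_measures(INVENTORY).items():
        print(f"{name}: {value}")
    print("process exceptions:", process_exceptions(INVENTORY))
    for line in high_criticality_gaps(INVENTORY):
        print("gap:", line)
```

On the sample inventory the unaudited ICS vendor that bypassed procurement shows up three times: as a process exception, in the unresolved-risk and outage counts, and at the top of the high-criticality gap list, which is the point of measuring at MIL 4 rather than only performing the MIL 1 practices.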

Slide 24

Process Maturity for Cyber Resilience

The degree of process maturity can help to answer several important questions when managing cyber resilience:

• How well are we performing today?

• Can we repeat our successes?

• Do we consistently produce expected results?

• Can we adapt seamlessly to changing risk environments?

• Are our processes stable enough to depend on them during times of stress?

Process maturity helps avoid the pitfalls of a project (set and forget) approach to cyber resilience and helps “make it stick.”

Slide 25

First Steps for Getting Started . . .

• Identify program management objectives
• Prioritize critical services
• Identify service requirements
• Identify enterprise requirements
• Plan relationship formation
• Plan relationship management

Slide 26

EDM Process Improvement

Slide 27

Resources and Conclusion

Slide 28

Our Approach: Cyber Resilience

“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”

– Presidential Policy Directive – PPD 21, February 12, 2013

Protect (Security) · Sustain (Continuity) · Perform (Capability) · Repeat (Maturity)

Slide 29

Cyber Resilience Value Proposition

Flexibility and scalability: deciding what to do to manage cybersecurity

• Using a broadly applicable approach to allow organizational comparison
• Focusing on “what” versus how to manage cybersecurity risk

Cybersecurity ecosystem: addressing the interconnectedness challenge

• Managing dependencies
• Addressing organizational challenges and silos

Efficiency: helping critical infrastructure organizations make smart choices

• Using resources effectively
• Understanding organizational capability and picking smart improvement goals

Slide 30

DHS External Dependency Risk Management Assessment

Purpose: To measure the organization’s ability to manage external dependencies and foster improvement. How are we doing and where can we do better?

Based on the DHS Cyber Resilience Review and the CERT® Resilience Management Model (CERT® RMM), a process improvement model for managing operational resilience

• Developed by Carnegie Mellon University's Software Engineering Institute

• More information: http://www.cert.org/resilience/rmm.html

The assessment will be fully released in October 2015. Please send inquiries to [email protected]

Slide 31

EDM Assessment

Slide 32

In Closing . . .

• Supply Chain Risk Management is a key business challenge
• SCRM is part of the broad challenge of external dependencies, and extends well beyond ICT vendors
• Relationships are key – organizations cannot effectively manage dependency risks on their own
• Taking a converged approach to the challenge is key
• Resilience management can help simplify the measurement and management of operational and dependency risks

Slide 33

Presenter: Matthew Butkovic
Technical Manager
CERT Program – Software Engineering Institute
Telephone: (412) 268-6727
Email: [email protected]

Presenter: John Haller
Member of the Technical Staff
CERT Program – Software Engineering Institute
Telephone: (412) 268-6648
Email: [email protected]

Slide 34

Acronyms

CRR: DHS Cyber Resilience Review

DHS: Department of Homeland Security

EDM: External Dependencies Management

EXD: External Dependencies

RMM: Carnegie Mellon Resilience Management Model

SCRM: Supply Chain Risk Management