
Trust but Manage; Real Life Lessons in Controlling Supply Chain Risk

Matthew Butkovic, Software Engineering Institute

John Haller, Software Engineering Institute

October 13, 2015

© 2015 Carnegie Mellon University

Disclaimer

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM-0001524


Agenda

Supply Chain and External Dependency Risk Defined

Case Studies

A Resilience-based Approach

Resources and Conclusion


A Holistic View: EXD, SCRM, and ICT

• External Dependencies (EXD)

• Supply Chain Risk Management (SCRM)

• Information and Communications Technology (ICT)


What Do We Mean by External Dependencies?

Depending on external entities that have access to, ownership of, control of, responsibility for, or some other defined obligation relating to an asset that is important to a critical service.

SCRM focuses on external entities that provide, sustain, or operate hardware and software to support an organization.


Case Studies


Supply Chain: Example Incidents

• Heartland Payment Systems (2009)

• Silverpop (2010)

• Epsilon (2011)

• New York State Electric and Gas (2012)

• California Department of Child Support Services (2012)

• Thrift Savings Plan (2012)

• Target (2013)

• Lowe's (2014)

• AT&T (2014)

• Goodwill Industries International (2014)

• HAVEX / Dragonfly attacks on the energy industry

• DOD TRANSCOM contractor breaches


Case Study: HAVEX Malware / Dragonfly


Anatomy of an Attack: Havex/Dragonfly*

Spear phishing phase: February 2013 – June 2013 (seven target companies, 1 to 84 emails sent to each)

Supply chain phase: May 2013 – April 2014

• Watering hole attacks using energy-related websites

• Trojanized software updates on ICS manufacturer websites

  • MB Connect Line GmbH – Germany

  • eWON SA – Belgium

  • Mesa Imaging – Switzerland

Effects:

• Infection with Remote Access Trojans (Backdoor.Oldrea, Trojan.Karagany)

• 2000 unique energy company victims (Spain, US, France, Italy, Germany)

• Exfiltration of information

*Sources: Symantec, F-Secure, Belden, ICS-CERT


Case study: TRANSCOM


TRANSCOM: SASC Findings

• Fifty intrusions or cyber events targeted TRANSCOM contractors between June 2012 and May 2013. At least 20 were successful.

• Contractor targets:

  • CRAF – Civil Reserve Air Fleet

  • VISA – Voluntary Intermodal Sealift Agreement Program

• TRANSCOM was aware of two intrusions

• Identified root causes:

  • Gaps in requirements resulted in no reporting

  • DoD and FBI did not know that corporate victims were TRANSCOM contractors

  • Misperceptions about the sharing of incident information


Who notifies organizations of data breach?


A Resilience-based Approach


Barriers to Effective Management

• Siloed departments operating under different requirements

  • Procurement/Acquisitions

  • Operations

  • Incident management

• Vagueness or limitations in formal agreements

• Changing requirements across system lifecycles

• Incomplete or narrow risk management processes


External Dependencies Management: A Unified, Resilience-based Approach

Relationship Formation

• Planning

• Evaluating vendors

• Entering into agreements

• Deploying technology

Relationship Management

• Prioritizing relationships

• Managing vendor performance

• Change management

• Managing access

Protecting and Sustaining Services

• Service continuity

• Incident management

Risk Management and process maturity apply across the lifecycle to all of the EDM practices above.


Assessing Process Institutionalization: Maturity Indicator Levels (MILs)

Higher degrees of institutionalization translate to more stable processes that:

• produce consistent results over time

• are retained during times of stress

Level 1 – EDM Practices Performed

Level 2 – Planned

Level 3 – Managed

Level 4 – Measured

Level 5 – Defined

[Figure: the MILs shown against the EDM lifecycle]


Example EDM Practices at Level 1

Relationship Formation

• Plan the selection and evaluation of suppliers

• Consider the ability of suppliers to meet resilience requirements

• Include requirements in formal agreements

Relationship Management

• Identify and prioritize dependencies

• Update requirements

Service Protection and Sustainment

• Include suppliers in incident management planning

• Test service continuity and incident management plans


EDM Maturity Indicator Levels 2 – 5: Institutionalizing Capability

MIL2 – Planned:

• Have stakeholders been identified and made aware of their roles?

• Are there documented plans and policies?

MIL3 – Managed:

• Is there management oversight?

• Are risks to the process controlled?

• Is there an appropriate level of staffing and funding?

MIL4 – Measured:

• Are EDM processes reviewed for effectiveness?

• Are processes adhering to the plan?

MIL5 – Defined:

• Is there a defined process enterprise-wide?

• Is there a lessons-learned process?


Example Effectiveness Measures (MIL 4)

• Count of external dependency risks that remain unresolved

• Count of external entity relationships formed outside the process

• Number and frequency of critical service outages traceable to external entities

• Percentage of suppliers successfully passing third-party audits

• Contracts or agreements that did not follow established procedures or policy

• Response times and other metrics relating to business continuity or cybersecurity exercises with external entities


Application to Case Studies


TRANSCOM Example: Incident Declaration Criteria

TRANSCOM’s contract clause:

(MIL 1 Practice) Include a requirement to report incidents that “affect organizational information resident or in transit on vendor systems”

Reportable cyber intrusion events include the following:

1. A cyber intrusion event appearing to be an advanced persistent threat.

2. A cyber intrusion event involving data exfiltration or manipulation or other loss of any DOD information resident on or transiting the contractor's, or its subcontractors', unclassified information systems.

3. Intrusion activities that allow unauthorized access to an unclassified information system on which DOD information is resident or transiting.


TRANSCOM Example, Incident Criteria

Contract incident declaration criteria were:

• Interpreted differently by contractors, for example to mean only system intrusions that actually affected DOD information

• Required contractors to know which systems contained DOD information

MIL4 Question: How do we assess the effectiveness of this control?

Very challenging; some possibilities:

• Event reporting?

• Service reviews and information sharing?

• Penetration testing?


Havex Related Example: Software Vendor Dependencies

MIL 1 Practices:

• Evaluate the capability of suppliers

• Identify and prioritize ICS software updates as a dependency

• Update resilience requirements to ensure currency

• Conduct situational awareness activities

MIL 2 Practice: Involve the right stakeholders in MIL 1 activities

MIL 3 Practice: Identify process risks

MIL 4 Practice: Detect process exceptions to ensure relationships with small software vendors are formed as planned


Process Maturity for Cyber Resilience

The degree of process maturity can help to answer several important questions when managing cyber resilience:

• How well are we performing today?

• Can we repeat our successes?

• Do we consistently produce expected results?

• Can we adapt seamlessly to changing risk environments?

• Are our processes stable enough to depend on them during times of stress?

Process maturity helps avoid the pitfalls of a project (set and forget) approach to cyber resilience and helps “make it stick.”


First Steps for Getting Started . . .

• Identify program management objectives

• Prioritize critical services

• Identify service requirements

• Identify enterprise requirements

• Plan relationship formation

• Plan relationship management


EDM Process Improvement


Resources and Conclusion


Our Approach: Cyber Resilience

“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”

– Presidential Policy Directive 21 (PPD-21), February 12, 2013

The four elements of the approach:

• Protect (Security)

• Sustain (Continuity)

• Perform (Capability)

• Repeat (Maturity)


Cyber Resilience Value Proposition

Flexibility and scalability: deciding what to do to manage cybersecurity

• Using a broadly applicable approach to allow organizational comparison

• Focusing on “what” versus “how” to manage cybersecurity risk

Cybersecurity ecosystem: addressing the interconnectedness challenge

• Managing dependencies

• Addressing organizational challenges and silos

Efficiency: helping critical infrastructure organizations make smart choices

• Using resources effectively

• Understanding organizational capability and picking smart improvement goals


DHS External Dependency Risk Management Assessment

Purpose: To measure the organization’s ability to manage external dependencies and foster improvement. How are we doing and where can we do better?

Based on the DHS Cyber Resilience Review and the CERT® Resilience Management Model (CERT® RMM), a process improvement model for managing operational resilience

• Developed by Carnegie Mellon University's Software Engineering Institute

• More information: http://www.cert.org/resilience/rmm.html

The assessment will be fully released in October 2015. Please send inquiries to CSE@hq.dhs.gov


EDM Assessment


In Closing . . .

• Supply Chain Risk Management is a key business challenge

• SCRM is part of the broad challenge of external dependencies, and extends well beyond ICT vendors

• Relationships are key – organizations cannot effectively manage dependency risks on their own

• Taking a converged approach to the challenge is key

• Resilience management can help simplify the measurement and management of operational and dependency risks


Presenter: Matthew Butkovic

Technical Manager

CERT Program – Software Engineering Institute

Telephone: (412) 268-6727

Email: mjb101@cert.org

Presenter: John Haller

Member of the Technical Staff

CERT Program – Software Engineering Institute

Telephone: (412) 268-6648

Email: jhaller@cert.org


Acronyms

CRR: DHS Cyber Resilience Review

DHS: Department of Homeland Security

EDM: External Dependencies Management

EXD: External Dependencies

RMM: Carnegie Mellon Resilience Management Model

SCRM: Supply Chain Risk Management

Recommended