National Defense University, The iCollege

“The global hub for educating, informing, and connecting Information Age leaders.”

The Cyber Supply Chain: Strategies for Managing the Risks and Challenges

IEEE STC Conference
Professor Russ Mattern
Professor Mike Donohoe
October 13, 2015

“The views expressed in this presentation/article are those of the author and do not reflect the official policy or position of the National Defense University, the Department of Defense, or the U.S. Government.”


Agenda

• What’s the extent of the problem?
• Example of counterfeits in the military supply chain
• An interesting GAO study
• The Smart Grid as an example of a critical US infrastructure: the inroads made into one of the major US infrastructures
• How will Supply Chain Risk Management affect the cost, schedule and performance of your programs/projects?
• How can a Criticality Analysis focus your risk effort more effectively?
• How the NIST Risk Management Framework (RMF) can help
• Where can I find a major resource to help detect and correct software vulnerabilities and common attack patterns? It’s free!
• “Which of my systems are more vulnerable, new or legacy?”
• Where do we go from here?
• A real-life case study

10/12/2015 2


The Extent of the Counterfeit Problem

• Short video clip: first 1 minute and 30 seconds
  – http://www.smtcorp.com/#


Extent of the Problem

Aerospace Industries Association

Extent of the Problem


The Comprehensive National Cybersecurity Initiative


Intelligence Community Directive 731 (7 Dec 2013)

• Purpose:
  – This Directive establishes Intelligence Community (IC) policy to protect the supply chain as it relates to the life-cycle of mission-critical products, materials, and services used by the IC through the identification, assessment, and mitigation of threats.
• Section D: Policy
  – Supply chain risk management is the management of risk to the integrity, trustworthiness, and authenticity of products and services within the supply chain. It addresses the activities of foreign intelligence entities (as defined in ICD 750, Counterintelligence Programs) and any other adversarial attempts aimed at compromising the IC supply chain, which may include the introduction of counterfeit or malicious items into the IC supply chain.


Counterfeits in the US Military ICT Supply Chain


November 8, 2011


US Senate Report on Counterfeits


US Senate Report on Counterfeits

• “…two year period, 2009-2011, the investigation uncovered approximately 1,800 cases of suspected counterfeit electronic parts.”
• Of 100 tracked suspect parts, 70% were traced to China
• 3 cases investigated by the Senate Committee:
  – US Navy SH-60B helicopter: Electronic Interference Filters integrated into the Forward Looking InfraRed (FLIR) system
  – USAF C-130J & C-27J display units
  – US Navy P-8A (modified Boeing 737): ice detection module


A Government Accountability Office (GAO) Study


GAO-12-375


GAO Report Cont’d

• “The GAO created a fictitious company and gained membership in two Internet platforms providing access to vendors selling military-grade electronic parts”
• “GAO requested quotes from numerous vendors for a total of 16 parts from 3 categories.”
  – CAT 1: “Authentic part numbers for obsolete and rare parts”
  – CAT 2: “Authentic part numbers with postproduction date codes.”
  – CAT 3: “Bogus, or fictitious, part numbers that are not associated with any authentic part.”
  – “…GAO received responses from 396 vendors, of which 334 were located in China; 25 from the United States; and 37 in other countries, including the United Kingdom and Japan.”
• “…vendors usually responded in a day. GAO selected the first of any vendor among those offering the lowest prices…”


Results Cat 1 (authentic, obsolete, rare) Analysis


GAO Report: Summary

• All 7 parts in Category 1 (authentic, obsolete, rare) were “Suspect Counterfeit” (the highest risk of being counterfeit)
• All 5 parts in Category 2 (authentic part number, but postproduction dates) were “Suspect Counterfeit”
• All 4 parts in Category 3 (bogus part numbers) were “Bogus”
  – 40 vendors offered to supply these parts
  – Demonstrates the will and the ability to deliver parts that technically don’t even exist.


Critical Infrastructure: Smart Grid

• Current state of the US grid
• Advanced Metering Infrastructure (AMI)
• Challenges/vulnerabilities:
  – SCADA systems
  – Software and hardware vulnerabilities
  – Intelligence activities/malware


Current State of the US Power Grid

• The US Power Grid is actually made up of 3 smaller grids: Eastern, Western, & Texas, comprising:
  – 7,000 generating plants
  – 2,000 distribution utilities
  – 450,000 miles of high-voltage transmission lines
• 70% of transmission lines > 25 years old
• 70% of power transformers > 25 years old
• 60% of circuit breakers > 30 years old
• The system is brittle (red = my emphasis):
  – “But as the nearly 100 year old power grid has aged, facing a growing population and higher load demands for power, the industry has simultaneously become more and more deregulated by mandate. And deregulation has led to less and less necessary preventative maintenance, upgrades in technology as well as necessary investment in research and development. And the poorly maintained grid in many of the areas of the country, predominantly the mid-Atlantic and northeast states, has put even more stress upon its transmission lines.”
  – Grassi, D. (March 24, 2009). US energy policy: Electrical grid in critical condition


What is the Smart Grid?

• The Smart Grid is a network system that will allow the electric companies, electricity generators (coal plants, wind turbine plants, solar plants, etc.), businesses, houses, etc. to communicate back and forth in order to meet the necessary supply and demands of electricity. This system will help avoid blackouts, reduce our carbon footprint, and save people & businesses money by being able to adjust the amount of electricity they use throughout the day. This network is made up of hardware, software (data management and storage), and a communication system that ties it all together.
  – Source: Solutions for the future, McKibbin, W. & McClurg, J.


Smart Meters


SCADA Systems

• Supervisory Control And Data Acquisition (SCADA) systems are not only used in power generation and distribution; they are also used to control:
  – Natural gas, water, power generation/distribution, nuclear power
  – Water & waste treatment facilities
  – Manufacturing, food processing, pharmaceuticals, security systems, and nuclear power plants
• Examples:
  – SCADA vulnerabilities prompt US Government warning. Kirk, J. (2011, March 23). Computerworld. http://www.computerworld.com/s/article/9214990/SCADA_vulnerabilities_prompt_U.S._government_warning
    • US-CERT: problems with Siemens, Iconics, 7-Technologies and Datac systems vulnerable to attack via the internet


SCADA Systems cont’d

• Hoping to teach a lesson, researchers release exploits for critical infrastructure software. Zetter, K. (2012, January 1). Wired. http://www.wired.com/threatlevel/2012/01/scada-exploits/
  – Problems with programmable logic controllers
    • Used in “water, power and chemical plants; gas pipelines and nuclear facilities; as well as in manufacturing facilities such as food processing plants and automobile and aircraft assembly lines.”
    • “Peterson, speaking Thursday at the annual S4 conference that he runs, said he hoped the presentation would serve as a “Firesheep moment” for the SCADA community. Firesheep refers to a Wi-Fi hacking tool that was released by a security researcher last year to call attention to how easy it is to hijack accounts on social networking sites like Facebook and Twitter and web e-mail services. The release of Firesheep forced some companies to begin encrypting customer sessions by default so that attackers on a Wi-Fi network couldn’t sniff their credentials and hijack their accounts.”


Company ratings


Chart listing the vulnerability types found in PLCs the researchers examined. A red "x" indicates the vulnerability is present in the system and is easily exploited; a yellow exclamation point indicates the vulnerability exists but is difficult to exploit; the green checkmark indicates the system lacks this vulnerability.
-- Zetter. Hoping to teach a lesson, researchers release exploits for critical infrastructure software.


Logic ladder exploit

• Ladder logic is a programming language that represents a program by a graphical diagram based on the circuit diagrams of relay logic hardware. It is primarily used to develop software for programmable logic controllers (PLCs) used in industrial control applications. The name is based on the observation that programs in this language resemble ladders, with two vertical rails and a series of horizontal rungs between them. (Wikipedia)


Figure: the attacker downloads the ladder logic from the PLC, modifies it, and uploads it back into the PLC.


Software and hardware vulnerabilities

• There are many software and hardware vulnerabilities that can directly affect the Smart Grid
  – The fact that companies are relying on the internet to run their operations and control functions opens them up to all the exploits we see daily in the news
  – Billions will be spent on the build-out of the Smart Grid
  – Many software/hardware companies are getting into the game with the hope of garnering a piece of the Smart Grid pie
  – Here are a few names of some players you will recognize:
    • SAP, HP, Google, Microsoft, Cisco, Dell
  – Here are more names, some of which are start-ups:
    • Tendril Networks, EnergyHub, Energrate, Control4, Greenbox Technology, AlertMe, OpenPark, CurrentCost, Sequentric, 4Home, Agilewave, BPL Global, Ecologic Analytics, Gridpoint, Silver Spring Networks, SmartSynch, Tropos Networks (source: Greentechmedia.com)


Intelligence activities/Malware

• Report: Spies hacked into U.S. electricity grid. LaMonica, M. (2009, April 8). CNET. http://news.cnet.com/8301-11128_3-10214898-54.html
  – “A Wall Street Journal report, quoting national security officials, says spies have infiltrated the power grid in an apparent attempt to map the utility infrastructure.”
  – “The intruders don't appear to have done any damage to date but did leave behind software that could disrupt the system.”
  – "The Chinese have attempted to map our infrastructure, such as the electrical grid," a senior intelligence official told the Journal. "So have the Russians."
  – A report by security firm IOActive last month warned that people with $500 worth of equipment and the right training could manipulate smart meters with embedded communications in people's homes to potentially disrupt operation of the grid.


How Cyber SCRM Affects Cost, Schedule & Performance

• Cost, Schedule & Performance

[Figure: the cost, schedule and performance triangle, redrawn with the cost and schedule sides stretched]


Rethinking your Organization’s Projects & Programs

• Implementing a Supply Chain Risk Management (SCRM) plan in your organization will require adjustment
  – Validating the provenance/pedigree of critical electronic components and software will likely require more time and expense
  – You may have to move to different and, likely, more expensive suppliers
    • And you may have to seek out secondary suppliers, just in case…
  – Program schedules will stretch, causing lengthened delivery times to customers & increased costs


Rethinking your Organization’s Projects & Programs

  – The organization’s governance board will have to take a strategic look at the number of programs it undertakes
    • They will also have to look at the TYPES of programs they choose:
      • Some may present more risk than others when it comes to assuring the quality and provenance of components and software
      • Programs/projects with more supply chain risk may have to be placed on hold until the organization can validate the upstream supply chain
      • Worse, some programs/projects may have to be abandoned altogether due to high risk in the supply chain


How can a Criticality Analysis Focus your Risk Effort

• It is cost prohibitive to ensure every last component and line of software is without defect, intentional or not
• The focus must be on what are considered the “Crown Jewels” of the system
• This may mean it’s not the most expensive chip or software algorithm
• It will likely come down to what the main purpose of the program is


How can a Criticality Analysis Focus your Risk Effort

• In DoD speak, this would be the “mission” of the system
• Steps you can take to conduct your Criticality Analysis:
  – Identifying and prioritizing system mission threads;
  – Decomposing the mission threads into their mission-critical functions; and
  – Identifying the system components (hardware, software, and firmware) that implement those functions, i.e., components that are critical to the mission effectiveness of the system or an interfaced network. Source: Interos, Jan 2015


How can a Criticality Analysis Focus your Risk Effort

• A few hints to help your Criticality Analysis (CA)
  – Focus on the entire life-cycle of your project or program
    • Limiting your efforts to just the development phase may leave a gaping hole after the system is deployed
  – The “crown jewels” of your system may not be the most expensive
  – The CA should begin with the system engineering and design process; in other words, as early in the program life-cycle as possible
  – The CA is not a static, one-time event:
    • Revisit the CA often, as the mission or program focus changes
  – The goal is to keep adversaries out and to protect your system while not bankrupting it. Source: Interos, Jan 2015
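The three CA steps on the previous slide (prioritize mission threads, decompose them into mission-critical functions, identify the hardware/software/firmware components that implement those functions) and the "not a one-time event" hint above can be carried through on a small model. The following is an added example, not code from the presentation or from the Interos source it cites: the toy avionics system, the priority weights and the scoring rule are all assumptions, chosen so that the output is a ranked list telling you where to spend the provenance/pedigree budget first.

```python
"""Criticality Analysis worked example (added illustration; assumptions throughout).

Step 1: mission threads with a priority.  Step 2: the mission-critical
functions each thread depends on.  Step 3: the components that implement those
functions.  A component's criticality is the summed weight of every thread it
supports; a component that is the sole implementer of a function some thread
needs is flagged as a single point of failure for that function.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MissionThread:
    name: str
    priority: int          # assumed scale: 1 = most important, 3 = least
    functions: List[str]   # mission-critical functions the thread depends on


@dataclass
class Component:
    name: str
    kind: str              # "hardware", "software" or "firmware"
    implements: List[str]  # functions this component realizes


PRIORITY_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}  # assumed weight per priority level


def criticality_scores(threads: List[MissionThread], components: List[Component]) -> Dict[str, dict]:
    """Score every component by the threads it supports (steps 2 and 3)."""
    threads_by_function: Dict[str, List[MissionThread]] = {}
    for t in threads:
        for f in t.functions:
            threads_by_function.setdefault(f, []).append(t)
    implementers: Dict[str, List[str]] = {}
    for c in components:
        for f in c.implements:
            implementers.setdefault(f, []).append(c.name)

    scores: Dict[str, dict] = {}
    for c in components:
        score, spof = 0.0, []
        for f in c.implements:
            needed_by = threads_by_function.get(f, [])
            score += sum(PRIORITY_WEIGHT[t.priority] for t in needed_by)
            if needed_by and implementers[f] == [c.name]:
                spof.append(f)  # only this component delivers a needed function
        scores[c.name] = {"kind": c.kind, "score": score, "single_point_of_failure": spof}
    return scores


def focus_list(scores: Dict[str, dict], top_n: int) -> List[str]:
    """Rank components so the provenance/pedigree effort starts at the top."""
    return sorted(scores, key=lambda n: (-scores[n]["score"], n))[:top_n]


def reassess_after_mission_change(threads, components, thread_name, new_priority):
    """The CA is not static: re-run it when a mission thread's priority changes."""
    updated = [MissionThread(t.name, new_priority if t.name == thread_name else t.priority, t.functions)
               for t in threads]
    return criticality_scores(updated, components)


# Constructed toy system (every name below is made up for the illustration).
THREADS = [
    MissionThread("Navigate to target", 1, ["compute position", "display nav data"]),
    MissionThread("Detect icing", 2, ["sense icing", "alert crew"]),
    MissionThread("Log maintenance data", 3, ["store logs"]),
]
COMPONENTS = [
    Component("GPS receiver", "hardware", ["compute position"]),
    Component("Display unit", "hardware", ["display nav data", "alert crew"]),
    Component("Ice sensor", "hardware", ["sense icing"]),
    Component("Nav software", "software", ["compute position", "display nav data"]),
    Component("Display firmware", "firmware", ["display nav data"]),
    Component("Maintenance logger", "software", ["store logs"]),
]

if __name__ == "__main__":
    scores = criticality_scores(THREADS, COMPONENTS)
    for name in focus_list(scores, len(scores)):
        s = scores[name]
        print(f"{name:20s} {s['kind']:9s} score={s['score']:.1f} spof={s['single_point_of_failure']}")
```

Two things the ranking makes visible that the slide only states: the cheapest parts (the ice sensor, the display firmware) still land high on the list because of the missions they carry, and a priority change on a single thread reorders the list, which is why the analysis has to be repeated as the mission changes.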


Criticality Analysis Exercise


NIST Risk Management Framework (RMF)


NIST Risk Management Framework (RMF)

• NIST Special Publication 800-53 revision 4
  – Security and Privacy Controls for Federal Information Systems and Organizations (April 2013)
• NIST Special Publication 800-60
  – Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories (Aug 2008)
• NIST Special Publication 800-70 revision 3
  – National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
• NIST Special Publication 800-37
  – Guide for Applying the Risk Management Framework to Federal Information Systems


NIST Risk Management Framework (RMF)

• Applying the Risk Management Framework to Federal Information Systems
• Instructional video:
  – http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/rmf-training/index.html


Common Weakness Enumeration (CWE)


Common Vulnerability Enumeration (CVE)


Common Attack Pattern Enumeration & Classification


Structured Threat Information Expression (STIX)

• The Structured Threat Information Expression (STIX) is a language for describing cyber threat information in a standardized and structured manner. STIX characterizes an extensive set of cyber threat information, to include indicators of adversary activity (e.g. IP addresses and file hashes) as well as additional contextual information regarding threats (e.g. adversary Tactics, Techniques and Procedures (TTPs); exploitation targets; Campaigns; and Courses of Action (COA)) that together more completely characterize the cyber adversary’s motivations, capabilities, and activities, and thus, how to best defend against them. It is intended to support both more effective analysis and exchange of cyber threat information.


Trusted Automated Exchange of Indicator Information

• TAXII
  – Trusted Automated Exchange of Indicator Information standardizes the trusted, automated exchange of cyber threat information. TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries for the detection, prevention, and mitigation of cyber threats. TAXII is not a specific information sharing initiative, and it does not define trust agreements, governance, or non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, and enables organizations to easily share the information they choose with partners they choose, while leveraging existing relationships and systems.
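The STIX and TAXII descriptions above are abstract; the following added example (not code from the presentation, MITRE or OASIS) makes them concrete for both passages. It builds a STIX indicator carrying an IP address and a file hash plus the context objects the STIX paragraph lists (a TTP as an attack pattern, a campaign, a course of action, and the relationships tying them together), then shows what a consumer does with them: poll a collection for objects added since its last check, pull the machine-matchable observables out of the indicator pattern, and follow the relationships from the indicator to the TTP, the campaigns using it and the mitigating course of action. The objects use the STIX 2.1 JSON layout, which is an assumption (the slides do not name a version); every ID, timestamp, name and value is constructed, and `poll_collection` is a simplified in-memory stand-in for a TAXII "get objects" request with an `added_after` filter, not the real protocol or a real server.

```python
"""STIX/TAXII consumer worked example (added illustration; constructed data)."""
import re
from datetime import datetime, timezone
from typing import Dict, List


def parse_ts(s: str) -> datetime:
    """Parse the STIX timestamp format used by the constructed objects."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


# Constructed identifiers (STIX ids are "type--UUID"; these UUIDs are made up).
INDICATOR_ID = "indicator--1b2c3d4e-0000-4000-8000-000000000001"
ATTACK_ID = "attack-pattern--1b2c3d4e-0000-4000-8000-000000000002"
CAMPAIGN_ID = "campaign--1b2c3d4e-0000-4000-8000-000000000003"
COA_ID = "course-of-action--1b2c3d4e-0000-4000-8000-000000000004"
T1, T2 = "2015-10-01T12:00:00.000Z", "2015-10-05T09:30:00.000Z"


def sdo(obj_type: str, obj_id: str, created: str, **props) -> dict:
    """Build a STIX 2.1 object with the common required properties."""
    return {"type": obj_type, "spec_version": "2.1", "id": obj_id,
            "created": created, "modified": created, **props}


def rel(n: int, relationship_type: str, source_ref: str, target_ref: str, created: str) -> dict:
    return sdo("relationship", f"relationship--1b2c3d4e-0000-4000-8000-00000000001{n}", created,
               relationship_type=relationship_type, source_ref=source_ref, target_ref=target_ref)


# Constructed contents of a TAXII-style collection. The hash is SHA-256 of the
# empty string and the IP is from the TEST-NET-2 documentation range.
COLLECTION: List[dict] = [
    sdo("indicator", INDICATOR_ID, T1,
        name="Implant delivered via tampered firmware updater (constructed)",
        indicator_types=["malicious-activity"], pattern_type="stix", valid_from=T1,
        pattern="[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'] "
                "OR [ipv4-addr:value = '198.51.100.23']"),
    sdo("attack-pattern", ATTACK_ID, T1, name="Supply chain compromise of vendor firmware (constructed TTP)"),
    sdo("campaign", CAMPAIGN_ID, T1, name="Constructed campaign against utility meter vendors"),
    sdo("course-of-action", COA_ID, T1,
        name="Verify firmware provenance against a vendor-signed manifest before deployment"),
    rel(1, "indicates", INDICATOR_ID, ATTACK_ID, T2),
    rel(2, "uses", CAMPAIGN_ID, ATTACK_ID, T2),
    rel(3, "mitigates", COA_ID, ATTACK_ID, T2),
]


def poll_collection(collection: List[dict], added_after: str) -> List[dict]:
    """Simplified stand-in for a TAXII 'get objects' request with added_after:
    return only the objects created after the consumer's last poll."""
    cutoff = parse_ts(added_after)
    return [o for o in collection if parse_ts(o["created"]) > cutoff]


_PATTERN_RE = re.compile(r"\[(ipv4-addr:value|file:hashes\.'SHA-256')\s*=\s*'([^']+)'\]")


def extract_observables(indicator: dict) -> Dict[str, List[str]]:
    """Pull IPs and SHA-256 hashes out of a STIX pattern for a blocklist or log search."""
    found: Dict[str, List[str]] = {"ipv4": [], "sha256": []}
    for key, value in _PATTERN_RE.findall(indicator["pattern"]):
        found["ipv4" if key.startswith("ipv4") else "sha256"].append(value)
    return found


def context_for(indicator_id: str, collection: List[dict]) -> Dict[str, List[str]]:
    """Follow relationships: indicator -> TTP it indicates -> campaigns using it
    and courses of action mitigating it."""
    by_id = {o["id"]: o for o in collection}
    rels = [o for o in collection if o["type"] == "relationship"]
    ttps = [r["target_ref"] for r in rels
            if r["relationship_type"] == "indicates" and r["source_ref"] == indicator_id]
    ctx: Dict[str, List[str]] = {"ttps": [by_id[t]["name"] for t in ttps], "campaigns": [], "courses_of_action": []}
    for r in rels:
        if r["target_ref"] in ttps and r["relationship_type"] == "uses":
            ctx["campaigns"].append(by_id[r["source_ref"]]["name"])
        if r["target_ref"] in ttps and r["relationship_type"] == "mitigates":
            ctx["courses_of_action"].append(by_id[r["source_ref"]]["name"])
    return ctx


if __name__ == "__main__":
    print("new since last poll:", [o["type"] for o in poll_collection(COLLECTION, "2015-10-03T00:00:00.000Z")])
    print("observables:", extract_observables(COLLECTION[0]))
    print("context:", context_for(INDICATOR_ID, COLLECTION))
```

The split between the two halves is the point of the slide pair: the indicator values are what goes into detection, and the relationships are what tells the analyst which course of action the sharing partner recommends. The real TAXII 2.x API adds authentication, pagination and per-collection permissions on top of the `added_after` idea modelled here.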


Which of my Systems are more Vulnerable?

• Those under development or legacy?
• My guess is legacy
• Why?
  – When the space shuttle was still flying, they were looking for 8088 chips to replace failed chips
  – The B-52 is based on 1950s technology and expected to have a service life till 2040
  – The Defense Logistics Agency is tasked with supporting systems that have been deployed for decades with decades-old technologies
  – How do you find trusted suppliers for systems that are no longer manufactured?


Where do we go from here?

• Trusted foundries
• Use Original Component Manufacturers (OCMs)
• Use Original Equipment Manufacturers (OEMs) or their authorized resellers
• Blind buys
• Should we hold integration contractors responsible for all the components that go into a system?
  – We do in the auto industry
• DNA marking of chips to increase confidence they are what they say they are


Where do we go from here?


Case Study: Production of a Medical Device

• CPAP production in China
• Dr. Mike Donohoe, Professor at the University of Pittsburgh at the Katz School of Business
• Role as a VP of Information Systems in a medical device OEM


Questions?

– Dr. Russ Mattern: [email protected]
– Dr. Mike Donohoe: [email protected]
