Defence Assurance and Information Security
Ministry of Defence

UK Defence Info-Cyber Supply Chain Protection
Brief to US SSCA
15 March 2017

Ian Bryant
DAIS Assistant Head for Information Security Policy

[DAIS/ISP/2016/B/056 | v1.1 | 2017-03-15]

Today’s Presenter

MOD Context

As a National Defence organisation, MOD is perceived through 3 main “Lenses”:

– From the view of Government Department
– From the view of Military Organisation
– From the view of large acquisition and delivery organisation†

All aspects of operation need to be tailored to best meet (sometimes divergent) requirements of these differing Lenses.

† With large and diverse Defence Supply Base

Info-Cyber Context

(Diagram labels: Cyberspace; Infospace; IOCT-space; Cyber-Info-space)

IOCT: Information Technologies; Operational Technologies; Consumer Technologies
CPS: Cyber-Physical Systems
Non-digital DIKW: Data; Information; Knowledge; Wisdom

Defence Cyber-Info Protection Stakeholders

(Tier 0) Policy Team
Tier 1: Core Stakeholder Representatives (DAIS, JCU, PSyA, DSTL)
Tier 2: Wider Stakeholder Community (MOD CyI Practitioners incl. Acquisition)
Tier 3: Defence Community (All MOD personnel)
Tier 4: Partners
  4A: Defence Allies (esp. NATO and AUSCANNZUKUS)
  4B: Defence Supply Base (via DCPP)
  4C: UK Wider Public Sector
  4D: Standards Development Organisations (SDO)

Supply Chain Structural Context

(Diagram: Defence Security staffs (MOD DefSy); Defence Assurance & Information Security (MOD DAIS); Defence Cyber Protection Partnership (DCPP); Defence Industry Security Association (DISA); ISP)

Exploiting Standards

• Wherever possible, Defence seeks to either directly adopt and/or interpret Public Standards, for instance:
  • British Standards (BS)
    – {BS7799 – now ISO/IEC 27001/2}
    – BS10754 series {replacing PAS754}
  • International Standards (predominantly ISO/IEC):
    • ISO/IEC 27001
    • ISO/IEC 27002
    • ISO/IEC 27010
    • ISO/IEC 27036 series

Defence-Specific Outputs of Interest

(Diagram: DefSy, DAIS, DCPP and DISA, with their outputs JSP440, ISN, DICyPN and DefStan 05-138)

• JSP440 – Defence Manual of Security
• ISN – Industrial Security Notices
• DICyPN – Defence Info-Cyber Protection Notices
• DefStan 05-138 – Cyber Security for Defence Suppliers

DICyPAG Mission Statement

The Defence Info-Cyber Protection Advisory Group (DICyPAG) is an intra-departmental committee of the UK Ministry of Defence (MOD), operated in conjunction with Crown Commercial Services (CCS), that aims to provide a consensus, standardised approach to trustworthy use of commodity “Off The Shelf” (OTS) Protection Solutions (products and services).

Defence Cyber Protection Partnership (DCPP)

No organisation is an island:
• Suppliers with connections to our network
• Suppliers who handle or generate information we care about

MOD has:
• Approximately 6,000 “Tier One” suppliers
• Unknown number in the further supply chain, but at least 30,000+

DCPP Concept

Private Sector – Revenue, profit & share price:
• Intellectual property
• Competitive position
• Disruption of production
• Reputation
• Destruction

Public Sector:
• Prosperity & Growth
• Intellectual property
• Competitive position
• Reputation
• Security
• Disruption
• Destruction
• Military capability

→ Cyber-security requirements in MOD contracts

Team Defence UK is able to function effectively despite the increasing number and sophistication of cyber attacks.

DCPP Cyber Security Model (CSM)

• Risk assessment – conducted by the customer based on the specific contract
• Supplier assurance questionnaire – measures compliance
• Cyber Profiles – set out the required measures at each staged risk level

DCPP has agreed the mechanism for assessing risk, specifying required controls and evaluating suppliers.

Info-Cyber Protection Segmentation Model

Segment | Treatment Approach
------- | ------------------
(No requirement) | TL0
Mass Market / Implicit Need (M/I) | TL1 – Fundamental Practices (→ Commodity)
Mass Market / Explicit Need (M/E) | TL2 – Structured Practices
Niche Market / Explicit Need (N/E) | TL3 – Enhanced Practices
Custom | TL4 – Specialist Practices

Derived from: BS PAS 754:2014 “Software Trustworthiness. Governance and management. Specification” (tbrb BS10754 in 2017)

DICyP Notes (DICyPN)

• DICyPNs are issued under the auspices of the Defence Info-Cyber Protection Advisory Group (DICyPAG)
• DICyPNs should be read in conjunction with relevant Policy Documents, in particular JSP440/490/491/604 for internal Defence deployment, and DefStan 05-138 and associated Industrial Security Notices (ISN) for the Defence Supply Base
• DICyPNs predominantly cover endorsement, advice and guidance over Protection Solutions (PS), both Products and Services

DICyPNs as “Departmental Wrap”

• UK Government defines “Departmental Wraps” as that needed to customise external approvals / practices to Departmental Context
• DICyPN (replacing previous ‘DIPCOG’ model) defines the Wrap for Protection Solutions (PS) as being at minimum:
  – Review of existing external Approvals
  – Due Diligence check of organisational viability
  – Ensuring that adequate Documentation was generated [including Bill of Materials; Defect/Deviation List (DDL); Configuration; Use]
  – Adherence to DCPP [DefStan 05-138]
  – Alignment to DART Application Channel [PAS754:2014]
  – Commitment to ‘Post Marketing Surveillance’
  – Commitment to Flaw Remediation

“Post Marketing Surveillance” (PMS)

(Diagram: Protection Solutions (Products & Services) {C,I,A = FR}; Apps {C,I,A = NFR}; Direct or Collateral deleterious {C, I, A} Impacts†; DICyPAG Scope)

† c.f. former UNIRAS “GS490A” Scheme

ICyP – Challenging Use Cases

• Existing Certification / Approval Schemes concentrate on Niche Software products
• Challenging when the Demand side identifies alternative solutions, e.g.:

Category | Class | Group | Customer Proposed Product(s) | Challenge Type
-------- | ----- | ----- | ---------------------------- | --------------
Flow Control | One Way Diode | USB | LockedUSB | 1. Hardware; 2. Inexpensive
Flow Control | One Way Diode | USB | PortaPow USB Data Block | 1. Hardware; 2. Inexpensive
Flow Control | One Way Diode | USB | Plugable USB Charge-Only | 1. Hardware; 2. Inexpensive
Flow Control | One Way Diode | USB | JASTEK USB Sync Stop | 1. Hardware; 2. Inexpensive
Content Scan | AntiMalware | Endpoint | ClamAV | 3. FOSS
Content Scan | AntiMalware | Infrastructure | ClamAV | 3. FOSS
Secure Remote Access | Captive Portal Access | Travel Router | TP-Link TP-WR802N | 1. Hardware; 2. Inexpensive
Secure Remote Access | Captive Portal Access | Travel Router | HooToo TripMate Nano | 1. Hardware; 2. Inexpensive

Questions?


Contact Details

Ian Bryant
Assistant Head (Information Security Policy)
Defence Assurance and Information Security
Zone D Floor 0 MOD Main Building
Horseguards Avenue
London SW1A 2HB
United Kingdom

[email protected]
tel: +44-300-030-1924; Single Number (UK Landline Rates)
http://www.mod.uk