Defence Assurance and Information Security (DAIS), Ministry of Defence
UK Defence Info-Cyber Supply Chain Protection
Brief to US SSCA, 15 March 2017
Ian Bryant, DAIS Assistant Head for Information Security Policy
[DAIS/ISP/2016/B/056 | v1.1 | 2017-03-15]
UK MOD DAIS
MOD Context
As a National Defence organisation, MOD is perceived through 3 main “Lenses”:
– From the view of Government Department
– From the view of Military Organisation
– From the view of large acquisition and delivery organisation†
All aspects of operation need to be tailored to best meet the (sometimes divergent) requirements of these differing Lenses.
† With large and diverse Defence Supply Base
Info-Cyber Context
[Figure: nested spaces – Cyberspace, Infospace and IOCT-space, with Cyber-Physical Systems (CPS) and non-digital DIKW, together forming the Cyber-Info-space]
IOCT: Information Technologies; Operational Technologies; Consumer Technologies
CPS: Cyber-Physical Systems
DIKW: Data; Information; Knowledge; Wisdom
Defence Cyber-Info Protection Stakeholders
Tier 0 – Policy Team
Tier 1 – Core Stakeholder Representatives (DAIS, JCU, PSyA, DSTL)
Tier 2 – Wider Stakeholder Community (MOD CyI Practitioners incl. Acquisition)
Tier 3 – Defence Community (All MOD personnel)
Tier 4 – Partners
  4A: Defence Allies (esp. NATO and AUSCANNZUKUS)
  4B: Defence Supply Base (via DCPP)
  4C: UK Wider Public Sector
  4D: Standards Development Organisations (SDO)
Supply Chain Structural Context
[Figure: Defence Security staffs (MOD DefSy); Defence Assurance & Information Security (MOD DAIS); Defence Cyber Protection Partnership (DCPP); Defence Industry Security Association (DISA); linked through ISP]
Exploiting Standards
• Wherever possible, Defence seeks to either directly adopt and/or interpret Public Standards, for instance
• British Standards (BS)
  – {BS7799 – now ISO/IEC 27001/2}
  – BS10754 series {replacing PAS754}
• International Standards (predominantly ISO/IEC):
  – ISO/IEC 27001
  – ISO/IEC 27002
  – ISO/IEC 27010
  – ISO/IEC 27036 series
Defence-Specific Outputs of Interest
[Figure: issuing bodies (DefSy, DAIS, DCPP, DISA) mapped to their outputs (JSP440, ISN, DICyPN, DefStan 05-138)]
• JSP440 – Defence Manual of Security
• ISN – Industrial Security Notices
• DICyPN – Defence Info-Cyber Protection Notices
• DefStan 05-138 – Cyber Security for Defence Suppliers
DICyPAG Mission Statement
The Defence Info-Cyber Protection Advisory Group (DICyPAG) is an intra-departmental committee of the UK Ministry of Defence (MOD), operated in conjunction with Crown Commercial Services (CCS), that aims to provide a consensus, standardised approach to trustworthy use of commodity “Off The Shelf” (OTS) Protection Solutions (products and services).
Defence Cyber Protection Partnership (DCPP)
No organisation is an island
• Suppliers with connections to our network
• Suppliers who handle or generate information we care about
MOD has:
• Approximately 6,000 “Tier One” suppliers
• Unknown number in the further supply chain, but at least 30,000+
DCPP Concept
[Figure: Private Sector concerns (Revenue, profit & share price; Intellectual property; Competitive position; Disruption of production; Reputation; Destruction) and Public Sector concerns (Prosperity & Growth; Intellectual property; Competitive position; Reputation; Security; Disruption; Destruction; Military capability), linked through cyber-security requirements in MOD contracts]
Outcome: Team Defence UK is able to function effectively despite the increasing number and sophistication of cyber attacks
DCPP Participants
DCPP Cyber Security Model (CSM)
• Risk assessment – conducted by customer based on specific contract
• Supplier assurance questionnaire – measures compliance
• Cyber Profiles – set out the required measures at each staged risk level
DCPP has agreed the mechanism for assessing risk, specifying required controls and evaluating suppliers
Info-Cyber Protection Segmentation Model
Segment                            | Treatment Approach
(No requirement)                   | TL0
Mass Market / Implicit Need (M/I)  | TL1 – Fundamental Practices → Commodity
Mass Market / Explicit Need (M/E)  | TL2 – Structured Practices
Niche Market / Explicit Need (N/E) | TL3 – Enhanced Practices
Custom                             | TL4 – Specialist Practices
Derived from: BS PAS 754:2014 “Software Trustworthiness. Governance and management. Specification” (to be replaced by BS10754 in 2017)
DICyP Notes (DICyPN)
• DICyPNs are issued under the auspices of the Defence Info-Cyber Protection Advisory Group (DICyPAG)
• DICyPNs should be read in conjunction with relevant Policy Documents, in particular JSP440/490/491/604 for internal Defence deployment, and DefStan 05-138 and associated Industrial Security Notices (ISN) for the Defence Supply Base
• DICyPNs predominantly cover endorsement, advice and guidance over Protection Solutions (PS), both Products and Services
DICyPNs as “Departmental Wrap”
• UK Government defines “Departmental Wraps” as that needed to customise external approvals / practices to Departmental Context
• DICyPN (replacing previous ‘DIPCOG’ model) defines the Wrap for Protection Solutions (PS) as being at minimum:
  – Review of existing external Approvals
  – Due Diligence check of organisational viability
  – Ensuring that adequate Documentation was generated [including Bill of Materials; Defect/Deviation List (DDL); Configuration; Use]
  – Adherence to DCPP [DefStan 05-138]
  – Alignment to DART Application Channel [PAS754:2014]
  – Commitment to ‘Post Marketing Surveillance’
  – Commitment to Flaw Remediation
“Post Marketing Surveillance” (PMS)
[Figure: DICyPAG Scope† covers Protection Solutions (Products & Services) {C,I,A = FR} and Apps {C,I,A = NFR}, for Direct or Collateral deleterious {C, I, A} Impacts]
† c.f. former UNIRAS “GS490A” Scheme
ICyP – Challenging Use Cases
• Existing Certification / Approval Schemes concentrate on Niche Software products
• Challenging when Demand-side identifies alternative solutions, e.g.:
Category             | Class                 | Group          | Customer Proposed Product(s) | Challenge Type
Flow Control         | One Way Diode         | USB            | LockedUSB                    | 1. Hardware; 2. Inexpensive
                     |                       |                | PortaPow USB Data Block      | 1. Hardware; 2. Inexpensive
                     |                       |                | Plugable USB Charge-Only     | 1. Hardware; 2. Inexpensive
                     |                       |                | JASTEK USB Sync Stop         | 1. Hardware; 2. Inexpensive
Content Scan         | AntiMalware           | Endpoint       | ClamAV                       | 3. FOSS
                     |                       | Infrastructure | ClamAV                       | 3. FOSS
Secure Remote Access | Captive Portal Access | Travel Router  | TP-Link TP-WR802N            | 1. Hardware; 2. Inexpensive
                     |                       |                | HooToo TripMate Nano         | 1. Hardware; 2. Inexpensive
Contact Details
Ian Bryant
Assistant Head (Information Security Policy)
Defence Assurance and Information Security
Zone D Floor 0 MOD Main Building
Horseguards Avenue
London SW1A 2HB
United Kingdom
tel: +44-300-030-1924; Single Number (UK Landline Rates)
http://www.mod.uk