Unleash the Data Around Your Supply Chain Program · EnergySec 2019 · 2019-08-28

TRANSCRIPT

Page 1: Unleash the Data Around Your Supply Chain Program · 2019-08-28

EnergySec 2019

Unleash the Data Around Your Supply Chain Program

Page 2:

EnergySec 2019 – Unleash Your Data // 2

Presenters

Steve Earley, VP Third Party Risk, Fortress Information Security
• Steve leads the supply chain risk consulting business for Fortress, working with clients in several critical infrastructure industries, including the Power industry
• 25+ years IT experience, 15 years audit/risk/security covering Energy, Financial Services, Healthcare, Government, Public Accounting
• Commander (Ret.), U.S. Navy: specialized in information assurance and cyber intelligence

Tony Turner, VP Security Solutions, Fortress Information Security
• Tony is the primary security solutions architect and leads the asset and vulnerability management services and threat analysis business for Fortress clients
• 25+ years IT experience, 15 in security engineering/architecture/consulting and management across Energy, Government, Transportation, Manufacturing, Retail, Electronics and the security vendor landscape
• Active OWASP Chapter leader and other information security community orgs, open source project leader/contributor

Page 3:

Fortress is uniquely focused on the ecosystem of assets & vendors

Critical Infrastructure Expertise
• Secures 10% of US power grid
• Managing over 300,000 assets
• Over 40,000 vendors managed
• The only company scanning 2M companies/mo

Unlock Value
• Bridge vendor and IT/OT/IoT/IIoT risk management
• Eliminate waste through analytics
• Integrate with existing tools

Data Driven Focus
• Focused on providing insights
• The right data provides actionable outcomes
• The data is everywhere
• Human analysis provides targeted intelligence

[Diagram: Fortress A2V Platform linking Vendors, OT Assets and IT Assets]

Page 4:

Supply chain is the new frontier for cyber security threat actors

Complex Supply Chain
• 50% of cyber-attacks involved the supply chain in 2018. - Infosecurity-Magazine.com

Rise in Supply Chain Attacks
• Supply chains remain a soft target with attacks ballooning by 78 percent. - Nextgov.com

Many Attack Vectors
• 71% of attacks in 2017 began with spear phishing.
• Mobile malware increased 54% in 2017

Apprehension
• Executive Order 13873 highlights the importance of cybersecurity in supply chain as a vital element of national security

Interdependence
• Over 80% of software components used in today's applications come from third parties. – 2017 Veracode State of Software Security Report

Page 5:

NIST SP 800-161 Supply Chain Risk Model

[Diagram: NIST SP 800-161 supply chain risk model; only the label "Risk Assessments" survived extraction]

Page 6:

Supply Chain Vulnerabilities

Principal vulnerabilities to identify:
• Access paths within the supply chain that allow malicious actors to gain information about the system and ultimately introduce components that could cause the system to fail at some later time ("components" here include hardware, software, and firmware)
• Access paths that allow malicious actors to trigger a component malfunction or failure during system operations
• Dependencies on supporting or associated components that might be more accessible or easier for malicious actors to subvert than components that directly perform critical functions.

Page 7:

Cybersecurity is a great starting point to understand supply chain risk, but much more data is needed to complete the picture

We must fight fire with fire.
If information compromises the supply chain, it can also be used to secure the supply chain.

[Diagram: data domains that complete the picture: Broadcasts, Financial, News Sentiment, Geopolitical, Safety, Compliance, Inherent Risk, Regulatory, Anti-Bribery, Anti-Money Laundering, Legal]

Page 8:

Automating Assessments for Large Vendor Populations

"It can take an analyst up to 80 work hours to manually complete a query on one device." - DoD & FedBiz News

[Diagram labels: DATA, ANALYTICS, TECHNOLOGY]

Page 9:

CIP-013 WEBINAR //

Use Data to Identify Your Vendor Population

You need a holistic view of risk in your organization. Data will help.

• Start with your large population of vendors, for example 40,000

• Utilize combination of automated data collection and analysis to reduce the number to the riskiest 10 percent (4,000)

• Sort by impact and dig even deeper for more intelligence on the top tier of vendors. Perform assessments only on those vendors with the greatest impact.

• Automation drives continuous monitoring activities, looking for signs of potential risk or vulnerability that might get missed in traditional vendor audits or self-reporting.
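The funnel on this slide (start with 40,000 vendors, cut to the riskiest 10 percent by automated signals, then assess only the highest-impact vendors in that slice) as runnable triage logic. This is an added example for the transcript, not Fortress code and not the A2V platform. The Vendor fields, the WEIGHTS, the synthetic 40,000-record population and every score are constructed assumptions; the signal categories (external cyber score, financial, geographic, access to your environment, impact of what the vendor does for you) follow the data types the deck lists.

```python
"""Two-tier vendor triage: risk-rank a large vendor population, then pick assessment targets.

Added example; not Fortress code and not from the deck. The Vendor fields, weights,
the synthetic population and every score here are constructed for illustration.
"""
import random
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vendor:
    name: str
    cyber_score: float     # 0 (worst) .. 100 (best): external footprint, patching, DNS, etc.
    financial_risk: float  # 0 .. 1: distress indicator from financial/news data
    geo_risk: float        # 0 .. 1: derived from operating locations and their 3rd parties
    has_access: bool       # remote or physical access to your environment
    impact: int            # 1 (low) .. 5 (high): what the vendor does FOR YOU


# Constructed weights; a real program would calibrate these against incident history.
WEIGHTS = {"cyber": 0.5, "financial": 0.2, "geo": 0.3}


def risk_score(v: Vendor) -> float:
    """Composite risk in [0, 1], higher is riskier. Access to your environment raises it."""
    cyber = 1.0 - v.cyber_score / 100.0
    base = (WEIGHTS["cyber"] * cyber
            + WEIGHTS["financial"] * v.financial_risk
            + WEIGHTS["geo"] * v.geo_risk)
    return min(1.0, base + (0.1 if v.has_access else 0.0))


def riskiest_fraction(vendors: List[Vendor], fraction: float = 0.10) -> List[Vendor]:
    """Tier 1: keep the riskiest `fraction` of the population (at least one vendor)."""
    keep = max(1, int(len(vendors) * fraction))
    return sorted(vendors, key=lambda v: (-risk_score(v), v.name))[:keep]


def assessment_targets(vendors: List[Vendor], fraction: float = 0.10,
                       min_impact: int = 4) -> List[Vendor]:
    """Tier 2: within tier 1, keep only high-impact vendors, highest impact first."""
    tier1 = riskiest_fraction(vendors, fraction)
    targets = [v for v in tier1 if v.impact >= min_impact]
    return sorted(targets, key=lambda v: (-v.impact, -risk_score(v), v.name))


def build_population(n: int = 40000, seed: int = 1) -> List[Vendor]:
    """Constructed synthetic population, deterministic for a given seed."""
    rng = random.Random(seed)
    return [Vendor(name=f"vendor-{i:05d}",
                   cyber_score=rng.uniform(20, 100),
                   financial_risk=rng.random(),
                   geo_risk=rng.choice([0.1, 0.3, 0.6, 0.9]),
                   has_access=rng.random() < 0.15,
                   impact=rng.randint(1, 5))
            for i in range(n)]


def funnel_counts(vendors: List[Vendor]) -> Tuple[int, int, int]:
    """(population, tier-1 count, assessment-target count): e.g. 40,000 -> 4,000 -> fewer."""
    return len(vendors), len(riskiest_fraction(vendors)), len(assessment_targets(vendors))


if __name__ == "__main__":
    total, tier1, targets = funnel_counts(build_population())
    print(f"population={total} riskiest_10pct={tier1} assess={targets}")
```

The two tiers are deliberately separate: tier 1 is driven only by automatically collected signals, so it can run continuously over the whole population; impact (scope of services, access) is applied afterwards so that a low-risk but critical vendor is not assessed on cyber score alone, and a high-risk vendor that touches nothing important does not consume analyst hours.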

Page 10:

Dig Deeper for Data Insights

Vendor Profile
• 60% of an organization's risk can be identified just from understanding what they do FOR YOU.
• What is their scope of services for your organization?
• What do they have access to?
• Why are they important for your processes?

Operations Locations
• Offshore delivery centers can be monitored with cyber monitoring solutions. But what about THEIR 3rd parties?
• What about cloud presence?
• How are they managing your data?

Cyber Evidence
• IP Reputation - Malware, DDoS, spam propagation, etc.
• Cyber footprint – Open ports, patching, SSL, DNS, Appsec
• Vulnerabilities

Open Source Intel
• Confidential docs, exposed credentials, misuse of corporate emails, blog posting of confidential data
• Presence (or absence) of staff with cyber security skills (data gathered from LinkedIn and other sources)
• Social media sentiment monitoring
• Operational risk factors – Reputation, Financial, Safety, etc.

Page 11:

But how is it really all connected?

Page 12:

Example (Oversimplified) Supply Chain

OEM Locations / Severity
• China: High
• United Kingdom: Medium
• United States: Low

Assembly & Test / Severity
• China: High
• United States (Arrow Electronics, Jabil): Low

FABS + Assembly & Test / Severity
• Italy fab, China assembly & test: High
• France fab, Malaysia assembly & test: Medium
• Singapore fab, Singapore assembly & test: Low

Page 13:

Example BES Asset

Substation Baseline Component (67%)
• 12 Known Vulnerabilities
• 7% Procured from Chinese alternate Supplier
• Subcomponent probability of counterfeit (7%)
• Subcomponent of Unknown origin
• Source Code for SOC leaked on Pastebin
• Distributor with failing Cyber score
• Sole source supplier under investigation for antitrust
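The slide-6 point that supporting components can be easier to subvert than the component that performs the critical function, together with the slide-12 location severities and the slide-13 per-supplier findings, as one added example (not Fortress code and not from the deck): a small tree of the asset's suppliers, an intrinsic risk per node from its own signals, and for each root-to-leaf access path the probability that at least one node on it is subverted. The Node fields, the SEVERITY mapping, the weights in node_risk, the independence assumption in path_risk, and every name and value in build_example_asset are constructed.

```python
"""Roll supplier, location and component signals up a simplified supply-chain tree.

Added example; not Fortress code and not from the deck. The tree mirrors the slide-12
location/severity tables and the slide-13 asset annotations, but the node names, the
SEVERITY mapping, the weights and the independence assumption in path_risk are constructed.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Constructed mapping from the deck's Low/Medium/High location labels to numbers.
SEVERITY = {"Low": 0.2, "Medium": 0.5, "High": 0.9}


@dataclass
class Node:
    name: str
    location: str = "United States"
    severity: str = "Low"          # location severity label, as on slide 12
    known_vulns: int = 0           # published vulnerabilities in this component
    counterfeit_prob: float = 0.0  # 0 .. 1, probability the part is counterfeit
    cyber_score: float = 100.0     # supplier's external cyber score, 0 worst .. 100 best
    sole_source: bool = False      # no alternate supplier if this one is subverted
    children: List["Node"] = field(default_factory=list)


def node_risk(n: Node) -> float:
    """Intrinsic risk of one node in [0, 1] from its own signals only."""
    vuln = min(1.0, n.known_vulns / 10.0)
    cyber = 1.0 - n.cyber_score / 100.0
    score = (0.4 * SEVERITY[n.severity] + 0.25 * vuln
             + 0.2 * n.counterfeit_prob + 0.2 * cyber)
    if n.sole_source:
        score += 0.1
    return min(1.0, score)


def all_nodes(n: Node) -> Iterator[Node]:
    yield n
    for c in n.children:
        yield from all_nodes(c)


def root_to_leaf_paths(n: Node, prefix: Tuple[Node, ...] = ()) -> Iterator[Tuple[Node, ...]]:
    prefix = prefix + (n,)
    if not n.children:
        yield prefix
    for c in n.children:
        yield from root_to_leaf_paths(c, prefix)


def path_risk(path: Tuple[Node, ...]) -> float:
    """P(at least one node on the path is subverted), treating nodes as independent."""
    p_clean = 1.0
    for n in path:
        p_clean *= 1.0 - node_risk(n)
    return 1.0 - p_clean


def rank_paths(root: Node) -> List[Tuple[float, List[str]]]:
    """Every root-to-leaf access path, riskiest first."""
    scored = [(path_risk(p), [n.name for n in p]) for p in root_to_leaf_paths(root)]
    return sorted(scored, key=lambda t: (-t[0], t[1]))


def weakest_node(root: Node) -> str:
    """The single most subvertible node: often a supporting component, not the asset itself."""
    return max(all_nodes(root), key=lambda n: (node_risk(n), n.name)).name


def build_example_asset() -> Node:
    """Constructed tree in the style of the slide-13 substation component."""
    fab = Node("Fab", "Italy", "Medium")
    soc = Node("SoC supplier (sole source)", "Singapore", "Low", sole_source=True)
    assembly = Node("Assembly & Test", "China", "High", counterfeit_prob=0.07,
                    children=[fab, soc])
    oem = Node("OEM", "United Kingdom", "Medium", children=[assembly])
    distributor = Node("Distributor", cyber_score=20.0)  # "failing cyber score"
    return Node("Substation baseline component", known_vulns=12,
                children=[oem, distributor])


if __name__ == "__main__":
    asset = build_example_asset()
    print("weakest node:", weakest_node(asset))
    for risk, names in rank_paths(asset):
        print(f"{risk:.3f}  " + " -> ".join(names))
```

Note what the rollup shows: the asset itself carries the 12 known vulnerabilities, yet the weakest node is the assembly and test step two tiers upstream, and the riskiest access path runs through it. A score kept only at the asset level would miss that, which is the reason the deck insists on mapping how the vendors and components are connected before scoring them.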

Page 14:

Tie-in to CIP-013: it's all about risk

Document
• Create documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems

Classify
• Understand which vendors fall under the CIP-013 umbrella and assess risks; begins with the Procurement cycle

Policy
• Create requirements and timelines for when a vendor must disclose vulnerabilities to you

Alerts
• Ensure vendors are notifying you when a cyber incident occurs within their operations which may impact you

Reaction
• Establish how your company will get involved in the incident and the level of information you require

Notifications
• Vendors must notify you when employees with access to your environment leave their company

Verification
• Verification of software integrity and authenticity of all software and patches provided by the vendor

Control
• Ensure full control over vendor remote access to your environment
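The Verification item above, as an added example of what the check looks like when a vendor delivery arrives; it is not Fortress code, not from the deck and not any vendor's tool. Integrity is checked by hashing every delivered file against a sha256sum-style manifest, and files the manifest does not list are flagged rather than ignored. Authenticity is approximated by comparing the manifest to a digest obtained over a second channel (for example read from the vendor's portal rather than taken from the same download); that stands in for a detached-signature check (GPG or code signing), which is the stronger control and which the standard library cannot perform. The file contents, the manifest and the pinned digest are constructed inline.

```python
"""Check vendor-delivered software and patches against a sha256sum-style manifest.

Added example; not Fortress code, not from the deck and not any vendor's tool. The file
contents, manifest and pinned manifest digest are constructed. The authenticity check
assumes the manifest digest was obtained over a separate channel; verifying the vendor's
detached signature is the stronger control and is outside the standard library.
"""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<64-hex sha256>  <filename>' lines; reject malformed or duplicate entries."""
    expected: Dict[str, str] = {}
    hexdigits = set("0123456789abcdefABCDEF")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= hexdigits:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        name = parts[1].lstrip("*")  # leading '*' is sha256sum's binary-mode marker
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        expected[name] = parts[0].lower()
    return expected


def verify_delivery(files: Dict[str, bytes], manifest_text: str,
                    pinned_manifest_sha256: str) -> dict:
    """Classify every delivered file; unlisted extras are flagged, not silently accepted."""
    report = {"authentic": False, "ok": [], "mismatch": [], "missing": [], "unlisted": []}
    # Authenticity (stand-in): the manifest must match the digest obtained out of band.
    report["authentic"] = hmac.compare_digest(sha256_hex(manifest_text.encode("utf-8")),
                                              pinned_manifest_sha256.lower())
    expected = parse_manifest(manifest_text)
    for name, digest in expected.items():
        if name not in files:
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["unlisted"] = sorted(set(files) - set(expected))
    return report


def accept(report: dict) -> bool:
    """Install only when the manifest is authentic and every file is listed and matches."""
    return bool(report["authentic"]) and not (
        report["mismatch"] or report["missing"] or report["unlisted"])


# Constructed delivery: two vendor artifacts, the manifest they ship, and the pinned digest.
FIRMWARE = b"\x7fELF-constructed-firmware-image-v2.3.1"
PATCH = b"constructed-patch-bundle-2019-08"
GOOD_FILES = {"firmware.bin": FIRMWARE, "patch.tar": PATCH}
MANIFEST = f"{sha256_hex(FIRMWARE)}  firmware.bin\n{sha256_hex(PATCH)} *patch.tar\n"
PINNED_MANIFEST_SHA256 = sha256_hex(MANIFEST.encode("utf-8"))


if __name__ == "__main__":
    print(accept(verify_delivery(GOOD_FILES, MANIFEST, PINNED_MANIFEST_SHA256)))  # True
```

Two details matter in practice. The manifest must be authenticated before any of its entries are trusted, since an attacker who can replace the patch can usually replace the manifest beside it. And the extra-file check is not optional: a tampered delivery that adds a file while leaving the listed ones intact passes a plain hash comparison.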

Page 15:

Reporting Example