unleash the data around your supply chain program · 2019-08-28 · energysec 2019 –unleash your...
TRANSCRIPT
EnergySec 2019
Unleash the Data Around Your Supply Chain Program
EnergySec 2019 – Unleash Your Data // 2
Presenters

Steve Earley, VP Third Party Risk, Fortress Information Security
• Steve leads the supply chain risk consulting business for Fortress, working with clients in several critical infrastructure industries, including the Power industry
• 25+ years IT experience, 15 years audit/risk/security covering Energy, Financial Services, Healthcare, Government, Public Accounting
• Commander (Ret.), U.S. Navy: specialized in information assurance and cyber intelligence

Tony Turner, VP Security Solutions, Fortress Information Security
• Tony is the primary security solutions architect and leads the asset and vulnerability management services and threat analysis business for Fortress clients
• 25+ years IT experience, 15 in security engineering/architecture/consulting and management across Energy, Government, Transportation, Manufacturing, Retail, Electronics and the security vendor landscape
• Active OWASP Chapter leader and other information security community orgs, open source project leader/contributor
Fortress is uniquely focused on the ecosystem of assets & vendors

Critical Infrastructure Expertise
• Secures 10% of US power grid
• Managing over 300,000 assets
• Over 40,000 vendors managed
• The only company scanning 2M companies/mo

Unlock Value
• Bridge vendor and IT/OT/IoT/IIoT risk management
• Eliminate waste through analytics
• Integrate with existing tools

Figure: Fortress A2V Platform connecting Vendors, OT Assets and IT Assets

Data Driven Focus
• Focused on providing insights
• The right data provides actionable outcomes
• The data is everywhere
• Human analysis provides targeted intelligence
Supply chain is the new frontier for cyber security threat actors

Complex Supply Chain
• 50% of cyber-attacks involved the supply chain in 2018. - Infosecurity-Magazine.com

Rise in Supply Chain Attacks
• Supply chains remain a soft target with attacks ballooning by 78 percent. - Nextgov.com

Many Attack Vectors
• 71% of attacks in 2017 began with spear phishing.
• Mobile malware increased 54% in 2017.

Apprehension
• Executive Order 13873 highlights the importance of cybersecurity in supply chain as a vital element of national security.

Interdependence
• Over 80% of software components used in today's applications come from third parties. - 2017 Veracode State of Software Security Report
NIST 800-161 Supply Chain Risk Model
Figure: NIST 800-161 risk model, Risk Assessments
Supply Chain Vulnerabilities
Principal vulnerabilities to identify:
• Access paths within the supply chain that allow malicious actors to gain information about the system and ultimately introduce components that could cause the system to fail at some later time ("components" here include hardware, software, and firmware)
• Access paths that allow malicious actors to trigger a component malfunction or failure during system operations
• Dependencies on supporting or associated components that might be more accessible or easier for malicious actors to subvert than components that directly perform critical functions.
Cybersecurity is a great starting point to understand supply chain risk, but much more data is needed to complete the picture

We must fight fire with fire.
If information compromises the supply chain, it can also be used to secure the supply chain.

Figure: additional data sources - Broadcasts, Financial, News, Sentiment, Geopolitical, Safety, Compliance, Inherent Risk, Regulatory, Anti-Bribery, Anti-Money Laundering, Legal
Automating Assessments for Large Vendor Populations
It can take an analyst up to 80 work hours to manually complete a query on one device. - DoD & FedBiz News
Figure: Data Analytics Technology

Use Data to Identify Your Vendor Population
You need a holistic view of risk in your organization. Data will help.
• Start with your large population of vendors, for example 40,000
• Utilize a combination of automated data collection and analysis to reduce the number to the riskiest 10 percent (4,000)
• Sort by impact and dig even deeper for more intelligence on the top tier of vendors. Perform assessments only on those vendors with the greatest impact.
• Automation drives continuous monitoring activities, looking for signs of potential risk or vulnerability that might get missed in traditional vendor audits or self-reporting.
Dig Deeper for Data Insights

Vendor Profile
• 60% of an organization's risk can be identified just from understanding what they do FOR YOU.
• What is their scope of services for your organization?
• What do they have access to?
• Why are they important for your processes?

Operations Locations
• Offshore delivery centers can be monitored with cyber monitoring solutions. But what about THEIR 3rd parties?
• What about cloud presence?
• How are they managing your data?

Cyber Evidence
• IP Reputation - Malware, DDoS, spam propagation, etc.
• Cyber footprint – Open ports, patching, SSL, DNS, Appsec
• Vulnerabilities

Open Source Intel
• Confidential docs, exposed credentials, misuse of corporate emails, blog posting of confidential data
• Presence (or absence) of staff with cyber security skills (data gathered from LinkedIn and other sources)
• Social media sentiment monitoring
• Operational risk factors – Reputation, Financial, Safety, etc.
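As an added example (not from the presentation or Fortress's platform), the funnel from the two preceding slides in Python: a weighted risk score built from the cyber-evidence and OSINT signals listed above plus the location severity, the riskiest fraction kept, then ordered by impact to decide who gets a manual assessment first. The weights, the score scale and the vendor records are constructed assumptions.

```python
from dataclasses import dataclass, field

# Weights and scales are illustrative assumptions, not Fortress's scoring model.
SIGNAL_WEIGHTS = {
    "ip_reputation_hits": 2.0,   # malware, DDoS or spam propagation seen from vendor IP space
    "exposed_credentials": 3.0,  # credential dumps tied to the vendor's domain
    "open_vulns": 0.5,           # externally visible unpatched findings
}
LOCATION_SEVERITY = {"High": 3.0, "Medium": 1.5, "Low": 0.0}   # as in the location tables
IMPACT_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}  # what they do FOR YOU

@dataclass
class Vendor:
    name: str
    cyber_score: float        # 0-100 external cyber footprint score, higher is better
    location_severity: str    # High / Medium / Low from the OEM and fab locations
    impact: str               # scope of access to your environment and processes
    signals: dict = field(default_factory=dict)

def risk_score(v: Vendor) -> float:
    """Higher is riskier: a failing cyber score and a high-severity location set the base."""
    score = (100 - v.cyber_score) / 10.0 + LOCATION_SEVERITY.get(v.location_severity, 1.5)
    for key, weight in SIGNAL_WEIGHTS.items():
        score += weight * v.signals.get(key, 0)
    return round(score, 2)

def tier_vendors(vendors, top_fraction=0.10, assess_n=None):
    """Funnel from the slides: keep the riskiest top_fraction, then order by impact."""
    ranked = sorted(vendors, key=risk_score, reverse=True)
    riskiest = ranked[: max(1, int(len(ranked) * top_fraction))]
    # Within the risky set, impact decides who gets a manual assessment first.
    by_impact = sorted(riskiest, key=lambda v: (IMPACT_RANK.get(v.impact, 0), risk_score(v)), reverse=True)
    return by_impact if assess_n is None else by_impact[:assess_n]

# Constructed sample population (placeholder names, not real vendors).
SAMPLE_VENDORS = [
    Vendor("relay-oem", 41, "High", "critical", {"open_vulns": 12, "exposed_credentials": 1}),
    Vendor("hvac-contractor", 55, "Low", "low", {"ip_reputation_hits": 3}),
    Vendor("scada-integrator", 78, "Medium", "critical", {"open_vulns": 2}),
    Vendor("office-supplies", 60, "Low", "low"),
    Vendor("firmware-distributor", 35, "High", "high", {"ip_reputation_hits": 1}),
    Vendor("cloud-mssp", 90, "Low", "critical", {"exposed_credentials": 2}),
]

if __name__ == "__main__":
    # The sample is tiny, so keep half instead of the slides' 10 percent.
    for v in tier_vendors(SAMPLE_VENDORS, top_fraction=0.5):
        print(f"{v.name:22} risk={risk_score(v):5.1f} impact={v.impact}")
```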
But how is it really all connected?
Example (Oversimplified) Supply Chain

Assembly & Test                 Severity
China                           High
United States                   Low
(Arrow Electronics, Jabil)

OEM Locations                   Severity
China                           High
United Kingdom                  Medium
United States                   Low

FABS          Assembly & Test   Severity
Italy         China             High
France        Malaysia          Medium
Singapore     Singapore         Low
Example BES Asset
Substation Baseline Component 67%
• 12 known vulnerabilities
• 7% procured from Chinese alternate supplier
• Subcomponent probability of counterfeit (7%)
• Subcomponent of unknown origin
• Source code for SOC leaked on Pastebin
• Distributor with failing cyber score
• Sole source supplier under investigation for antitrust
Tie-in to CIP-013: it's all about risk

Document
• Create documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems
Classify
• Understand which vendors fall under the CIP-013 umbrella and assess risks; begins with the Procurement cycle
Policy
• Create requirements and timelines for when the vendor must disclose vulnerabilities to you
Alerts
• Ensure vendors are notifying you when a cyber incident occurs within their operations which may impact you
Reaction
• Establish how your company will get involved in the incident and the level of information you require
Notifications
• Vendors must notify you when employees with access to your environment leave their company
Verification
• Verification of software integrity and authenticity of all software and patches provided by the vendor
Control
• Ensure full control over vendor remote access to your environment
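As an added example for the Verification item above (not from the presentation), a Python check that a vendor-delivered patch bundle matches the vendor's published SHA-256 manifest, flagging altered, missing and unlisted files and failing closed. The sha256sum-style manifest format, file names and bytes are constructed assumptions; the vendor's signature over the manifest (the authenticity half) is assumed to be verified separately before this check runs.

```python
import hashlib
import hmac

def parse_manifest(text: str) -> dict:
    """Parse 'sha256hex  filename' lines (sha256sum style); reject malformed digests."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not all(c in "0123456789abcdef" for c in parts[0].lower()):
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[parts[1].strip()] = parts[0].lower()
    return expected

def verify_bundle(manifest_text: str, files: dict) -> dict:
    """Per-file status: ok / mismatch / missing / unlisted. Anything but ok should block install."""
    expected = parse_manifest(manifest_text)
    status = {}
    for name, digest in expected.items():
        if name not in files:
            status[name] = "missing"
            continue
        actual = hashlib.sha256(files[name]).hexdigest()
        status[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    for name in files:
        if name not in expected:
            status[name] = "unlisted"   # delivered but not covered by the vendor manifest
    return status

def bundle_is_trusted(status: dict) -> bool:
    """Fail closed: an empty bundle or any non-ok entry is not trusted."""
    return bool(status) and all(s == "ok" for s in status.values())

# Constructed sample: a vendor patch bundle and its manifest (bytes are placeholders).
GOOD_FIRMWARE = b"constructed sample firmware image v1.2"
GOOD_NOTES = b"constructed release notes"
SAMPLE_MANIFEST = (
    f"{hashlib.sha256(GOOD_FIRMWARE).hexdigest()}  firmware.bin\n"
    f"{hashlib.sha256(GOOD_NOTES).hexdigest()}  notes.txt\n"
)
CLEAN_DELIVERY = {"firmware.bin": GOOD_FIRMWARE, "notes.txt": GOOD_NOTES}
# One byte appended to the image, notes dropped, and a file the manifest never listed.
TAMPERED_DELIVERY = {"firmware.bin": GOOD_FIRMWARE + b"\x00", "extra.dll": b"unexpected"}

if __name__ == "__main__":
    for label, delivery in (("clean", CLEAN_DELIVERY), ("tampered", TAMPERED_DELIVERY)):
        status = verify_bundle(SAMPLE_MANIFEST, delivery)
        print(label, status, "trusted" if bundle_is_trusted(status) else "REJECT")
```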
Reporting Example