Cyber supply chain risk management ASDE

Date post: 16-May-2015
Upload: engineers-australia
Page 1: Cyber supply chain risk management   ASDE

© Stratsec.net Pty Ltd trading as BAE Systems Detica (2013). All rights reserved.

BAE SYSTEMS and DETICA are trade marks of BAE Systems plc.

Cyber security risks in your supply chain

ASDE WA Chapter

Version 1.0, 24th October, 2013

Aaron Doggett, BAE Systems Detica, WA Regional Manager

Page 2: Cyber supply chain risk management   ASDE


What is this about?

• Risks to cyber supply chains, and their real-world implications

• Disruption

• Theft

• Failure of output

• Security of commercial and bespoke capabilities

• National defence and economical significance

2

Page 3: Cyber supply chain risk management   ASDE


What is this about?

• “Governments and commercial organizations worldwide continue to voice concerns over the need to ensure the security of commercial technology products and the integrity of the world’s technology supply chains while maintaining a diverse range of technology options and preserving innovation.”

- Open Group White Paper

3

Page 4: Cyber supply chain risk management   ASDE


Supply chain risk management

• “Supply chain risk management (SCRM) is a discipline of risk management which attempts to identify potential disruptions to continued manufacturing production and thereby commercial financial exposure”

- Institute of Risk Managers

4

Figure source: International Journal of Physical Distribution & Logistics Management

Page 5: Cyber supply chain risk management   ASDE


A sample global supply chain

5

Figure (stages of a sample global supply chain): Software design; Product design; Chip design; Chip manufacture; Component manufacture; Product assembly; Software design; Product use; Product use

Page 6: Cyber supply chain risk management   ASDE


SCRM for Defence & cyber security

• SCRM in Defence has a number of angles:

• Defining operational capability and readiness

• Once operational, takes a logistical focus

• Focus on capability and resiliency

• SCRM as a product or service supplier:

• Support the customer’s supply chain requirement

• Cost, efficiency, integrity, resiliency of own supply chain

• SCRM in cyber security:

• Macro (geo-political) concerns about integrity

• Risks associated with supplier and component compromise

6

Page 7: Cyber supply chain risk management   ASDE


Why applicable to this group

• SCRM in a cyber security sense has real world implications

• Increasing number of cases resulting in:

• Theft of intellectual property

• Direct commercial advantage

• Brand/reputational damage

• National damage

• Increasingly, attacks are held against a component of the supply chain, not the end entity

• Does pose a concern to national security, national economy and specific industry

• Generally, is a concern for Defence & Defence suppliers

7

Page 8: Cyber supply chain risk management   ASDE


To consider

• Stages of a product lifecycle

• Development & manufacturing

• Delivery

• Configure & deploy

• Use / run

• End of life & disposal

• Whilst the ‘run’ stage is where we have the greatest control, do we pay enough attention in the other areas?

8

Figure callouts on the lifecycle stages:

Where the greatest widescale attack could occur (unnoticed)

Where a targeted attack could occur (and go unnoticed)

Where the security industry typically focuses its attention

Page 9: Cyber supply chain risk management   ASDE


What we are seeing

• Increasing public accounts of industrial espionage using ‘cyber’ as an attack vector

• Increasing attacks on the supply chain due to:

• Weaker links / softer targets than the end entity

• Ability to achieve deeper and wider penetration

9

Do any of your customers think that this is you?

Which of your vendors/suppliers is this?

Page 10: Cyber supply chain risk management   ASDE


Geo-politics of this problem are not new

10

Page 11: Cyber supply chain risk management   ASDE


Recent breaches have SCRM at their core

11

February 2012. VeriSign was “hacked repeatedly by outsiders who stole undisclosed information from the leading internet infrastructure company” in 2010. (smh.com.au)

“security breaches … were not sufficiently reported to management” – Verisign SEC Filing

March 2011. RSA compromised by an “Advanced Persistent Threat”, stealing data related to the SecurID authentication system.

“It is likely that RSA growth will remain a bit slower as remediation efforts continue” - David Goulden, EMC CFO

May 2011. Lockheed Martin was hit with a “significant and tenacious” cyber attack, using the breached RSA SecurID authentication data.

"The fact is, in this new reality, we are a frequent target of adversaries around the world." - Sondra Barbour, CIO

April 2011. DELL Australia’s customer data was compromised, during a breach of US-based e-mail service provider epsilon. (Also affected Barclays Bank, Citigroup, JPMorgan Chase, Visa, Marriott International, Kraft, Tivo and others).

“China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal.” - Bloomberg

Figure callouts:

An infrastructure company is compromised. They are important to you. Fingers crossed.

An infrastructure company is compromised. They are important to you. Fingers crossed.

The infrastructure breach gets used against you.

Your supplier gets compromised; your data gets stolen.

Your supplier gets compromised; is your data taken?

Page 12: Cyber supply chain risk management   ASDE


More examples - consumer & non-targeted

12

*Sample entries taken from the US Resilience Project

Page 13: Cyber supply chain risk management   ASDE


Two recent examples of attacks on supply chains

• NY Times website (end of August 2013)

• Attack left website unavailable for close to a day

• How performed*

• Attacker targets reseller of domain names (personnel divulge their company email addresses and passwords)

• Attacker logs into email accounts (identify details of customers, including username & passwords)

• Attacker changes domain registry to personal cause (legitimate website unavailable)

• Attack via an Indian ISP, against a US reseller of Australian company (that provides domain name services) and disrupts a global company!

13

*The Australian, 29/08/2013

Page 14: Cyber supply chain risk management   ASDE


Two recent examples of attacks on supply chains

• RSA breach (mid-2011)

• Resulted in the theft of SecurID seed data

• How performed*

• April 2011 – targeted email to EMC employees.

• Excel attachment, embedded Flash (zero-day), drops ‘Poison Ivy’ backdoor.

• Remote access to workstation and network shares.

• Obtained SecurID seed data.

• Then (purportedly) used to attack Defence contractors.

• Prior to this event, how many people would have risks to the seed data for their RSA tokens used for remote access on their corporate register?

14

*F-Secure, 26/08/2011

Page 15: Cyber supply chain risk management   ASDE


The ‘advanced threat’

• For the past few years, the phrase ‘advanced persistent threat’ (or APT) has been with us

• Typically associated with gaining and maintaining access to high profile / value targets, often over many years

• Well resourced, highly skilled entities (search APT1, Hidden Lynx for examples)

• Difficult to protect against due to the targeted nature of attacks and often superior sophistication

• Relevant to the Defence space due to the appeal of the target to nation states or supported entities

• Represents a clear targeted attack

• New vector for traditional espionage activities?

15

Page 16: Cyber supply chain risk management   ASDE


Responses (Macro level) – WEF Report on SCRM

• Primarily about physical supply chains… but the issues identified, and the implications, are equally as applicable to cyber security.

16

Page 17: Cyber supply chain risk management   ASDE


WEF Report on SCRM

• “Trends such as globalization, lean processes and the geographical concentration of production have made supply chain networks more efficient, but have also changed their risk profile.”

• “Recent high-profile events have highlighted how risks outside the control of individual organizations can have cascading and unintended consequences that cannot be mitigated by one organization alone.”

17

Page 18: Cyber supply chain risk management   ASDE


WEF Report on SCRM

18

Page 19: Cyber supply chain risk management   ASDE


US SCRM Focus

• 2012 US Defense Budget contains ~$1.2BN for Cyber Security, focusing on:

• Increase funding for the training of cyber analysts.

• Improving Global Information Grid-wide situational awareness.

• Developing pilot programs for supply chain risk management.

• Improving intrusion detection and analysis.

19

Page 20: Cyber supply chain risk management   ASDE


US SCRM Focus

• Office of the Secretary for Defense 2012 Budget Estimates

• US Department of Homeland Security

20

Page 21: Cyber supply chain risk management   ASDE


Aus SCRM Focus

• Cyber security and SCRM are generally not linked in any public directives

• 2013 Defence whitepaper:

• Building and maintaining pre/operational supply chains

• Promoting Aus entities to be part of international supply chains

• “Innovation in Australian industry must be focused on products that have a clearly defined path into defence capability.”

• Separate points around cyber security, specifically:

• “Australia, the United States and the United Kingdom have committed to developing a comprehensive cyber partnership to address mutual threats and challenges emerging in and from cyberspace.”

21

Page 22: Cyber supply chain risk management   ASDE


Aus SCRM Focus

• Australian Govt Cyber Security Strategy (2009)

• “Promote a secure, resilient and trusted global electronic operating environment that supports Australia’s national interests”

• “Australia is vulnerable to the loss of economic competitiveness through the continued exploitation of ICT networks and the compromise of intellectual property and other sensitive commercial data.”

• “Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers”

22

Page 23: Cyber supply chain risk management   ASDE


Responses (Organisational level) – Board Ownership

• A cyber security breach is no longer an IT problem. It may:

• Create significant reputational damage

• Impact on share price

• Compromise strategic negotiations or transactions

• Provide an opportunity for a class action

• Result in market disclosures and compliance breaches

• Diminish competitive advantage

23

Page 24: Cyber supply chain risk management   ASDE


Supply chain risk management practices - NIST

• Uniquely identify supply chain elements, processes and actors

• Limit access and exposure within the supply chain

• Establish and maintain the provenance of elements, processes, tools, and data

• Share information within strict limits

• Perform SCRM awareness and training

• Use defensive design for systems, elements, and processes

• Perform continuous integrator review

• Strengthen delivery mechanisms

• Assure sustainment activities and processes

• Manage disposal and final disposition activities throughout the life cycle

24

*NIST IR 7622
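To make the first, third and eighth practices above concrete (uniquely identify elements, establish provenance, strengthen delivery mechanisms), here is an added Python example of my own; it is not code from the deck or from NIST IR 7622. The supplier builds an authenticated manifest that names every shipped element and its SHA-256 digest, and the receiver reconciles what actually arrived against that manifest before accepting the delivery. The supplier name, element ids, payload bytes and key are constructed for the demo, and an HMAC under a pre-shared key stands in for the asymmetric signature a real delivery channel would use.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Content digest used as an element's integrity fingerprint."""
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Deterministic serialisation so supplier and receiver authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(supplier: str, elements: dict, key: bytes) -> dict:
    """Supplier side: record each uniquely identified element with its digest, then
    authenticate the whole record (HMAC here; a signature in a real deployment)."""
    body = {
        "supplier": supplier,
        "elements": [
            {"id": eid, "sha256": sha256_hex(blob)} for eid, blob in sorted(elements.items())
        ],
    }
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_delivery(manifest: dict, received: dict, key: bytes) -> dict:
    """Receiver side: check the manifest is authentic, then reconcile what arrived
    against what was declared. Every declared id gets a verdict; undeclared ids are flagged."""
    expected = hmac.new(key, canonical(manifest["body"]), hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, manifest["mac"])
    declared = {e["id"]: e["sha256"] for e in manifest["body"]["elements"]}
    verdicts = {}
    for eid, digest in declared.items():
        if eid not in received:
            verdicts[eid] = "missing"
        elif not hmac.compare_digest(sha256_hex(received[eid]), digest):
            verdicts[eid] = "tampered"
        else:
            verdicts[eid] = "ok"
    for eid in received:
        if eid not in declared:
            verdicts[eid] = "unexpected"
    return {"manifest_authentic": authentic, "elements": verdicts}


def accept_delivery(report: dict) -> bool:
    """Accept only if the manifest is authentic and every declared element arrived intact
    with nothing extra; anything else is an exception for the SCRM process to investigate."""
    return report["manifest_authentic"] and all(v == "ok" for v in report["elements"].values())


# Constructed sample data (not from the deck): what the supplier declared and shipped...
SUPPLIER_KEY = b"constructed-demo-shared-key"
SHIPPED = {
    "fw-bootloader-1.2": b"bootloader image bytes",
    "cfg-default": b"serial=0\ndebug=off\n",
    "tool-flasher": b"flasher utility bytes",
}
# ...and what arrived: one element altered in transit, one dropped, one never declared.
RECEIVED = {
    "fw-bootloader-1.2": b"bootloader image bytes",
    "cfg-default": b"serial=0\ndebug=on\n",
    "extra-dll": b"unlisted component",
}


def demo() -> dict:
    manifest = build_manifest("Acme Components (constructed)", SHIPPED, SUPPLIER_KEY)
    return verify_delivery(manifest, RECEIVED, SUPPLIER_KEY)


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("accept delivery:", accept_delivery(report))
```

The receiver's decision deliberately treats an undeclared extra element as a failure, not just a curiosity: an element with no provenance record is exactly the kind of component the deck's "who in your supply chain is this?" question is about, and a manifest that does not authenticate is rejected even if every digest happens to match.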

Page 25: Cyber supply chain risk management   ASDE


WEF Report Recommendations

25

Page 26: Cyber supply chain risk management   ASDE


WEF Report Recommendations

26

Page 27: Cyber supply chain risk management   ASDE


Responses (Individuals)

• Role to influence cyber SCRM will obviously vary

• Consider the value of the product/service to you

• Consider the value to other competitors (to you or your customer if a supplier)

• Look at your work habits, the weaknesses/strengths associated

• Work to identify the weaknesses in your supply chain for your ‘most critical’ product/data/function

• Work backwards from there

• We need to work to prevent compromise from occurring, but more importantly, to detect and recover from it.

27

Page 28: Cyber supply chain risk management   ASDE


Additional resources

• Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, Microsoft, July 2011

• NIST IR 7622 - Notional Supply Chain Risk Management Practices for Federal Information Systems, NIST, October 2012

• World Economic Forum

• New Models for Addressing Supply Chain and Transport Risk, 2012

• Building Resilience in Supply Chains, January 2013

• Cyber Supply Chain Risks, Strategies and Best Practices, Chapter 4, US Resilience Project, 2011.

28

Page 29: Cyber supply chain risk management   ASDE


29

Contact details BAE Systems Detica

Suite 1, 50 Geils Court

Deakin ACT 2600

Australia

Tel: +61 1300 027 001

Fax: +61 2 6260 8828

Email: [email protected]

Web: www.baesystemsdetica.com.au

Copyright © Stratsec.net Pty Ltd (2012). All Rights reserved. BAE Systems and DETICA are trade marks of BAE Systems plc.

Other company names, trade marks or products referenced herein are the property of their respective owners and are used only to describe such companies, trade marks or products.

Stratsec.net Pty Limited, trading as ‘BAE Systems Detica’, is registered in Australia under ACN 111 187 270 and has its registered office at 50 Geils Court, Deakin ACT 2600.

Aaron Doggett

0404 07 431

[email protected]
