© 2012 Utilities Telecom Council
Information and Communication Technology (ICT) Supply Chain Security – Learning from Recent Incidents and Other Sectors
Nadya Bartol, CISSP, CGEIT
UTC Senior Cybersecurity Strategist
Agenda
• Problem Definition
• Existing and Emerging Practices
• Summary and Questions
What is ICT Supply Chain Risk Management?
• Information and Communication Technology (ICT) products are assembled, built, and transported by geographically extensive supply chains of multiple suppliers
• Acquirer does not always know how that happens, even with the primary supplier
• Not all suppliers are ready to articulate their cybersecurity and cyber supply chain practices
• Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity, reliability, and safety
Acquirers need to be able to understand and manage associated risks
Problem Definition
Source: Nadya Bartol, ACSAC Case Study, December 2010
How does this look?
[Figure: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective”, a synopsis of the May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”]
From The World Is Flat by Thomas Friedman
Dell Inspiron 600m Notebook: Key Components and Suppliers
Source: Booz Allen Hamilton and DoD
What does this have to do with utilities?
• Utilities networks consist of ICT products
• These products are purchased by acquirers from suppliers
• These suppliers have supply chains of their own
Utilities need to ask their vendors questions about security and other practices exercised by the vendors’ upstream suppliers
How is ICT SCRM Different from Traditional Supply Chain Risk Management?

Traditional Supply Chain Risk Management | ICT SCRM
---|---
Will my physical product get to me on time? | Will my product (physical or logical) get to me as it was shipped and as I ordered?
Is my supply chain resilient and will it continue delivering what I need in case of disaster? | Is my supply chain infiltrated by someone who is inserting extra features into my hardware and software to exploit my systems and get to my information now or later?
What is the risk TO my supply chain that delivers critical products and services that I need to mitigate? | What is the risk TO AND THROUGH my supply chain to my business and mission that I need to mitigate?
What are the risks?
• Intentional insertion of malicious functionality
• Counterfeit electronics
• Poor practices upstream
Intentional insertion of malicious functionality
[Figure: a Provider/Integrator at the centre of a multi-tier network of upstream Suppliers; the hazards introduced along the chain are labelled Backdoor, Virus, and Extra Features]
Counterfeit Electronics
[Figure: the same Provider/Integrator and Supplier network; the hazards are labelled Counterfeit Component (at two points in the chain), Extra Features, and Poor Performance]
Poor practices upstream
[Figure: the same Provider/Integrator and Supplier network; the hazards are labelled Poor quality, Poor coding practices, and Poor Performance]
This may impact reliability and safety for years
[Figure: the same Provider/Integrator and Supplier network with all of the preceding hazards combined: Poor quality, Poor coding practices, Poor Performance, Counterfeit Component (at two points), Extra Features, Backdoor, and Virus]
From acknowledgement to reality
• 1999-2006 and 2007-2009: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics; European reports on robustness of communications infrastructures and IT supply chain risks
• 2008: US Comprehensive National Cybersecurity Initiative Stood Up
• 2010: Stuxnet
• Oct 2011: ODNI report on foreign industrial espionage
• Sept-Oct 2012: Telvent hacked; US House Intelligence Committee Huawei and ZTE report released
• 2013: NDAA 2013; Cyber EO; PPD 21; Mandiant Report
• ENISA study on supply chain integrity
Existing and Emerging Practices
[Figure: timeline from 2008 to 2013 of ICT SCRM practices, in two lanes, Government and Industry]
Government:
• 2008: Comprehensive National Cybersecurity Initiative Stood Up
• DoD ICT SCRM Key Practices Document
• NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
• NIST SP 800-161
• DHS Vendor Procurement Language
• DHS Procurement Language Revision
• DHS ICT Supply Chain Exploits Frame of Reference
• GAO Report
• Cyberspace Policy Review
• The President’s International Strategy for Cyberspace
• PMOs developed in DOJ and DOE
Industry:
• SAFECode Software Supply Chain Integrity papers
• Open Trusted Technology Framework
• Common Criteria Technical Document
• ISF Supplier Assurance Framework
• IEC 62443-2-4 – Industrial-process measurement, control and automation
• ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships
• SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)
Solutions Are Multidisciplinary
Source: NISTIR 7622
Who Is the Audience? – ISO/IEC 27036
Acquirer: Stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
Supplier: Organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]
Who Is the Audience – NIST SP 800-161
Acquirer: Stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
Supplier: Organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]
System Integrator: An organization that customizes (e.g., combines, adds, optimizes) components, systems, and corresponding processes. The integrator function can also be performed by acquirer. [NISTIR 7628]
External Service Provider: A provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. [NIST SP 800-53 Rev4]
Who Is the Audience – OTTF
Acquirer: One who procures hardware and software products and services to create solutions that meet their customers’ requirements.
Supplier: An upstream vendor who develops hardware or software components for providers.
Integrator: A third-party organization that specializes in combining products from several suppliers to produce systems for a customer.
Provider: A midstream vendor developing products and managing the supply chain to provide acquirers and integrators with trustworthy products.
Component Supplier: Entity that supplies components, typically as business partners to providers.
When Should These Standards Be Used?
Standard | Supplier Relationship Scope | Audience | Context of Use
---|---|---|---
ISO/IEC 27036-1 | Any | Acquirers and Suppliers | Describes the problem in general and how to use 27036
ISO/IEC 27036-2 | Any | Acquirers and Suppliers | Security in supplier relationships for any products and services
ISO/IEC 27036-3 | ICT products and services | Acquirers and Suppliers | Security in supplier relationships for ICT products and services
ISO/IEC 27036-4 | Cloud services | Acquirers and Suppliers | Security aspects of cloud services acquisition
IEC 62443-2-4 | ICS services | Acquirers and Suppliers | Requirements for ICS service providers
IEC 62443-3-3 | ICS products | Acquirers | Requirements for ICS products
NIST SP 800-161 | US Fed Agency ICT products and services | Acquirers | US Federal agency ICT product and service acquisition
The Open Group TTPF | Commercial-off-the-shelf products | ICT Providers | COTS products development and component acquisition
DHS Procurement Language Update | ICS products | ICS Acquirers | ICS product acquisition
Common Criteria | ICT products | ICT Acquirers, Providers, Evaluators, Certifiers, and Users | When putting together evidence for Common Criteria evaluation
SAFECode | ICT products | ICT Providers | To enhance software development processes
How do these standards help?
By answering the following key question:
• How should an organization manage security risks associated with acquiring ICT products and services?
AND
By providing a rich menu of items to choose from to
• Define your own processes for supplier management
• Ask your suppliers about their processes
Summary
• The problem is real
• Practices are available to make things better
• Solutions come from multiple disciplines
• This is complex – start somewhere and improve
Summary and Questions
Contact Information
• Nadya Bartol, nadya.bartol@utc.org
9/9/2013

 
Structured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six SigmaStructured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six Sigma
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Rapid Risk Assessment: A New Approach to Risk Management
Rapid Risk Assessment: A New Approach to Risk ManagementRapid Risk Assessment: A New Approach to Risk Management
Rapid Risk Assessment: A New Approach to Risk Management
 
Energy biographies: narrative genres, lifecourse transitions and practice change
Energy biographies: narrative genres, lifecourse transitions and practice changeEnergy biographies: narrative genres, lifecourse transitions and practice change
Energy biographies: narrative genres, lifecourse transitions and practice change
 
The grit in the oyster:
The grit in the oyster: The grit in the oyster:
The grit in the oyster:
 
Living the "Good Life"?: energy biographies, identities and competing normati...
Living the "Good Life"?: energy biographies, identities and competing normati...Living the "Good Life"?: energy biographies, identities and competing normati...
Living the "Good Life"?: energy biographies, identities and competing normati...
 

Similar to Emerging ICT Supply Chain Security Practices

IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalSyam Madanapalli
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorKaspersky
 
Security of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIPSecurity of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIPEnergySec
 
Dr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati
 
NIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesNIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesDr Dev Kambhampati
 
Cybersecurity in Utilities
Cybersecurity in UtilitiesCybersecurity in Utilities
Cybersecurity in UtilitiesSougata Mitra
 
Power Grid Identity Management addressed with NIST 1-800
Power Grid Identity Management addressed with NIST 1-800Power Grid Identity Management addressed with NIST 1-800
Power Grid Identity Management addressed with NIST 1-800David Sweigert
 
Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022
Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022
Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022Ulrich Seldeslachts
 
Cybersecurity of powergrid
Cybersecurity of powergrid Cybersecurity of powergrid
Cybersecurity of powergrid Rajesh Sawale
 
Cyber security of power grid
Cyber security of power gridCyber security of power grid
Cyber security of power gridP K Agarwal
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Dave Darnell
 
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...TI Safe
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
 
Security and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical SystemsSecurity and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical SystemsBob Marcus
 
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...IBM_Info_Management
 

Similar to Emerging ICT Supply Chain Security Practices (20)

IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR Proposal
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address them
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 
Security of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIPSecurity of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIP
 
Dr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational Awareness
 
NIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesNIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric Utilities
 
02 ibm security for smart grids
02 ibm security for smart grids02 ibm security for smart grids
02 ibm security for smart grids
 
Cybersecurity in Utilities
Cybersecurity in UtilitiesCybersecurity in Utilities
Cybersecurity in Utilities
 
Power Grid Identity Management addressed with NIST 1-800
Power Grid Identity Management addressed with NIST 1-800Power Grid Identity Management addressed with NIST 1-800
Power Grid Identity Management addressed with NIST 1-800
 
Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022
Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022
Rombit LSEC IoTSecurity IoTSBOM CyberSec Europe 2022
 
Iot cyber security
Iot cyber securityIot cyber security
Iot cyber security
 
Cybersecurity of powergrid
Cybersecurity of powergrid Cybersecurity of powergrid
Cybersecurity of powergrid
 
Cyber security of power grid
Cyber security of power gridCyber security of power grid
Cyber security of power grid
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
 
2-25-2014 Part 1 - NRECA Kickoff Meeting v2
2-25-2014 Part 1 - NRECA Kickoff Meeting v22-25-2014 Part 1 - NRECA Kickoff Meeting v2
2-25-2014 Part 1 - NRECA Kickoff Meeting v2
 
Nreca kickoff meeting
Nreca kickoff meetingNreca kickoff meeting
Nreca kickoff meeting
 
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT Security
 
Security and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical SystemsSecurity and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical Systems
 
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
Leveraging compute power at the edge - M2M solutions with Informix in the IoT...
 

More from EnergySec

Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsEnergySec
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...EnergySec
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyEnergySec
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...EnergySec
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityEnergySec
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementEnergySec
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsEnergySec
 
Wireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachWireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachEnergySec
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!EnergySec
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network ArchitecturesEnergySec
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleEnergySec
 
Industrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsIndustrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsEnergySec
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...EnergySec
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...EnergySec
 
Where Cyber Security Meets Operational Value
Where Cyber Security Meets Operational ValueWhere Cyber Security Meets Operational Value
Where Cyber Security Meets Operational ValueEnergySec
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...EnergySec
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherEnergySec
 
What the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherWhat the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherEnergySec
 
Third Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure ProgramThird Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure ProgramEnergySec
 

More from EnergySec (20)

Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and Mitigations
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
 
Wireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachWireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of Reach
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
 
Industrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsIndustrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With Scissors
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
 
Where Cyber Security Meets Operational Value
Where Cyber Security Meets Operational ValueWhere Cyber Security Meets Operational Value
Where Cyber Security Meets Operational Value
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working Together
 
What the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherWhat the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each Other
 
Third Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure ProgramThird Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure Program
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Recently uploaded (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

Emerging ICT Supply Chain Security Practices

  • 7. © 2012 Utilities Telecom Council What does this have to do with utilities? • Utilities networks consist of ICT products • These products are purchased by acquirers from suppliers • These suppliers have supply chains of their own 7 Utilities need to ask their vendors questions about security and other practices exercised by the vendors’ upstream suppliers
8. How is ICT SCRM Different from Traditional Supply Chain Risk Management? (Problem Definition)

   Traditional Supply Chain Risk Management | ICT SCRM
   Will my physical product get to me on time? | Will my product (physical or logical) get to me as it was shipped and as I ordered?
   Is my supply chain resilient, and will it continue delivering what I need in case of disaster? | Is my supply chain infiltrated by someone who is inserting extra features into my hardware and software to exploit my systems and get to my information now or later?
   What is the risk TO my supply chain that delivers critical products and services that I need to mitigate? | What is the risk TO AND THROUGH my supply chain to my business and mission that I need to mitigate?
9. What are the risks? (Problem Definition)
   • Intentional insertion of malicious functionality
   • Counterfeit electronics
   • Poor practices upstream

10. Intentional insertion of malicious functionality (Problem Definition)
    Diagram: a Provider/Integrator fed by several tiers of Suppliers; risks annotated on the upstream links: Backdoor, Virus, Extra Features

11. Counterfeit Electronics (Problem Definition)
    Diagram: the same multi-tier supplier chain; risks annotated: Counterfeit Component (two instances), Extra Features, Poor Performance

12. Poor practices upstream (Problem Definition)
    Diagram: the same multi-tier supplier chain; risks annotated: Poor quality, Poor coding practices, Poor Performance

13. This may impact reliability and safety for years (Problem Definition)
    Diagram: the same multi-tier supplier chain with all of the above combined: Poor quality, Poor coding practices, Poor Performance, Counterfeit Component, Extra Features, Backdoor, Virus
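The ICT SCRM question on slide 8, "did my product get to me as it was shipped and as I ordered?", and the tampering risks drawn on slides 10 to 13 can be turned into a concrete acceptance check at the acquirer's end. The following is an added example, not code from the UTC deck or from any of the standards it lists. It assumes a hypothetical component manifest that the provider/integrator hands over at shipment, listing each component with its SHA-256 hash and the upstream supplier it came from; the manifest format, component names, supplier names and file contents are all constructed for the example.

```python
"""Integrity check of a delivered ICT product against its as-shipped manifest.

Added example, not from the UTC deck. Assumes a hypothetical manifest that the
provider/integrator records at shipment (one SHA-256 per component) and hands
to the acquirer out of band.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ManifestEntry:
    name: str      # component identifier, e.g. a firmware image or config file
    sha256: str    # hex digest the provider recorded at shipment
    supplier: str  # upstream supplier the provider sourced the component from


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(shipped: dict[str, bytes], suppliers: dict[str, str]) -> list[ManifestEntry]:
    """What the provider would produce at shipment: one entry per component."""
    return [ManifestEntry(name, sha256_hex(data), suppliers[name])
            for name, data in sorted(shipped.items())]


def verify_delivery(manifest: list[ManifestEntry], delivered: dict[str, bytes]) -> list[str]:
    """Return findings for anything that is not 'as shipped and as ordered'.

    MODIFIED   -> content changed upstream or in transit (possible backdoor/virus)
    UNEXPECTED -> a component nobody ordered (the deck's 'extra features')
    MISSING    -> an ordered component that never arrived
    An empty list means the delivery matches the manifest exactly.
    """
    expected = {e.name: e for e in manifest}
    findings = []
    for name, entry in expected.items():
        if name not in delivered:
            findings.append(f"MISSING {name} (expected from {entry.supplier})")
            continue
        actual = sha256_hex(delivered[name])
        if actual != entry.sha256:
            findings.append(f"MODIFIED {name} from {entry.supplier}: "
                            f"expected {entry.sha256[:12]}, got {actual[:12]}")
    for name in delivered:
        if name not in expected:
            findings.append(f"UNEXPECTED {name}: not on the shipped manifest")
    return sorted(findings)


# Constructed sample data: a small controller image as the provider shipped it.
SHIPPED = {
    "bootloader.bin": b"\x7fBOOT" + b"\x00" * 64,
    "firmware.img": b"RTU-FW v1.2 " + b"\x90" * 128,
    "config.xml": b"<config><telnet enabled='false'/></config>",
}
SUPPLIERS = {  # hypothetical supplier names
    "bootloader.bin": "chipset_vendor",
    "firmware.img": "firmware_team",
    "config.xml": "provider",
}
MANIFEST = build_manifest(SHIPPED, SUPPLIERS)

# Constructed sample of what actually arrived: firmware altered, the config
# file missing, and a debug utility that was never ordered.
DELIVERED = {
    "bootloader.bin": SHIPPED["bootloader.bin"],
    "firmware.img": SHIPPED["firmware.img"] + b"\xcc\xcc",
    "debug_shell.bin": b"\x7fELF" + b"\x00" * 32,
}


def demo() -> list[str]:
    """Findings for the constructed delivery above."""
    return verify_delivery(MANIFEST, DELIVERED)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hash manifest only detects what changed relative to what the provider recorded; it says nothing about malicious functionality that was already present when the provider hashed the image, nor about a counterfeit part that passes its functional tests. That is why the deck pairs this kind of check with questions to the provider about its own upstream suppliers.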
14. From acknowledgement to reality (Problem Definition)
    • 1999-2006: US government reports on globalization, supplier risk, offshoring, foreign influence in software, and microelectronics
    • 2007-2009: European reports on robustness of communications infrastructures and IT supply chain risks
    • 2008: US Comprehensive National Cybersecurity Initiative stood up
    • 2010: Stuxnet
    • Oct 2011: ODNI report on foreign industrial espionage
    • Sept-Oct 2012: Telvent hacked; US House Intelligence Committee Huawei and ZTE report released
    • 2013: NDAA 2013; Cyber EO; PPD 21; Mandiant Report; ENISA study on supply chain integrity
15. Agenda
    • Problem Definition
    • Existing and Emerging Practices
    • Summary and Questions
16. Existing and Emerging Practices: timeline 2008 to 2013, Government and Industry
    Government:
    • 2008: Comprehensive National Cybersecurity Initiative stood up
    • DoD ICT SCRM Key Practices Document
    • NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
    • DHS Vendor Procurement Language
    • NIST SP 800-161
    • PMOs developed in DOJ and DOE
    • DHS ICT Supply Chain Exploits Frame of Reference
    • GAO Report
    • Cyberspace Policy Review
    • The President’s International Strategy for Cyberspace
    • DHS Procurement Language Revision
    Industry:
    • SAFECode Software Supply Chain Integrity papers
    • Open Trusted Technology Framework
    • Common Criteria Technical Document
    • ISF Supplier Assurance Framework
    • IEC 62443-2-4 – Industrial-process measurement, control and automation
    • ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships
    • SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.)
25. Solutions Are Multidisciplinary (Existing and Emerging Practices)
    Source: NISTIR 7622

26. Who Is the Audience? (Existing and Emerging Practices)
    • Acquirer: stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
    • Supplier: organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]

27. Who Is the Audience – ISO/IEC 27036 (Existing and Emerging Practices)
    • Acquirer: stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
    • Supplier: organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]

28. Who Is the Audience – NIST SP 800-161 (Existing and Emerging Practices)
    • Acquirer: stakeholder that procures a product or service from another party [adapted from ISO/IEC 15288]
    • Supplier: organization or an individual that enters into agreement with the acquirer for the supply of a product or service [ISO/IEC 15288]
    • System Integrator: an organization that customizes (e.g., combines, adds, optimizes) components, systems, and corresponding processes. The integrator function can also be performed by the acquirer. [NISTIR 7628]
    • External Service Provider: a provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. [NIST SP 800-53 Rev4]

29. Who Is the Audience – OTTF (Existing and Emerging Practices)
    • Acquirer: one who procures hardware and software products and services to create solutions that meet their customers’ requirements.
    • Supplier: an upstream vendor who develops hardware or software components for providers.
    • Integrator: a third-party organization that specializes in combining products from several suppliers to produce systems for a customer.
    • Provider: a midstream vendor developing products and managing the supply chain to provide acquirers and integrators with trustworthy products.
    • Component Supplier: entity that supplies components, typically as business partners to providers.
30. When Should These Standards Be Used? (Existing and Emerging Practices)

    Standard | Supplier Relationship Scope | Audience | Context of Use
    ISO/IEC 27036-1 | Any | Acquirers and Suppliers | Describes the problem in general and how to use 27036
    ISO/IEC 27036-2 | Any | Acquirers and Suppliers | Security in supplier relationships for any products and services
    ISO/IEC 27036-3 | ICT products and services | Acquirers and Suppliers | Security in supplier relationships for ICT products and services
    ISO/IEC 27036-4 | Cloud services | Acquirers and Suppliers | Security aspects of cloud services acquisition
    IEC 62443-2-4 | ICS services | Acquirers and Suppliers | Requirements for ICS service providers
    IEC 62443-3-3 | ICS products | Acquirers | Requirements for ICS products
    NIST SP 800-161 | US Fed Agency ICT products and services | Acquirers | US Federal agency ICT product and service acquisition
    The Open Group TTPF | Commercial-off-the-shelf products | ICT Providers | COTS products development and component acquisition
    DHS Procurement Language Update | ICS products | ICS Acquirers | ICS product acquisition
    Common Criteria | ICT products | ICT Acquirers, Providers, Evaluators, Certifiers, and Users | When putting together evidence for Common Criteria evaluation
    SAFECode | ICT products | ICT Providers | To enhance software development processes
31. How do these standards help? (Existing and Emerging Practices)
    By answering the following key question:
    • How should an organization manage security risks associated with acquiring ICT products and services?
    AND by providing a rich menu of items to choose from to:
    • Define your own processes for supplier management
    • Ask your suppliers about their processes
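Slides 4 and 7 make the point that the acquirer usually sees only its direct vendor while the risk runs through every tier upstream, and slide 31 turns that into a process: ask your suppliers about their practices, and have them ask theirs. One way to keep track of where those answers stop is to model the chain as a graph and walk it upstream. The following is an added example, not from the UTC deck or from any of the standards it lists; the supplier names, the chain shape and the set of parties that have returned a practices questionnaire are constructed sample data.

```python
"""Multi-tier supplier visibility: which upstream suppliers have, and have not,
described their security practices to the acquirer.

Added example, not from the UTC deck. The supply chain graph and the set of
suppliers that returned a practices questionnaire are constructed sample data;
the supplier names are hypothetical.
"""
from collections import deque


def tiers(chain: dict[str, list[str]], root: str) -> dict[str, int]:
    """Breadth-first walk upstream from the acquirer.

    Returns {party: tier}, where tier 1 is the vendor the acquirer buys from
    directly and tier n is n contractual hops upstream. The root itself is
    tier 0. A supplier reached by more than one path keeps its shortest tier.
    """
    seen = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for upstream in chain.get(node, []):
            if upstream not in seen:
                seen[upstream] = seen[node] + 1
                queue.append(upstream)
    return seen


def visibility_gaps(chain: dict[str, list[str]], attested: set[str], root: str) -> list[tuple[int, str]]:
    """Upstream parties that have not articulated their practices, nearest tier first.

    Sorting by tier lets the acquirer raise the closest gaps with its direct
    vendor first, which is the contractual lever the deck points to.
    """
    return sorted((tier, name) for name, tier in tiers(chain, root).items()
                  if tier > 0 and name not in attested)


def attested_fraction(chain: dict[str, list[str]], attested: set[str], root: str) -> float:
    """Share of all upstream parties (any tier) that have returned a questionnaire."""
    upstream = [name for name, tier in tiers(chain, root).items() if tier > 0]
    return sum(1 for name in upstream if name in attested) / len(upstream)


# Constructed sample chain: each key lists the parties it buys from.
# A party with an empty list is one whose own upstream is unknown to us,
# which is itself a visibility gap worth recording.
CHAIN = {
    "utility": ["provider"],
    "provider": ["chipset_vendor", "board_house", "firmware_team"],
    "chipset_vendor": ["fab", "ip_licensor"],
    "board_house": ["parts_broker"],
    "firmware_team": ["oss_crypto_lib"],
    "parts_broker": [],
}
# Constructed: parties that have returned the practices questionnaire.
ATTESTED = {"provider", "chipset_vendor", "firmware_team", "fab"}


if __name__ == "__main__":
    for tier, name in visibility_gaps(CHAIN, ATTESTED, "utility"):
        print(f"tier {tier}: {name} has not described its practices")
    print(f"attested upstream parties: {attested_fraction(CHAIN, ATTESTED, 'utility'):.0%}")
```

The graph is only as good as the supplier answers that populate it; the example treats "returned a questionnaire" as a binary, whereas a real program would weight the answers against the items chosen from the standards on slide 30.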
32. Agenda
    • Problem Definition
    • Existing and Emerging Practices
    • Summary and Questions

33. Summary (Summary and Questions)
    • The problem is real
    • Practices are available to make things better
    • Solutions come from multiple disciplines
    • This is complex – start somewhere and improve

34. Contact Information
    • Nadya Bartol, nadya.bartol@utc.org
    9/9/2013