Managing Global Supply Chain Risk: Carrots & Sticks Discussion (Government Panel)
Mr. Donald Davidson, Chief, Outreach, Science & Standards
Trusted Mission Systems & Networks (TMSN) / DoD CIO
Globalization is good, but it brings challenges

• The government has suppliers that it may not know and may never see
• Less insight into suppliers’ security practices
• Less control over business practices
• Increased vulnerability to adversaries

[Graphic: “Scope of Supplier Expansion and Foreign Involvement”; axes People (Acquirers, Systems Integrators, Suppliers) and Technology (measures)]

Source: DACS, www.softwaretechnews.com, Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective”, a synopsis of the May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
Supply Chain: PERSPECTIVES – Supply Chain SECURITY

• Nodes of storage & throughput
• Lines of transport (& communication)

[Map: US Air Gateways, Land Gateways and Port Gateways (e.g., Port of Blaine, Seattle-Tacoma International, Port of Seattle, JFK International Airport, Port of Los Angeles, Port of Houston, Miami International Airport), labelled with annual import/export values of $64 Billion, $68 Billion and $81 Billion]

New 2012 US National Supply Chain SECURITY Strategy
Supply Chain: PERSPECTIVES – Supply Chain RESILIENCE

• Multi-sources
• Multi-nodes
• Multi-routes
• fix-on-the-fly (while doing, w/ no pause) … to continue to move & deliver product.

[Map: world container ports by annual throughput (legend: less than 2 million TEU; 2 to 4 million TEU; 4 to 7 million TEU; 7 to 10 million TEU; more than 10 million TEU), including US, Europe and Pacific Asia ports, with the major terminal operators Dubai Ports World, Hutchison Port Holdings, Peninsular and Oriental Ports, Port of Singapore Authority and APM Terminals]
Supply Chain: PERSPECTIVES – Product INTEGRITY

How do we improve our trust & confidence in HW, SW & Services we source from a global supply chain?

What is ICT?

[Images extracted from a presentation on actual counterfeit IT products incidents; use of company names and labels does not indicate preference or problem area.]

[Graphic: “Dell Inspiron 600m Notebook: Key Components and Suppliers”, from The World Is Flat by Thomas Friedman]
JSF Extended Team – U.S.

[Graphic: map of U.S. suppliers by subsystem (Engine, Lift Fan, Alt Engine, Radar/EO-DAS, CNI, EW/CM, HMD, EOTS, INS, Fuel System, Gun System, Weapons, Fire Protection, Radome, Final Assy/Fwd Fuse/Wing, Center Fuse, and others), naming Pratt & Whitney, Rolls Royce Allison, GE, Northrop Grumman, BAE Systems, Rockwell Collins, Raytheon, Honeywell, Goodrich, Moog, Parker Aerospace, General Dynamics, Boeing, Harris, L3 Comm, Hamilton Sundstrand, LM Aero-Ft Worth, LM Aero-Palmdale, LM Missiles & Fire Control and others]

Source: Lockheed Martin Aeronautics Company
F-35 Extended Team – International: Industrial Participation / Global Development and Production

[Graphic: international industrial participants by country: Turkey, U.K., Netherlands, Norway, Australia, Denmark, Italy, Canada (e.g., TAI, Aselsan, Havelsan, BAE SYSTEMS, Martin Baker, GKN, QinetiQ, Fokker Elmo, Philips Aerospace, Thales, Kongsberg, Nammo, Ferra Engineering, Terma AS, Alenia, Piaggio, Magellan-Chicopee, Bombardier, CMC Electronics, and others)]

Source: Lockheed Martin Aeronautics Company
Comprehensive National Cybersecurity Initiative (CNCI)

Focus Area 1 – Establish a front line of defense
• Trusted Internet Connections
• Deploy Passive Sensors Across Federal Systems
• Pursue Deployment of Intrusion Prevention System
• Coordinate and Redirect R&D Efforts (Dynamic Defense)

Focus Area 2 – Demonstrate resolve to secure U.S. cyberspace & set conditions for long-term success
• Connect Current Centers to Enhance Cyber Situational Awareness
• Develop a Government-Wide Cyber Counterintelligence Plan
• Increase the Security of the Classified Networks
• Expand Education

Focus Area 3 – Shape the future environment to demonstrate resolve to secure U.S. technological advantage and address new attack and defend vectors
• Define and Develop Enduring Leap-Ahead Technology, Strategies & Programs
• Define and Develop Enduring Deterrence Strategies & Programs
• Develop Multi-Pronged Approach for Global Supply Chain Risk Management
• Define the Federal Role for Extending Cybersecurity into Critical Infrastructure Domains
Product Assurance TRADESPACE

[Chart: cost ($) versus Risk. COTS products sit at the low-cost, higher-risk end; Unique Requirements sit at the high-cost end, with a “Slippery Slope” of Unmeasurable Reqts beyond them. Stakeholders shown: Acquirers, Systems Integrators, Suppliers.]

Higher COST can buy Risk Reduction. Lower Cost usually means Higher RISK.

SCRM Standardization and Levels of Assurance will enable Acquirers to better communicate requirements to Systems Integrators & Suppliers, so that the “supply chain” can demonstrate good/best practices and enable better overall risk measurement and management.
SCRM Stakeholders

US has vital interest in the global supply chain.

[Diagram: overlapping stakeholder circles: DoD, DHS & IA, Commercial Industry, Other Users, CIP, COTS]

SCRM “commercially acceptable global standard(s)” must be derived from Commercial Industry Best Practices.

SCRM Standardization Requires Public-Private Collaborative Effort

ICT – “Elephants in the Room”

[Same stakeholder diagram, with Software Assurance and Counterfeits added as the cross-cutting concerns]
Government Panel: Managing Global Supply Chain Risk: Carrots & Sticks Discussion
Government Panelists

• Mitch Komaroff, Director, Trusted Mission Systems & Networks (TMSN) in the DoD CIO (covering DoD, NSS & CNCI-SCRM, etc…)
• Jon Boyens, Senior Advisor, Computer Security Division at NIST (covering Interagency Policy & Standards… UMD Study, -7622, 800-53, etc…)
• Lisa Kaiser, Director, Control Systems Cybersecurity Strategic Planning, Control Systems Security Program at DHS (covering Critical Infrastructure Control Systems, etc…)
Mitch Komaroff (DoD, NSS & CNCI-SCRM …)

[Stakeholder diagram repeated; highlighted for this panelist: DoD, NSS, CNCI SCRM]

Jon Boyens (InterAgency & Standards …)

[Stakeholder diagram repeated; highlighted for this panelist: NIST, UMD Study, IR-7622, 800-53, WG2, AdHoc WG, CCDB, TOG OTTF]

Lisa Kaiser (Critical Infrastructure Control Systems …)

[Stakeholder diagram repeated; highlighted for this panelist: CIP]

Common to all three slides: US has vital interest in the global supply chain. SCRM believes “commercially acceptable global standard(s)” must be derived from Commercial Industry Best Practices. SCRM Standardization Requires Public-Private Collaborative Effort.
Background INFO: Globalization impact

• IT Supply Chain is global, no longer under US (or any other nation’s) control, and is increasingly not trusted
• IT communications connect nearly all DoD IT functionality together and with the functionality of the rest of the world, including our adversaries (Information Assurance)
• Commercial IT functionality has penetrated nearly every aspect of our Mission Critical Functionality (Systems Assurance / Mission Assurance / Readiness)
• In this converged environment we compete with sophisticated nation-state adversaries, terrorists and criminal organizations
  – Competitors and adversaries actively participate in the same / shared global supplier chain

DoD weapons and command and control systems must be robust against a full spectrum of attacks to achieve mission assurance
Things that can go wrong…

• IF we practice this Behavior: integrating (untrusted) technologies without regard to the criticality and risk levels of the parent system or network
• Our Vulnerabilities: all ICT (incl. systems, networks, applications) are vulnerable to:
  – Intentionally implanted logic (e.g., back doors, logic bombs, spyware)
  – Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)
  – Counterfeit components/products that prematurely degrade or otherwise disrupt operations
• Adversaries will have increased access and opportunity to infiltrate otherwise closed-off technologies and services
• THEN we suffer these Consequences: stolen critical data & technology; corruption, denial of critical functionality… or, more simply, degraded / lost Mission Assurance
Addressing the Globalization Challenge

• 2003: DSD signs out Defense Trusted Integrated Circuits (IC) Strategy Memo
• 2004-2006: Operational risk to DoD networks and systems from globally sourced ICT assessed as high
  – NII sponsored 2004 Johns Hopkins study
  – NII led 2006 CNSS Global IT Report
  – NII/AT&L Software Assurance Tiger Team
  – DSB microelectronics (2006), software (2007) studies
• Sept 2006: DoD calls Deputy’s Committee on globalization risks to ICT
  – Leads to interagency effort, co-chaired by NII/CIO, to develop strategic approach to supply chain risk management (SCRM)
  – DSD establishes the Globalization Task Force
• Sept 2007: Interagency SCRM effort integrated into Initiative 11 of the Comprehensive National Cyber Initiative (CNCI)
  – Budget request includes funds to begin implementing SCRM in DoD
• Sept 2008: DoD continues to drive interagency and develop internal tools and policies
  – CNCI SCRM Strategy and Implementation Plan completed
  – DODI 5200.39 “Critical Program Information Protection Within the DoD”
  – NII / AT&L (NDIA): “Engineering for Systems Assurance”
• 2009… 2010 Trusted Mission Systems & Networks … 2011… 2012
Findings, Strategy and Direction

• National Security Presidential Directive-54 / Homeland Security Presidential Directive-23, paragraph 45 tasking to DoD and DHS:
  – Initiative 11: Develop Multi-Pronged Approach for Global Supply Chain Risk Management (SCRM)
• Significant gaps exist in USG policy regarding supply chain risk management
  – No mandate to address supply chain risk
  – Limited tools to manage risk
  – and an overall … lack of guidance & governance for SCRM
• Strategy:
  – Provide investment in SCRM for high priority systems
  – Maximize use of -informed technical mitigations and engineering
  – Where technical mitigation is not sufficient, utilize procurement tools
What are the problems and gaps we are trying to address?

• Information and Communication Technology (ICT) products are assembled, built, and transported by multiple vendors around the world before they are acquired, (often) without the knowledge of the acquirer
• Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity and operations
  – Evidenced by multiple recently publicized incidents (counterfeit hardware sold to government agencies)
• Organizations acquiring hardware, software, and services are (often) not able to understand and/or manage the security risks associated with the use of these products and services
• Challenges range from poor acquirer practices to lack of transparency into the supply chain
  – A substantial number of organizations or people can “touch” an ICT product without being identified
  – No standardized methodology or lexicon exists for managing ICT supply chain risks
  – Poor ICT products and services acquisition practices contribute to acquirers’ lack of understanding of what is in their supply chain
  – Counterfeit hardware and software proliferate
  – Acquirers do not have a framework to help enforce security and assurance compliance for vendors

Courtesy of Nadya Bartol (BAH)
SCRM Guiding Principles

• Defense-in-breadth: mitigate risk across the entire lifecycle
• Understand the risk management problem from a systems perspective
• Response should be commensurate with risk and system/network criticality
• Need to understand levels of vulnerability and threat relative to each system
• Drive higher assurance characteristics into commercial products where we have leverage
• Continued access to global ICT is critical to DoD mission

To meet tomorrow’s threat we must develop protection measures across the product lifecycle and reinforce these measures through USG acquisition processes and effective implementation of agency security practices
SCRM Key Components

• Supply Chain Information Sharing
  – DoD.mil, InterAgency.gov & Industry.com
• Engineering
  – Develop acquisition and engineering guidance enabling SCRM
  – Utilize global sourcing risk management standards and best practices from industry
• Procurement Tools
  – Supply chain -informed procurement remains a challenge
Engineering for Systems Assurance

• Developed by AT&L and NII through NDIA Systems Assurance Committee
• Intent of the Guidebook: provide practical guidance augmenting systems engineering with systems assurance practices
• Provide knowledge for applying technical assurance measures within the ISO 15288 systems engineering technical process

Key Practices
• Encompass overall program and project management
• Integrate systems assurance into the acquisition lifecycle
• Guidance developed using DOD Lifecycle Framework
• Guidance for each technical review within the lifecycle
• “Proto-checklist” level of detail
• Built IA, program protection, Anti-tamper into lifecycle, as they pertain to and enforce system assurance

Scope
• Management of risk
• Assurance of security
• All within the context of system and software lifecycles

[Related documents pictured: “SYSTEM ASSURANCE IN NATO PROGRAMMES” (AEP-67); “NIST-IR 7622”; the Engineering for Systems Assurance Guide]
DoD Supporting Policy

• DoDI 5000.02, dated Dec 2008
  – Operation of the Defense Acquisition System
  – Regulatory Requirement for Program Protection Plan at MS B/C
  – References DoDI 5200.39
• DoDI 5200.39, dated Dec 2010
  – Critical Program Information (CPI) Protection Within the DoD
  – Assigns responsibility for Counterintelligence, Security, and System Engineering support for the ID and protection of CPI
  – Expands definition of CPI to include degradation of mission effectiveness
  – Technology, information, elements, or components
• Directive-Type Memorandum (DTM) 09-016, dated 20 Aug 2011
  – Supply Chain Risk Management to Improve the Integrity of Components Used in DoD Systems
  – Establishes policy and defense-in-breadth strategy for managing Supply Chain Risk to information and communications technology
ICT Supply Chain Risk Management requires contributions and collaboration among many disciplines with recognized standards

[Diagram: three overlapping disciplines: Systems Engineering; ICT Supply Chain Assurance; Supply Chain & Logistics. Standards shown:]

• ISO/IEC 27005 (Risk Management: Information Security)
• ISO/IEC 16085 (Risk Management: Life Cycle Processes)
• ISO/IEC 31000 (Risk Management: Principles and Guidelines)
• ISO/IEC 20000 (IT Service Management)
• Resiliency Management Model (RMM)
• ISO/IEC/IEEE 15288 (Systems)
• ISO/IEC 15026 (Systems Assurance)
• IEEE 1062 (Software Acquisition)
• Capability Maturity Model Integration (CMMI)
• ISO/IEC 28000 (Supply Chain Resiliency)
• ISO/IEC 27036 (Information Security for Supplier Relationships)
• ISO/IEC 27000 Family (Information Security Management Systems)
• Common Criteria
• OSAMM
• BSIMM
• Microsoft Secure Development Lifecycle
• ISO/IEC 27034 (Guidelines for Application Security)
• ISO/IEC TR 24772 (Programming Language Vulnerabilities)