SUPPLY CHAIN CYBERTHREATS TO
THE US ENERGY SECTOR
Cynthia James, CISSP
Global Director Business Development Technical Alliances
AGENDA
SUPPLY CHAIN MAPPING…AND RECONNAISSANCE
SUPPLIERS: LACK OF LEVERAGE & COMMUNICATION
CHALLENGES
GOVERNMENT GUIDANCE, POLICY, LAW
ENERGY VS ELECTRIC VS NUCLEAR
DEVELOPING THE IDEAL CYBERSECURITY POSTURE
FINAL RECOMMENDATIONS
THE SUPPLY CHAIN MAP
[Figure: supply chain map. The Secure Energy facility sits at the centre; around it, at 1, 2 and 3 degrees of separation, are an Equipment Reseller, a Critical Provider, boards, apps, landscaping, a Paper supplier, a SW consultant, a Malicious insider (consultant), a branch, Phishing attacks and Customers (“Who do we supply?”).]
Is there bi-directionality? If so, what data or access?
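The mapping exercise on this slide, worked as an added example that is not part of the original deck: a small Python model of a constructed supply chain that computes each party's degree of separation from the facility and then follows the access relationships back inward to answer the bi-directionality question. All party names, dependency edges and access descriptions below are constructed sample data.

```python
from collections import deque

# Constructed sample, not from the slides: each party maps to the parties it
# depends on (its suppliers). The facility sits at the centre, as on the map.
SUPPLIERS = {
    "energy facility": ["equipment reseller", "sw consultant", "landscaping", "paper supplier"],
    "equipment reseller": ["critical provider"],
    "critical provider": ["component maker"],
    "sw consultant": ["freelance developer"],
    "landscaping": [],
    "paper supplier": [],
    "component maker": [],
    "freelance developer": [],
}

# Constructed: relationships that carry access or data back toward the facility
# (the slide's bi-directionality question). Key is (upstream, downstream).
INBOUND_ACCESS = {
    ("sw consultant", "energy facility"): "remote VPN to engineering workstations",
    ("equipment reseller", "energy facility"): "firmware updates for field devices",
    ("critical provider", "equipment reseller"): "firmware images",
    ("component maker", "critical provider"): "firmware images",
}


def degrees_from(root, suppliers):
    """Breadth-first walk outward from root; returns {party: degree of separation}."""
    degree = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for upstream in suppliers.get(node, []):
            if upstream not in degree:
                degree[upstream] = degree[node] + 1
                queue.append(upstream)
    return degree


def inbound_chains(root, suppliers, access):
    """Parties at any degree with an unbroken chain of access relationships
    leading into root. Returns {party: [root, ..., party]}."""
    chains = {}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for upstream in suppliers.get(node, []):
            if (upstream, node) in access and upstream not in chains and upstream != root:
                chains[upstream] = path + [upstream]
                queue.append((upstream, path + [upstream]))
    return chains


def exposure_report(root, suppliers=SUPPLIERS, access=INBOUND_ACCESS):
    """One row per party, nearest first: (name, degree, has_inbound_chain, chain)."""
    degree = degrees_from(root, suppliers)
    chains = inbound_chains(root, suppliers, access)
    rows = []
    for party, d in sorted(degree.items(), key=lambda kv: (kv[1], kv[0])):
        if party == root:
            continue
        rows.append((party, d, party in chains, chains.get(party, [])))
    return rows


if __name__ == "__main__":
    for name, d, exposed, chain in exposure_report("energy facility"):
        flag = "INBOUND via " + " <- ".join(chain) if exposed else "no inbound path"
        print(f"{d} degree(s): {name:20s} {flag}")
```

The rows worth attention are the ones the degree count alone would hide: a component maker three degrees out still has an unbroken firmware path into the facility, while a first-degree landscaping contractor with no access relationship does not. Replacing the constructed dictionaries with the real supplier register turns this into the first pass of the risk assessment the later slides call for.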
RECONNAISSANCE: SUPPLY CHAIN MAPPING
• RFQs…press releases or any public notification
• Conferences & Working Groups
• Speakers make technology references & recommendations
• Vendor criteria
• Jobs available
• Profiles of employees
• Experience, background
• Blogs about company policies, etc.
• Information shared by others about you
• What is your supply chain saying?
• “XYZ Energy is a customer” or “we now adhere to these specs”
• Filling in the gaps
• An opportunistic infection
LOWER YOUR RECONNAISSANCE PROFILE
Raise awareness, reduce specifics
Management oversight of profiles; request that certain details are omitted
Set up Google search alerts for key phrases
Boost awareness of the issue in the company - start at stakeholder level?
Create a recon profile and circulate it
Note: going “stealth mode” with on-line resumes helps the organization but not the individual (legally employers can’t interfere with your job search)
SUPPLIERS HAVE SUPPLIERS WHO HAVE SUPPLIERS WHO…
SUPPLY CHAIN ATTACK EXAMPLES
HAVEX – infecting software updates (ICS)
IceFog – v1: hitting Western companies through entry points in Asia – mostly defense; v2: oil & gas in the US (using Java)
Most likely cyber mercenaries
“Watering Hole attack”
ICS-CERT & NCCIC Monitor: 79% of all 2014 attacks were on Energy; infection vector for the majority was unknown
LEVERAGE AND COST: DIRECTLY ASSOCIATED
How much leverage do you have now with suppliers?
Do you need it? (Are they already compliant?)
Can you require compliance or request it?
Can you conduct reviews remotely?
Site review:
What they say they do
Probability of them doing it
To what degree?
Risk represented by them not doing it
Where customizations of practice are required, compliance and cost may be affected: added testing, collection, analysis, data protection
But…it doesn’t cost to ask (and it’s always better to know)
OUR COMMUNICATION CHALLENGE
[Figure: “Few groups talking to each other” – a timeline of the groups that talk about cybersecurity, labelled as they appear: Government agencies (1999), IT (2006), Chemical, Defense, etc. (2010), Nuclear/SCADA, Cybersecurity industry (2015), Infosec journalists, Mainstream journalists; the surrounding area is labelled “Total lexicon in existence describing all things cybersecurity related”.]
Just for “supply chain”: ICT, SCRM, ICT SCRM (NIST favors), cyber supply chain, cyber supply chain security, supply chain risk management, EDM (DoE/DHS favors)*
* paper in 2014, Nadya Bartol, Utilities Telecom Council
So…when NIST says “ICT SCRM” it’s the same as when DHS/DoE say “EDM”
WORD GAMES…
2009 – the word cybersecurity starts being used*
2009 – NERC first uses the term “Critical Cyber Assets”
Current terms used for “supply chain”: *
Information and Communication Technology (ICT) Supply Chain Risk Management (SCRM)
Information and Communication Technology (ICT) supply chain security
Supply Chain Risk Management
Cyber supply chain
Cyber supply chain security
Cyber supply chain risk management
Finally in 2014 “External Dependencies Management” EDM (Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) by DoE/DHS)
Although NIST SP800-161, the mother of all such docs (282 pages, dedicated to supply chain, 2015) currently calls it ICT SCRM
*paper in 2014, Nadya Bartol, Utilities Telecom Council
THE PROBLEM WITH NEW LANGUAGES…
• Agreeing on terms and usage
• Collaborating across sectors and supply chain organizations
• Sharing cyber incident information
• Defining best practices which underlie multiple sectors
• Educating across sectors
Recommendation: be sure to reference the document with the definitions you are applying
GOVERNMENT REGULATION AND “GUIDANCE”
Electric utilities and Nuclear – the only CI “mandatory” cybersecurity standards enforceable through FERC & NRC
US NRC – US Nuclear Regulatory Commission
NEI – Nuclear’s “policy organization”
FERC (Federal Energy Regulatory Commission)
NERC – North American Electric Reliability Corporation – FERC policy org; rules became effective 2014, compliance by 2016 and 2017
SUMMARY OF GOVERNING RULES
• NERC Reliability Standards are mandatory within the US
• These include CIP (Critical Infrastructure Protection) rules which address the security of cyber assets “essential to the reliable operation of the electric grid”
• CIP first released in 2008; the latest ones were approved by FERC in 2013 (v5) – enforceable by April 2016, some in 2017
• The Code of Federal Regulations (law) applicable to all Energy is Title 10 CFR (“Energy”). But it contains no laws about cybersecurity except in Chapter 1.
• Chapter 1 consists of rules set forth by the Nuclear Regulatory Commission. Section 73 covers “physical protection of plant and resources”; 73.54 covers the information systems part of that: https://www.law.cornell.edu/cfr/text/10/73.54
• Nuclear Energy Institute 08-09, April 2010 Cyber Security Plan for Nuclear Power Reactors, with heavy reference to 10 CFR 73.54
NEW GUIDELINES TO FOLLOW – ENERGY
• “The Energy Department released guidance to help the energy sector establish cybersecurity risk management programs” (energy.gov)
• This was:
• The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) of February 2014. “Developed by the Department of Energy and contributors…and other government agencies” (jointly published with DHS) “to help critical infrastructure organizations evaluate and potentially improve their cybersecurity practices. As this section demonstrates, using the C2M2 also provides a means for any energy sector organization to implement the NIST Cybersecurity Framework.”
• Nuclear:
• Follow NEI 08-09
DEPARTMENT OF ENERGY “ES-C2M2”
Provides: “an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.”
• One component = “Supply Chain or External Dependencies Management” (EDM) covers:
• Asset Management (catalogue, prioritize)
• Business Environment (roles defined and ranked)
• Dependencies and critical functions for delivery of critical services and product are established
Now you have a list of External Dependencies…
ES-C2M2
External dependencies must be managed contractually:
a.) vendor responsibilities (reference specific standards: RM-1c)
b.) auditing rights and monitoring;
c.) sharing of cybersecurity “threat information”;
d.) reporting of cyber incidents;
e.) must adhere to a defined risk assessment process
ES-C2M2 DESCRIPTION OF RISK
• Security of products varies widely
• How was SW developed? What code input?
• Counterfeit HW or malware injection
• RFPs don’t specify detailed security or QA
• Utility branches granted leeway in procurement
Not to forget: security capabilities of organizations vary widely
NEI 08-09 CYBERSECURITY PLAN FOR NUCLEAR
11.2 SUPPLY CHAIN PROTECTION
“This security control protects against supply chain threats by employing the following measures…to maintain the integrity of the CDAs that are acquired:
1. Establishment of trusted distribution paths,
2. Validation of vendors, and
3. Requirement of tamper proof products or tamper evident seals on acquired products.”
(NEI April 2010)
CYBERSECURITY PLAN BASED ON NEI 08-09: GOALS
• Procure CDA products and software from vendors who practice good cyber security and are capable of implementing NEI 08-09, Rev. 6 controls
• Negotiate with vendors to ensure their environment and products are secure
• Develop a program to ensure that products received are secure *
* Author: Barbara Weber
Sheffield Scientific, LLC
Senior Cyber Security Consultant
Barbara.Weber@SheffieldScientific.com
EXPECTATIONS OF CDA SUPPLIERS
Should be operating at the same level of security as the plant itself:
• Establish a secure developing and operating environment
• Verify staff is trustworthy
• Verify they are managing their suppliers
• They are obligated to patch vulnerabilities in products or services provided
• All received products are hardened
• Access Control is managed
Note: 10 CFR 74.53 comparable to NQA-1
Author: Barbara Weber
Sheffield Scientific, LLC
Senior Cyber Security Consultant
Barbara.Weber@SheffieldScientific.com
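The NEI 08-09 measures quoted two slides back (trusted distribution paths, validation of vendors, tamper evidence), the goal of a program that ensures products received are secure, and the HAVEX example of infected software updates all come down to one receiving-inspection step: never trust what arrived until it has been checked against something the delivery itself could not have altered. The following Python is an added example, not NEI’s, Sheffield Scientific’s or Kaspersky Lab’s code. It verifies a delivery against a SHA-256 manifest that is assumed to have been obtained through a channel independent of the shipment; the file names, payloads and manifest are constructed.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed payloads standing in for files a vendor ships; the manifest hashes
# are derived from them so the example is self-consistent and runs offline.
GOOD_FIRMWARE = b"rtu-firmware image v1.2.3 (constructed sample)"
GOOD_TOOL = b"configuration tool installer (constructed sample)"

# Assumption: the manifest arrives by a path independent of the delivery
# (vendor portal over TLS, signed e-mail, printed with the purchase order).
# A manifest shipped inside the same package only proves the package agrees
# with itself, which is exactly what a tampered update would also do.
TRUSTED_MANIFEST = {
    "rtu-firmware.bin": sha256_hex(GOOD_FIRMWARE),
    "config-tool.exe": sha256_hex(GOOD_TOOL),
}


def inspect_delivery(manifest, received):
    """received: {filename: bytes}. Returns {filename: verdict}; anything other
    than 'ok' is evidence of tampering, substitution or an incomplete shipment."""
    verdicts = {}
    for name, expected in manifest.items():
        if name not in received:
            verdicts[name] = "missing"
        elif hmac.compare_digest(sha256_hex(received[name]), expected):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "hash mismatch"
    for name in received:
        if name not in manifest:
            verdicts[name] = "unlisted"   # never install what the vendor did not declare
    return verdicts


def accept_delivery(manifest, received):
    """True only when every declared file is present and intact and nothing extra arrived."""
    return all(v == "ok" for v in inspect_delivery(manifest, received).values())


# Constructed deliveries for the demonstration: one clean, one that has been
# altered in transit and carries an undeclared extra file.
CLEAN_DELIVERY = {"rtu-firmware.bin": GOOD_FIRMWARE, "config-tool.exe": GOOD_TOOL}
TAMPERED_DELIVERY = {
    "rtu-firmware.bin": GOOD_FIRMWARE + b"\x00trailing modification",
    "setup-helper.exe": b"file the vendor never declared",
}

if __name__ == "__main__":
    for label, delivery in (("clean", CLEAN_DELIVERY), ("tampered", TAMPERED_DELIVERY)):
        print(label, inspect_delivery(TRUSTED_MANIFEST, delivery),
              "accept =", accept_delivery(TRUSTED_MANIFEST, delivery))
```

The verdict dictionary, not just the final accept/reject, is what a receiving record should keep: a mismatch on one file and an undeclared extra in the same shipment is the pattern that justifies quarantining the whole delivery and contacting the vendor through the validated channel rather than the one that shipped it.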
TO BEGIN THE PROCESS…
• Perform an evaluation (mini-risk assessment/risk analysis) on top priority suppliers
• Identify security gaps
• Evaluate partnership versus their security weaknesses: What upgrades possible? What auditing rights? What level of priority? What cost?
• Periodically audit and reevaluate
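The mini-risk assessment and gap identification on this slide, using the five contractual elements (a–e) from the ES-C2M2 slide as the checklist, worked as an added example that is not part of the original deck. The weights, the criticality scale, the access multiplier and the supplier register are this example’s assumptions, not part of ES-C2M2.

```python
from dataclasses import dataclass

# Checklist taken from the five contractual elements on the ES-C2M2 slide.
# The weights are this example's assumption, not part of the model.
CONTRACT_CONTROLS = {
    "vendor responsibilities reference a standard": 2,
    "auditing rights and monitoring": 3,
    "threat information sharing": 1,
    "cyber incident reporting": 3,
    "defined risk assessment process": 2,
}


@dataclass
class Supplier:
    name: str
    criticality: int          # 1 (low) .. 5 (critical to service delivery), assessor's judgement
    inbound_access: bool      # does the supplier hold access or data paths into our environment?
    contract: dict            # control name -> True if written into the contract


def gaps(supplier):
    """Contractual elements the supplier's agreement does not cover."""
    return [c for c in CONTRACT_CONTROLS if not supplier.contract.get(c, False)]


def risk_score(supplier):
    """Criticality x access multiplier x weighted gap total. Zero means no contractual gap."""
    gap_weight = sum(CONTRACT_CONTROLS[c] for c in gaps(supplier))
    access_multiplier = 2 if supplier.inbound_access else 1
    return supplier.criticality * access_multiplier * gap_weight


def audit_priority(suppliers):
    """Order for the periodic audit: highest score first, ties by criticality then name."""
    return sorted(suppliers, key=lambda s: (-risk_score(s), -s.criticality, s.name))


# Constructed supplier register for the demonstration.
REGISTER = [
    Supplier("critical provider", 5, True,
             {"vendor responsibilities reference a standard": True,
              "threat information sharing": True,
              "defined risk assessment process": True}),
    Supplier("sw consultant", 3, True, {}),
    Supplier("landscaping", 1, False, {}),
    Supplier("paper supplier", 1, False, {}),
    Supplier("equipment reseller", 4, True, dict.fromkeys(CONTRACT_CONTROLS, True)),
]

if __name__ == "__main__":
    for s in audit_priority(REGISTER):
        print(f"{risk_score(s):3d}  {s.name:20s} gaps: {gaps(s)}")
```

The constructed register is arranged to show the point of the weighting: a mid-criticality consultant with remote access and no contractual controls outranks the most critical provider, which at least has incident reporting missing rather than everything, while a fully contracted reseller drops to the bottom regardless of criticality. Rerunning the ranking after each contract renegotiation is the “periodically audit and reevaluate” step.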
SUPPLY CHAIN SHOULD COMPLY TO WHAT LEVEL?
• Many aspects of supply chain management are their own mature specialties with expertise, tools, processes – e.g., software assurance or the receiving/testing of goods. These need to be integrated at the level which makes sense
• Is it better to use a supplier who already has adequate security in place?
• Cybersecurity challenges grow so much faster than guideline adoption by regulatory agencies (so far)
THE “IDEAL” SUPPLY CHAIN SECURITY POSTURE
Locating the best information depends upon goals
Are organization goals to find:
• Easiest to implement? Fastest? Cheapest? Best?
• Easiest to get stakeholders to agree to?
Do we search:
• Compliance
• Guiding principles (not compliance yet)
• Search by terms
• Search by agency
Most important: compliance
Next level: best security practices
FINAL RECOMMENDATIONS
Ensure that “supply chain risk” (all external dependencies) is identified and included in your organization’s risk assessments
Determine the needs/desires of stakeholders in your organization regarding supply chain risk
• Choose between NEI compliance or ES-C2M2
• Identify the best source documents
• Identify supporting documents (like NIST SP 800-161)
Follow the process
Repeat! (all suppliers, annually)
KASPERSKY LAB PROVIDES BEST IN THE INDUSTRY PROTECTION*
[Figure: bubble chart of 2014 independent test results. X axis: N of independent tests/reviews (20–100); Y axis: score of TOP 3 places (0–100%). Vendors plotted: Kaspersky Lab, Bitdefender, Sophos, G DATA, Symantec, F-Secure, Intel Security (McAfee), Trend Micro, Avira, Avast, BullGuard, AVG, ESET, AhnLab, Microsoft, Panda Security, ThreatTrack (VIPRE), Qihoo 360, Kingsoft, Tencent. Kaspersky Lab callout: 1st places – 51; participation in 93 tests/reviews; TOP 3 = 71%.]
In 2014 Kaspersky Lab products participated in 93 independent tests and reviews. Our products were awarded 51 firsts and received 66 top-three finishes.
* Notes:
• According to summary results of independent tests in 2014 for corporate, consumer and mobile products.
• Summary includes tests conducted by the following independent test labs and magazines: AV-Comparatives, AV-Test, Dennis Technology Labs, MRG Effitas, NSS Labs, PC Security Labs, VirusBulletin.
• The size of the bubble reflects the number of 1st places achieved.
THANK YOU! QUESTIONS?
Cynthia James – cynthia.james@kaspersky.com
Kaspersky Lab
Technology Alliances & Business Development

Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...Kaspersky
 
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтраИгорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтраKaspersky
 
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...Kaspersky
 
Марина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных системМарина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных системKaspersky
 
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...Kaspersky
 
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...Kaspersky
 
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...Kaspersky
 
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...Kaspersky
 
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугрозОлег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугрозKaspersky
 

Mehr von Kaspersky (20)

A look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineA look at current cyberattacks in Ukraine
A look at current cyberattacks in Ukraine
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
 
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктурыМаксим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
 
Кирилл Набойщиков. Системный подход к защите КИИ
Кирилл Набойщиков. Системный подход к защите КИИКирилл Набойщиков. Системный подход к защите КИИ
Кирилл Набойщиков. Системный подход к защите КИИ
 
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
 
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
 
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
 
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
 
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
 
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
 
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтраИгорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
 
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
 
Марина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных системМарина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных систем
 
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
 
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
 
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
 
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
 
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугрозОлег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
 

Kürzlich hochgeladen

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Kürzlich hochgeladen (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Supply Chain Threats to the US Energy Sector

  • 1. SUPPLY CHAIN CYBERTHREATS TO THE US ENERGY SECTOR Cynthia James, CISSP Global Director Business Development Technical Alliances
  • 2. AGENDA
    • SUPPLY CHAIN MAPPING… AND RECONNAISSANCE
    • SUPPLIERS: LACK OF LEVERAGE & COMMUNICATION CHALLENGES
    • GOVERNMENT GUIDANCE, POLICY, LAW
    • ENERGY VS ELECTRIC VS NUCLEAR
    • DEVELOPING THE IDEAL CYBERSECURITY POSTURE
    • FINAL RECOMMENDATIONS
  • 3. THE SUPPLY CHAIN MAP
    [Diagram: a secure energy facility at the centre, ringed by 1st-, 2nd- and 3rd-degree parties: equipment reseller, critical provider, board and app suppliers, landscaping, paper supplier, SW consultant, a branch office, a malicious insider (consultant), phishing attacks against links in the chain, and customers ("Who do we supply?").]
    Is there bi-directionality? If so, what data or access?
  • 4. RECONNAISSANCE: SUPPLY CHAIN MAPPING
    • RFQs… press releases or any public notification
    • Conferences & working groups
    • Speakers make technology references & recommendations
    • Vendor criteria
    • Jobs available
    • Profiles of employees
    • Experience, background
    • Blogs about company policies, etc.
    • Information shared by others about you
    • What is your supply chain saying?
    • "XYZ Energy is a customer" or "we now adhere to these specs"
    • Filling in the gaps
    • An opportunistic infection
  • 5. LOWER YOUR RECONNAISSANCE PROFILE
    • Raise awareness, reduce specifics
    • Management oversight of profiles; request that certain details are omitted
    • Set up Google search alerts for key phrases
    • Boost awareness of the issue in the company (start at stakeholder level?)
    • Create a recon profile and circulate it
    Note: going "stealth mode" with on-line resumes helps the organization but not the individual (legally, employers can't interfere with your job search)
  • 6. SUPPLIERS HAVE SUPPLIERS WHO HAVE SUPPLIERS WHO…
  • 7. SUPPLY CHAIN ATTACK EXAMPLES
    • HAVEX – trojanized installers on compromised ICS vendor download sites (ICS)
    • IceFog –
      v1: hitting Western companies through entry points in Asia – mostly defense
      v2: oil & gas in the US (using Java)
      Most likely cyber mercenaries
    • "Watering hole attack"
    • ICS-CERT & NCCIC Monitor: Energy was the most-reported sector in FY2014 (79 of 245 incidents, 32%); for the largest share of incidents the infection vector was unknown
  • 8. LEVERAGE AND COST: DIRECTLY ASSOCIATED
    • How much leverage do you have now with suppliers? Do you need it? (Are they already compliant?)
    • Can you require compliance, or only request it?
    • Can you conduct reviews remotely?
    • Site review: what they say they do; the probability of them doing it; to what degree; the risk represented by them not doing it
    • Where customizations of practice are required, compliance and cost may be affected: added testing, collection, analysis, data protection
    • But… it doesn't cost to ask (and it's always better to know)
  • 9. OUR COMMUNICATION CHALLENGE
    [Diagram: few groups talking to each other. Circles for government agencies (1999), the cybersecurity industry, infosec journalists, mainstream journalists, nuclear, SCADA, IT, chemical, defense, etc., labelled with years (2006, 2010, 2015).]
    Total lexicon in existence describing all things cybersecurity related. Just for "supply chain": ICT, SCRM, ICT SCRM (NIST favors), cyber supply chain, cyber supply chain security, supply chain risk management, EDM (DoE/DHS favors)*
    * paper in 2014, Nadya Bartol, Utilities Telecom Council
    So… when NIST says "ICT SCRM" it's the same as when DHS/DoE say "EDM"
  • 10. WORD GAMES…
    • 2009 – the word "cybersecurity" starts being used*
    • 2009 – NERC first uses the term "Critical Cyber Assets"
    • Current terms used for "supply chain":*
      Information and Communication Technology (ICT) Supply Chain Risk Management (SCRM)
      Information and Communication Technology (ICT) supply chain security
      Supply Chain Risk Management
      Cyber supply chain
      Cyber supply chain security
      Cyber supply chain risk management
    • Finally, in 2014: "External Dependencies Management" (EDM), from the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) by DoE/DHS
    • Although NIST SP 800-161, the mother of all such docs (282 pages, dedicated to supply chain, 2015), currently calls it ICT SCRM
    * paper in 2014, Nadya Bartol, Utilities Telecom Council
  • 11. THE PROBLEM WITH NEW LANGUAGES…
    • Agreeing on terms and usage
    • Collaborating across sectors and supply chain organizations
    • Sharing cyber incident information
    • Defining best practices which underlie multiple sectors
    • Educating across sectors
    Recommendation: be sure to reference the document with the definitions you are applying
  • 12. GOVERNMENT REGULATION AND "GUIDANCE"
    • Electric utilities and nuclear – the only critical infrastructure (CI) sectors with "mandatory" cybersecurity standards, enforceable through FERC and the NRC
    • US NRC – US Nuclear Regulatory Commission
    • NEI – Nuclear Energy Institute, nuclear's "policy organization"
    • FERC – Federal Energy Regulatory Commission
    • NERC – North American Electric Reliability Corporation, the Electric Reliability Organization certified by FERC; the current CIP rules became effective in 2014, with compliance required by 2016 and 2017
  • 13. SUMMARY OF GOVERNING RULES
    • NERC Reliability Standards are mandatory within the US
    • These include the CIP (Critical Infrastructure Protection) standards, which address the security of cyber assets "essential to the reliable operation of the electric grid"
    • CIP was first released in 2008; the latest versions were approved by FERC in 2013 (v5) – enforceable from April 2016, some in 2017
    • The Code of Federal Regulations (law) applicable to all Energy is Title 10 CFR ("Energy"), but it contains no cybersecurity rules except in Chapter I
    • Chapter I consists of rules set forth by the Nuclear Regulatory Commission. Part 73 covers "physical protection of plants and materials"; 73.54 covers the digital computer and communication systems part of that: https://www.law.cornell.edu/cfr/text/10/73.54
    • Nuclear Energy Institute NEI 08-09, April 2010, Cyber Security Plan for Nuclear Power Reactors, with heavy reference to 10 CFR 73.54
  • 14. NEW GUIDELINES TO FOLLOW – ENERGY
    • "The Energy Department released guidance to help the energy sector establish cybersecurity risk management programs" (energy.gov)
    • This was the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) of February 2014, "developed by the Department of Energy and contributors… and other government agencies" (jointly published with DHS) "to help critical infrastructure organizations evaluate and potentially improve their cybersecurity practices. As this section demonstrates, using the C2M2 also provides a means for any energy sector organization to implement the NIST Cybersecurity Framework."
    • Nuclear: follow NEI 08-09
  • 15. DEPARTMENT OF ENERGY "ES-C2M2"
    Provides "an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events."
    • One component = "Supply Chain or External Dependencies Management" (EDM), which covers:
      • Asset Management (catalogue, prioritize)
      • Business Environment (roles defined and ranked)
      • Dependencies and critical functions for delivery of critical services and products are established
    Now you have a list of External Dependencies…
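The map on slide 3, the "suppliers have suppliers" point on slide 6 and the list of external dependencies that slide 15 arrives at can be worked as a small graph exercise. The Python below is an added example written for this page, not code from the deck, from Kaspersky Lab or from the ES-C2M2 programme: the party names, the access label on each link and the scoring weights are constructed for illustration. It walks the relationship graph breadth-first from the facility to find each party's degree of separation (so 2nd- and 3rd-degree suppliers appear automatically), records the chain an attacker who compromised that party would have to pivot through, and ranks parties by how privileged and how close their link is, with a bump for bidirectional links such as the customer data feed the slide asks about.

```python
"""Added example: map external dependencies as a graph and rank them by exposure.
Party names, link access labels and scoring weights are constructed for this
illustration; they are not taken from ES-C2M2 or from the deck."""
from collections import deque

# Constructed sample.  (supplier, customer, access) means `supplier` supplies
# `customer` and the link carries this kind of access toward the customer:
#   network  - remote connectivity into the customer (VPN, data feed)
#   software - code that ends up running at the customer
#   hardware - physical components shipped onward
#   physical - people on site, no network or code
#   none     - commercial relationship only
LINKS = [
    ("equipment_reseller",  "energy_facility",     "network"),   # remote support VPN
    ("board_maker",         "equipment_reseller",  "hardware"),  # 2nd degree
    ("firmware_shop",       "board_maker",         "software"),  # 3rd degree
    ("sw_consultant",       "energy_facility",     "network"),
    ("landscaping",         "energy_facility",     "physical"),
    ("paper_supplier",      "energy_facility",     "none"),
    ("energy_facility",     "industrial_customer", "network"),   # we supply them...
    ("industrial_customer", "energy_facility",     "network"),   # ...and they feed data back
]

ACCESS_WEIGHT = {"network": 3, "software": 3, "hardware": 2, "physical": 2, "none": 0}


def build_graph(links):
    """Undirected adjacency (an attacker pivots along a relationship in either
    direction) plus a lookup of the access each directed link carries."""
    adj, access = {}, {}
    for src, dst, kind in links:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
        access[(src, dst)] = kind
    return adj, access


def degrees_from(adj, root):
    """Breadth-first search from the facility.  Returns each party's degree of
    separation and the party it was reached through (its parent)."""
    dist, parent = {root: 0}, {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj[node]):          # sorted for deterministic output
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                parent[nxt] = node
                queue.append(nxt)
    return dist, parent


def path_to_root(parent, node):
    """The chain of parties between `node` and the facility: the hops an
    attacker who compromised `node` would have to traverse."""
    path = [node]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path


def rank_dependencies(links, root="energy_facility"):
    """Score every external party.  Hypothetical scoring: the access weight of the
    link toward the facility, divided by the degree of separation, plus one if
    the link is bidirectional (the party both supplies and is supplied)."""
    adj, access = build_graph(links)
    dist, parent = degrees_from(adj, root)
    ranked = []
    for node, degree in dist.items():
        if node == root:
            continue
        p = parent[node]
        kind = access.get((node, p)) or access.get((p, node))
        bidir = (node, p) in access and (p, node) in access
        score = ACCESS_WEIGHT[kind] / degree + (1 if bidir else 0)
        ranked.append((round(score, 2), degree, node, kind, bidir))
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


if __name__ == "__main__":
    _, parent = degrees_from(build_graph(LINKS)[0], "energy_facility")
    for score, degree, node, kind, bidir in rank_dependencies(LINKS):
        chain = " -> ".join(path_to_root(parent, node))
        print(f"{score:4}  deg {degree}  {kind:8}  {'bidir' if bidir else '     '}  {chain}")
```

On the sample data the bidirectional customer link ranks first, the two first-degree network links next, and the firmware shop three hops out still appears with a non-zero score, which is the point of slide 6: a party you have no contract with is still on the map. The weights are a starting point for a stakeholder discussion, not a standard.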
  • 16. ES-C2M2
    External dependencies must be managed contractually:
    a) vendor responsibilities (reference specific standards: RM-1c)
    b) auditing rights and monitoring
    c) sharing of cybersecurity "threat information"
    d) reporting of cyber incidents
    e) adherence to a defined risk assessment process
  • 17. ES-C2M2 DESCRIPTION OF RISK
    • Security of products varies widely
    • How was the SW developed? What code went into it?
    • Counterfeit HW or malware injection
    • RFPs don't specify detailed security or QA
    • Utility branches are granted leeway in procurement
    Not to forget: the security capabilities of organizations also vary widely
  • 18. NEI 08-09 CYBERSECURITY PLAN FOR NUCLEAR
    11.2 SUPPLY CHAIN PROTECTION
    "This security control protects against supply chain threats by employing the following measures… to maintain the integrity of the CDAs that are acquired:
    1. Establishment of trusted distribution paths,
    2. Validation of vendors, and
    3. Requirement of tamper proof products or tamper evident seals on acquired products." (NEI, April 2010)
  • 19. CYBERSECURITY PLAN BASED ON NEI 08-09: GOALS
    • Procure CDA products and software from vendors who practice good cyber security and are capable of implementing NEI 08-09, Rev. 6 controls
    • Negotiate with vendors to ensure their environment and products are secure
    • Develop a program to ensure that products received are secure*
    * Author: Barbara Weber, Senior Cyber Security Consultant, Sheffield Scientific, LLC, Barbara.Weber@SheffieldScientific.com
  • 20. EXPECTATIONS OF CDA SUPPLIERS
    Should be operating at the same level of security as the plant itself:
    • Establish a secure development and operating environment
    • Verify staff is trustworthy
    • Verify they are managing their suppliers
    • They are obligated to patch vulnerabilities in products or services provided
    • All received products are hardened
    • Access control is managed
    Note: 10 CFR 74.53 comparable to NQA-1
    Author: Barbara Weber, Senior Cyber Security Consultant, Sheffield Scientific, LLC, Barbara.Weber@SheffieldScientific.com
  • 21. TO BEGIN THE PROCESS…
    • Perform an evaluation (mini risk assessment / risk analysis) of top-priority suppliers
    • Identify security gaps
    • Evaluate the partnership against their security weaknesses: What upgrades are possible? What auditing rights? What level of priority? What cost?
    • Periodically audit and re-evaluate
  • 22. SUPPLY CHAIN SHOULD COMPLY TO WHAT LEVEL?
    • Many aspects of supply chain management are their own mature specialties with expertise, tools and processes (e.g., software assurance, or the receiving/testing of goods). These need to be integrated at the level which makes sense
    • Is it better to use a supplier who already has adequate security in place?
    • Cybersecurity challenges grow much faster than guideline adoption by regulatory agencies (so far)
  • 23. THE "IDEAL" SUPPLY CHAIN SECURITY POSTURE
    Locating the best information depends upon goals. Are the organization's goals to find:
    • Easiest to implement? Fastest? Cheapest? Best?
    • Easiest to get stakeholders to agree to?
    Do we search:
    • Compliance
    • Guiding principles (not compliance yet)
    • By terms
    • By agency
    Most important: compliance. Next level: best security practices
  • 24. FINAL RECOMMENDATIONS
    • Ensure that "supply chain risk" (all external dependencies) is identified and included in your organization's risk assessments
    • Determine the needs/desires of stakeholders in your organization regarding supply chain risk
      • Choose between NEI compliance or ES-C2M2
      • Identify the best source documents
      • Identify supporting documents (like NIST SP 800-161)
    • Follow the process
    • Repeat! (all suppliers, annually)
  • 25. KASPERSKY LAB PROVIDES BEST IN THE INDUSTRY PROTECTION*
    [Chart: score of TOP 3 places (0–100%) against number of independent tests/reviews (20–100) for Kaspersky Lab, Bitdefender, Sophos, G DATA, Symantec, F-Secure, Intel Security (McAfee), Trend Micro, Avira, Avast, BullGuard, AVG, ESET, AhnLab, Microsoft, Panda Security, ThreatTrack (VIPRE), Qihoo 360, Kingsoft, Tencent; bubble size reflects the number of 1st places.]
    In 2014 Kaspersky Lab products participated in 93 independent tests and reviews. Our products were awarded 51 firsts and received 66 top-three finishes (TOP 3 = 71%).
    * Notes:
    • According to summary results of independent tests in 2014 for corporate, consumer and mobile products.
    • Summary includes tests conducted by the following independent test labs and magazines: AV-Comparatives, AV-Test, Dennis Technology Labs, MRG Effitas, NSS Labs, PC Security Labs, Virus Bulletin
    • The size of the bubble reflects the number of 1st places achieved.
  • 26. THANK YOU! QUESTIONS? Cynthia James – cynthia.james@kaspersky.com Kaspersky Lab Technology Alliances & Business Development

Editor's Notes

  1. At Kaspersky Lab, in the Technical Alliances group, we often develop cyber security material to suit the special needs of our partners. This presentation was created by request from OPSWAT – a US-based organization which provides scanning and security products for the Energy industry. They requested a presentation which would cover challenges for cyber-securing the supply chain, including compliance regulations and guidance (which currently exists for Nuclear and Electric).
  2. Today we will take a look at how cybercriminals go about mapping supply chains and we’ll talk about the challenges inherent in securing any supply chain. Then we’ll discuss what resources are available in terms of guidance and the laws which currently exist in this area. Finally we’ll cover the ideal cybersecurity posture for an organization and the most important elements to consider when putting a plan in place to improve cybersecurity in this critical area.
  3. This is an example of a supply chain for a secure energy facility. A determined attacker will develop just this type of map in order to select the easiest entry point. We can see that it’s not just our direct suppliers we need to be concerned with, but the suppliers to those suppliers (example: a company providing hardware components for products we purchase from a trusted reseller). Also, we should be concerned with providers of even basic services like facilities management if they have access to the building and/or they are granted network access (perhaps to submit invoices). These organizations may not even know they have been compromised or that the devices they have connected to your network are infected. A common tactic would be to launch a phishing attack against links in the chain which have much lower security standards than the secure energy facility. Threats can also come from within the supply chain itself when a malicious insider gets involved. When considering the breadth of your supply chain, don’t neglect connections with customers. One reason I like the nomenclature of “External Dependencies Management” (EDM, a phrase coined by DHS and the Dept of Energy in their ES-C2M2 document, which we will discuss later) is that it describes this entire picture, including post-supply connections such as those to customers. These links can also be compromised when they are bidirectional.
  4. Cybercriminals will conduct reconnaissance on key targets to determine who we are connected to and who is connected to us. This will establish a set of potential entry points which are easier to hack than attempting to enter through a highly secure network. When we advertise jobs the company is trying to fill, the more specific we are with regard to requirements, the clearer it becomes as to what hardware, software or systems the company runs on. This provides explicit targets for cybercriminals. The same information often shows up in employee or ex-employee profiles, company blogs, and RFQs. Sometimes suppliers publicize the nature of their relationship with a secure facility, making themselves (or their suppliers) targets as well. In the case where a cybercriminal “gets lucky” and only realizes after hacking a supplier that there is a connection from that organization to a secure facility, they have the option of selling that access on an underground market where everything has a price and can be put up for bid. A more specialized cybercriminal will then take over where the opportunistic one left off.
  5. It always helps to raise awareness within the company of the fact that cybercriminals are seeking information to assist them in developing more successful attack plans. Where it’s possible for HR or employees to use more generic terms to describe the systems they work with, that would be better for the company (it can help to provide employees with suggestions). Assigning someone the task of receiving Google Alerts when your company name is mentioned, or subscribing to a service which crawls websites looking for company branding, can alert you to instances where suppliers are tempted to use your name. Getting stakeholders like the executive team on board is also critical – it makes them less likely to discuss specifics of internal systems in their public conversations (press quotes, panel discussions, etc.). One teaching tool which has proven effective is to develop a reconnaissance profile entirely from external sources to demonstrate the ease with which it can be done. Most organizations cannot legally restrict what employees post about their jobs (the government being a notable exception), but helping employees understand which of their behaviors entail risks to the company still may make them think twice before they post.
  6. This image is courtesy of the NIST Special Publication 800-161. It is a useful reminder that although many organizations are waking up to the implications of an insecure supply chain, many of those suppliers have their suppliers who have their suppliers. At some point a supplier’s supplier’s supplier may very well be a single individual working out of a home office using a non-secured wi-fi router. What this means is that a very industrious cybercriminal may well succeed in developing a map which leads them to the ultimate prize: compromising the secure facility. Unfortunately we live in an incredibly connected world now, so even when suppliers along the way are relatively diligent, all it takes is one infected device which gains access to the right network and a criminal potentially has access. All of this also brings up the challenge of leverage: how much power do we have to get suppliers to comply with our security requests or demands? This is a question which operates at every other level in the chain as well. Even if our suppliers follow good standards, do they have the ability to demand that their suppliers do the same? The closer we look, the more complex the supply chain threat gets.
  7. We covered specific attacks in some detail in the previous Kaspersky-OPSWAT webinar, Top Five Cyber Security Challenges for the Energy Industry in 2015. Here we are just touching on the tactics which are increasingly used to gain entry through the supply chain. HAVEX was malware which was successfully injected into software updates commonly used by Industrial Control Systems. The infection point was the software company delivering the updates, and they did not know they had been infected until alerted by anti-cybercrime companies. IceFog originally targeted Western companies, but the entry points were Asian manufacturing suppliers. The next version of IceFog directly targeted US oil and gas companies using a Java exploit (in fact Kaspersky notified at least three such oil and gas companies in the US directly that they were infected). So-called “watering hole attacks” are a type of supply chain focused attack where adversaries establish websites or information sources which many of their targets use, and then attempt to “poison” that “watering hole” by infecting it with malware. In such a fashion, everyone visiting the site has a chance of becoming infected. (The chance of infection is of course increased if the criminals already know exactly what vulnerable software is being used by visitors.)
  8. Once we have decided to somehow foist stronger security practices upon our suppliers, we need to consider how likely it is that they can or will comply. Will they even accurately disclose their current practices? Will they disclose vulnerabilities across the board or only practices relating to the product we source from them? Would they submit to annual audits or any other form of checking? Most of these questions go to the matter of leverage – how much influence we can exert over a given supplier. If a supplier is small and we are their largest customer, we will have influence. But then the question is whether they have the resources to run a more secure facility. If they do, will prices increase? With larger organizations you may have less leverage but more confidence: a global supplier, for example, may already comply with relatively clear security standards. There’s no magic answer here: as with all of cybersecurity, it’s only a matter of the best choice among all the tradeoffs which must be made. Larger companies are more interesting targets for cybercriminals, so they are attacked more vigorously and more often. Smaller companies are targeted less but also have fewer protections. We have more leverage with small companies, but larger companies are more able to comply.
  9. When communicating about cybercrime it’s presumptuous to assume we share the same vocabulary. In fact, a paper by Nadya Bartol of the Utilities Telecom Council in 2014 tells us that the term “cybersecurity” only came into common usage in about 2009. She also took inventory of all the then-existing terms for “supply chain”. There were at least six which were (and still are) widely used. One of the reasons completely different vocabulary evolved is that vertical industry sectors have gone about solving cybersecurity differently and independently for years. Why is this so significant? For two reasons: first, it’s hard to do the research to determine what security guidelines best fit your organization if you are only looking for “supply chain”, so try the other terms as well. Second, we need to be aware of the fact that each supplier we talk to may be part of a different sector which uses different terminology to explain, track and solve supply chain problems. We should endeavor to be understood: to ensure that we share terms and have a common vocabulary with regard to compliance.
  10. So don’t forget to ask your supply chain partners what their preferred terminology is. Also, when seeking out internet resources - there are many excellent public repositories with helpful guidance like NIST – but it’s useful to know the terms they favor. Personally I love the term “EDM”, coined by the US government (Department of Energy and the Department of Homeland Security in their co-published document) because it includes every potential vulnerability including bi-directional relationships like those with customers. Any external relationship which can be used as a lever to penetrate the organization should be considered when attempting to “harden” the supply chain against threats. Whatever term you favor, the bi-directional nature of many supply relationships should be considered when assessing risk: they may be providing you with a product or service, but you may be granting them access to your systems, information about your activities, and other data which could be stolen and abused.
  11. So again, securing the supply chain involves communicating across suppliers and across sectors. But even within sectors there can be variation regarding the common risk and cybersecurity nomenclature which will be used. For example, if you expect to be notified when suppliers experience “security incidents” which might affect the product you receive from them, you must define “incident” (by level of severity, type of incident, affected data or services, etc.) before determining reporting requirements (which may vary depending on the type or severity of the incident). It also helps to be clear when communicating your objective: perhaps you believe a supplier can help you by reporting an attack. For example, if there is an incident where Supplier A is attacked and you have reason to believe you are the ultimate target, you might wish to warn others in your supply chain. But in order to know about the attack, you’ll have to get suppliers to agree to share information which may expose them to liability. Such trust takes time to develop, and usually involves a mutual sharing of threat data and breach experience. With regard to these and other security needs, the key is to be sure that the entities on both sides – the one requesting compliance and the one acquiescing – are applying terminology the same way. Ideally there will be public domain documents which can be referred to as the source of agreed-upon definitions.
  12. The US government is very concerned about the security of Critical Infrastructure, otherwise known as CI. Although there are 16 CI sectors, only a handful are currently subject to regulation. Within the Energy sector, only electric utilities and nuclear are currently regulated (as of July 2015). Regulations carry penalties with them of course; “guidance” is offered in the hopes organizations will see the value and comply voluntarily. However, what is considered guidance today often turns into policy tomorrow and then regulation after that. The US Nuclear Regulatory Committee pushes regulation and guidance through their policy organization, Nuclear Energy Institute (NEI). The Federal Energy Regulatory Commission (FERC) uses NERC (the North American Electric Reliability Corporation). We will discuss NEI rules in a moment. FERC rules became effective in 2014 with mandatory compliance of some regulations by 2016 and others by 2017.
  13. This slide is self-explanatory except to say that it’s often worthwhile to check the exact wording which is considered the source statute for a regulation to see if it truly is specific enough to be enforceable.
  14. This document is a useful tool in terms of helping the Electricity sector implement the NIST Cybersecurity Framework. This document uses the term EDM (External Dependencies Management) which stresses the importance of looking at the potential risk of all inbound and outbound relationships, regardless of whether we consider them to be “suppliers” or not.
  15. The ES-C2M2 provides excellent guidance. Here is an example of the EDM component, which provides the basic steps of starting supply chain security management. It begins with listing suppliers and then ranking them in terms of priority and then again in terms of known vulnerabilities. Risk is not just related to how easily suppliers can be penetrated and infected but also what risk it represents if their product stops flowing due to a security breach. It’s also critical to identify any entities to whom products or services are delivered.
  16. In order to accomplish true compliance – with full accountability – we must move beyond “good will” and “best faith efforts”, although good intentions are a good place to start. Ideally, the security responsibility of suppliers is specified by contract, to include at least this basic information. Not to forget it’s important to have clarity around what types of incidents must be shared and also to define whether that data (or an anonymized version of it) can then be shared with others (perhaps in the same supply chain) to help them guard against the same threats.
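The three notes above (defining incident severity before reporting requirements on slide 11, the EDM steps of listing and ranking suppliers and their bidirectional links on slide 15, and putting reporting duties into the contract on slide 16) can be expressed as one small risk register. The block below is an added example written for this page; it is not code from the presentation, from Kaspersky Lab or from the ES-C2M2 document. The scoring weights, the severity tiers, the score thresholds and every supplier in `SAMPLE_SUPPLIERS` are constructed assumptions, chosen only to show the mechanics.

```python
"""Supplier (external dependency) risk register.

Added example, not code from the presentation, from Kaspersky Lab or from the
ES-C2M2 document. It turns the EDM steps in the notes (list suppliers, rank them
by priority and by known weaknesses, record which relationships are
bidirectional) and the "define incident severity before defining reporting
requirements" point into one scoring model. Weights, tiers and all supplier data
are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List


class Severity(IntEnum):
    """Agreed-upon incident levels; both parties must apply the same scale."""
    LOW = 1        # e.g. blocked phishing mail, no access gained
    MEDIUM = 2     # e.g. a single workstation infected and contained
    HIGH = 3       # e.g. update/build server or credentials compromised
    CRITICAL = 4   # e.g. attacker active in systems that touch our deliverables


@dataclass(frozen=True)
class Supplier:
    name: str
    criticality: int                 # 1-5: impact on us if their product or service stops flowing
    exposure: int                    # 1-5: how easily they could be compromised (known weaknesses)
    has_network_access: bool         # they hold a link or credentials into our environment
    receives_our_data: bool          # we send them data, so the relationship is bidirectional
    incident_reporting_in_contract: bool


def risk_score(s: Supplier) -> int:
    """Ordinal risk: impact x exposure, raised when the link runs both ways (assumed weights)."""
    score = s.criticality * s.exposure
    if s.has_network_access:
        score += 5   # an infected supplier device can reach us directly
    if s.receives_our_data:
        score += 3   # our information can be stolen from their side
    return score


def rank_suppliers(suppliers: List[Supplier]) -> List[Supplier]:
    """Highest risk first; the name breaks ties so the ranking is stable."""
    return sorted(suppliers, key=lambda s: (-risk_score(s), s.name))


def reporting_threshold(s: Supplier) -> Severity:
    """Lowest severity the supplier must report to us, by risk tier (assumed cut-offs)."""
    score = risk_score(s)
    if score >= 15:
        return Severity.LOW       # tell us about everything
    if score >= 8:
        return Severity.MEDIUM
    return Severity.HIGH


def must_report(s: Supplier, incident: Severity) -> bool:
    """True when an incident of this severity falls under the supplier's reporting duty."""
    return incident >= reporting_threshold(s)


def contract_gaps(suppliers: List[Supplier], min_score: int) -> List[str]:
    """Suppliers at or above min_score whose contract lacks an incident-reporting clause."""
    return [s.name for s in rank_suppliers(suppliers)
            if risk_score(s) >= min_score and not s.incident_reporting_in_contract]


# Constructed sample register: names and values are made up for this example.
SAMPLE_SUPPLIERS = [
    Supplier("ICS Vendor A", 5, 2, True, True, True),             # remote maintenance link
    Supplier("Regional SW consultant", 3, 4, True, False, False),
    Supplier("Facilities management", 1, 4, True, False, False),  # invoice portal access
    Supplier("Paper supplier", 1, 3, False, False, False),
]

if __name__ == "__main__":
    for s in rank_suppliers(SAMPLE_SUPPLIERS):
        print(f"{s.name:25} score={risk_score(s):2}  must report from: {reporting_threshold(s).name}")
    print("contracts missing a reporting clause:", contract_gaps(SAMPLE_SUPPLIERS, 8))
```

The point of the model is the ordering, not the absolute numbers: a low-value supplier with a portal login (the facilities company) outranks a supplier with no network link at all, and the `contract_gaps` output is the list to take into the next contract review cycle, which slide 24 says should be repeated annually for all suppliers.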
  17. There are too many different security standards to count. This is one of the great challenges of the cybersecurity field: it has evolved extremely quickly (as fields of study go), so there are many different tools, rules and standards people use. Since security always involves a set of tradeoffs – usability versus security, efficiency versus security, etc. – there may be competing products which fit different industries better. Some of the appropriate questions to ask about products received by your organization (to query suppliers with) include: what security protocols were followed in the development process and what opportunities exist for any type of malware injection. Two industry-wide issues called out in the ES-C2M2 are, first, that most RFPs still don’t specify what type of security should be included or integrated into products or during product development, nor do they define ideal security QA practices. Second, in Energy, branch offices are often given too much leeway in terms of procurement – often engaging with smaller suppliers who are more likely to be vulnerable. In such a case, the branch itself becomes a target as a way to get into the main office. We have seen cybercriminals target smaller companies after they are acquired because they know security is likely to be more lax in the smaller one, and once they get in they can move upstream to the larger corporation.
  18. “CDAs” in NEI terminology are “critical digital assets”. In fact, the terminology used previously was “critical cyber assets” – a cool term, but they realized that they are just as concerned with data when it is at rest. These words are taken directly from NEI’s 9-09 document published in April of 2010. You can see that there is a lack of specificity in these rules. This highlights one of the biggest problems in cybersecurity: the more specifically a problem is solved or mandated to be solved – with technology or products – the more likely it will lag behind newer, better solutions. Also, any industry that dictates the use of specific technology is begging to be hacked. When a hacker knows that, say, all 2000 highly-valued sector organizations are using a certain hardware/software configuration, they already know what their ROI will be if they can find the vulnerabilities within that configuration.
  19. This is a new concept: the idea of demanding that suppliers comply with a similar level of security as the receivers of their products do. It’s a great idea but challenging in practice. Once again the vagueness with regard to specifics means NEI is expecting attempts to be made in this area, and for processes to be put into place. They expect these conversations to occur and be on-going with suppliers, but they are not mandating a specific format. At least not yet. By the way, I’d like to acknowledge Barbara Weber for her help – she is a consultant to North American nuclear companies – she is extremely knowledgeable on the topic and provided me with information on this and the next slide.
  20. This slide is self-explanatory – these are NEI expectations in more detail, courtesy of Barb. Of course if every level of the supply chain were to comply we would finally have in-depth, end-to-end supply chain security.
  21. These are the basic steps required to secure a supply chain.
  22. Because the improvement of cybersecurity is a never-ending process but we have limited resources, we have to make choices about how far to take it. For many categories of products there are mature processes which govern security measures. Obviously there need to be limits on these so that they don’t incur unreasonable cost. It’s worth asking though whether it makes better sense from a risk perspective to select a supplier who is already security-compliant than to coax existing suppliers into better practices. Also, if strong cybersecurity is your goal, you should be ahead of compliance requirements since regulations always lag behind what is known to be good security practice.
  23. Very often executive stakeholders will say to the IT team after an industry breach becomes known, “make sure this doesn’t happen to us!”. But such a request is practically meaningless without understanding how much budget will be allocated to ensure that result. Perfect security is not impossible – it’s as easy as building a castle with a moat and letting no one in or out – it’s just unworkable for a thriving, competitive organization. Where executives or company stakeholders agree on priorities, it’s useful to understand what they really want: something which is quick to implement? The best solution? Or minimum compliance? Whatever the answer, the same level of diligence should be applied to suppliers. A cursory survey of the supply chain threats which face your organization may help management prioritize cybersecurity risk assessments for them. What we know for certain is that money is unlikely to be applied to threats people are unaware of.
  24. Self-explanatory.
  25. In this graphic, the size of each bubble is the number of first place finishes among independent organizations which tested anti-malware in 2014. You can see that the Kaspersky bubble is the biggest. We’re quite proud of this result, because if you understand the tests, one will be looking at thoroughness – which sometimes means a heavy product which slows a system down – and another will look at speed, which often means a smaller footprint. Kaspersky did the best job of balancing all requirements to beat out every other anti-malware company in the world.