PRESIDENTIAL POLICY DIRECTIVE/PPD-21
 The Nation's critical infrastructure provides the essential services that underpin American society. The PPD21 Directive establishes national policy on critical infrastructure security and resilience, and is a
shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and
private owners and operators of critical infrastructure.
 The PPD-21 Directive refines / clarifies the critical infrastructure-related functions, roles, and responsibilities
across the Federal Government, and enhances overall coordination and collaboration.
Strategic Imperatives to Strengthen Critical Infrastructure
Refine and clarify
Functional
relationships
across Federal
Government
2
Enable effective
information
exchange
Implement an
integration and
analysis function
Critical Infrastructure
What Is Critical Infrastructure?
 Critical infrastructure is comprised of 16 major sectors, and is the backbone of our nation's
economy, security and health. We know it as the power we use in our homes, the water we drink,
the transportation that moves us, and the communication systems we rely on to stay in touch with
friends and family.
 Critical infrastructure is the assets, systems, and networks, whether physical or virtual, so vital to the
United States that their incapacitation or destruction would have a debilitating effect on security,
national economic security, national public health or safety, or any combination thereof.
3
Critical Infrastructure Sectors – Overview

Chemical Sector: Composed of 5 main segments
Basic Chemicals * Specialty Chemicals * Agricultural Chemicals * Pharmaceuticals * Consumer Products

Commercial Facilities: Composed of 8 Subsectors
Public Assembly * Sports Leagues * Gaming * Lodging * Outdoor Events * Entertainment / Media * Real Estate * Retails

Critical Manufacturing: Comprised of 4 core manufacturing industries
Machinery * Primary Metal * Electrical Equipment / Appliance / Component * Transportation Equipment

Dams

Defense Industrial Base: Components are:
Companies – Domestic Entities * Companies – Foreign Entities * Production Assets in Various Countries

Emergency Services: Nation’s first line of defense
Natural Threats * Cyber Related Threats * Workforce Threats * Manmade Threats

Energy Sector: Uniquely critical by providing an enabling function across all critical infrastructure sectors
Natural Gas * Petroleum * Electricity

4
Financial Services: Because cyber threats are a significant concern to this sector, the Treasury Department works closely
with the US-CERT to indentify the latest threats to cyber infrastructure and disseminates threat information within the sector.
Critical Infrastructure Sectors – Overview

Food and Agriculture: Critical dependencies with many sectors, but particularly with:
Water / Wastewater Systems * Transportation Systems * Energy * Pharmaceuticals * Financial Services, Chemical, and Dam

Government Facilities: Includes buildings located in the US and overseas owned / leased by federal, state, local and tribal
governments. Buildings * Education Facilities * National Monuments

Healthcare / Public Health : Protects all sectors of the economy from hazards such as terrorism, infectious diseases, etc.
Symbiotic sectors: Communications * Emergency * Energy * Food / Ag * Info Technology * Transportation * Water / Wastewater

Information Technology: The heart of the nation’s security, economy, public health and safety sectors

Nuclear Reactors, Materials and Waste: Components are: Nuclear Fuel Cycle Facilities * Nuclear Power Plants * Radioactive Materials
* Non-Power Reactors * Decommissioned Nuclear Power Reactors * Manufacturers of Nuclear Reactors / Components *
Transportation, Storage, and Disposal of Nuclear / Radioactive Waste

Transportation System: Seven key subsectors: Aviation * Highway Infrastructure * Motor Carrier * Maritime * Mass Transit *
Passenger Rail * Pipeline Systems * Freight Rail * Postal / Shipping
5

Water / Wastewater: Vulnerabilities are contamination with deadly agents and physical attacks (cyber / chemical)

Communications: Underlying to all operations of all businesses, public safety organizations, and government.
Critical Infrastructure - Summary
 All 16 Sectors are dependent and interconnected, tied together.
 A successful threat and attack to any one of them would be severely detrimental to the well being
and fabric of the United States.
 In the world of Information Technology, where are the holes, the vulnerabilities?
 How do we as CISOs, CSO’s and IT Security specialists, detect, prevent security compromises and
prove that our networks, end point products, and infrastructure are really secure?
6
What Has Changed
The risk of cyber and terrorist attacks against our critical infrastructures has never been higher.
 Trusted Sources – how do we decide who / what is a trusted source? How do we quantify / qualify “trusted”?
 Supply Chain Security – closer scrutiny components and how / where our products are developed and manufactured.
 Public perception and awareness of vulnerabilities and demand for reassurance that products / services / online websites are safe and secured.
 Cost of Doing Business has increased:
- The CIO and Compliance Offices: No longer a luxury, but the cost of doing business in a global economy.
* Key Skills: SIRT, Auditor, Software Security Architects, Ethical Hacker
* Small Businesses not able to fund such an office can outsource to 3rd parties
- Cybersecurity Programs are critical
- Cost of businesses who have been compromised to fix the infrastructure issues and lost
revenue from reduced consumer spend from breeches. These costs are eventually passed to consumers.
 Border Security in the US is highly vulnerable to infiltration, and breeches are at an all time high which, in turn, places our critical
infrastructures at increased risk for terrorist and cyber attacks. One attack can cripple our entire nation and it’s economy with a domino effect.
 Health and medical records are the new “hot commodity” of cyber attacks, even more valuable than credit card information. Once the health
care information is stolen, this information is used to obtain pharmaceuticals, commit Medicare fraud and other crimes.
 Increased use of ‘cloud’ services for business and personal use, which are very vulnerable to cyber crimes. Businesses often focus on the
convenience and low cost of cloud services, but not enough focus on the potential for compromise to security and data breeches.
8
Security Landscape (Customer Concerns):
FUTURE: 12 – 18 MONTHS OUT
PAST: 12 MONTHS AGO








Malware
Back Doors
Spyware
Holes in BIOS
Trust Worthy
Personnel Screening
Critical Infrastructure
Cyber Security Framework
PRESENT: 2014

Supply Chain (Touch Points)
Manufacturing / Assembly / Delivery

Product Security
(SIRT) Security Incident Response Team

Software Development – Where?
Design / Dev / Test / Authenticate & Validate

9
Internet of Things
Liability Shift
The current cybersecurity attacks and breaches have highlighted the need for corporate responsibilities for compliance and
security within their cybersecurity networks and IT infrastructures. The legal books are being “rewritten” with new laws and
new cases resulting from these attacks.
Failure for CISO, CIO and CEO’s to address these pressing cyber security issues, will result in the liability falling back to them
as corporate executives.
 Merchants that accept credit cards for payment, but do not have Chip and PIN available to consumers by October 2015 will be
held completely liable for breaches.
Reference: http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/
 On June 10th, 2014 the Security and Exchange Commissioner noted that a "…cyber attack may not have a direct material
adverse impact on the company itself, but that a loss of customers" , and to consider updating the SEC Cyber Security Guidance
for breach disclosure and fines to businesses that suffer breaches. He strongly encouraged companies board of director's to
take active roles in their risk management programs and apply frameworks like NIST Cyber Security Framework.
Reference: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946
Reference: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
 James Comey, Director of the Federal Bureau of Investigation (FBI), said last November that “resources devoted to cyber-based
threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.”
Reference: http://www.hsgac.senate.gov/hearings/threats-to-the-homeland
10
Not if, but WHEN….
The U.S. per record cost for a data breach averages $194
Home Depot
Breach
5 months & > 60
million credit cards
stolen
Target Data
Breach
> 40 million credit
cards stolen
Home Depot
Malicious software in
point of sale systems
Cost = Unknown
Target Breach
Malicious software in
point of sale systems
Cost = 148 million
State of South
Carolina
16 million records
stolen
South Carolina
Department of
Revenue
Cost = ~36.6 million
 Business and banks are not the only targets of cyber crime. Health care records are
are rapidly becoming the new “hot commodity” and target of hackers. Between April –
June 2014, hackers penetrated Community Health Systems resulting in 4.5 million
health care records stolen.
11
JP Morgan Chase
76 million
households and 7
million business
affected
JP Morgan Chase
Breach penetrated
internal working
systems in the bank
Cost = Unknown
Fidelity Investments
Attacked by the same group as
JP Morgan Chase, but hackers
were unable to penetrate any
of the security on their network
systems
Network Infrastructure and Security
Over the course of the year Network Infrastructure and Security has become even more important as
cyber criminals become more aggressive and specific in their targets and attacks. Hardening network
infrastructure is key to building immunity and resistance to the attacks
 Weakness in network infrastructure results in high risk of cyber exploitation. Our nation’s critical infrastructures
depend on the ‘wellness’ of their associated IT networks.
 Perception was that any cyber attacks were / would be from external sources breaking through firewalls, etc.. ,
The Target security breach outlined that focus must also be on hardening network infrastructure internally to
avoid compromise from within.
- Device Integrity
- Secure Management
- Secure Protocol Standards / Strong Cryptography
- Secure Logging
- Stringent regulations on BYOD programs (and use of thumb drives)
12
What’s on the CIO’s (CISO) Mind
 Mobility
 Cloud (Vendor Management)
 Business Enablement
 Threat Intelligence / Vetting
 Compliance
 Insider Threat
 Data Theft
 Targeted Attackers / APT
 Spear Phishing
 Attack Preparation and Response
(Incident Response Plans)
 Advanced Malware
 Hactivist
13
Supply Chain Management
Secure Supply Chain Management:
Hardware
System(s)
Root of
Trust
•
•
•
•
•
•
Firmware
Bundled
Software
Baseboard
CPU
Memory
Hard Drive
HSM
Storage
•
•
•
•
•
BIOS
UEFI
BMC
TMM
Drivers (e.g. Audio,
Video)
• Operating System (e.g.
Windows 7, Windows 8)
• Internally Developed
Software
• 3rd Party
Key Questions for IT Industry Vendors:
 Do you have a secure supply chain management
program? (e.g. What is it based on?)
 Does your program address hardware, firmware, and
software that is packaged on the system?
 What embedded software do you have on your
devices?
 How do you ensure that the firmware and software on
your device had not been altered?
 Does your code get reviewed externally for security
vulnerabilities?
 How do you ensure that unauthorized code is not
inserted?
 How do you ensure that counterfeit parts are not in
your products?
14
Attacks Targeting Supply Chain
 “Bad BIOS” and “Bad USB” highly publicized issues in firmware allowing a malicious
attacker to gain low level access to systems.
 July 7th, 2014 – ZombieZero hit hardware scanners of large shipping and logistics
companies. Suspected hardware supply chain management was the avenue of attack.
 July 22nd, 2010 - Dell PowerEdge Motherboards Ship with Malware (Spybot Worm)
Source: http://www.zdnet.com/dell-poweredge-motherboards-ship-with-malware-3040089615/
 June 16th, 2014 – Android smartphone shipped with spyware
Source: https://blog.gdatasoftware.com/blog/article/android-smartphone-shipped-with-spyware.html
 A U.S. power plant was taken off line for three weeks when a computer virus attacked a
turbine control system. The virus was introduced when a technician unknowingly inserted
an infected USB computer drive into the network.
Source: http://www.theage.com.au/it-pro/government-it/malicious-virus-shuttered-power-plant-us-government20130116-2cuox.html
15
Analysis of End Point – Laptop Component Sourcing
Component
Lenovo TP T440
HP E840
Dell Latitude 7440
CPU / Chipset / vPro
LCD
FPR Sensor
Smart Card Reader
Touchpad
Memory
HDD
WLAN Card
Ethernet
TPM
Super I/O
Embedded Controller
Intel
Multiple; Asia
Validity; China
Alcor; China
Synapatics; China
Multiple; Asia
Multiple; Asia
Intel; China
Intel; China
ST Micro; China
Toshiba; China
Microchip; Taiwan
Intel
LG; China
Validity; China
Alcor; China
Synaptics; China
Ramaxel; China
Hitachi; Thailand
Intel; China
Intel; China
Infineon; Asia
SMSC; Taiwan
N/A
Intel
LG; China
Broadcom / China
O2Micro; China
Alps; China
Micron; Korea
Seagate; Korea
Altheros; China
Intel; China
Atmel; Asia
SMSC; Taiwan
SMSC; Taiwan
 Assumption: HP and Dell, like Lenovo, have multiple sources
16
What Lies Ahead: A Call to Action
 Assess and communicate security risks – adopt a uniform framework such as the NIST standards, and perform regular
compliance assessments.
 Better articulate risks and audit findings with business stakeholders – Perform routine reporting of cybersecurity threats to
build support for security initiatives.
 Explore creative paths to improve cybersecurity effectiveness within your organizations using the current federated
governance models – create cybersecurity competency centers or pursue a shared services model.
 Focus on audit and continuous monitoring of third party compliance – Focus on communicating cybersecurity policies and
practices to partners.
 More thorough vetting and screening process for vendors and employees who have access to sensitive information or
technology. Closer scrutiny on internal “IT hygiene” practices.
 Validation for supply chain “touchpoints”
 Location of software code development
- Independent validation and verification of software code development / root of trust
17
Framework Introduction
 Presidential Executive Order 13636 – “Improving Critical Infrastructure Cybersecurity”
- Calls for development of a voluntary cybersecurity Framework that provides a “prioritized,
flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity
risk for those processes, information, and systems directly involved in the delivery of critical
infrastructure services.
- Developed in collaboration with industry
- Provides guidance to an organization on managing cybersecurity risk.
18
2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.
Framework Overview
 Framework is a risk-based approach to managing cybersecurity risk
 Composed of three parts:
- Framework Core: A set of cybersecurity activities, desired outcomes, and applicable references
that are common across critical infrastructure
- Framework Implementation Tiers: Provide context on how an organization views cybersecurity
risk and the processes in place to manage that risk.
- Framework Profile: Represents the outcomes based on business needs that an organization has
selected from the Framework Categories and Subcategories. The alignment of standards,
guidelines, and practices to the Framework Core in a particular implementation scenario.
19
2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.
Framework Core – Four Elements
 Functions – to organize basic cybersecurity activities at their highest level
1.
Identify – Develop organizational understanding to manage cybersecurity risk to systems, assets, data and
capabilities.
2.
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
3.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
4.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
5.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any
capabilities or services that were impaired due to a cybersecurity event.
 Categories – subdivisions of a Function into groups of cybersecurity outcomes closely tied to
programmatic needs and particular activities.
 Subcategories – further divide a Category into specific outcomes of technical and/or management
activities
 Informative References – specific sections of standards, guidelines and practices common among
critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each
Subcategory.
20
2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.
Critical Infrastructure – Time to Comply
 Supply Chain:
How secure is your end product from point A (origination) to the point of delivery (Z)?
 Unified Capabilities:
Approved Products List (UC APL) - Unified Capabilities Approved Products List (UC APL) is a
consolidated list of products that have completed Interoperability (IO) and Information Assurance
(IA) certification, which is used by the US military, and managed by the Defense Information
Systems Agency.
 NIST - FIPS 140 – 2 (Cryptology):
Federal Information Processing Standards (FIPS) 140-2 the standard for equipment used in US
government IT applications & environments. This is a US standard, but for civilian agencies.
 Common Criteria:
Common Criteria are the civilian focused international standards that have been adopted by 26
member countries for security requirements for information technology products in both government
and private sector use. This is a globally applicable standard.
 Use of Government approved NIST & NSA test labs, 7 outside Ft. Meade, MD & NSA.
22
Critical Infrastructure – Proof of Security
 Products
 Networks
 Infrastructure
 Cloud
 Data
 Use of external cybersecurity standards, regulations, frameworks, and guidance.
23
Questions?
Jerry Fralick – Chief Security Officer
Think Business Group
Lenovo USA
1009 Think Place
Morrisville, NC 27560
919-257-6172
gfralick@lenovo.com
24