Cyber Supply Chain Risk Management Portal Dr. Sandor Boyson, Director, Supply Chain Management Center& Holly Mann, Chief InformaBon Officer R.H. Smith School Of Business The Cyber Supply Chain Challenge •  Accelera3ng globaliza3on •  Only 20% of all computer and outsourcing of both chips are made in the U.S. so:ware & IT hardware •  Counterfeits are flooding our federal IT systems •  In 2010, a Florida company (Vision Tech) sold 60,000 counterfeit integrated circuits from Asia that went into DOD missile programs, DHS radia3on detectors and DOT high speed trains The Malicious Threat •  Criminal organiza3ons and foreign intelligence services are targe3ng the supply chain •  In 2007, hard drives produced in Thailand by an American firm had “report back mechanisms” embedded in them by a foreign intelligence service. •  These hard drives were sent to DOD, copied all the classified files stored on them, and transmiVed the files via the internet back to the foreign intelligence service. Need For A New Assurance Model •  In the late 1990s, the globaliza3on, outsourcing and fragmenta3on of produc3on accelerated the development of an integrated corporate management process: supply chain risk management. •  Today, the same factors in ICT produc3on are driving the growth of cyber supply chain risk management. Cyber-­‐SCRM Is An Emerging Discipline •  Cyber-­‐ SCRM combines enterprise risk management, supply chain management and cybersecurity into a fusion discipline. •  This discipline is aimed at gaining visibility and control over the end to end opera3ons (facili3es, people and processes) that integrate hardware, so:ware and network connec3vity into systems. Cyber-SCRM: A Holistic Model
Ring #1 Governance: Ring #3: Opera3ons Networks
• Supply Chain Champion/Orchestrator People
• Risk Board facilitates extended Enterprise Risk Management Group (e.g. Council of Interests) Ring #2: Systems Integra3on/Shared Services • Network Map Crea3on
Plants/
Factories
Data
Ring #2 Systems integraBon: • Stewardship of cyber/ physical asset network map Ring #1:
Governance
• Ensures network asset visibility and real-­‐
3me monitoring of processes • System-­‐integrator/enforcer of chain of custody
Ring #3 OperaBons: IT Hardware Enterprise Applica3ons So:ware Code 6
• Ac3on/ Field Layer • Blend Physical /Cyber-­‐Asset Visibility & Management • Ac3ve Quest For Process Excellence
Corporate Uptake Of Cyber- SCRM Is Slow
In our NIST-­‐sponsored ICT SCRM Vendor Survey, we found that on the strategic side of risk management: –  47.6% of our sample of 200 companies never uses a Risk Board or other execu3ve mechanisms to govern risk; –  -­‐46.1% never uses a shared Risk Registry, an online database of IT supply chain risks; –  49.4% never uses an integrated IT supply chain risk management dashboard; and 44.9% say they never use a supply chain risk management plan." (ibid, p.
20) –  Most companies do not use automated business rules and sensor-­‐driven responses, e.g. they cannot sense and respond to risks in real 3me. 7
Community Cyber-­‐SCRM IniBaBves Have A Lot of Gaps •  Our team built a Cyber Supply Chain Framework that incorporated our corporate survey results and other research. •  We used this Framework to review 60 public & private sector SCRM Ini3a3ves and evaluate their extent of coverage of the end to end Cyber Supply Chain. Findings
•  The graph above shows a clear clustering of efforts around the internally-­‐oriented systems development and supplier-­‐
oriented sourcing func3ons. •  At the high end of the defense in depth axis, there appear to be extensive gaps in ini3a3ves’ coverage of Risk Governance. •  In fact, deficiencies in coverage of the enterprise risk management func3on also prevent the coordina3on of adequate defense in breadth measures across the extended supply chain. 11
Building A Cyber SCRM Capability/Maturity Model •  Recently, we took our composite knowledge base and under NIST sponsorship built a Portal and a formal Capability/Maturity Enterprise Assessment Tool Set for Cyber Supply Chain Risk Management… Summary Of Cyber-­‐SCRM Portal Features The E-­‐Mail Sent Out By NIST to its User Community On April 28,2014: “The first of its kind Cyber Risk Management Portal and its pornolio of state of the art enterprise assessment and network mapping tools is now complete and ready for user tes3ng. Sponsored by the NaBonal InsBtute Of Standards & Technology (NIST) and developed over four years by the University Of Maryland in consulta3on with industry leaders, this highly secure community portal will enable your organiza3on to anonymously benchmark itself against the very latest IT and Supply Chain Risk Management standards and prac3ces. Enterprise Risk Assessment Tool based on the President's Execu3ve Cyber Security Framework that factors in your organiza3on's governance, network design and systems management prac3ces. Supply Chain Assessment Tool based on latest NIST guidelines and prac3ces that evaluates your organiza3on's strategic control over its end to end IT supply chain and uses advanced algorithms to plot your organiza3on's capability/maturity posi3on. Mapping Tool to determine the vulnerability of key hubs and nodes in your IT supply chain Insurance Risk Analysis Tool, developed in partnership with Willis Insurance, one of the largest insurance brokers in the world, that enables your publically-­‐traded organiza3on to benchmark itself against a database of cyber security breaches by industry. Easy to Use ExecuBve Dashboard to display and access assessment results. News feeds and alerts rela3ve to cyber security Please go to: hVp://cyberchain.rhsmith.umd.edu and register for an account.” Conclusions •  Cyber SCRM is an important new branch of ERM & SCRM. •  It is an aVempt to gain strategic management control over the rapidly globalizing cyber chain. •  It can help compensate for deficiencies in purely technical approaches to security and assurance. •  New management tools are under development and will impact the field.