PRESIDENTIAL POLICY DIRECTIVE / PPD-21

The Nation's critical infrastructure provides the essential services that underpin American society. PPD-21 establishes national policy on critical infrastructure security and resilience, which is a shared responsibility among Federal, state, local, tribal, and territorial (SLTT) entities and the public and private owners and operators of critical infrastructure. PPD-21 refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, and enhances overall coordination and collaboration.

Strategic Imperatives to Strengthen Critical Infrastructure
- Refine and clarify functional relationships across the Federal Government
- Enable effective information exchange
- Implement an integration and analysis function

Critical Infrastructure

What Is Critical Infrastructure?
Critical infrastructure comprises 16 sectors and is the backbone of our nation's economy, security, and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family. Critical infrastructure is the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Critical Infrastructure Sectors – Overview

Chemical Sector: composed of 5 main segments. Basic Chemicals * Specialty Chemicals * Agricultural Chemicals * Pharmaceuticals * Consumer Products

Commercial Facilities: composed of 8 subsectors. Public Assembly * Sports Leagues * Gaming * Lodging * Outdoor Events * Entertainment / Media * Real Estate * Retail

Critical Manufacturing: comprised of 4 core manufacturing industries. Machinery * Primary Metal * Electrical Equipment / Appliance / Component * Transportation Equipment

Dams

Defense Industrial Base: components are Companies – Domestic Entities * Companies – Foreign Entities * Production Assets in Various Countries

Emergency Services: the nation's first line of defense against Natural Threats * Cyber-Related Threats * Workforce Threats * Manmade Threats

Energy Sector: uniquely critical because it provides an enabling function across all critical infrastructure sectors. Natural Gas * Petroleum * Electricity

Financial Services: because cyber threats are a significant concern to this sector, the Treasury Department works closely with US-CERT to identify the latest threats to cyber infrastructure and disseminates threat information within the sector.

Food and Agriculture: critical dependencies with many sectors, but particularly with Water / Wastewater Systems * Transportation Systems * Energy * Pharmaceuticals * Financial Services, Chemical, and Dams

Government Facilities: includes buildings located in the US and overseas that are owned or leased by federal, state, local, and tribal governments. Buildings * Education Facilities * National Monuments

Healthcare / Public Health: protects all sectors of the economy from hazards such as terrorism and infectious diseases.
Symbiotic sectors: Communications * Emergency Services * Energy * Food / Agriculture * Information Technology * Transportation * Water / Wastewater

Information Technology: the heart of the nation's security, economy, public health, and safety sectors.

Nuclear Reactors, Materials and Waste: components are Nuclear Fuel Cycle Facilities * Nuclear Power Plants * Radioactive Materials * Non-Power Reactors * Decommissioned Nuclear Power Reactors * Manufacturers of Nuclear Reactors / Components * Transportation, Storage, and Disposal of Nuclear / Radioactive Waste

Transportation Systems: seven key subsectors. Aviation * Highway Infrastructure and Motor Carrier * Maritime * Mass Transit and Passenger Rail * Pipeline Systems * Freight Rail * Postal / Shipping

Water / Wastewater: the principal vulnerabilities are contamination with deadly agents and physical, cyber, or chemical attacks.

Communications: underlies all operations of all businesses, public safety organizations, and government.

Critical Infrastructure – Summary
All 16 sectors are dependent on one another and interconnected. A successful attack on any one of them would be severely detrimental to the well-being and fabric of the United States. In the world of information technology, where are the holes, the vulnerabilities? How do we as CISOs, CSOs, and IT security specialists detect and prevent security compromises, and prove that our networks, endpoint products, and infrastructure are really secure?

What Has Changed
The risk of cyber and terrorist attacks against our critical infrastructures has never been higher.
- Trusted sources: how do we decide who or what is a trusted source? How do we quantify or qualify "trusted"?
- Supply chain security: closer scrutiny of components and of how and where our products are developed and manufactured.
- Public perception and awareness of vulnerabilities, and demand for reassurance that products, services, and online websites are safe and secured.
The cost of doing business has increased:
- The CIO and compliance offices are no longer a luxury but the cost of doing business in a global economy. Key skills: SIRT, auditor, software security architect, ethical hacker. Small businesses unable to fund such an office can outsource to third parties.
- Cybersecurity programs are critical.
- Businesses that have been compromised bear the cost of fixing the infrastructure issues and the lost revenue from reduced consumer spending after breaches. These costs are eventually passed on to consumers.

Border security in the US is highly vulnerable to infiltration, and breaches are at an all-time high, which in turn places our critical infrastructures at increased risk of terrorist and cyber attacks. One attack can cripple our entire nation and its economy through a domino effect.

Health and medical records are the new "hot commodity" of cyber attacks, even more valuable than credit card information. Once healthcare information is stolen, it is used to obtain pharmaceuticals, commit Medicare fraud, and carry out other crimes.

Increased use of cloud services for business and personal use, which are very vulnerable to cyber crime. Businesses often focus on the convenience and low cost of cloud services, with not enough focus on the potential for security compromise and data breaches.

Security Landscape (Customer Concerns)
PAST (12 months ago): Malware * Back Doors * Spyware * Holes in BIOS * Trustworthy Personnel Screening
PRESENT (2014): Critical Infrastructure Cyber Security Framework * Supply Chain (Touch Points): Manufacturing / Assembly / Delivery * Product Security: Security Incident Response Team (SIRT) * Software Development – Where? Design / Dev / Test / Authenticate & Validate
FUTURE (12–18 months out): Internet of Things

Liability Shift
The current cybersecurity attacks and breaches have highlighted the need for corporate responsibility for compliance and security within cybersecurity networks and IT infrastructures.
The legal books are being "rewritten" with new laws and new cases resulting from these attacks. Failure of CISOs, CIOs, and CEOs to address these pressing cybersecurity issues will result in the liability falling back on them as corporate executives.

Merchants that accept credit cards for payment but have not deployed chip (EMV) terminals by October 2015 will bear the liability for counterfeit-card fraud at the point of sale that the card issuer previously absorbed. Reference: http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/

On June 10, 2014, a Commissioner of the Securities and Exchange Commission (SEC) noted that a "...cyber attack may not have a direct material adverse impact on the company itself, but that a loss of customers" ..., and suggested updating the SEC cybersecurity guidance on breach disclosure and fines for businesses that suffer breaches. He strongly encouraged company boards of directors to take active roles in their risk management programs and to apply frameworks such as the NIST Cybersecurity Framework.
Reference: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946
Reference: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

James Comey, Director of the Federal Bureau of Investigation (FBI), said last November that "resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats." Reference: http://www.hsgac.senate.gov/hearings/threats-to-the-homeland

Not if, but WHEN...
The U.S. per-record cost of a data breach averages $194.
- Home Depot breach: 5 months; about 56 million payment cards stolen; malicious software in point-of-sale systems; cost = unknown.
- Target breach: more than 40 million payment cards stolen; malicious software in point-of-sale systems; cost = $148 million.
- State of South Carolina (Department of Revenue): 16 million records stolen; cost = ~$36.6 million.
Businesses and banks are not the only targets of cyber crime.
Healthcare records are rapidly becoming the new "hot commodity" and target of hackers. Between April and June 2014, hackers penetrated Community Health Systems, resulting in 4.5 million healthcare records stolen.

- JP Morgan Chase breach: 76 million households and 7 million businesses affected; the attackers penetrated internal working systems in the bank; cost = unknown.
- Fidelity Investments: attacked by the same group as JP Morgan Chase, but the hackers were unable to penetrate any of the security on its network systems.

Network Infrastructure and Security
Over the course of the year, network infrastructure and security has become even more important as cyber criminals become more aggressive and specific in their targets and attacks. Hardening network infrastructure is key to building immunity and resistance to attacks; weakness in network infrastructure results in a high risk of cyber exploitation. Our nation's critical infrastructures depend on the "wellness" of their associated IT networks. The perception was that cyber attacks were, or would be, from external sources breaking through firewalls; the Target security breach showed that the focus must also be on hardening network infrastructure internally to avoid compromise from within.
- Device integrity
- Secure management
- Secure protocol standards / strong cryptography
- Secure logging
- Stringent regulations on BYOD programs (and use of thumb drives)

What's on the CIO's (CISO's) Mind
Mobility * Cloud (vendor management) * Business enablement * Threat intelligence / vetting * Compliance * Insider threat * Data theft * Targeted attackers / APT * Spear phishing * Attack preparation and response (incident response plans) * Advanced malware * Hacktivists

Supply Chain Management
Secure supply chain management starts from a hardware root of trust and covers every layer packaged on the system:
- Hardware: Baseboard * CPU * Memory * Hard Drive * HSM * Storage
- Firmware: BIOS * UEFI * BMC * TMM * Drivers (e.g. audio, video)
- Bundled software: Operating System (e.g. Windows 7, Windows 8) * Internally Developed Software * 3rd Party Software

Key Questions for IT Industry Vendors:
- Do you have a secure supply chain management program? What is it based on?
- Does your program address the hardware, firmware, and software that is packaged on the system?
- What embedded software do you have on your devices?
- How do you ensure that the firmware and software on your device have not been altered?
- Does your code get reviewed externally for security vulnerabilities?
- How do you ensure that unauthorized code is not inserted?
- How do you ensure that counterfeit parts are not in your products?

Attacks Targeting the Supply Chain
- "BadBIOS" and "BadUSB": highly publicized firmware issues that allow a malicious attacker to gain low-level access to systems.
- July 7, 2014 – Zombie Zero hit the hardware scanners of large shipping and logistics companies; the hardware supply chain is suspected to have been the avenue of attack.
- July 22, 2010 – Dell PowerEdge motherboards shipped with malware (Spybot worm). Source: http://www.zdnet.com/dell-poweredge-motherboards-ship-with-malware-3040089615/
- June 16, 2014 – Android smartphone shipped with spyware. Source: https://blog.gdatasoftware.com/blog/article/android-smartphone-shipped-with-spyware.html
- A U.S. power plant was taken offline for three weeks when a computer virus attacked a turbine control system. The virus was introduced when a technician unknowingly inserted an infected USB drive into the network.
Source: http://www.theage.com.au/it-pro/government-it/malicious-virus-shuttered-power-plant-us-government20130116-2cuox.html

Analysis of End Point – Laptop Component Sourcing

Component                Lenovo ThinkPad T440    HP E840              Dell Latitude 7440
CPU / Chipset / vPro     Intel                   Intel                Intel
LCD                      Multiple; Asia          LG; China            LG; China
Fingerprint (FPR) Sensor Validity; China         Validity; China      Broadcom; China
Smart Card Reader        Alcor; China            Alcor; China         O2Micro; China
Touchpad                 Synaptics; China        Synaptics; China     Alps; China
Memory                   Multiple; Asia          Ramaxel; China       Micron; Korea
HDD                      Multiple; Asia          Hitachi; Thailand    Seagate; Korea
WLAN Card                Intel; China            Intel; China         Atheros; China
Ethernet                 Intel; China            Intel; China         Intel; China
TPM                      ST Micro; China         Infineon; Asia       Atmel; Asia
Super I/O                Toshiba; China          SMSC; Taiwan         SMSC; Taiwan
Embedded Controller      Microchip; Taiwan       N/A                  SMSC; Taiwan

Assumption: HP and Dell, like Lenovo, have multiple sources.

What Lies Ahead: A Call to Action
- Assess and communicate security risks: adopt a uniform framework such as the NIST standards, and perform regular compliance assessments.
- Better articulate risks and audit findings to business stakeholders: perform routine reporting of cybersecurity threats to build support for security initiatives.
- Explore creative paths to improve cybersecurity effectiveness within your organization using the current federated governance models: create cybersecurity competency centers or pursue a shared services model.
- Focus on audit and continuous monitoring of third-party compliance: focus on communicating cybersecurity policies and practices to partners.
- More thorough vetting and screening of vendors and employees who have access to sensitive information or technology.
- Closer scrutiny of internal "IT hygiene" practices.
- Validation of supply chain "touchpoints".
- Location of software code development; independent validation and verification of software code development and of the root of trust.

Framework Introduction
Presidential Executive Order 13636 – "Improving Critical Infrastructure Cybersecurity"
- Calls for development of a voluntary cybersecurity Framework that provides a "prioritized, flexible, repeatable, performance-based, and cost-effective approach" to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.
- Developed in collaboration with industry.
- Provides guidance to an organization on managing cybersecurity risk.

2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.

Framework Overview
The Framework is a risk-based approach to managing cybersecurity risk, composed of three parts:
- Framework Core: a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure.
- Framework Implementation Tiers: provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.
- Framework Profile: represents the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories; the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.

Framework Core – Four Elements
Functions – organize basic cybersecurity activities at their highest level:
1. Identify – develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
2. Protect – develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
3. Detect – develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
4. Respond – develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
5. Recover – develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Categories – subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
Subcategories – further divide a Category into specific outcomes of technical and/or management activities.
Informative References – specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.

Critical Infrastructure – Time to Comply
Supply chain: how secure is your end product from point A (origination) to the point of delivery (Z)?
Unified Capabilities Approved Products List (UC APL): a consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification, used by the US military and managed by the Defense Information Systems Agency.
NIST FIPS 140-2 (cryptography): Federal Information Processing Standard (FIPS) 140-2 is the standard for cryptographic modules used in US government IT applications and environments. This is a US standard, applied to civilian agencies.
Common Criteria: the civilian-focused international standard, adopted by 26 member countries, for security requirements for information technology products in both government and private-sector use. This is a globally applicable standard.
Use of government-approved NIST and NSA test labs: 7 outside Ft. Meade, MD, and the NSA.
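The supply-chain question above (how secure is the product from point A to point Z) and the earlier vendor question, "how do you ensure that the firmware and software on your device have not been altered?", come down to a check a practitioner can actually run at receipt: the vendor records the digest of every component packaged on the system in a manifest, authenticates the manifest with a key that only the hardware root of trust and the vendor hold, and the device (or the receiving organization) recomputes the digests and compares. The Python below is an added example for this deck, not Lenovo's or any vendor's code; the HMAC key standing in for a TPM-protected secret, the component names, and the byte blobs are all constructed for the demo.

```python
"""Vendor-manifest integrity check anchored in a root-of-trust key.

Added example, not Lenovo's or any vendor's code. Assumptions:
- the vendor ships a manifest of every firmware/software component on the
  system and its SHA-256 digest, tagged with HMAC-SHA256 under a key that only
  the device's root of trust (e.g. a TPM-protected secret) and the vendor hold;
  ROOT_OF_TRUST_KEY is a stand-in constant for that key;
- component images are handed in as bytes; the blobs in demo() are constructed
  sample data, not real firmware.
"""
import hashlib
import hmac
import json


# Stand-in for the key held by the hardware root of trust (assumption).
ROOT_OF_TRUST_KEY = b"demo-key-provisioned-at-manufacture"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so vendor and verifier tag exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(components: dict, key: bytes) -> dict:
    """Vendor side: record each component's digest and tag the whole list."""
    body = {name: sha256_hex(blob) for name, blob in components.items()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"components": body, "tag": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Device side: reject a manifest whose tag was not produced with the key."""
    expected = hmac.new(key, _canonical(manifest["components"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def check_device(manifest: dict, installed: dict, key: bytes) -> dict:
    """Compare what is installed against what the vendor attested.

    Returns {'manifest_ok': bool, 'altered': [...], 'missing': [...], 'unlisted': [...]}.
    'altered' = digest mismatch, 'missing' = listed but absent,
    'unlisted' = present on the device but not in the manifest (unauthorized code).
    """
    result = {"manifest_ok": verify_manifest(manifest, key),
              "altered": [], "missing": [], "unlisted": []}
    if not result["manifest_ok"]:
        # An unauthenticated manifest proves nothing about the components:
        # an attacker who can alter firmware can also rewrite the digest list.
        return result
    listed = manifest["components"]
    for name in sorted(listed):
        if name not in installed:
            result["missing"].append(name)
        elif not hmac.compare_digest(sha256_hex(installed[name]), listed[name]):
            result["altered"].append(name)
    result["unlisted"] = sorted(set(installed) - set(listed))
    return result


def demo() -> dict:
    """Three devices: clean, tampered, and tampered with a forged manifest."""
    golden = {  # constructed sample images
        "bios.bin": b"UEFI image v1.23 (constructed)",
        "bmc.bin": b"BMC firmware 2.0 (constructed)",
        "audio.sys": b"audio driver 9.1 (constructed)",
    }
    manifest = sign_manifest(golden, ROOT_OF_TRUST_KEY)

    clean = check_device(manifest, dict(golden), ROOT_OF_TRUST_KEY)

    # Tampered device: BIOS modified in transit, extra binary bundled on.
    tampered = dict(golden)
    tampered["bios.bin"] = golden["bios.bin"] + b" + implant"
    tampered["preload_helper.bin"] = b"unlisted bundled binary (constructed)"
    altered = check_device(manifest, tampered, ROOT_OF_TRUST_KEY)

    # Same device, but the attacker also rewrote the manifest digest to match.
    forged = json.loads(json.dumps(manifest))
    forged["components"]["bios.bin"] = sha256_hex(tampered["bios.bin"])
    forged_result = check_device(forged, tampered, ROOT_OF_TRUST_KEY)

    return {"clean": clean, "altered": altered, "forged": forged_result}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

The order matters: the manifest tag is checked first, and the component digests are trusted only if it verifies, so an attacker who rewrites bios.bin and the digest list together is still caught. The "unlisted" finding is what answers the question about unauthorized code being inserted. In a real deployment the key never leaves the root of trust (a TPM- or HSM-held key), and a vendor signature would replace the shared-secret HMAC so that the verifier cannot itself forge manifests.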
Critical Infrastructure – Proof of Security
Products * Networks * Infrastructure * Cloud * Data
Use of external cybersecurity standards, regulations, frameworks, and guidance.

Questions?
Jerry Fralick – Chief Security Officer
Think Business Group, Lenovo USA
1009 Think Place, Morrisville, NC 27560
919-257-6172
gfralick@lenovo.com