Securing the Supply Chain - Protecting the Lowest Common Denominator
Commercial in Confidence

The supply chain – Confidentiality, Integrity and Availability?

The supply chain integrates supply and demand management within and across organisations:
• Sourcing and procurement
• Conversion
• Logistics management
• Coordination and collaboration with channel partners – suppliers, intermediaries, third-party service providers, and customers.

Supply Chain Management is an integrating function with primary responsibility for:
– Linking major business functions and business processes within and across companies into a cohesive and high-performing business model
– Driving coordination of processes and activities with and across marketing, sales, product design, finance and information technology.

Security – emerging global and local regulations:
• UK: MOD-led CSMM and compliance to standards across the entire supply chain
• United States: Importer Security Filing and additional provisions of the Certified Cargo Screening Program

Corporate Responsibility (image caption: 2013 Savar building collapse with more than 1,100 victims)

A view from the UK

“The nature of cyber threat means the supply chain is [also] liable to attack and its vulnerability being, potentially, a ‘weak link’ access to MoD systems. Risk mitigation actions might include sharing threat intelligence, providing ‘best practice’ guidance and improving identity and access management. Government policy is to encourage the use of SMEs in the defence supply chain. These companies may require additional support to accelerate their cyber-security maturity.”
http://www.publications.parliament.uk/pa/cm201012/cmselect/cmdfence/writev/1881/1881.pdf

Cyber Attacks and the Supply Chain

Cyber attacks and technology failures are posing new and growing dangers to business supply chains worldwide, according to a new report by a global risk assessment and reinsurance firm, Marsh.
http://www.usanfranonline.com/online-education-information/

Supply Management reports that the Business Continuity Institute's 2012 report, Supply Chain Resilience, backs up Marsh's statement, with more than half of the companies that took part in the report (52 per cent) saying that they had been affected by the threat of cyber attack.
http://www.bvdinfo.com/industrynews/procurement-and-risk-management/cyber-attacks-could-threaten-business-supply-chains/801646102

According to de Crespigny, 40 percent of the data-security breaches experienced by organizations arise from attacks on their suppliers. Criminals are increasingly realizing that “this is a channel they can attack.”
http://www.supplychainbrain.com/content/blogs/think-tank/blog/article/why-cybersecurity-is-a-supply-chain-problem/

The RSA takedown is probably the most public example of this, where the commonly held belief is that RSA were merely a security supplier to more interesting (defence industry) targets.
http://www.publications.parliament.uk/pa/cm201012/cmselect/cmdfence/writev/1881/1881.pdf

And…
“I do not hold ‘secrets’, so why should I spend money for protection I do not need?”

Cyber Threat – Some ‘Truisms’

A dangerous world of complexity and evolving cyber threat. The short-term trends in cyber threat require solutions to meet:
– Further nation state cyber revelations – new nation states gear up
– Professionalisation of a cyber attack industry – accessible and pervasive
– Increased attacks against the supply chain – points of weakest resistance
– Deployment of ‘adaptive security architectures’ – the need to monitor
– Cyber crime becomes mobile-enabled – increasing application-level attacks

Each of these drives a need for a better solution to meet the changing requirements for us to securely share information – whoever we are.
* https://www.baesystemsdetica.com/news/bae-systems-detica-releases-top-5-predictions-for-cyber-security-threats-in/

A MOD-UK Industry perspective

(Diagram: collaboration channels grouped under Person to Person, Person to Application, Application to Application and Group Coordination – e.g. voice mail, email, messaging, fax, IM, web conferencing, video, secure file transfer, reliable data stream, application messaging, remote procedure call, task and workflow management, terminal and Windows application access, calendar and scheduling, application portal, document sharing, discussion forum, document repository, collaborative authoring (wiki).)

The nature of the challenge to the A&D community…

The absolute need to help organisations control the movement of high-value data assets between networks based upon:
– Classification of the data – ‘National’, Export Control, IPR
– The clearance of those sending and receiving
– The content of the data
– The regulations governing the movement of that data

The business drivers behind secure supply chain enablement:
– Meet the cyber security requirements for reducing the risk associated with Advanced Persistent Threats (APT)
– Reduce the operational risk of data loss when exchanging sensitive information
– Enhance security levels to meet operational and regulatory requirements
– Cut operational and infrastructure costs
– Increase the operational benefit of sharing data without being a barrier

What are not now Adequate Defences?

– The appliance that protects all – they are not strong enough
– Defences that only sit at the network level – the attacks are increasing at the application level
– An enterprise security suite – one size does not fit all where data has higher value
– Security products that do not defend themselves – that is where I would target my attack
– Solutions difficult to integrate – they need to support the current business processes
– Those that limit interoperability – the opportunity to stove-pipe systems is still with us!

… and the one absolute certainty!
When to do something different

(Diagram: risk threshold plotted against assurance level – No Assurance, Low Assurance, High Assurance.)

COTS network products (no / low assurance):
• Firewalls
• IDS / IPS
• Routers
• Malware appliances
• NAC
• Endpoint security

Security position (high assurance)
• Business drivers:
  – Higher assurance information protection
  – Demanding accreditation
  – Breach avoidance, not mitigation
  – Safety regulation
  – Collaboration efficiency in sharing data
• Characteristics:
  – Strong boundary protection
  – Defined sender/recipient relationships
  – Self-defending platforms
  – Integrated management
  – Deep content inspection and verification

TSCP – the basis for taking the ‘right’ approach

SEv1 gives us secure email:
– The right trust model – PKI-based certification
– The right protection – encryption
– The right level of integrity – digital signatures

SEv2 gives us additional layers of trusted assurance:
– The right data – labelling
– The right release – inspection of encrypted content

ILH gives us the right approach to valuing the data:
– National protective markings
– Export control release
– Protection of Intellectual Property

Focussed on the community that fronts up to APT attack, where the prizes are the richest.

UKCeB SEEOTI Environment
(Diagram.)

A solution bringing commoditised service offerings to A&D
(Diagram.)

UKCeB CWE Project Environment
(Diagram.)

The UKCeB combined CWE and SEEOTI approach
(Diagram.)

The Value

TSCP-based solutions help organisations control the movement of high-value supply chain data assets between networks based upon:
– Classification of the data
– The clearance of those sending and receiving
– The content of the data
– The regulations governing the movement of that data

Assured security platform that delivers security to control information flows:
– Implementation architecture supporting accreditation
– Policy-based control and management
– Clearance and classification verification
– PKI-enabled certificate verification
– Content verification
– Delivery and notification control
– Audit, account and alerting to support security operations (SyOps)

Key Defence Contacts in Deep-Secure

Robin King, CEO
Telephone: +44 (0)1684 217061
Email: robin.king@deep-secure.com

Colin Nash, Business Development Manager
Telephone: +44 (0)1684 217062
Email: colin.nash@deep-secure.com

Deep-Secure Limited
1 Nimrod House, Sandy’s Road
Malvern, Worcestershire, WR14 1JJ
+44 (0)1684 217070
www.deep-secure.com

Deep-Secure is a Member of:
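The TSCP and “The Value” slides above describe a release decision over four inputs: the data's classification label, the clearance of sender and recipient, the content itself, and the regulations (export control, IPR) that govern the movement, all backed by signature verification and an audit record. The following is an added example, not Deep-Secure, TSCP or UKCeB code, showing one way such a policy check can be expressed. The marking lattice, caveat names, principals, signing keys and messages are all constructed for illustration, and HMAC-SHA256 over a canonical encoding stands in for the PKI digital signatures a real guard would verify against the sender's certificate.

```python
"""Release-control check for labelled data crossing a boundary (added example, not
Deep-Secure or TSCP code). Markings, caveats, principals, keys and messages are
constructed; HMAC-SHA256 stands in for PKI digital signatures."""
import hashlib
import hmac
import json
from dataclasses import dataclass

MARKINGS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET"]  # constructed, low to high
RANK = {m: i for i, m in enumerate(MARKINGS)}
SIGNING_KEYS = {"alice@acme.example": b"alice-demo-key"}  # stand-in for sender certificates
IPR_AGREEMENTS = {"ACME": {"ACME", "PARTNER"}}           # owning org -> orgs allowed to receive
EXPORT_ALLOWED = {"GB"}                                  # nationalities allowed controlled data

@dataclass
class Principal:
    org: str
    nationality: str
    clearance: str  # highest marking the person may handle

@dataclass
class Message:
    sender: str
    recipient: str
    label: str          # marking declared by the sender
    caveats: frozenset  # e.g. {"EXPORT_CONTROLLED", "IPR:ACME"}
    body: str
    signature: str = ""

def sign(msg, key):
    """HMAC over a canonical encoding of every field the policy relies on."""
    data = json.dumps([msg.sender, msg.recipient, msg.label, sorted(msg.caveats), msg.body]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def evaluate_release(msg, principals):
    """Return (allowed, audit_record); each failed check adds a reason."""
    reasons = []
    sender, recipient = principals.get(msg.sender), principals.get(msg.recipient)
    if sender is None or recipient is None:
        reasons.append("unknown sender or recipient")
    # 1. Integrity and origin: verify under the key bound to the claimed sender.
    key = SIGNING_KEYS.get(msg.sender)
    if key is None or not hmac.compare_digest(sign(msg, key), msg.signature):
        reasons.append("signature invalid")
    if msg.label not in RANK:
        reasons.append(f"unknown marking {msg.label!r}")
    else:
        # 2. Clearance: both ends must be cleared to the declared label.
        for role, p in (("sender", sender), ("recipient", recipient)):
            if p is not None and RANK[p.clearance] < RANK[msg.label]:
                reasons.append(f"{role} not cleared for {msg.label}")
        # 3. Content: the body may not carry a marking above the declared label.
        found = [m for m in MARKINGS if m in msg.body]
        if not found:
            reasons.append("content carries no marking")
        elif RANK[max(found, key=RANK.get)] > RANK[msg.label]:
            reasons.append(f"content marked {max(found, key=RANK.get)} above label {msg.label}")
    # 4. Regulations: export-control and IPR caveats bind the recipient.
    if recipient is not None:
        if "EXPORT_CONTROLLED" in msg.caveats and recipient.nationality not in EXPORT_ALLOWED:
            reasons.append("export-controlled data to non-permitted nationality")
        for caveat in msg.caveats:
            if caveat.startswith("IPR:"):
                owner = caveat.split(":", 1)[1]
                if recipient.org not in IPR_AGREEMENTS.get(owner, {owner}):
                    reasons.append(f"no IPR agreement between {owner} and {recipient.org}")
    decision = "RELEASE" if not reasons else "BLOCK"
    audit = {"sender": msg.sender, "recipient": msg.recipient, "label": msg.label,
             "decision": decision, "reasons": reasons}
    return decision == "RELEASE", audit

# Constructed principals and messages exercising each control.
PRINCIPALS = {
    "alice@acme.example": Principal("ACME", "GB", "SECRET"),
    "bob@partner.example": Principal("PARTNER", "GB", "CONFIDENTIAL"),
    "carol@partner.example": Principal("PARTNER", "FR", "SECRET"),
}

def make(recipient, label, caveats, body):
    msg = Message("alice@acme.example", recipient, label, frozenset(caveats), body)
    msg.signature = sign(msg, SIGNING_KEYS["alice@acme.example"])
    return msg

def demo():
    """Evaluate four constructed messages; returns their audit records."""
    cases = [
        make("bob@partner.example", "CONFIDENTIAL", {"IPR:ACME"}, "CONFIDENTIAL - test plan"),
        make("carol@partner.example", "CONFIDENTIAL", {"EXPORT_CONTROLLED"}, "CONFIDENTIAL - drawings"),
        make("bob@partner.example", "RESTRICTED", set(), "RESTRICTED cover note\nSECRET annex"),
        make("bob@partner.example", "CONFIDENTIAL", set(), "CONFIDENTIAL - original"),
    ]
    cases[3].body = "CONFIDENTIAL - altered after signing"  # tampered in transit
    return [evaluate_release(m, PRINCIPALS)[1] for m in cases]

if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```

The point of the structure is that every check feeds the same audit record rather than short-circuiting: a blocked message records all the reasons it failed, which is what a security operations team needs when tuning policy or investigating why a release was refused. The four constructed cases show a clean release, an export-control refusal, a content marking higher than the declared label (the case that label-only filtering misses), and a body altered after signing.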