Page 1

Assuring the Security of the Supply Chain - Designing best practices for cybersecurity in supply chains

Ollie Whitehouse, Technical Director

Page 2

Agenda

Supply Chains and the Cyber Challenge

Regulatory (FCA) Outsourcing Requirements

Historic Approaches

Models for the Future – our maturity model

Page 3

Supply chains…

• Software: commercial off-the-shelf (COTS) and proprietary

• Equipment: the routers, servers, tablets, phones, storage, multi-function devices, the doors, conditional access devices, building management system etc.

• Services: business process outsourcing, data processing, IaaS, PaaS, SaaS, people, other generic terms like data feeds, cloud and managed service etc.

Page 4

Supply chains…

Page 5

Supply chains cyber risk ..

Page 6

Supplier tiers..

Tiers of suppliers: focus on tier 1 and tier 2 initially.

The tier a supplier sits in is dictated by the business criticality of what they supply.

Page 7

Supplier tiers..

Tiers of suppliers have tiers of suppliers.

It is an exponential problem, creating inadvertent centralized hot pockets of data or function for certain roles (legal, HR etc.) or sector niches.
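The tiering and concentration problem described on pages 6 and 7 can be made concrete with a small graph walk. The following Python is an added example written for this page, not NCC Group's code or tooling: it takes a constructed supplier graph (every supplier name is hypothetical), assigns each supplier a tier by its distance from the firm and the business criticality inherited from what it ultimately supports, and reports the sub-suppliers on which several business-critical tier 1 suppliers quietly converge, the "hot pockets" the slide warns about. The thresholds `min_dependents` and `max_crit` are assumed knobs, not part of the NCC Group model.

```python
"""Supplier tiering and concentration check over a constructed supply-chain graph."""
from collections import defaultdict, deque

# Constructed sample data (all names hypothetical). For each direct (tier 1)
# supplier: the business criticality of what it supplies to the firm
# (1 = business critical, 2 = important, 3 = low).
DIRECT_SUPPLIERS = {
    "core-banking-saas": 1,
    "payments-gateway": 1,
    "hr-outsourcer": 2,
    "office-supplies": 3,
}

# Constructed sub-supplier edges: supplier -> the suppliers it depends on.
SUB_SUPPLIERS = {
    "core-banking-saas": ["cloud-iaas-a", "legal-firm-x"],
    "payments-gateway": ["cloud-iaas-a", "hsm-vendor"],
    "hr-outsourcer": ["payroll-saas", "legal-firm-x"],
    "office-supplies": ["courier"],
    "payroll-saas": ["cloud-iaas-a"],
}


def assign_tiers(direct, subs):
    """Breadth-first walk from the firm. Tier = shallowest depth at which a
    supplier appears (tier 1 = direct); criticality = the highest (numerically
    lowest) criticality inherited along any path, since a low-value supplier
    that also sits under a critical one must be treated as critical."""
    tier, crit = {}, {}
    queue = deque()
    for name, c in direct.items():
        tier[name], crit[name] = 1, c
        queue.append(name)
    while queue:
        cur = queue.popleft()
        for child in subs.get(cur, []):
            if child not in tier:
                tier[child] = tier[cur] + 1
                crit[child] = crit[cur]
                queue.append(child)
            else:  # already seen via another path: keep the stricter values
                tier[child] = min(tier[child], tier[cur] + 1)
                crit[child] = min(crit[child], crit[cur])
    return tier, crit


def concentration(direct, subs):
    """For every supplier, the set of tier 1 suppliers that transitively
    depend on it (depth-first with a visited set, so cycles are safe)."""
    reach = defaultdict(set)
    for top in direct:
        stack, seen = [top], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            reach[cur].add(top)
            stack.extend(subs.get(cur, []))
    return reach


def hot_pockets(direct, subs, min_dependents=2, max_crit=2):
    """Sub-suppliers beneath at least `min_dependents` distinct tier 1
    suppliers whose supply is of criticality <= max_crit: the inadvertent
    centralized dependencies. Returns (name, tier, inherited crit, tier-1s)."""
    tier, crit = assign_tiers(direct, subs)
    reach = concentration(direct, subs)
    findings = []
    for name, tops in reach.items():
        if tier[name] == 1:
            continue
        critical_tops = {t for t in tops if direct[t] <= max_crit}
        if len(critical_tops) >= min_dependents:
            findings.append((name, tier[name], crit[name], sorted(critical_tops)))
    return sorted(findings)


def in_scope(direct, subs, max_tier=2):
    """Suppliers to bring into the assurance programme first: tier 1 and 2."""
    tier, _ = assign_tiers(direct, subs)
    return sorted(n for n, t in tier.items() if t <= max_tier)


if __name__ == "__main__":
    print("Initial scope (tier 1 and 2):", in_scope(DIRECT_SUPPLIERS, SUB_SUPPLIERS))
    for name, t, c, tops in hot_pockets(DIRECT_SUPPLIERS, SUB_SUPPLIERS):
        print(f"{name}: tier {t}, inherited criticality {c}, supports {tops}")
```

On the constructed data the shared IaaS provider and the shared legal firm both surface as tier 2 dependencies carrying tier 1 criticality, even though neither has a direct contract with the firm; that is exactly the case where contractual cover and validation effort need to reach one tier further than the procurement view suggests.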

Page 8

Supply chains cyber risk ..

Page 9

Suffice to say

Suppliers are increasingly operating business critical functions

Page 10

Today it is a challenge for customers

Suppliers today need to show good will in order to support supply chain cyber maturity programs..

Legacy contractual cover is typically weak beyond compliance against standards such as ISO27001..

Cost of contract renegotiating is typically high..

If a supplier is unique or niche then commercial leverage evaporates..

Page 11

FCA outsourcing regulatory requirements

• Senior Management Arrangements, Systems and Controls

• SYSC 8.1: General outsourcing requirements

• SYSC 13.7.9: Geographic location considerations

• Threshold Conditions

• COND 2.4: Appropriate resources

• COND 2.5: Suitability..

.. then there is the DPA etc…

Handbook: http://fshandbook.info/FS/

Page 12

FCA outsourcing regulatory reality

At the time of authorisation, a firm’s regulated activities must be supported by IT services which are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our (the FCA’s) objectives.

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014, https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

Page 13

FCA outsourcing regulatory reality

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014, https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

The firm must have undertaken sufficient preparatory work to provide reasonable assurance that each OSP will deliver its services effectively, resiliently and securely.

Page 14

FCA outsourcing regulatory reality

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014, https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

The firm has established appropriate arrangements for the on-going oversight of its OSPs and the management of any associated risks such that the firm meets all its regulatory requirements.

Page 15

FCA outsourcing regulatory reality

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014, https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities. It cannot delegate any part of its responsibility to a third party.

Pages 16-20

FCA protection considerations

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014, https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

(Five slides of figures; only the title and the source citation are recoverable from the text.)

Page 21

Current approach to the supply chain

today only the most mature

Page 22

This is not enough…

Resilience

Page 23

What does cyber resilience mean?

We will have incidents both of internal and external origin

we will contend with accidents and malicious acts

we will face an evolving set of threats requiring agility

We will build services for the business which are appropriately secure and resilient

… which frustrate threat actors and reduce likelihood of accidents

… which minimize the impact of any incident whilst remaining usable

We will be in a position to detect incidents in a timely fashion

… whilst being able to answer who, what, when and how … and then recover

Page 24

How we deal with risk today

• Elements / Tenets: CIA and Parkerian Hexad etc.

• Models / Indexes: custom or off the shelf.

• Taxonomies / Frameworks: FAIR, NIST RMF, OCTAVE, TARA, EBIOS, ISO/IEC 13335-2, SP800-30 etc.

• Standards / Regulation: ISO/IEC 27001, PCI, FCA/PRA, SOC-1, SOX etc.

• Maturity Models: recognizing risk isn’t static nor do we need to be perfect

• Audit: tell us the gaps against regulation, standards, taxonomies etc.

Page 25

How we deal with risk today

C A I: this priority ordering is good for your sensitive data

C = confidentiality, I = integrity, A = availability

Page 26

How we deal with risk today

C A I: this priority ordering is good for your building management system

Page 27

How we deal with risk today

N I C A: this priority ordering is good for high-frequency trading

N = non-repudiation

Page 28

Biggest challenges today are still

• Where will my organization's data, or the ability to significantly impact my business, end up (logically and physically)?

• Who will have access to it?

• What is my supplier's ability to protect themselves in the first instance?

• What is their ability to detect an incident, respond and notify me?

• How cyber resilient is my supplier?

Page 29

A maturity model for the supply chain

(Rows are the assessed dimensions; columns run from Immature to Mature. The vertical axis of the original chart is labelled "Implementation".)

Dimension | Immature | Early Starter | Progressive | Semi-Mature | Mature
Cyber security strategy | Reactive | Regulatory (customer) driven | Regulatory, customer and maybe peer driven | Regulatory, customer, peer & threat driven | Regulatory, peer, customer, threat and intelligence driven
Approach to risk management | Ad-hoc | Conformance and audit driven | Audit and proactive | Audit, proactive with dynamic risk models | .. plus continual validation of risk models
Contractual cover / supplier relationship | None | Minimal cyber security requirements | Allows independent cyber security review | Independent validation / information shared | … plus requires pro-active notification of incidents
Standards and validation | Cyber Essentials | Cyber Essentials + ISO 27001 | CE+, ISO plus paper validation | CE+, ISO, paper & tech validation | CE+, ISO, paper, tech & end-to-end ongoing validation
Overall cyber resilience | None | Ability to defend against some attacks | Ability to defend and detect common incidents | Ability to defend, detect and respond to most incidents | Ability to defend, detect, respond and gain intelligence

NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management

Page 30

CBEST in this context

For a critical supplier of an economic function to the UK economy, it validates:

• Level of threat awareness of the supplier, i.e. a tier 1 institution

• Their ability to protect their estate in the first instance

• Their ability to detect an incident, respond and notify in the second

• The end-to-end technical and soft defence countermeasure effectiveness including from vectors such as the Internet and trusted partners etc.

Page 31

So where is the best supply chain today?

(The NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management table from page 29 is repeated on this slide.)

Page 32

Closing… CBEST is mature

But we can expect it to trickle down in terms of what is looked at in the supply chain…

Page 34

How we help our customers …

Red Team Assessments

STAR and CBEST

Phishing Assessments

Cyber Incident Response

Cyber Defence Operations

Regulatory Advice

Cyber Resilience

Risk & Governance

Supply Chain Assurance

Operational Support

Page 35

Final thought…

Maturity is happening globally in financial services…

Israeli Cyber Defense Management Directive, March 2015

Prescriptive in comparison, including 24x7x365 SOCs, incident rooms, mandatory reporting of cyber incidents etc…

http://www.bankisrael.gov.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/361_et.pdf?AspxAutoDetectCookieSupport=1

Page 36

Europe: Manchester - Head Office

Amsterdam

Cambridge

Copenhagen

Cheltenham

Edinburgh

Glasgow

Leatherhead

London

Luxembourg

Munich

Zurich

Australia: Sydney

North America: Atlanta

Austin

Chicago

New York

San Francisco

Seattle

Sunnyvale

Ollie [email protected]