Supply Chain Cybersecurity - Lockheed Martin (slide transcript)
Posted 30-Apr-2020
© 2015 Lockheed Martin. All Rights Reserved.
Carlos Bivins, Debbie Stuckey
Lockheed Martin Corporate Information Security
Supply Chain Cybersecurity
August 7, 2017
Agenda:
• Threat brief
• Common vulnerabilities and “Quick Wins”
• Lockheed Martin Supply Chain Cybersecurity Strategy
• Industry collaboration
• Lockheed Martin’s risk-based approach
• Lockheed Martin’s expectations of suppliers
• DFARS changes
• Supplier experience
• General support and help sites
Video Introduction
The Director of National Intelligence has identified supply chain cyber risk as a threat to the national security of the United States and released this video highlighting supply chain cyber risk.
Office of the Director of National Intelligence’s National Counterintelligence video, Supply Chain Risk Management: https://www.youtube.com/watch?v=oj5iD0D7JsY&feature=youtu.be
Office of the Director of National Intelligence’s National Counterintelligence release statement for the Supply Chain Risk Management video: https://www.dni.gov/index.php/newsroom/press-releases/215-press-releases-2016/1405-new-video-highlights-foreign-risks-to-private-sector-supply-chains
Understanding the Cyber Threat Scope
[Diagram: growth of the threat landscape from 2005 to 2017. Actors: Nation States, Hacktivists, Anonymous, Rogue Nations, Criminal. Motivations: Espionage (IP Theft), Espionage (Intel), Disruptive (DDoS), Destructive, Financial. Attack vectors: Spear Phishing, Web Server, Watering Hole, Social Media, Mobile, Supplier. Exposed surfaces: Perimeter, Joint Venture, Mobility, Core Network, Cloud, Platform. The 2005 view lists only Spear Phishing, Nation State, Core Network and Espionage.]
Common Supply Chain Cyber Vulnerabilities
Common adversarial attack vectors:
• Spear Phishing
• Credential Harvesting
• Perimeter Exploitation
Common supply chain vulnerabilities:
• Lack of security education / awareness
• Lack of multi-factor authentication
• Lack of vulnerability scanning
“Quick Wins”
Common adversarial attack vectors:
• Spear Phishing
• Credential Harvesting
• Perimeter Exploitation
“Quick Wins” mitigations
Technical:
• Email filtering
• Category “none” blocking
• Minimize desktop admins
• Multifactor authentication
• Eliminate “end of life” Internet-facing systems
Process:
• Properly marked / distributed data
• Training and awareness
• Restrict information flow down
• Shared intelligence (industry/government)
Supply Chain Cyber Initiative Strategy
[Diagram: Supplier Cyber Security progression: Understand Posture (Questionnaires & Validations) → Build Awareness → Reduce Risk → End Goal: Compliance with Cyber DFARS. Supporting actions: broad cyber risk assessment, awareness and education; risk-based cyber mitigation actions; supplier threat awareness and monitoring, with self-reporting to LM/DoD. Collaboration across Supply Chain, Cyber Security, Program Management and Engineering. Theme: move defenses “up stream”.]
Industry Collaboration & Supplier Engagement
Collaborative approach:
• LM chairs the Supply Chain Cybersecurity Working Group
• Exostar hosts cybersecurity questionnaires
• Common supplier expectations
• Supplier inputs once, results shared across multiple primes
Understand supplier posture:
Cybersecurity Questionnaire
• 180 questions
• APT and risk focus
• Developed by Exostar partners
• Based on standards: Center for Internet Security top Critical Security Controls
NIST 800-171 Questionnaire
• 110 questions
• Compliance for Covered Defense Information (CDI) as defined in DFARS 252.204-7012
• Regulatory compliance by 12/31/2017
Supply Chain Cyber: Supplier Self-Assessments
[Diagram: information protection risk from lower to higher: No Sensitive Info; LM Critical Info; LMPI / TPPI; DoD Regulatory Information (e.g., CDI). Supplier questionnaires by tier: no questionnaires required (based on supplier TPM certification); Critical Security Controls Questionnaire; Critical Security Controls Questionnaire AND NIST Questionnaire.]
Supply Chain Cyber: Enterprise Risk-Based Actions
[Diagram: information protection risk from lower to higher: No Sensitive Info; LM Critical Info; LMPI / TPPI (no CDI or Critical Info.); DoD Regulatory Information (e.g., CDI).]
Corporate Information Security (CIS) actions:
• Ensure supplier TPM certification is updated if sensitive info / CDI is confirmed
• Virtual Validations: review/validate supplier questionnaire comprehension & responses
• Audits and Deep Dives: confirm supplier’s IT controls are in place as stated and collaborate on best practices
• Active Monitoring & Testing: LM active technical testing and/or reviews of supplier environments (e.g., Netflow analysis)
• Broad to program-specific cyber security education/awareness
Supplier Experience
Lockheed Martin’s Expectations of our Suppliers
• Assess internal cybersecurity maturity using Exostar questionnaire(s)
  – Handling Sensitive Information
    • Complete the Cybersecurity Questionnaire (180 questions)
    • Result: ~40 page report with rating/scores and links to recommendations
    • Define a remediation plan and work to close open items
  – Handling Covered Defense Information (CDI) as defined by DFARS
    • Be aware of applicable DFARS clauses in LM CorpDocs
    • Flow DFARS requirements to sub-tier suppliers
    • Complete the NIST 800-171 Questionnaire (110 questions)
    • Be compliant by December 31, 2017
    • 30-day notification to DoD CIO and LMC of non-compliant NIST controls
    • Report cyber incidents within 72 hours to DoD CIO and LMC
Exostar Cybersecurity Questionnaire
Exostar NIST Questionnaire
Supply Chain Resources
• Supplier accessible support sites
  – Lockheed Martin external website for Supply Chain Cyber
    • http://www.lockheedmartin.com/us/suppliers/cybersecurity.html
  – Exostar PIM Cybersecurity Questionnaire and supplier process FAQs
    • http://www.myexostar.com/pim/cq/
    • http://www.myexostar.com/PIM/NQ/
• Lockheed Martin internal support sites
  – Internal CIS Cyber Questionnaire migration support site (under construction)
    • https://ebs.global.lmco.com/cyber/suppliers/
    • Go Live Kit (“Support” / Migration Go Live Kit)
    • LM Buyer FAQ (Main page, FAQs)
    • Exostar process (Main page, FAQs)
    • Cybersecurity and NIST 800-171 Questionnaire information (Main page)
    • DFARS Overview (Main page, “Support”)
  – Internal GSCO website for Cyber
    • https://eo-sharepoint.external.lmco.com/sites/eu-GSCO/CustomPages/Secure_Supply_Chain.aspx
Supplier Takeaway
• As an A&D supplier you are a target of our adversaries
• Lockheed Martin is working with suppliers:
  – To understand their cybersecurity posture
  – To bring a heightened sense of cybersecurity awareness
• Suppliers are responsible:
  – To complete the Cyber Security Questionnaire
  – To complete the DFARS/NIST 800-171 Questionnaire if applicable
  – To improve their cybersecurity posture as necessary
  – To be compliant with NIST 800-171 by December 31, 2017 (if applicable)
Sensitive Information (ref CRX-015)
Sensitive Information – Information in any or all of these categories: Personal Information, Export Controlled Information, Lockheed Martin Proprietary Information, and Third Party Proprietary Information.
Information – Data in written, pictorial, electronic, audio, oral, or other form.
Supplier must complete the 180-question Cybersecurity Questionnaire if receiving / storing Sensitive Information.
Covered Defense Information (CDI) Scope
• Controlled Technical Information – Technical data or computer software with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure or dissemination.
• Critical information (operations security) – Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of the Operations Security process).
• Export control – Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations, and munitions list; license applications; and sensitive nuclear technology information.
• Other information – Any other information marked or otherwise identified in the contract that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).
Supplier must complete the 110-question NIST Questionnaire if receiving / storing CDI.
Adversary Threats
Identified threats in the DIB:
1. Spear Phishing – Spear phishing is a method by which attackers (organized perpetrators out for financial gain, trade secrets or national security information) target specific individuals or organizations seeking unauthorized access to data.
2. Credential Harvesting – Credential harvesting uses social engineering techniques to obtain legitimate user IDs (and passwords) allowing access to a network. Techniques include an attacker sending an email with a link to a spoofed website that looks legitimate, or a person posing as an authoritative resource (e.g., help desk) to fraudulently obtain a user’s logon ID or password.
3. Unsecure Perimeter Infrastructure – An unsecure perimeter infrastructure means there are limited / misconfigured security devices at the outer boundary of a network. An unsecure perimeter allows nefarious actors to easily enter the network and create havoc/damage.
Quick Hit Mitigations (Technical)
Quick Hit Mitigations (Non-Technical)