May 15, 2013 SCRM Presentation

Advancing The Cyber Supply Chain Risk Management Toolset Dr. Sandor Boyson, Director, Supply Chain Management Center


Page 1: title slide

Page 2

Welcome To The Dangerous New World Of The Cyber Supply Chain

Page 3

Cyber Supply Chain Risk Management Is An Emerging Discipline

• In 2011, we ran a focus group of top federal IT supply chain policy makers and managers at College Park to discuss the state of the art.

• Participants came from DOD, DHS, NSA, FCC and major vendor companies such as Intel and Microsoft.

• Of the 19 participants, 8 had been working in this field for two years or less.

Page 4

Page 5

Page 6

Advancing The Body Of Knowledge

• The R.H. Smith Supply Chain Management Center has been conducting multi-year research for the National Institute Of Standards & Technology (NIST).

• First, we surveyed over 200 IT vendors of all sizes about their management of cyber risks.
  – 47% of companies reported never using a Risk Board or other executive mechanism to manage IT risks.
  – 45% have no IT risk management plan at all.

Page 7

Phase Two Advances

• …Then our team built a Cyber Supply Chain Framework that incorporated our corporate survey results and other research.

• We used this Framework to review 60 public & private sector SCRM Initiatives and evaluate their extent of coverage of the end-to-end Cyber Supply Chain.

Page 8

Cyber Supply Chain Management: A Holistic Model

The model is drawn as three concentric rings:

Ring #1: Governance
Ring #2: Systems Integration/Shared Services
Ring #3: Operations

Asset categories shown around the rings: Data; Networks; People; Plants/Factories; Enterprise Applications; IT Hardware; Software Code.

Ring #1 Definition:

• Supply Chain Champion/Orchestrator

• Risk Board facilitates extended Enterprise Risk Management Group (e.g. Council of Interests)

• Network Map Creation

Ring #2 Definition:

• Stewardship of cyber/physical asset network map

• Ensures network asset visibility and real-time monitoring of processes

• System-integrator/enforcer of chain of custody

Ring #3 Definition:

• Action/Field Layer

• Blend Physical/Cyber-Asset Visibility & Management

• Active Quest For Process Excellence

Page 9

Page 10

Page 11

Phase Three Advances

• Finally, we took our composite knowledge base and worked with NIST to build a Portal and formal Capability/Maturity Model for Cyber Supply Chain Risk Management…

Page 12

Cyber SCRM Portal

Features four major functions:

• An Initiatives Section, featuring upgradeable summaries of major public and private sector ICT SCRM initiatives;

• A Library Section, featuring a spectrum of related policy studies, case studies, research reports, etc;

• A Forum Section that enables collaboration groups to form around specific ICT SCRM topic areas;

• An Enterprise Assessment Section

Page 13

Initiatives

Page 14

Library

Page 15

Forums

Page 16

Enterprise Assessment

• A Strategic Readiness Tool that profiles an enterprise’s risk management posture and organizational development status.

• A NIST Principles/Practices Tool that drills down on the ten major principles embedded in NIST IR 7622 and asks a portfolio of operational questions associated with each principle.

• A Cyber Chain Mapping Tool that provides a rapid method to build a working global map of cyber supply chain assets, transactions and vulnerabilities.

• A Results Area that enables enterprises to view their ICT SCRM baseline status against three benchmarks: a group of peer enterprises; the Community Framework Model; and an ICT SCRM Capability/Maturity Level.

Page 17

Strategic Readiness

• Field visits and extended discussions were held with:
  – the Risk Group of the Securities and Exchange Commission;
  – the Executive Director of the Independent Distributors Of Electronics Association (IDEA);
  – the Center For Advanced Life Cycle Engineering (CALCE), University Of Maryland;
  – the Principal of the Marsh Supply Chain Risk Management Practice, etc.

Page 18

NIST Principles/Practices

• This assessment area was prepared utilizing the NIST IR 7622 as well as previous Smith research for NIST.

• In addition, we evaluated a variety of capability/maturity models, from the Supply Chain Council’s SCOR Model to the Supply Chain Risk Leadership Council’s emerging maturity criteria.

Page 19

Results

Page 20

Field Testing The Assessment Tools

• A support for our assessment development activities was the TM Forum, a twenty-five-year-old, 800-member global organization of telecommunications industry providers.

• This organization selectively recruited a small member pool to validate our survey instruments and provide feedback.

Page 21

Figure (source: TeleManagement Forum, © 2012, www.tmforum.org): Readiness Survey, "Who contributes significantly to cyber risk management policy development?" Rows: CSP #1, CSP #2, CSP #3. Columns: Participant, BoD / Risk Audit Committee, Chief Executive, Chief Financial, Chief Risk, CIO, Source / Procure, VP Supply Chain. Legend: Strong / Moderate-Some / Weak-Not Available. The per-cell ratings were rendered as colors and are not recoverable from the extracted text.

Page 22

Cyber Chain Map

• This assessment area was the most exploratory.

• It links a variety of tools such as network planning tools, Google Maps and CVSS scoring into an easy-to-use mapping exercise.

• The map shows both cyber as well as traditional supply chain hubs, nodes, transactions and vulnerabilities.

Page 23

Map

Page 24

Next Steps

• Scaling to a wider set of companies

• Creating a downloadable desktop version

• Creating a mobile app