IoT and Supply Chain Risk Management

Slides:

Advertisements

Similar presentations

Enhancing Integrity in Public Procurement OECD Recommendation and Toolbox Elodie Beth Administrator Integrity Public Governance and Territorial Development.

Advertisements

Orlando, FL April 7 – 10, 2013 Document Lifecycle Strategies Delivering savings & efficiencies across your campus.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.

Corporate Responsibility and Third Party Relationships GSK and Contract Manufacturers James Hagan Vice President Corporate Environment, Health & Safety.

Strategies for Innovation Sourcing 30 August 2007 Paul McGowan Center for Innovative Technology Herndon, VA / Strategies.

Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc

CNCI-SCRM STANDARDIZATION Discussion Globalization Task Force OASD-NII / DoD CIO Unclassified / FOUO.

Education – Partnership – Solutions Information Security Office of Budget and Finance Christopher Giles Governance Risk Compliance Specialist The Internet.

CAMPUS LAN DESIGN GUIDE Design Considerations for the High-Performance Campus LAN.

Shekhar Dasgupta Managing Director Oracle India Ltd. November 4 th, 2003 Public Private Partnership e-Governance Summit, IT.COM.

© 2016 Global Market Insights, Inc. USA. All Rights Reserved IoT in Retail Market to exceed $30bn by 2024: Global Market Insights Inc.

SDN & NFV Driving Additional Value into Managed Services.

Developing Smart Cities – Technology and Security

© 2016 Global Market Insights, Inc. USA. All Rights Reserved IoT in Manufacturing Market grow at 20% CAGR from 2017 to 2024: Global.

Society for Maintenance and Reliability Professionals (SMRP)

Customer Experience: Create a digitally led customer experience

Proposed Updates to the Framework for Improving Critical Infrastructure Cybersecurity (Draft Version 1.1) March 2017

Privacy and Public Policy Implications of IoT

Remarks by Dr Mawaki Chango Kara University DigiLexis Consulting

Physical Security Governance Model

Collaborative Innovation Communities: Bringing the Best Together

Information Systems By Kundang K Juman, Ir. MMSI

ALEX RUNNER Jason Rosselot Sedar labarre Will Farrell Johnson Controls

Cybersecurity - What’s Next? June 2017

Amity School of Business BBA, Semester - II E - Commerce Arpan Sinha

SCC Supplier Performance Management (SPM) Training

ATIS Priorities and Initiatives Susan Miller, President & CEO, ATIS

“Everyone can access”.

Eric Smith Assistant Administrator Logistics Management Directorate

California Cybersecurity Integration Center (Cal-CSIC)

ASSET - Automotive Software cyber SEcuriTy

Internet2 Update CSG at Yale University May 2017

NIST Cybersecurity Framework

Speaker’s Name, SAP Month 00, 2017

BUSINESS DRIVEN TECHNOLOGY

National Mining University

The National Initiative for Cybersecurity Education (NICE) AFCEA International Cyber Education, Research, and Training Symposium January 17, 2018 Bill.

Yarden Avishai, Justin Heeren, Asaf Kanari, Melody Qiao Team 16

Standards for success in city IT and construction projects

© 2016 Global Market Insights, Inc. USA. All Rights Reserved Industrial Control Systems Security Market to reach $7bn by 2024: Global.

Mobile Satellite Services Market

Creating & Sharing Value with Network Activity & Threat Correlation

Internet of Things Vulnerabilities

Fatma Sena Karal Irem Engin

The Brookings Institution

How Can the Telecoms Industry Lead the Drive to a Greener Society

Consumer Empowerment through Education

John M. Felker Director, NCCIC.

Securing the Internet of Things: Key Insights and Best Practices Across the Industry Theresa Bui Revon IoT Cloud Strategy.

Smart Cities Uroš Merljak.

Securing the Threats of Tomorrow, Today.

Artificial Intelligence in Manufacturing

Powerful Partnerships with Industry Leaders

ATIS Priorities and Initiatives Susan Miller, President & CEO, ATIS

Managed Content Services

© 2016 Global Market Insights, Inc. USA. All Rights Reserved Fuel Cell Market size worth $25.5bn by 2024 Low Power Wide Area Network.

The Impact of Digitization on Global Alignment of Product Safety Regulations ICPHSO International Symposium November 12, 2018.

Third-party risk management (TPRM)

Reinhard Scholl, GTSC-7 Chairman

KEY INITIATIVE Shared Services Function Management

Trust by Design: The Internet of Things

MODULE 11: Creating a TSMO Program Plan

Alliance for Telecommunications Industry Solutions (ATIS) Update

IoT: Privacy and Security

GreenFleet, Murrayfield Stadium, 12th April 2019 Paul Hansen, Head of Devolved Administrations & Partnerships, CCS Grant Montgomery, Category Manager,

Local Authorities and Sustainable Energy

Water’s Digital Future Jablanka Uzelac, Managing Director

Access to data requirementS

October is National Cybersecurity Awareness Month

Presentation transcript:

IoT and Supply Chain Risk Management MBS-F01 IoT and Supply Chain Risk Management Daniel Kroese Associate Director, National Risk Management Center Cybersecurity and Infrastructure Security Agency DHS @dgkroese

Setting the Stage Cybersecurity Supply Chain Risk Management (C-SCRM) has emerged as a central issue in cybersecurity and infrastructure protection issues. The severity of the threat landscape is real and becoming more widely understood. Tens of billions (and growing) connected devices globally and enhanced IoT connectivity through 5G will only increase the need for organizations to better understand their digital footprint and associated IoT risks. DHS – through the Cybersecurity and Infrastructure Security Agency – leads the national effort to defend our critical infrastructure against the threats of today while working with partners to secure against the evolving risks of tomorrow. Cybersecurity Supply Chain Risk Management, features prominently in this mission.

Recent Developments 2019 is shaping up to the “year of supply chain.” The enactment in late 2018 of the Federal Acquisition Supply Chain Security Act is significant. The ICT Supply Chain Risk Management Task Force sponsored by CISA brings together 40 of the largest players in the IT and Communications Sectors and 20 supply chain leaders across the federal government.

The Power of Federal Procurement Some market moving ability – annual government IT spend close to $100 billion per year. Reputational benefits for IoT manufacturers to maintain productive partnerships with the federal government. The power of setting a visible “North Star” can lead to voluntary change in behavior without additional requirements – e.g. Kaspersky Labs Binding Operational Directive (BOD) issued in September 2017 was followed by private sector entities not mandated by the scope of the BOD.

IoT Examples HVAC Smart TV Connected Car A modern heating and cooling system uses digital technology for both sensor and control functions; thermostats are no longer operated by coil-metal thermometers and physical switches. Smart TV Currently, most televisions for sale contain “smart” functionality and include applications for various video content providers and often provide interactive functionality including microphones and cameras. Connected Car Vehicles 1) interact with surrounding technology and physical environment, 2) connect with driver or passenger devices to perform functions, and 3) collect information via sensors to communicate back to a central organization (e.g. fleet management).

IoT versus ICT For IoT, focus on the “thing” For example, a connected car would be considered IoT while the components that enable the connectivity are ICT. Many IoT and ICT risks are similar. However, some of the risks introduced by IoT devices, systems, and services differ from ICT - .e.g. the specific challenges associated with connecting IoT to operational and legacy systems.

Potential IoT Vulnerabilities Important IoT technology security considerations include: Poor design (use of plaintext and hard-coded passwords). Coding flaws (buffer overflows and command injection). Inconsistent patching of software.

The IoT Threat Distributed Denial of Service (DDoS) Data Manipulation and Privacy Leakage Third Party Access and Control

The IoT Buyers Guide Joint effort between DHS, IT SCC, and IT GCC Core audience is the acquisition team at federal agencies Recommended framework is non-binding and voluntary

IoT Acquisition Lifecycle Assess Need Purpose identification and connectivity determination Analyze & Select Acquisition planning and requirements development Obtain Solicitation development and contract award Deploy and Support Contract administration and closeout Continually monitor and manage risks throughout the lifecycle

Acquisition Lifecycle – Key Threshold Issues Mission: For what purpose is the IoT technology being procured? Network/System: Is the IoT technology intended to be connected? Information Sharing: Is the IoT technology collecting sensor data that is sent elsewhere? Operating Risk: Is the IoT technology controlling physical items as part of its functionality?

IoT Technology Issues Type and Control of Connectivity Third Party Services and Data Management Patching General Vendor Cybersecurity Practices Security of Devices, Systems, Services, and Communications

Applying this Framework for Smarter IoT Acquisition Understanding IoT cybersecurity concerns across the entire acquisition lifecycle is paramount. The entire Acquisition Team should have access to and knowledge of risk-informed, decision-making methods when procuring, deploying, using, and sustaining IoT. Apply a risk management lens to supply chain analysis.