Abstract Details

<< Back to Schedule

10/13/2015  |   10:00 AM - 10:45 AM   |  Pacific II

Trust but Manage; Real-Life Lessons in Controlling Supply Chain Risk

The CERT Division of the Software Engineering Institute will discuss incidents relevant to supply chain risk management - including attacks on industrial control systems and Department of Defense transportation capabilities - and the lessons that organizations should take away. This session will focus on the lifecycle of supply chain relationships, and how your organization can comprehensively manage external dependency risks through a sustained, requirements driven approach. The first incident is the HAVEX malware attacks on industrial control systems vendors, reported to the security community in June 2014. The HAVEX attackers compromised software installers on vendor websites in order to infect victims with a Remote Access Trojan and – it is believed - conduct intelligence gathering on energy companies. A key lesson from this incident is the importance of having a process to identify and prioritize external dependencies. The second incident is a series of attacks on DOD contractors and other entities supporting TRANSCOM, the United States Military Transportation Command. These were detailed in a September 2014 report by the Senate Armed Services Committee. The Committee concluded that foreign attackers successfully completed twenty separate intrusions, while the DOD component itself was aware of only two of these intrusions. A key takeaway from this incident is that, while contracts and agreements are very important, they are only one component to protecting an organization from supply chain risk. To help organizations manage these concerns, we will discuss a requirements-based method to identify and prioritize the supply chain and external dependencies that support an organization’s use of software. We will also review ways to measure an organization’s capability in this area. Along the way we will discuss lessons learned from our extensive experience assessing cybersecurity in critical infrastructure, and what organizations can do to sustain cybersecurity in times of rapid change and uncertainty.

This presentation has not yet been uploaded.

No handouts have been uploaded.

John Haller (Primary Presenter), Software Engineering Institute, jhaller@cert.org;
John Haller is a member of the technical staff on the Cybersecurity Assurance team within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University. Haller performs research on critical infrastructure protection, focusing on methods, tools and techniques for managing external dependency and third party risk. Prior to joining CERT in 2010, Haller was analyzing cybercrime attacks and conducting cyber-security assessment activities for the U.S. Postal Inspection Service. Haller is a CISSP and a GIAC Certified Incident Handler. An Army veteran, he received his Juris Doctor from the University of Pittsburgh in 2007.

Matthew Butkovic (Co-Presenter), Software Engineering Institute , mjb101@cert.org;
Matthew Butkovic is a Technical Manager – Cybersecurity Assurance in the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. Butkovic performs critical infrastructure protection research and develops methods, tools, and techniques for evaluating capabilities and managing risk. Butkovic has more than 15 years of managerial and technical experience in information technology (particularly information systems security, process design, and audit) across the banking and manufacturing sectors. Prior to joining CERT in 2010, Butkovic was leading information security and business continuity efforts for a Fortune 500 manufacturing organization. Butkovic is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

2013 Sponsors: IEEE and IEEE Computer Society