Supply chain risks related to ICT sectors may include insertion of counterfeits, malicious software and hardware, unauthorized production, tampering, theft, or poor manufacturing and development practices in the ICT supply chain (NIST 2015).
The supply chain literature summarizes the following main categories of risk: demand, delay, disruption, inventory, manufacturing and breakdown, physical plant capacity, supply, system, sovereign, and transportation risk (Tummala and Schoenherr, 2011). The literature also categorizes those risks into four levels (extreme or very high, high, low, and very low) based on four factors: consequence or impact type, consequence severity, risk occurrence frequency, and predictability.
Supply risk mitigation strategies can also be grouped into categories such as demand management, supply management, product management, and information management (Blos et al. 2009). More specifically, supply risk mitigation can consider one of the following generic risk mitigation strategies: risk postponement, selective, transfer, avoidance, etc.
A recent cyber security supply chain standard was developed by the North American Electric Reliability Corporation (NERC) based on an initiative from the Federal Energy Regulatory Commission (FERC), an agency in the Department of Energy (FERC Order No. 829).
FERC Order No. 829 directed the electric reliability organization to develop standards that address supply chain risk management for industrial control system hardware, software, and computing and networking services.
The current NERC draft (August 10, 2017) contains three components within the Critical Infrastructure Protection (CIP: http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx) standard:
• Supply chain risk management Reliability Standards CIP-013-1 (Cyber Security—Supply Chain Risk Management).
• CIP-005-6 (Cyber Security—Electronic Security Perimeter(s)).
• CIP-010-3 (Cyber Security—Configuration Change Management and Vulnerability).
The current standard is not comprehensive and it excludes: Electronic Access Control and Monitoring Systems (EACMS), Physical Access Control Systems (PACS), and Protected Cyber Assets (PCAs), with the exception of the modifications in proposed Reliability Standard CIP-005-6, which apply to PCAs (https://www.gpo.gov/fdsys/pkg/FR-2018-01-25/html/2018-01247.htm).
K0154: Knowledge of Supply Chain Risk Management Standards, Processes…
BES Cyber Asset
This is a new term used by NERC in the CIP Version 5 standard, shifting from identifying Critical Cyber Assets to identifying BES Cyber Systems or Assets. In the NERC glossary, BES Cyber Asset (BCA) is defined as: “A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 min of its required operation, mis-operation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System” (Fig. 2.3).
BES cyber systems are classified into three categories: high, medium, and low impact. The focus is on high and medium impact systems. One sub-system with high or medium impact will cause the whole system to be considered high or medium as well. Currently, the cut-off is set at a yearly power generation of 1500 MW as the lowest for a system to be considered in the low impact category.
[Fig. 2.3 BES cyber systems (NERC: CIP-002-5.1 standard). The figure contrasts Version 4 Cyber Assets (Critical Cyber Assets, CCA; Non-Critical Cyber Assets within an ESP) with Version 5 Cyber Assets (BES Cyber System; Associated Protected Cyber Assets; Associated Electronic and Physical Access Control and Monitoring Systems, CIP-005-4 R1.5 and CIP-006-4 R2).]
The US National Institute of Standards and Technology (NIST) developed and instituted a supply chain risk management (SCRM) framework, NIST SP 800-161 (2015) (https://csrc.nist.gov/publications/detail/sp/800-161, https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management). The framework extends earlier similar or related efforts, including:
• FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.
• NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments.
• NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems.
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System.
• NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
• NIST SP 800-53A Revision 4, Guide for Assessing the Security Controls in Federal Information Systems and Organizations.
• Department of Defense and Department of Homeland Security Software Assurance Acquisition Working Group, Software Assurance in Acquisition: Mitigating Risks to the Enterprise.
• National Defense Industrial Association (NDIA), Engineering for System Assurance [NDIA].
• International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15288—System Life Cycle Processes [ISO/IEC 15288].
• ISO/IEC 27036—Information Technology—Security Techniques—Information Security for Supplier Relationships [ISO/IEC 27036].
• The Open Group’s Open Trusted Technology Provider™ Standard (O-TTPS), Version 1.0, Mitigating Maliciously Tainted and Counterfeit Products [O-TTPS].
• Software Assurance Forum for Excellence in Code (SAFECode) Software Integrity Framework, [SAFECode 2] and Software Integrity Best Practices [SAFECode 1].
NIST SCRM focuses on the following main goals (the pillars of ICT SCRM):
• Resilience: Ensuring that ICT supply chain will provide required ICT products and services under stress or failure circumstances.
• Quality: Reducing vulnerabilities that may limit the intended functions of a component, lead to component failure, or provide possibilities for exploitation.
• Security: Providing basic CIA (confidentiality, integrity, and availability) across the different supply chain activities, services, and members or partners.
• Integrity: Ensuring that the ICT products and services are immune from tampering or alteration. Additionally, SCRM should ensure that the ICT products and services will perform according to acquirer specifications and without additional unwanted functionality.
• Sustainability and compliance.
NIST SCRM also focuses on four SCRM strategies: (1) incident management, (2) supplier business continuity planning (BCP), (3) manufacturing and test resilience, and (4) product resilience.
ISO/IEC 20243 and 27036
ISO/IEC 20243: Open Trusted Technology Provider Standard (O-TTPS)—Mitigating the Risk of Tainted and Counterfeit Products, and the Assessment Procedures for 20243 (latest versions, 2015 and 2018) (https://www.iso.org/standard/74399.html, https://publications.opengroup.org/x1607). The O-TTPS certification program identifies organizations that conform to ISO/IEC 20243.
ISO/IEC 20243 is a process-based standard that focuses on reducing the risk of counterfeit in commercial-off-the-shelf (COTS) products and their supply chains, and it sets requirements for suppliers throughout their products’ lifecycles. The standard contains processes and practices for ICT providers, and it focuses on product integrity and supply chain security.
ISO/IEC 27036 addresses the general security requirements in supplier relationships in any procurement, security guidelines for ICT, and cloud supply chain security. The standard is structured in line with ISO/IEC 15288: System and Software Engineering, Lifecycle Processes. The standard is also mapped to ISO/IEC 27002.