Cyber security supply chain risk analysis 2015

Author: Bernard Miller

Contents

Management summary 4
1 Foreword 5
2 Introduction 7
2.1 Background 7
2.2 Purpose of the document 7
2.3 Document structure 8
3 Overview of cyber security supply chain risk assessment methodology 9
3.1 General 9
3.2 Implementing the risk assessment methodology 10
3.3 Example supply chain 11
4 Step 1: Define the scope 12
4.1 Introduction 12
4.2 Preparations 12
4.3 Activities to be undertaken 12
4.4 Results to be achieved 14
5 Step 2: Describe the supply chain 15
5.1 Introduction 15
5.2 Preparations 15
5.3 Activities to be undertaken 15
5.4 Results to be achieved 19
6 Step 3: Determine the impact of a disruption on the supply chain 20
6.1 Introduction 20
6.2 Preparations 20
6.3 Activities to be undertaken 20
6.4 Results to be achieved 21
7 Step 4: Establish extent of cyber threats and risks 22
7.1 Introduction 22
7.2 Preparations 22
7.3 Activities to be undertaken 22
7.4 Results to be obtained 24
8 Step 5: Define controls and prepare action plans 25
8.1 Introduction 25
8.2 Preparation 25
8.3 Activities to be undertaken 25
8.4 Results to be achieved 26
9 Annexes 27
9.1 Annex 1: Definitions 27
9.2 Annex 2: Analysis process diagram 28
9.3 Annex 3: Initiation document template 29
9.4 Annex 4: Checklist for defining the scope 30
9.5 Annex 5: Example CIA classification 31
9.6 Annex 6: Matrix for recording the results of the risk assessment 32
9.7 Annex 7: Template for recording the consequences of emergencies 33
9.8 Annex 8: Template action plan 34
9.9 Annex 9: Example supply chain matrix 35


Management summary

Cyber security is a prime area where cooperation between both public and private organizations and between private organizations themselves is essential to face the increase in cyber threats. Shell and TenneT believe that in view of defining the interdependence and interconnectedness organizations in a supply chain together are in the best position to define and deploy appropriate controls and initiatives to reduce any cyber security risks themselves. Providing insight into the cyber security risk within a supply chain requires a level of commitment of all organizations involved. It is paramount that in addition to the availability of adequate resources sufficient trust exists between organizations to share sensitive information among each other. In the methodology developed and described in this paper, a layering is applied to provide insight into the risks that arise from the information processing systems and that could potentially pose a risk to the business. Risks in business processes can ultimately disrupt the continuity of the entire supply chain. To reduce the risks to the supply chain remediations may be required to the (individual) organizations that make up the supply chain. These remediations may have to be realized within the business processes or within the IT systems of these organizations.


1 Foreword

This document contains a risk assessment methodology developed within the framework of a study into cyber security threats in the energy supply chain ‘from gas to electricity’. This study was initiated by Shell and TenneT, based on a discussion in the Cyber Security Council and in line with a recommendation in the National Cyber Security Strategy 2. The study was carried out in 2014 by Shell, Gasunie, Nuon, TenneT and Alliander, with logistic support being provided by the National Cyber Security Centre. Each of these five organisations has a role in the energy supply chain in the Netherlands. The aim of the study is twofold:
• To analyse the joint cyber security outside the limits of the individual organisations and in that way identify the risks of cyber-related threats for the entire supply chain.
• To make a cyber security risk assessment methodology available for supply chains, based on experience gained during the study, so that this can be used in other sectors.
The participants wish to use the results of this cross-sector study to contribute towards the security of the Netherlands.

Wam Voster (Shell)
Paul Bloemen (Gasunie)
Martin Beumer (Nuon)
Henrie Mathijssen (TenneT)
Aad Dekker (Alliander)


2 Introduction

This document describes a flexible-deployment risk assessment methodology for investigating and making transparent the cyber security related risks within a (vital) supply chain. The methodology described in this document has been developed from a Proof of Concept that has been undertaken by Shell, TenneT and a number of other organisations in the energy sector in order to analyse the entire supply chain from gas extraction up to the ultimate point of use. The central question that forms the basis of the Proof of Concept is: where are the greatest cyber risks for this supply chain?

2.1 Background

The second National Cyber Security Strategy [1] pays special attention to the vital infrastructure of the Netherlands. Shell and TenneT have joined forces to work together with other organisations from the Dutch energy sector on a “Proof of Concept (PoC)” which closely examines the protection of vital services. This is not just undertaken within one organisation but throughout the entire supply chain. This PoC focuses on one of the supply chains that is responsible for the supply of electricity in the Netherlands and covers the following process steps:
• gas transport and gas distribution,
• electricity production,
• electricity transport,
• electricity distribution.

Whilst analysing critical processes and objects and the conducting of emergency exercises can rely on previous experiences in both the Netherlands and in the rest of the world, it is less clear how to arrive at a realistic cyber security risk assessment for critical processes in supply chains. How do we arrive at cross-company, effective improvement programmes for cyber security resilience? What is an effective role of the government in this? Larger organisations within critical sectors already have experience with risk management and improvement programmes within their own businesses, and these also offer points of reference in the area of increasing resilience with regard to cyber security risks. It is evident from these experiences that setting clear priorities and focussing on areas where the risks are the greatest (a “risk based approach”) and the implementation of effective “assurance” are fundamental for a successful policy. Broad, non-risk-driven measures do not always appear to be the best way of spending limited means and resources; certification and regulations do not always specifically result in reducing the risks and would in that way create a feeling of false security. For supply chains that are part of critical national processes there are also new aspects that have to be addressed, such as the role of the government and the need to regulate roles and responsibilities between different organisations and bodies. It is therefore important that the private sector develops and applies best practices in order to adequately protect these supply chains against the increased cyber security threats.

2.2 Purpose of the document

The organisations involved - Shell, Gasunie, Nuon, TenneT and Alliander – have already been actively seeking an effective methodology for analysing critical IT systems and cyber-related risks within a supply chain. The five organisations wish to share the methodology followed with other organisations in the energy sector. Furthermore, other (vital) sectors and other ‘supply chains’ can also use this methodology in order to analyse the risks in their supply chains. This creates a common and clear picture of the cyber security risks for supply chains in (critical) sectors. This document describes the methodology that has been developed and provides points of reference about how to conduct the cyber security risk assessment in an effective and efficient manner.

[1] Nationale Cyber Security Strategie 2


2.3 Document structure

Section three provides an overview of the entire methodology, together with a description of a fictive supply chain which serves to illustrate certain steps in the methodology. Sections four up to and including eight then provide details of the five steps of the methodology, whereby assistance is provided for the performance of each step.


3 Overview of cyber security supply chain risk assessment methodology

In order to identify cyber security risks within a supply chain a 5-step methodology has been developed. This section first provides a general explanation about the way in which risks in information processing systems can result in risks in the supply chain. A brief description is then provided for each step in the risk assessment methodology. Finally, a brief description is provided of a fictitious supply chain that is used to illustrate certain steps.

3.1 General

To identify the actual cyber security supply chain risks it is necessary to identify risks from the information processing systems (hereinafter referred to as: systems) and those from the business processes. In the figure below the information processing systems are shown at the very bottom for each of the organisations that form part of the supply chain to be analysed. A distinction is made in these between ‘critical’ and ‘non-critical’ systems for each of the organisations that form part of the supply chain. Critical systems mean systems that are required for the execution of the business processes required for delivering the end product from the supply chain. The same ‘critical’ and ‘non-critical’ subdivisions have also been made for the business processes. A layering has been applied to the model. The idea behind this is that system risks form a threat to the business processes. The system risks can be addressed by implementing risk-mitigating measures on the actual systems or by mitigating the risks by implementing controls in the business processes. The remaining risks from the different business processes that are involved in the supply chain ultimately result in threats for the supply chain process. If these supply chain risks are not adequately addressed this can ultimately result in the inability to supply the end product and the supply chain objective can potentially not be achieved. Depending on the chosen supply chain objective (for example the supply of electricity in the Netherlands) the inability to supply an end product from the supply chain does not necessarily result directly in an inability to achieve the supply chain objective. However, this is the case if the supply chain objective is ‘the supply of electricity from gas’. In order to reduce supply chain risks measures are required by the individual organisations that form part of the supply chain. These measures can be implemented within the business processes and within the systems. By addressing the risks within each organisation the supply chain risks can also be ultimately reduced.

Figure 1: Visualisation of the risk model (for each organisation A, B, ..., N in the supply chain: information risk from critical and non-critical systems at the bottom, process risk from critical and non-critical business processes above it, and the residual risks from each layer feeding the supply chain risk and the supply chain aim at the top)

3.2 Implementing the risk assessment methodology

The methodology focuses on cyber security risks in a supply chain whereby the systems (including interfaces and shared IT products and services) and business processes forming part of the supply chain are investigated. The methodology consists of five steps:
1. Define the scope
2. Describe the supply chain
3. Determine the impact of the interruption on the supply chain
4. Establish the extent of the cyber threats and risks
5. Define controls and prepare an action plan
Figure 2 shows these five steps schematically, whereby for each step the required input, the activities to be executed and the ultimate result to be achieved are shown. The various steps do not all have to be run through in chronological order. If required, steps 3 and 4 can be executed in parallel.


Figure 2: Methodology steps

Step 1 focuses on creating working agreements and defining the supply chain to be investigated.

Step 2 focuses on preparing a detailed description of all critical business processes, IT systems, interfaces between the IT systems, shared IT products and shared services for the delivery of the end product in the supply chain.

Step 3 focuses on the consequences for the supply chain if one of the organisations experiences an interruption as a result of which it is unable to provide its necessary contribution within the supply chain. This provides an impact assessment that is added to the risk assessment matrix.

Step 4 focuses on assessing the likelihood of exposure to specific cyber threats. A risk assessment for the specific systems, interfaces and services is then made on the basis of these threats. The result of this step is an overview of the risks that are faced in the supply chain.

Step 5 focuses on the preparation of action plans by the various organisations in the supply chain if the identified risks are unacceptable. It is also jointly determined when an updated risk assessment will be required.

3.3 Example supply chain

In order to explain certain steps a fictitious “From tree to paper” supply chain is used. This concerns a simple supply chain which involves four different organisations for the production of paper. For each organisation in the supply chain the table below shows the critical processes that they undertake for the supply chain.

Supply chain: From tree to paper

Organisation | Critical processes for the supply chain | Supply chain process
A (Forester) | Tree felling | Supply of raw materials
B (Paper production plant) | Pulping; Paper pressing | Paper production
C (Transport company) | Route planning | Paper transport
D (Wholesale) | Stock control | Paper distribution

Annex 9 contains the completed matrix used for establishing the results from the example supply chain analysis.


4 Step 1: Define the scope

Input: Supply chains
Process: Define scope
Result: Defined terms of reference

4.1 Introduction

The first step focuses on defining the supply chain to be investigated and consists of two activities. The first activity in this step is to create working agreements between the various participating organisations. After this a start can be made on the second activity, which is defining the scope of the investigation. For each activity the actions to be undertaken are described and reference points are given for the choices to be made.

Input: Supply chains
Process step: Define the scope
Result:
• Overview of the supply chain to be investigated, including the organisations to be involved
• Overview of the systems to be involved
• Agreement regarding the applicable preconditions
• Harmonised working agreements between the participating organisations
• Initiation document for conducting the analysis

4.2 Preparations

A number of preparations are required before starting with the first activity:
• Understand the supply chain in which the organisation operates. By conducting a stakeholders’ analysis understanding is gained about the organisations that participate in the supply chain.
• Establish why the need has arisen to analyse the cyber security risks in the chain.
It is also important to establish that the following preconditions have been met:
• Competition must not play a role; the legal departments of all organisations can be consulted with regard to this.
• It must be possible to share information within the team. Agreements are therefore required about the way in which confidential information is to be handled.
• Understanding the cyber security risks within a supply chain requires specific commitment by all organisations with regard to costs and capacity. It is important that the initiator(s) has/have sufficient resources available from within their own organisation(s) in order to be able to undertake the analysis.
• Willingness to consider all ‘what if’ scenarios openly, including those for which the likelihood is regarded as being very small. At certain moments during the process, representatives from the participating organisations must be willing to bring up for discussion the extent to which they are actually in control.

4.3 Activities to be undertaken

4.3.1 Activity 1: Creating working agreements

This activity starts with an initiator or several initiators who make(s) a proposal for analysing the risks in a specific supply chain. For the analysis to be carried out properly it is important there is trust between the participating organisations. Confidential information about vulnerabilities for example will be reviewed during the entire analysis. It is therefore important that from the outset attention is paid to data classification and protocols that allow confidential data to be exchanged with the other organisations in the correct manner. The recording of these agreements contributes towards a successful collaboration between the various organisations during the analysis.


Agreements are also made with regard to the preconditions that are to be implemented. When doing this, take into account any conditions that certain participating organisations set and the requirements relating to the content and form of the end result. Minutes of all agreements made are to be taken and sent for approval to all participating organisations.

4.3.2 Activity 2: Defining the scope

A start can be made on defining the scope once clear working agreements have been made. The initial questions that have to be asked in order to define the scope of the analysis are:
• Which supply chain is to be investigated? The supply chain to be investigated is looked at in this scope-defining activity. Several supply chains can co-exist in one sector. One organisation can play a (critical) role in several supply chains. Generally, the initiator or the initiators come from this sector and the organisations involved have sufficient understanding in order to be able to select the supply chain which, if interrupted, would have the greatest impact.
• Which organisations form part of this supply chain? On the basis of the supply chain it is possible to determine which organisations play a critical role in that supply chain. It is conceivable that several organisations have the same role within the supply chain process. In that case, it is possible to involve one, a few or all organisations in the analysis.
The initiator then involves the relevant organisations in the preparation for the analysis. An initiation document is also drawn up, which can be used for obtaining the required commitment from the management of the organisations. The initiation document also serves as the starting point for the next step. A template for an initiation document is contained in Annex 3.
After involving the relevant organisations the exact scope is determined. During a risk analysis kick-off meeting the organisations jointly determine the depth to which the critical product or service [2] is to be investigated. Is only the Business-to-Business aspect of the supply chain to be investigated or does the scope also contain the Business-to-Consumer aspect of the supply chain? Another scope aspect that arises here is which systems are critical for the supply chain. The outcomes of this meeting are recorded and result in a defined scope for the investigation.

TIPS:
• When deciding on which organisations to involve, a balance must be found between representatives of all organisations in the same layer of the supply chain on the one hand and keeping the size of the team manageable on the other hand. If one organisation is selected per layer the number of participants remains more limited, as a result of which the analysis can be carried out quicker and more efficiently. If more organisations are selected per layer extra effort will be demanded when describing the supply chain. It also introduces potential extra complications with regard to competition between organisations in the same layer of the supply chain.
• The representatives are to have, in any event, oversight of and influence on the security process of their organisation. This allows the representatives to make an assessment of the vulnerabilities in the critical systems of the supply chain.
• The representatives are to have a certain degree of technical understanding.
• Use the checklist in Annex 4 to check that the scope determination is complete.

Which objects must be included in the scope as a minimum?
The systems that are necessary for delivering the end product must be included in the scope as a minimum. These are generally the systems that are assigned a high CIA classification. The other systems, such as financial systems, can remain excluded from the scope or assessed in a separate project.

[2] This methodology can be used on both products and services. Therefore, when reference is made to a ‘product’ this can also be read as ‘service’.


4.4 Results to be achieved

The following results are achieved after completing the Step 1 activities:
• Harmonised working agreements between the participating organisations.
• Agreement regarding the applicable preconditions.
• Understanding of the supply chain to be investigated, including the organisations to be involved.
• Understanding of the systems to be involved.
• Initiation document for undertaking the analysis.


5 Step 2: Describe the supply chain

Input: Processes, information systems, interfaces and classifications
Process: Describe supply chain
Result: Detailed supply chain topology

5.1 Introduction

In this step of the analysis a detailed topology (overview) is created of the entire IT landscape in the supply chain and the CIA classification to be used is established. The scope established in Step 1 is used as the starting point for preparing the topology.

Input: Processes, information systems, interfaces and classifications
Process step: Describing the supply chain
Result:
• Detailed supply chain topology.
• Established CIA classification for the supply chain.

5.2 Preparations

The following preparations are necessary before starting to describe the supply chain topology:
• The CIA classification used for each organisation is available
• The critical business processes for the supply chain are mapped for each organisation
• The systems that facilitate/support these critical business processes are known for each organisation

5.3 Activities to be undertaken

In order to describe the supply chain, the (critical) processes and systems involved are to be established. In addition, the interfaces between systems of the supply chain organisations are to be identified and the shared IT products and services used in the supply chain are to be identified. The figure below provides a visualisation of a supply chain. In order to describe the supply chain the business processes that are critical for the supply chain are established for each organisation. Critical means those processes that are necessary for the actual delivery of the end product. Once the critical processes have been identified, the systems that support those business processes are included in the overview. Four different categories are used when listing the systems:

Category | System
1 | Company-specific systems
2 | Interfaces
3 | Shared ICT products
4 | Shared services

Each of the organisations involved is responsible for Category 1, the company-specific systems in the overview. So-called challenge sessions can potentially be used, whereby other organisations in the supply chain keep asking whether certain systems are actually critical or, on the other hand, whether all critical systems are actually included in the overview. Interfaces between systems are divided into two categories: the interfaces between one or more internal systems and interfaces between different organisations within the supply chain. Critical interfaces WITHIN a single organisation are included in the overview under the company-specific systems (Category 1), while interfaces BETWEEN different organisations in the supply chain are recorded under interfaces (Category 2).

Figure 3: Visualisation supply chain (Companies A, B, C, D, ..., N, each performing a process step with critical and non-critical business processes supported by critical and non-critical IT systems, linked by interfaces between companies and ending at the consumer)

In order to make shared dependencies sufficiently clear the cross-business IT products and services are examined – Categories 3 and 4 in the overview above. For shared IT products and services this may include sector-specific and/or industrial automation products. The services category covers shared data centres or (IT) service providers for example. By listing the various systems (Categories 1 to 4) it is possible to understand the vulnerabilities in the supply chain process. A CIA classification is used to assign a certain value to the degree of importance of specific systems in the supply chain process. This is a commonly used method and easy way of forming a clear picture of the importance of the systems via a harmonised CIA classification. The establishment of a harmonised CIA classification and describing the supply chain is outlined below for each activity.

5.3.1 Activity 1: Establish harmonised CIA classification

Organisations generally don’t use the same methodology for classifying systems and information. This methodology uses a CIA [3] classification. This classification indicates the importance of guaranteeing the Confidentiality, Integrity and Availability of the information. The higher a system classification the greater the impact for the organisation if one or more of these three aspects is compromised. Not every organisation uses the same CIA classification. In order to prepare a CIA classification for the supply chain it is necessary that the CIA classifications of the participating organisations are harmonised. To obtain a harmonised CIA classification it is possible, for example, to choose a 5-point scale, whereby for each organisation it is examined how the organisation-specific CIA classification fits best into this. The chosen CIA classification uses the following scale:
1: Very Low
2: Low
3: Medium
4: High
5: Very High
A description has to be provided for each category. An example of this is included in Annex 5.

Which scale to use?
When preparing this methodology it was decided to use a 5-point scale for classification and the assessment of risks, opportunities and impacts. A 5-point scale is not necessary for using this methodology; however, the benefit of a 5-point scale compared to a 3-point scale is the possibility of distinguishing more nuances in the analysis.

[3] Confidentiality, Integrity and Availability

TIP:
• To determine the CIA classification of a system the highest value is always taken of the individual C, I and A values of the system. Example: if the Availability of a system is 1 in the event of one-week downtime and 4 for one-day downtime, value 4 is used for the Availability classification. The ultimate highest C, I and A value of the system is used for the system impact score. So, if a CIA classification is C(4), I(2), A(3) the 4 is used as the impact score.

5.3.2 Activity 2: Describe the company-specific processes and systems

The second activity for making cyber security risks transparent within a supply chain is to establish for each organisation which critical processes and systems are required for delivering the product. Each individual organisation describes, for itself, which processes are involved in the supply chain. For all critical processes, too, a list is made of which systems are involved in this. This only concerns the critical systems. A system is critical if it is necessary for the operation of the supply chain. This allows each organisation to understand critical systems that are required for the operation of the supply chain. After each organisation has carried out this assessment a meeting is held during which each organisation presents the results. The purpose of this meeting is to obtain a joint overview of each other’s critical processes and systems and of the total critical processes in the supply chain. This allows a picture to be created of the structure of the entire supply chain and the company-specific systems that are involved in this. The ultimate results are recorded in a matrix containing the critical systems in the supply chain process for each organisation. The associated harmonised CIA classification is also shown for each system. An example of the matrix is included in Annex 6.


5.3.3 Activity 3: Describe the interfaces

In the third activity a list is made of the interfaces that are present between the various organisations in the supply chain. This does not concern interfaces between systems within an organisation but this is about the interfaces that link systems between two or more different organisations. To produce the list it is advisable to have two organisations that follow each other in the supply chain work together to produce the list of interfaces between the two organisations. The scope covers systems that are interconnected by means of the Internet or via a dedicated connection (private network). The list records whether the interface is used for unilateral [4] or bilateral [5] exchange. In addition, the interfaces are classified on the basis of the shared CIA classification. This shows any discrepancies in the level of classification of the systems. If organisation A assigns a very high classification while organisation B allocates a much lower classification there is a discrepancy in the perception of the risk. These results are recorded in the matrix contained in Annex 6.

5.3.4 Activity 4: Describe common IT products

After listing the critical processes, systems and interfaces within the entire supply chain, the fourth activity involves establishing the common IT products that are used. The use of identical, supply-chain-specific hardware and software can introduce an additional risk into the supply chain. That is the reason why this step lists the underlying hardware and software that is used for the critical systems. These common IT products are also used for determining the cyber security threats and risks in Step 4.

TIPS:
• Pay extra attention to this activity if SCADA [6] systems are used extensively in the supply chain. If almost all organisations in the supply chain use the same SCADA system for their supply-chain-specific systems a vulnerability in the SCADA system can have far-reaching consequences for the entire supply chain.
• Depending on the previously agreed scope it can be decided to exclude software such as the Microsoft Windows operating system or the TCP/IP protocol. The reason for this is to keep the scope manageable and to maintain focus on the specific risks within the supply chain.

5.3.5  Activity 5: Describe the shared services

Finally, a list is prepared of the shared IT services or service providers that are used for providing and supporting the systems and processes identified in Steps 2 to 4. The participants therefore provide insight into the individual services that are used in their section of the entire supply chain. Examples of these types of services are Internet Service Providers (ISPs), external data centres and telecom providers. Once all of the organisations in the supply chain have provided a list of the services and service providers that facilitate the critical processes for the supply chain it can be assessed whether certain services are used by more than one organisation. The use of a single service or single service provider by several organisations in the supply chain can introduce a Single Point of Failure in the supply chain. An outage at such a third party can potentially be accommodated by one organisation but when this affects several organisations in the supply chain this could lead to additional risks. These shared services are therefore included when assessing the cyber security threats and risks in Step 4.

⁴ Used by a Category 1 system of organisation A to send information/data to organisation B.
⁵ Used by a Category 1 system of organisation A to send information/data to organisation B, and vice versa.
⁶ Supervisory Control and Data Acquisition

5.4  Results to be achieved

The following results are achieved after completing the activities in the 2nd step:
• An established and harmonised CIA classification that can be used for classifying the systems used in the supply chain.
• A detailed topology of the supply chain, containing:
  - The critical company-specific processes and systems.
  - The system interfaces between the different organisations.
  - The common IT products.
  - The shared IT services or service providers.
• The systems in the supply chain have been assigned a CIA classification.


6 Step 3: Determine the impact of a disruption on the supply chain

Figure: process overview. Input: Detailed supply chain topology. Process: Determine impact of disruption on supply chain. Result: Process risks.

6.1 Introduction

On the basis of various scenarios, this step investigates the impact on the supply chain if a single organisation is no longer able to provide its contribution to the supply chain.

Input: Detailed supply chain topology.

Process step: Determine the impact of a disruption on the supply chain.

Result: Undertaking this step will give the following results:
• An overview of potential emergency scenarios in the supply chain.
• An overview of the impact on the supply chain for all identified emergency scenarios.

6.2 Preparations

The following preparations are required before starting to determine the impact:
• Evaluate the extent to which sufficient knowledge is present within the analysis team in order to be able to properly assess the impact of a disruption at one of the supply chain organisations. If necessary, involve additional (business) expertise from the participating organisations for this step.
• Prepare a template for recording the impact of each disruption scenario at the various supply chain organisations. An example is provided in Annex 7.

6.3  Activities to be undertaken

In order to undertake the impact assessment a scenario analysis of the potential disruptions that can occur in the supply chain is carried out in a workshop. For this purpose, for each organisation the impact on the entire supply chain is determined in the event that the organisation is unable to fully or partially provide its contribution to the supply chain. The impact for each organisation in the supply chain is always recorded for this. The result of the workshop is a list of potential emergency scenarios and a qualitative description of the impact on the supply chain.

6.3.1  Activity 1: Determine the impact for each scenario

To determine the impact, the following question is asked with regard to each organisation: “What is the impact on the entire supply chain if my organisation is unable to provide the required contribution to the supply chain as a result of an emergency?” In order to determine this impact for the supply chain we start with the first organisation at the beginning of the supply chain. The impact on the next organisation or organisations in the supply chain is then analysed. The process to be run through is shown in the circle diagram below.

Figure: Circle diagram of the process. 1. Consequences of disruption at A on B; 2. Consequences of disruption at A on C; 3. Consequences of disruption at A on D; 4. Consequences of disruption at B, C, D on A.

In this example we start with organisation A, whereby we then analyse the impact on organisation B if organisation A is unable to provide its required contribution to the supply chain. This is then repeated for the next organisations in the chain: C and D. It is also analysed whether the emergency that started with organisation A can become worse due to potential consequential emergencies further along the supply chain. For example, this can be the case if organisation A has to stop production because organisation B is no longer able to process any raw materials. Ultimately a qualitative description of the impact on each of the organisations is produced for each scenario. Once this assessment has been completed for organisation A it is continued for organisation B, whereby the entire supply chain is once again run through until we end up back at organisation B. Once this has been undertaken for each organisation within the supply chain we have several emergency scenarios. These scenarios are best shown in an overview and provided with a brief descriptive scenario name as shown in the table below.

Figure: Graphic representation of scenarios (Organisation 1: Scenario 1.1; Organisation 2: Scenario 2.1, Scenario 2.2; Organisation 3: Scenario 3.1, Scenario 3.2; Organisation n: Scenario n.1).

Scenario no. | Scenario name | Impact description
1.1 | Forest fire | If new raw materials cannot be supplied to organisation A within 48 hours then production stops at organisation B.
2.1 | ... | ...
2.2 | Etc. |

6.4  Results to be achieved

The following results will be achieved after completing the activities in the 3rd step:
• An overview of potential emergency scenarios in the supply chain.
• An overview of the impact on the supply chain for all identified emergency scenarios.

7  Step 4: Establish extent of cyber threats and risks

Figure: process overview. Input: Cyber threats, security controls and supply chain topology. Process: Establish extent of cyber threats and risks. Result: Overview of relevant threats and supply chain risks.

7.1 Introduction

This step establishes the extent to which cyber threats result in risks for the supply chain. The results obtained in the previous steps are used for this.

Input: Cyber threats, security controls, supply chain topology.

Process step: Establishing the extent of the cyber threats and risks.

Result: Undertaking this step gives the following results:
• An overview of the cyber threats to be investigated.
• An assessment of the likelihood that the IT systems in the supply chain will be affected by the cyber threats.
• An assessment of the impact of the cyber risks on the supply chain.

7.2 Preparations

The following preparations are necessary before starting this step:
• Adopted list of cyber threats to be investigated. In order to establish the cyber threats to be investigated it is advisable to start with a standard list of threats⁷. A selection of the most relevant threats can then be made from this standard list. Threats that are not cyber specific, such as flooding or fire, are excluded from the scope. The further analysis can be undertaken after it is clear which cyber threats are to be investigated.

7.3  Activities to be undertaken

To establish the extent of the cyber threats an assessment is initially made of the likelihood that the selected cyber threats will actually result in disruption to the CIA of the Category 1 to 4 systems. The ‘net risk’ that is faced is examined for this; in other words, the controls already implemented are taken into account when analysing the likelihood that a cyber threat manifests on one of the systems. After the threat level has been established a risk assessment is carried out for the various systems. This analysis is undertaken by confronting the threat levels with the harmonised CIA values of the systems in the supply chain. The outcome is an overview of risks per system. For high risks, a further assessment is made of the impact these can have on the supply chain, for which the results obtained in Step 3 are used. Each supply chain organisation undertakes this analysis for its own critical systems (Category 1). Supply chain organisations that share an interface (Category 2) jointly undertake this analysis for the relevant interface. Common IT products and services (Categories 3 and 4) that are used by the majority of the organisations should be included in the joint analysis. The individual analyses undertaken by each supply chain organisation are discussed in a group session with the other supply chain organisations. All results are ultimately processed into an overview of the risks faced within the supply chain. To obtain a visual representation of the supply chain risks it can be decided to prepare a risk heat map. The establishment of the extent of the cyber threats and the risks that arise from this for the supply chain is described in more detail below.

⁷ To obtain a list of the most relevant cyber threats the ENISA threat landscape 2014 report can be used, for example (https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014).

7.3.1  Activity 1: Estimate the extent of cyber threats

For each cyber threat to be investigated (see the preparation for this step) a 5-point scale (for example Very Low (VL) to Very High (VH)) is used to indicate the level at which the threat is estimated for each IT system. This estimate takes into account the security controls already in place for the relevant system. If, for example, the likelihood of a DDoS (Distributed Denial of Service) is estimated this should take into account the controls already implemented to combat a DDoS attack. The residual likelihood of a successful DDoS attack is then ultimately entered.

Figure 4: Cyber threats in ‘From tree to paper’ supply chain

Impact (1-5) columns: Own CIA rating, Combined CIA rating. Threat scenarios (1=Low, 5=Very High) columns: Virus, Hacking, (D)DoS, Threat n.

System | Own CIA rating | Combined CIA rating | Virus | Hacking | (D)DoS | Threat n
Category 1 (within one organisation)
Organisation A (Forester)
365FarmNet | 4 | 4 | 4 | 2 | 5 |
SAP | 4 | 4 | 3 | 2 | 3 |
Organisation B (Paper production plant)
Simatic WinCC | 4 | 5 | 4 | 5 | 4 |
SAP - HANA | 3 | 4 | 2 | 3 | 3 |

The assessment of the cyber threats is undertaken individually by each supply chain organisation for the Category 1 IT systems. The Category 2 IT systems are analysed jointly by the supply chain companies involved in the interface. Category 3 and Category 4 IT systems are prepared individually by each supply chain organisation and ultimately estimated jointly in a group meeting. Each supply chain organisation can enter their results in the matrix as shown in Annex 6.

7.3.2  Activity 2: Estimate the extent of the supply chain risks

After establishing the degree to which the IT systems are vulnerable to the cyber threats an assessment is made of the risk faced. For this purpose, the highest cyber threat score (likelihood) for each IT system is confronted with the CIA value (impact) for the relevant system. The table below provides an example of how a risk estimate can be arrived at on the basis of likelihood and impact. In this example, only a very high likelihood and very high impact result in a very high risk. This can be detailed differently depending on the risk appetite of the organisations involved.

Likelihood / Impact | VL (1) | L (2) | M (3) | H (4) | VH (5)
VL (1) | 1 | 2 | 3 | 4 | 5
L (2) | 2 | 4 | 6 | 8 | 10
M (3) | 3 | 6 | 9 | 12 | 15
H (4) | 4 | 8 | 12 | 16 | 20
VH (5) | 5 | 10 | 15 | 20 | 25

This in turn can be used for producing a risk assessment for each system with regard to the selected cyber threats established previously. All high risks are then addressed in a group session in order to assess the supply chain risks that these can result in. To do this, the supply chain risks that are identified in Step 3 are related as much as possible to the IT systems. This link defines which IT systems can cause risks for the supply chain.

Figure 5: ‘From tree to paper’ supply chain risks

Category 1 (within one organisation), Organisation A (Forester). Impact (1-5) columns: Own CIA rating, Combined CIA rating. Threat scenarios (1=Low, 5=Very High) columns: Virus, Hacking, (D)DoS, Threat n.

System | Own CIA rating | Combined CIA rating | Virus | Hacking | (D)DoS | Threat n | Risk | Link to Consequence
365FarmNet | 4 | 4 | 4 | 2 | 5 | | 20 | Scenario 1.1
SAP | 4 | 4 | 3 | 2 | 3 | | 12 |

A risk heat map can be produced in order to ensure that the risks for the entire supply chain can be seen clearly at a glance. A graph is used for this, in which the likelihood of risks is plotted on the horizontal axis and the impact of those risks is plotted on the vertical axis. The identified risks can then be plotted on the graph. It may be decided to show all risks in this way or a subset, for example the Top 10 or the most unexpected risks.

Figure 6: Risk heat map (vertical axis: Impact, VL to VH; horizontal axis: Likelihood, VL to VH)
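The scoring rule of Activity 2 (highest residual threat score confronted with the combined CIA rating) and the heat map bucketing of Figure 6, carried through on the Figure 4 and Figure 5 values as an added example; this code is not part of the paper, and the VL to VH bands, the high-risk threshold of 15 and the tolerance of the CIA discrepancy check are assumptions of the example.

```python
"""Step 4 risk scoring (Activities 7.3.1 and 7.3.2) carried through in code.

Added example, not part of the original paper. It applies the paper's rule
"highest residual threat likelihood x combined CIA rating = risk score" to the
'From tree to paper' figures and buckets the scores for the heat map (Figure 6).
Risk-level bands, high-risk threshold and discrepancy tolerance are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 5-point scale used for both likelihood and impact (VL..VH = 1..5).
SCALE = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}
LABEL = {value: name for name, value in SCALE.items()}

# Assumed banding of the 1-25 product. The paper only states that a very
# high risk requires very high likelihood AND very high impact (score 25).
BANDS = ((25, "VH"), (15, "H"), (8, "M"), (4, "L"), (1, "VL"))
HIGH_RISK_THRESHOLD = 15  # assumed: scores >= 15 go to the group session

@dataclass
class SystemAssessment:
    organisation: str
    system: str
    category: int                   # 1 own system, 2 interface, 3 shared product, 4 shared service
    own_cia: int                    # the organisation's own CIA rating (1-5)
    combined_cia: int               # harmonised CIA rating, used as impact (1-5)
    threats: Dict[str, int] = field(default_factory=dict)  # residual likelihood per threat (1-5)
    scenario: Optional[str] = None  # link to a Step 3 emergency scenario, e.g. "Scenario 1.1"

    def __post_init__(self) -> None:
        # Reject ratings off the 5-point scale before they silently skew the matrix.
        for value in (self.own_cia, self.combined_cia, *self.threats.values()):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.system}: ratings must be 1-5, got {value}")
        if not self.threats:
            raise ValueError(f"{self.system}: at least one threat must be rated")

def risk_matrix() -> List[List[int]]:
    """The 5x5 likelihood x impact table of Activity 2 (row = likelihood, column = impact)."""
    return [[likelihood * impact for impact in range(1, 6)] for likelihood in range(1, 6)]

def likelihood(a: SystemAssessment) -> int:
    """The paper takes the highest residual threat score of a system as its likelihood."""
    return max(a.threats.values())

def risk_score(a: SystemAssessment) -> int:
    """Confront the highest threat score with the combined CIA value (impact)."""
    return risk_matrix()[likelihood(a) - 1][a.combined_cia - 1]

def risk_level(score: int) -> str:
    """Map a 1-25 score to a VL..VH label using the assumed BANDS."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score {score} outside 1-25")

def cia_discrepancies(assessments: List[SystemAssessment], tolerance: int = 1) -> List[str]:
    """Systems whose own and combined CIA ratings differ by more than `tolerance`:
    the difference in risk perception that Step 2, Activity 3 asks to surface."""
    return [a.system for a in assessments if abs(a.own_cia - a.combined_cia) > tolerance]

def high_risks_without_scenario(assessments: List[SystemAssessment]) -> List[str]:
    """High risks have to be related to a Step 3 scenario in the group session;
    return the ones that still lack that link."""
    return [a.system for a in assessments
            if risk_score(a) >= HIGH_RISK_THRESHOLD and a.scenario is None]

def heat_map(assessments: List[SystemAssessment]) -> Dict[Tuple[str, str], List[str]]:
    """Bucket systems by (likelihood label, impact label), i.e. the cells of Figure 6."""
    cells: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for a in assessments:
        cells[(LABEL[likelihood(a)], LABEL[a.combined_cia])].append(a.system)
    return dict(cells)

# Sample input reconstructed from Figure 4 and Figure 5 of the paper.
ASSESSMENTS = [
    SystemAssessment("Organisation A (Forester)", "365FarmNet", 1, 4, 4,
                     {"Virus": 4, "Hacking": 2, "(D)DoS": 5}, "Scenario 1.1"),
    SystemAssessment("Organisation A (Forester)", "SAP", 1, 4, 4,
                     {"Virus": 3, "Hacking": 2, "(D)DoS": 3}),
    SystemAssessment("Organisation B (Paper production plant)", "Simatic WinCC", 1, 4, 5,
                     {"Virus": 4, "Hacking": 5, "(D)DoS": 4}),
    SystemAssessment("Organisation B (Paper production plant)", "SAP - HANA", 1, 3, 4,
                     {"Virus": 2, "Hacking": 3, "(D)DoS": 3}),
]

if __name__ == "__main__":
    for a in ASSESSMENTS:
        score = risk_score(a)
        print(f"{a.organisation:40} {a.system:14} risk {score:2} ({risk_level(score)})")
    print("high risks without a Step 3 link:", high_risks_without_scenario(ASSESSMENTS))
    print("heat map cells:", heat_map(ASSESSMENTS))
```

Running the block reproduces the 20 and 12 of Figure 5 and flags Simatic WinCC (score 25) as a high risk that still needs a link to a Step 3 scenario.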

7.4  Results to be obtained

The following results are achieved after undertaking the activities in the 4th step:
• An overview of the cyber threats to be investigated.
• An assessment of the likelihood that the systems in the supply chain will be affected by the cyber threats.
• An assessment of the impact of the cyber risks on the supply chain.
• Optional: A visualisation of the supply chain cyber risks.

8  Step 5: Define controls and prepare action plans

Figure: process overview. Input: Supply chain risks. Process: Determine controls and prepare Action Plans. Result: Overview of acceptable risks and Action Plans.

8.1 Introduction

This last step focuses on defining the measures to be taken and the preparation of action plans. The controls are only determined and recorded in an action plan for identified risks that are outside of the risk tolerances of a supply chain organisation. To conclude the risk assessment a new date is jointly set for the risk assessment to be updated. The most important outcomes from the assessment are also documented and shared with the participating organisations.

Input: Supply chain risks.

Process step: Define controls and prepare action plans.

Result: Undertaking this step gives the following results:
• An overview of potential emergency scenarios in the supply chain.
• An overview of the impact (both downstream and upstream in the supply chain) if a disruption occurs at one or more of the organisations in the supply chain.

8.2 Preparation

The following preparations are necessary before starting this step:
• It is clear for each organisation what risks are outside of the risk tolerance. On the basis of the identified risks each organisation must determine independently to what extent these risks can be accepted. This can depend on several factors and should be considered individually by each organisation. As a guide, high risks are normally outside of the risk tolerance. A start can be made on defining the controls once it is clear what risks are acceptable and what risks are not acceptable.

8.3  Activities to be undertaken

For the unacceptable risks that are faced with regard to the Category 1 systems (business-specific systems) each supply chain organisation independently determines what controls can best be implemented in order to reduce the risk. For the Category 2 systems (interfaces) the relevant supply chain organisations work together on the relevant system. If risks arise from the Category 3 and 4 systems (shared IT products/services) the action plan is prepared jointly by all of the relevant organisations. After the action plans have been prepared a new date is set for updating the risk assessment. One of the participating organisations also produces a summary of the most important outcomes from the assessment and this is shared with all participants. The activities in this step are described in more detail below.

8.3.1  Activity 1: Define controls

For all unacceptable risks it is first analysed what controls can be deployed to reduce the risk for each IT system. These can be controls that are technical as well as organisational. For each potential control an estimate is made of the effort required for implementing the control and its expected effectiveness. Several controls can be implemented for each risk. After the controls have been listed a decision is made on what controls can be implemented.

The best way of selecting the controls to be implemented is to select those controls, based on the relationship between the result and the effort for a specific control, that can potentially reduce the risks to an acceptable risk level in the most effective and efficient way possible. Depending on the IT system category to which the risk relates, one or more of the supply chain organisations should work together on defining the controls.

8.3.2  Activity 2: Prepare action plan

Each organisation prepares an action plan after each organisation has established what controls are required for reducing the unacceptable risks. For each control, this action plan states who is responsible for implementing it, what actions are required and the time frame within which the control is to be implemented. The action plan thus provides an overview of all actions required for reducing the risks to within the organisation’s risk tolerance. Annex 8 contains a template for preparing an action plan.

8.3.3  Activity 3: Complete risk assessment

To complete the cyber security supply chain risk assessment a new date is set for updating the assessment. This ensures that the supply chain organisations continue to work together on managing the risks in the supply chain. Any improvements that are implemented, for example as a result of the action plans, can be included during the re-evaluation. It is recommended that a re-evaluation is carried out at least once every two years. Finally, the most important results from the supply chain risk assessment are adopted in a group session, for which it is recommended that one of the supply chain organisations takes the lead for reporting the adopted results.

8.4  Results to be achieved

The following results are achieved after undertaking the 5th step:
• An overview of the acceptable and unacceptable risks for each organisation.
• If applicable: an action plan for each organisation.
• A date on which the supply chain risk assessment will be updated.
• A report (for example a presentation) of the most important results from the supply chain risk assessment.

9 Annexes

9.1  Annex 1: Definitions

(Information) system: An information system is a coherent data processing functionality for managing or supporting one or more business processes. Explanation: Amongst other things, an information system consists of hardware, basic software, communication facilities, applications, databases, technical facilities, procedures and people.

Confidentiality: The degree to which the access to and use of the data is restricted to the correct persons. Confidentiality has the following characteristics:
• Exclusivity: can the information be protected against unauthorised access?
• Privacy: is personal data being handled correctly?

Integrity: The degree to which the data reflects reality. Integrity has the following characteristics:
• Correctness: is the information correct and is it displayed correctly?
• Completeness: is the information complete?
• Validity: is the information valid?
• Authenticity: is the source of the information received correct?
• Indisputability: did the sender of the information actually send the information?
• Accuracy: the degree of detail and completion of the information.
• Verifiability: to what extent can the information be verified?

Availability: The degree to which information is available at the correct moment for the users. Availability has the following characteristics:
• Timeliness: can the information be supplied at the moment it is required?
• Continuity: can the information also be supplied in the future?
• Robustness: is the information able to withstand disruptions?

Supply chain: Logistic chain from raw material extraction to delivery of end product to the end consumer.

9.2  Annex 2: Analysis process diagram

Cyber security supply chain risk analysis

Step 1. Input: Supply chains. Process: Define scope. Result: Defined terms of reference.
Step 2. Input: Processes, information systems, interfaces and classifications. Process: Describe supply chain. Result: Detailed supply chain topology.
Step 3. Input: Detailed supply chain process topology. Process: Determine impact of disruption on supply chain. Result: Process risks.
Step 4. Input: Cyber threats, security controls and supply chain topology. Process: Establish extent of cyber threats and risks. Result: Overview of relevant threats and supply chain risks.
Step 5. Input: Supply chain risks. Process: Determine controls and prepare Action Plans. Result: Overview of acceptable risks and Action Plans.

9.3  Annex 3: Initiation document template

Project Initiation Document

Introduction

Purpose of this document
The purpose of this document is to identify and describe the most important elements of the project. This is with the aim of understanding, recording and agreeing the expectations of all organisations and any other stakeholders involved in the project before the project starts.

Background

Aims and required outcome

Preconditions & Assumptions

Scope & Deliverables

Approach

Organisation

Project plan and costs

Stakeholders

Project risks and dependencies

9.4  Annex 4: Checklist for defining the scope

• The scope of the risk assessment is clearly defined whereby it is clear:
  - Which supply chain is to be analysed
  - Which organisations should be involved in the analysis
  - Which objects are to be included in the analysis:
    i) The IT systems and interfaces directly involved in delivering the product / service
    ii) The critical IT systems that support the product / the service and the underpinning (production) process
    iii) The business processes that are closely associated with the selected process
    iv) The shared IT systems
    v) The shared services
  - Whether the financial handling of the product to be investigated is to be involved in the analysis
• What outcome(s) is/are intended:
  i) Clearly identified risks
  ii) Taking jointly coordinated follow-up actions, for example improvement points or agreeing an action plan
  iii) Changes/improvements in the process followed
• What geographical demarcation is taken into account?
  i) Local
  ii) Regional
  iii) National
  iv) International
• What standards are to be used within the relevant sectors? (e.g. ISO 27000)
• What previous studies will provide relevant information for the current risk assessment?
• What specific legislation is applicable to the supply chain to be investigated?
• Working agreements are recorded in an initiation document and approved by all organisations involved

9.5  Annex 5: Example CIA classification

Example CIA classification table

Very low: An information security incident causing loss of confidentiality, integrity, availability or traceability of the information in the information asset could cause no or only negligible damage to the organisation.

Low: An information security incident causing loss of confidentiality, integrity, availability or traceability of the information in the information asset could not cause any significant damage to the organisation.

Medium: Information security incidents with the information asset could cause damage to the organisation, but within the limits of normal business risk. The negative impact can be managed within normal operating budget using standard procedures and capacity.

High: The negative effect of an information security incident could cause significant damage to the organisation. The potential damage would exceed normal business risk and normal operating budget. Specific incident or crisis management would be needed to manage an incident.

Very High: The potential damage of an information security incident with the information in the information asset could seriously threaten business continuity. The damage would have a significant negative impact on financial results on corporate level or the position of (board) executives could be at stake.

9.6  Annex 6: Matrix for recording the results of the risk assessment

Template matrix (the original is a spreadsheet page; its column and row layout is given here as an outline). Columns: Impact (1-5): Own CIA rating, Combined CIA rating; Threat scenarios (1=Low, 5=Very High): Virus, Hacking, (D)DoS, Threat n; Risk; Link to Consequence. Rows: Category 1 (within one organisation): organisation A (systems A1 to A4), organisation B (B1 to B4), organisation C (C1 to C4), up to organisation M (system Mm); Category 2 (System interface): interfaces A-B, A-C, B-C, B-D, up to n-m, each recorded with a From system and a To system; Category 3 (shared products for this industry) and Category 4 (shared services): see Components, services tab.

9.7  Annex 7: Template for recording the consequences of emergencies

Scenario 1.1 (columns 1 to 5):
1. Emergency description
2. Description of consequence on organisation B of emergency at organisation A
3. Description of consequence on organisation C of emergency at organisation A
4. Description of consequence on organisation D of emergency at organisation A
5. Description of consequence on organisation A of emergency at organisations B, C and D

9.8  Annex 8: Template action plan

Action plan: Organisation A

System | No | Risk | Controls | Priority | Action owner | Timeframe
System 1 | 1 | | | | |
System 1 | 2 | | | | |
System 2 | 4 | | | | |
System 2 | 5 | | | | |

9.9  Annex 9: Example supply chain matrix

Example matrix for the ‘From tree to paper’ supply chain, with the same columns as Annex 6 (Own CIA rating, Combined CIA rating, Virus, Hacking, (D)DoS, Threat n, Risk, Link to Consequence). The original is a spreadsheet page; the recoverable content is:
- Category 1 (within one organisation): Organisation A (Forester), Organisation B (Paper production plant), Organisation C (Transport company) and Organisation D (Wholesaler). The rows also shown in Figures 4 and 5: 365FarmNet (combined CIA 4; Virus 4, Hacking 2, (D)DoS 5; Risk 20; Scenario 1.1), SAP (4; 3, 2, 3; Risk 12), Simatic WinCC (5; 4, 5, 4; Risk 25), SAP - HANA (4; 2, 3, 3; Risk 12). Further systems named in the matrix: SCExpert, JDA Transportation Manager, JDA retail planning and the Bypos Point of sale (POS) system.
- Category 2 (System interface): A-B, B-C, B-D, C-D, up to n-m, each with a From and a To system.
- Category 3 (shared products for this industry) and Category 4 (shared services): entries named include SAP - HANA, CISCO ASA 5500-X and Telecom provider Vodafone; see Components, services tab for further details.
- Risk scores recorded in the matrix range from 4 to 25; the rows linked to a Step 3 consequence refer to Scenarios 1.1, 2.1, 4.1 and 4.2.

Colophon

Editors-in-chief: Wam Voster (Royal Dutch Shell), Jeffrey de Bruijn (Power or 4)
Research from: Royal Dutch Shell, Nederlandse Gasunie, Nuon, TenneT, Alliander
With support of: Dutch National Cyber Security Centre
Disclaimer: You are free to share, reproduce, distribute and forward this research via any medium or format, edit, change and adopt contents of the work for research purposes.

First press, January 2016.