Supplier Vigilance: A Critical Layer of Defense
Lockheed Martin Information Security
Supply Chain Cyber Security
Lockheed Martin, October 23, 2013
Debbie Stuckey
Waide Jones, CISSP
Synopsis
Lockheed Martin security specialists Waide Jones and Debbie Stuckey will review the cyber security threat landscape and how it is affecting business. The speakers will discuss Lockheed Martin's efforts to manage the risk of sharing sensitive information with suppliers. They will review the importance of having an active cyber risk management program, including someone who is "awake at the wheel" to build and manage the program.
Agenda
- Cyber threat landscape
- Current and future legislation
- Lockheed Martin's cyber threat approach
- Suggestions for current suppliers
- Resources for suppliers looking to do business with Lockheed Martin, or in the industry in general
Cyber Landscape?
True or False: the cyber threats that my company faces are similar to the ones faced by Lockheed Martin and the Defense industry.
Answer: True.
- A&D (Aerospace & Defense) is a targeted industry
- Companies of all sizes are affected
- Impact: financial, reputational, loss of IP, mission disruption
Threat
- Major upswing in cyber attacks
- Evolution from individual actors performing single attacks to well-funded, military "wave"-style attacks on information systems
- Industrial espionage
- Nation building
- Prime contractors were the initial target; actors have shifted their efforts to suppliers
2014 Evolving Threats & Impacts
Increasing potential impact:
- Confidentiality: data theft
- Availability: denial of service
- Integrity: destructive attacks
Increasingly unstable threats: APT, broad-based, insider, hacktivists, rogue actors
Increasingly complex ecosystem: LM core & perimeter, international supply chain, cloud & mobile
Media coverage, reputation, budget pressure & legislative uncertainty
Threat Generations (Gen 1, Gen 2, Gen 3)
Advanced Persistent Threats:
- Coordinated, trained
- Robust infrastructure
- Campaign-scale intrusions
- Objective: exfiltrate data
Tactics observed across the generations:
- Email spoofing
- Parking lot entry vector
- Fake sites that look real
- Extranet server compromise
- Man-in-the-Mailbox
- Lateral movement
- Real websites with malware
- LM credentials stolen from suppliers
- Hyperlinks; wolf in sheep's clothing
- Factory floor; onboard systems
- Widespread watering holes
- Extranet server compromise; denial of service
- Compromised 2-factor credentials
Legislation
Executive Order 13636, Improving Critical Infrastructure Cybersecurity
- Develops a technology-neutral, voluntary cybersecurity framework and incentivizes its adoption
- Increases cyber threat information sharing
Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience
- Advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure
Domestic and international data breach legislation
- Requires suppliers and service providers to notify of cyber security issues and breaches of privacy
Did You Know?
Lockheed Martin's approach to working with suppliers on cyber security includes what elements?
A. Working with suppliers to understand their cyber security posture
B. Working to ensure our supply chain is aware of the cyber threats facing our industry and companies
C. Working with suppliers to reduce cyber risk to acceptable levels
D. All of the above
Answer: D
Overall Strategy
Objectives: Understand Posture, Build Awareness, Reduce Risk
- Understand Posture: known supplier security posture; supplier security validation
- Build Awareness: supplier threat awareness
- Reduce Risk: supplier security capability uplift; move defenses upstream
(Diagram context: annual aircraft deliveries)
Approach to Cyber Risk Management
- Cyber Security Questionnaire added to all full profiles in Exostar
- 28 cyber security posture questions, covering:
  - Policy/Awareness
  - Staffing
  - System Maintenance/Controls
  - Monitoring and Response
  - Remote Access
- Suppliers' responses are used to help Lockheed Martin manage risk
- Weakness indicators are provided back to suppliers
Our Shared Responsibility
- Suppliers complete the Cyber Security Questionnaire in their Exostar profile
- "Ask once, share" model
- The supplier's Exostar Administrator has the rights to complete it
- No responses to the questions indicate a concern about the supplier's ability to protect sensitive information
- Answers are secured and treated as proprietary
- Instructions are on the LM Supplier Cyber Security webpage: http://www.lockheedmartin.com/us/suppliers/cyber-security/posture.html
Reduce Risk
- Focus on critical information
- Questionnaire results serve as cyber risk input
- Validation/deep dive with key suppliers
- Integrated into programs' and business capture's standard risk management processes
- Input for the program/capture technical team
Two-way Communication
- Supplier memos
- Supplier Cyber Security webpage
- Ready Room video
- Frequently Asked Questions (FAQ)
- Briefings
http://www.lockheedmartin.com/us/suppliers/cyber-security.html
What can you do?
Educate Employees
1. Department of Homeland Security: dedicated small business site for cyber risk planning
2. United States CERT: distributable materials for education and awareness
3. Stay Safe Online: tips and regularly updated information for businesses
Active Cyber Risk Management
- Institute an active Cyber Security Risk Management Program
- Someone "awake at the wheel"
- Threat- and risk-appropriate
- The adversary doesn't care if you are small; they care about the data they need
- Get involved in an information sharing forum:
  - InfraGard
  - Information Sharing and Analysis Center (ISAC)
  - Defense Security Information Exchange (DSIE)
- Lots of great resources available
Summary
Threat / Target
- We are a targeted industry, and you are a target
- Lockheed Martin is working with suppliers to enhance their ability to protect sensitive information
- Review the Lockheed Martin Supplier Cyber page: http://www.lockheedmartin.com/us/suppliers/cybersecurity.html
- Review the Supplier Cyber FAQ: http://myexostar.com/workarea/showcontent.aspx?id=2550
For existing Lockheed Martin suppliers
- Complete the Cyber Security Questionnaire in your Exostar profile
- Someone "awake at the wheel"
- Understand and appropriately manage cyber risk as a component of overall business risk