Secure Maintenance and Supply Chain

Time: 5 hours 58 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:00
>> Welcome back to Cybrary. Of course, I'm your instructor, Brad Rhodes. Let's jump into secure maintenance and the supply chain. In this lesson, we're going to talk about the pillars of supply chain risk management. We're going to talk briefly about supply chain visibility, very important for SCs to understand. Then we're going to talk about secure maintenance and how that fits.
00:00
There are four parts to supply chain risk management, and they're shown here on the diagram on the slide. We'll start at the top. Integrity, pretty straightforward. Can you trust that somebody's maintaining control of the parts or supplies that you're getting throughout the course of delivery? Everybody here is probably familiar with Amazon or some e-commerce website. They provide you a tracking number. You know when it gets boxed up, you know when it leaves the facility, you know when it's on the plane, it's on the truck, and then it ends up at your house. That's truly integrity. It's custody that I want you to remember there.

The next one there is resilience. Think about natural disasters. If you have a supply chain that is reliant upon overseas construction of, say, components, guess what happens? Well, if there's a major typhoon in, say, the Philippines, and that's where your main supplier is, well, if they can't survive or take a hit from that typhoon, then you're not going to be able to meet your supply requirements.

Next, we have quality, and quality is a tough one because you have quality in both manufacturing and delivery. What we're dealing with here is that in other places outside of, say, the United States, there may be questions about whether the manufacturing is up to snuff. Is it being made or built to the quality that we expect to receive from a parts perspective? We work with the quality, we figure out the quality piece by actually doing regular inspections, by testing the components. If they are physical components, even software, we can check and test all of that stuff. Quality is one of those things you have to pay attention to when you're talking about supply chain risk.

Finally, the last one is security, and that one's pretty obvious. If your suppliers are overseas in a country that is subject to frequent terrorism and insurgency, you name it, you have to take into account all of those. As an ISI, you may not be responsible for specifically all of this, but you need to understand the impacts of these areas when you are working on overall risk management when it comes to supply chain for the components for your systems of interest.
00:00
Next, we have supply chain visibility, and this one is a fun one. You see on our chart here the gentleman with the binoculars. Well, he's looking out to see, as far as he can see, what the supplier is actually doing. Really, what this diagram is meant to show is that the more complex the supply chain, the less visibility you have as an organization at the far end. Just three levels deep, it is really hard to understand if the supplier's supplier's supplier that you're buying from is maybe a less than savory character or organization that is maybe putting a backdoor into a component that you're procuring. You don't necessarily know that or realize that because you can't see it, and so, as a recommendation, as an ISI you definitely want to make sure that you understand how deep your supply chain is. You want to understand the interconnections of your supply chain. Then you want to validate. If there are those external service providers, they might be okay, but if you don't actually check it, you are probably going to be missing something and potentially expose your organization, or potentially your customers, to a breach or vulnerability.
00:00
The last thing we want to talk about here is secure maintenance, and there are really three areas. There's the proactive stuff that we can do. There is the reactive stuff. Then there's this stuff in the middle which allows us to understand where we sit when it comes to maintenance. First off, let's think about proactive: patch your stuff. If a vendor says you should patch something, you probably should. If you custom-build something, well, guess what? You own your own zero-days, but you should probably patch that as well. But let's talk about the vendor recommendations here for a second. We've talked a lot about supply chain, or about supply chain management. We've talked a lot about change management in our contexts. Well, this is a change management thing, not a supply chain thing. In change management, you may have to make a vendor-recommended patch, but you don't just do it. In a change management, configuration management capability, system, product, whatever, you're going to have to check and validate that that change can be made. As an ISI, you have to understand that secure maintenance in terms of patching might be something that breaks the system, and so you've got to engage and utilize that change management process.
00:00
When we talk about the emergency, that's our repair of something that's broken, and that's typically looked at in terms of objectives. Recovery time objective is how long can you be offline? Recovery point objective is how much data can you lose? Hopefully, all of that is wrapped into business continuity planning and disaster recovery documents that your organization has. If you don't have those or you don't know those, your organization is at risk in an emergency because you have no idea, especially if, let's say, you're using external services, how to hold them to account in a service level agreement, an SLA, when it comes to an emergency.
00:00
Then there's the middle one, which is vulnerability assessments. We've talked about vulnerabilities previously in this course, but vulnerability assessments allow us to determine a couple of things. One, they can allow us to see where we potentially are broken or could be broken. We can do that passively or actively. That means we can actually scan in the active sense, or we can listen in the passive sense. I would caution you as an AC: be aware of active scanning for vulnerabilities depending on your environment. If you have a lot of industrial control systems, SCADA systems, IoT, potentially even some of the basic electrical equipment controlling things like HVAC, if you run the wrong vulnerability scanner in an active mode, you could probably send enough voltage down the line to actually damage the system. You've got to be really careful of that, and as an IS, that's on you to know. Then of course, vulnerability assessments help us to understand system dependencies. That's really important because we know that our systems today, regardless of how they are across, say, the defense in depth, are incredibly dependent on other systems' capabilities: power, HVAC, lighting, all of those things. You have to understand those dependencies and those connectivities when you're doing your vulnerability assessments. In secure maintenance, we're thinking about patching, vulnerability assessments, and emergency repair.
00:00
In this video, we covered the pillars of supply chain risk management, and those are things you need to understand. We've talked about supply chain visibility. The more complex your supply chain is, the less visibility you actually have of what's happening in the distance. Then of course, secure maintenance. If you take anything away from this, patch your systems, but do it in the change management, configuration control process that you have in your organization. We'll see you next time.