Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library


Lessons in External Dependency and Supply Chain Risk Management

  • Watch

  • Abstract

    In this webinar, John Haller and Matthew Butkovic of the CERT Division of the Software Engineering Institute will discuss real-world incidents, including recent industrial control system attacks and incidents affecting Department of Defense capabilities, and the lessons that organizations should take away. The session will focus on the lifecycle of supply chain relationships and introduce concepts to help organizations manage them more effectively.

    Managing the risks of depending on external entities and supply chains to support critical services has increasingly become an area of concern for both the federal government and private critical infrastructure organizations. External dependencies may consist of business partners that your organization relies on, cloud services such as data processing, or storage facilities. Or these dependencies may take the form of reliance on public infrastructure such as transportation or the electrical grid.

    The webinar speakers, John and Matthew, will discuss the HAVEX malware attacks on industrial control system vendors, which were reported to the security community in June 2014.  For supply chain risk management, a key lesson from the HAVEX case is the importance of having a process to identify and prioritize external dependencies. The speakers will also explore and discuss methods for addressing this problem in a realistic, reliable way.

    Also covered in the webinar are the lessons for third-party risk management that organizations should take away from recent attacks on DoD-affiliated transportation contractors. The speakers will explain how to correctly scope and build security programs around key, organizationally critical services.

    The speakers will discuss how your organization can learn from these incidents, including best practices around forming relationships with external entities and managing the relationship over time to support your organization's incident management and situational awareness processes. The webinar closes with a recap of key supply chain risk management capabilities and an update to CERT research into the state of these capabilities across U.S. critical infrastructure sectors.

  • Slides
  • Transcript

About the Speaker

  • John Haller

    John Haller is an information and infrastructure security analyst with the Resilient Enterprise Management team in the CERT Program at the Software Engineering Institute, Carnegie Mellon University. Prior to joining CERT, John served as a Special Agent for the United States Postal Service Office of the Inspector General. John also worked for the U.S. Postal Inspection Service, researching online criminal behavior, conducting internet-based investigations, and supporting the development of information systems-based products internationally. A U.S. Army veteran, John is a member of the Pennsylvania bar. He obtained his J.D. and Master of Public and International Affairs from the University of Pittsburgh.

  • Matthew  J. Butkovic

    Matthew Butkovic is an Information and Infrastructure Analyst within the Resilient Enterprise Management Team of the CERT Program at Carnegie Mellon University's Software Engineering Institute. As a member of the team he performs information and critical infrastructure protection research and develops methods, tools, and techniques for resilient enterprise management. Butkovic has more than 15 years of managerial and technical experience in information technology (particularly information systems security, process design and audit) across the banking and manufacturing sectors. Prior to joining CERT in 2010, Butkovic was leading information security and business continuity efforts for a Fortune 500 manufacturing organization. He holds a BA from the University of Pittsburgh. Butkovic is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).