1. Gerald Fralick, CSO − October 16, 2014 How Secure is Our Nation’s Infrastructure: A Year in Review and What Lies Ahead

2. 2 PRESIDENTIAL POLICY DIRECTIVE/PPD-21  The Nation's critical infrastructure provides the essential services that underpin American society. The PPD- 21 Directive establishes national policy on critical infrastructure security and resilience, and is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure.  The PPD-21 Directive refines / clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, and enhances overall coordination and collaboration. Enable effective information exchange Refine and clarify Functional relationships across Federal Government Implement an integration and analysis function Strategic Imperatives to Strengthen Critical Infrastructure

3. 3 Critical Infrastructure What Is Critical Infrastructure?  Critical infrastructure is comprised of 16 major sectors, and is the backbone of our nation's economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.  Critical infrastructure is the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

4. 4 Critical Infrastructure Sectors – Overview  Chemical Sector: Composed of 5 main segments Basic Chemicals * Specialty Chemicals * Agricultural Chemicals * Pharmaceuticals * Consumer Products  Commercial Facilities: Composed of 8 Subsectors Public Assembly * Sports Leagues * Gaming * Lodging * Outdoor Events * Entertainment / Media * Real Estate * Retails  Critical Manufacturing: Comprised of 4 core manufacturing industries Machinery * Primary Metal * Electrical Equipment / Appliance / Component * Transportation Equipment  Dams  Defense Industrial Base: Components are: Companies – Domestic Entities * Companies – Foreign Entities * Production Assets in Various Countries  Emergency Services: Nation’s first line of defense Natural Threats * Cyber Related Threats * Workforce Threats * Manmade Threats  Energy Sector: Uniquely critical by providing an enabling function across all critical infrastructure sectors Natural Gas * Petroleum * Electricity  Financial Services: Because cyber threats are a significant concern to this sector, the Treasury Department works closely with the US-CERT to indentify the latest threats to cyber infrastructure and disseminates threat information within the sector.

5. 5 Critical Infrastructure Sectors – Overview  Food and Agriculture: Critical dependencies with many sectors, but particularly with: Water / Wastewater Systems * Transportation Systems * Energy * Pharmaceuticals * Financial Services, Chemical, and Dam  Government Facilities: Includes buildings located in the US and overseas owned / leased by federal, state, local and tribal governments. Buildings * Education Facilities * National Monuments  Healthcare / Public Health : Protects all sectors of the economy from hazards such as terrorism, infectious diseases, etc. Symbiotic sectors: Communications * Emergency * Energy * Food / Ag * Info Technology * Transportation * Water / Wastewater  Information Technology: The heart of the nation’s security, economy, public health and safety sectors  Nuclear Reactors, Materials and Waste: Components are: Nuclear Fuel Cycle Facilities * Nuclear Power Plants * Radioactive Materials * Non-Power Reactors * Decommissioned Nuclear Power Reactors * Manufacturers of Nuclear Reactors / Components * Transportation, Storage, and Disposal of Nuclear / Radioactive Waste  Transportation System: Seven key subsectors: Aviation * Highway Infrastructure * Motor Carrier * Maritime * Mass Transit * Passenger Rail * Pipeline Systems * Freight Rail * Postal / Shipping  Water / Wastewater: Vulnerabilities are contamination with deadly agents and physical attacks (cyber / chemical)  Communications: Underlying to all operations of all businesses, public safety organizations, and government.

6. 6 Critical Infrastructure - Summary  All 16 Sectors are dependent and interconnected, tied together.  A successful threat and attack to any one of them would be severely detrimental to the well being and fabric of the United States.  In the world of Information Technology, where are the holes, the vulnerabilities?  How do we as CISOs, CSO’s and IT Security specialists, detect, prevent security compromises and prove that our networks, end point products, and infrastructure are really secure?

7. The Year In Review: What Has Changed

8. 8  Trusted Sources – how do we decide who / what is a trusted source? How do we quantify / qualify “trusted”?  Supply Chain Security – closer scrutiny components and how / where our products are developed and manufactured.  Public perception and awareness of vulnerabilities and demand for reassurance that products / services / online websites are safe and secured.  Cost of Doing Business has increased: - The CIO and Compliance Offices: No longer a luxury, but the cost of doing business in a global economy. * Key Skills: SIRT, Auditor, Software Security Architects, Ethical Hacker * Small Businesses not able to fund such an office can outsource to 3 rd parties - Cybersecurity Programs are critical - Cost of businesses who have been compromised to fix the infrastructure issues and lost revenue from reduced consumer spend from breeches. These costs are eventually passed to consumers.  Border Security in the US is highly vulnerable to infiltration, and breeches are at an all time high which, in turn, places our critical infrastructures at increased risk for terrorist and cyber attacks. One attack can cripple our entire nation and it’s economy with a domino effect.  Health and medical records are the new “hot commodity” of cyber attacks, even more valuable than credit card information. Once the health care information is stolen, this information is used to obtain pharmaceuticals, commit Medicare fraud and other crimes.  Increased use of ‘cloud’ services for business and personal use, which are very vulnerable to cyber crimes. Businesses often focus on the convenience and low cost of cloud services, but not enough focus on the potential for compromise to security and data breeches. What Has Changed The risk of cyber and terrorist attacks against our critical infrastructures has never been higher.

9. 9 Security Landscape (Customer Concerns): PAST: 12 MONTHS AGO FUTURE: 12 – 18 MONTHS OUT  Malware  Back Doors  Spyware  Holes in BIOS  Trust Worthy  Personnel Screening  Critical Infrastructure  Cyber Security Framework PRESENT: 2014  Supply Chain (Touch Points) Manufacturing / Assembly / Delivery  Product Security (SIRT) Security Incident Response Team  Software Development – Where? Design / Dev / Test / Authenticate & Validate  Internet of Things

10. 10 Liability Shift  Merchants that accept credit cards for payment, but do not have Chip and PIN available to consumers by October 2015 will be held completely liable for breaches. Reference: http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/  On June 10th, 2014 the Security and Exchange Commissioner noted that a "…cyber attack may not have a direct material adverse impact on the company itself, but that a loss of customers", and to consider updating the SEC Cyber Security Guidance for breach disclosure and fines to businesses that suffer breaches. He strongly encouraged companies board of director's to take active roles in their risk management programs and apply frameworks like NIST Cyber Security Framework. Reference: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946http://www.sec.gov/News/Speech/Detail/Speech/1370542057946 Reference: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htmhttp://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm  James Comey, Director of the Federal Bureau of Investigation (FBI), said last November that “resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.” Reference: http://www.hsgac.senate.gov/hearings/threats-to-the-homelandhttp://www.hsgac.senate.gov/hearings/threats-to-the-homeland The current cybersecurity attacks and breaches have highlighted the need for corporate responsibilities for compliance and security within their cybersecurity networks and IT infrastructures. The legal books are being “rewritten” with new laws and new cases resulting from these attacks. Failure for CISO, CIO and CEO’s to address these pressing cyber security issues, will result in the liability falling back to them as corporate executives.

11. 11 Not if, but WHEN…. Target Breach Malicious software in point of sale systems Cost = 148 million Target Breach Malicious software in point of sale systems Cost = 148 million Home Depot Malicious software in point of sale systems Cost = Unknown Home Depot Malicious software in point of sale systems Cost = Unknown South Carolina Department of Revenue Cost = ~36.6 million South Carolina Department of Revenue Cost = ~36.6 million The U.S. per record cost for a data breach averages $194 Target Data Breach > 40 million credit cards stolen Target Data Breach > 40 million credit cards stolen State of South Carolina 16 million records stolen State of South Carolina 16 million records stolen Home Depot Breach 5 months & > 60 million credit cards stolen Home Depot Breach 5 months & > 60 million credit cards stolen Fidelity Investments Attacked by the same group as JP Morgan Chase, but hackers were unable to penetrate any of the security on their network systems JP Morgan Chase 76 million households and 7 million business affected JP Morgan Chase 76 million households and 7 million business affected JP Morgan Chase Breach penetrated internal working systems in the bank Cost = Unknown JP Morgan Chase Breach penetrated internal working systems in the bank Cost = Unknown  Business and banks are not the only targets of cyber crime. Health care records are are rapidly becoming the new “hot commodity” and target of hackers. Between April – June 2014, hackers penetrated Community Health Systems resulting in 4.5 million health care records stolen.

12. 12 Over the course of the year Network Infrastructure and Security has become even more important as cyber criminals become more aggressive and specific in their targets and attacks. Hardening network infrastructure is key to building immunity and resistance to the attacks  Weakness in network infrastructure results in high risk of cyber exploitation. Our nation’s critical infrastructures depend on the ‘wellness’ of their associated IT networks.  Perception was that any cyber attacks were / would be from external sources breaking through firewalls, etc.., The Target security breach outlined that focus must also be on hardening network infrastructure internally to avoid compromise from within. - Device Integrity - Secure Management - Secure Protocol Standards / Strong Cryptography - Secure Logging - Stringent regulations on BYOD programs (and use of thumb drives) Network Infrastructure and Security

13. 13  Mobility  Business Enablement  Compliance  Data Theft  Spear Phishing  Advanced Malware  Hactivist  Mobility  Business Enablement  Compliance  Data Theft  Spear Phishing  Advanced Malware  Hactivist  Cloud (Vendor Management)  Threat Intelligence / Vetting  Insider Threat  Targeted Attackers / APT  Attack Preparation and Response (Incident Response Plans)  Cloud (Vendor Management)  Threat Intelligence / Vetting  Insider Threat  Targeted Attackers / APT  Attack Preparation and Response (Incident Response Plans) What’s on the CIO’s (CISO) Mind

14. 14 Secure Supply Chain Management: Key Questions for IT Industry Vendors: Do you have a secure supply chain management program? (e.g. What is it based on?) Does your program address hardware, firmware, and software that is packaged on the system? What embedded software do you have on your devices? How do you ensure that the firmware and software on your device had not been altered? Does your code get reviewed externally for security vulnerabilities? How do you ensure that unauthorized code is not inserted? How do you ensure that counterfeit parts are not in your products? Supply Chain Management Hardware Baseboard CPU Memory Hard Drive HSM Storage Firmware BIOS UEFI BMC TMM Drivers (e.g. Audio, Video) Bundled Software Operating System (e.g. Windows 7, Windows 8) Internally Developed Software 3 rd Party System(s) Root of Trust

15. 15  “Bad BIOS” and “Bad USB” highly publicized issues in firmware allowing a malicious attacker to gain low level access to systems.  July 7 th, 2014 – ZombieZero hit hardware scanners of large shipping and logistics companies. Suspected hardware supply chain management was the avenue of attack.  July 22 nd, 2010 - Dell PowerEdge Motherboards Ship with Malware (Spybot Worm) Source: http://www.zdnet.com/dell-poweredge-motherboards-ship-with-malware-3040089615 / http://www.zdnet.com/dell-poweredge-motherboards-ship-with-malware-3040089615 /  June 16 th, 2014 – Android smartphone shipped with spyware Source: https://blog.gdatasoftware.com/blog/article/android-smartphone-shipped-with-spyware.html https://blog.gdatasoftware.com/blog/article/android-smartphone-shipped-with-spyware.html  A U.S. power plant was taken off line for three weeks when a computer virus attacked a turbine control system. The virus was introduced when a technician unknowingly inserted an infected USB computer drive into the network. Source: http://www.theage.com.au/it-pro/government-it/malicious-virus-shuttered-power-plant-us-government- 20130116-2cuox.html http://www.theage.com.au/it-pro/government-it/malicious-virus-shuttered-power-plant-us-government- 20130116-2cuox.html Attacks Targeting Supply Chain

16. 16 Analysis of End Point – Laptop Component Sourcing ComponentLenovo TP T440HP E840Dell Latitude 7440 CPU / Chipset / vProIntel LCD Multiple; AsiaLG; China FPR SensorValidity; China Broadcom / China Smart Card ReaderAlcor; China O2Micro; China TouchpadSynapatics; ChinaSynaptics; ChinaAlps; China MemoryMultiple; AsiaRamaxel; ChinaMicron; Korea HDDMultiple; AsiaHitachi; ThailandSeagate; Korea WLAN CardIntel; China Altheros; China EthernetIntel; China TPMST Micro; ChinaInfineon; AsiaAtmel; Asia Super I/OToshiba; ChinaSMSC; Taiwan Embedded ControllerMicrochip; TaiwanN/ASMSC; Taiwan  Assumption: HP and Dell, like Lenovo, have multiple sources

17. 17 What Lies Ahead: A Call to Action  Assess and communicate security risks – adopt a uniform framework such as the NIST standards, and perform regular compliance assessments.  Better articulate risks and audit findings with business stakeholders – Perform routine reporting of cybersecurity threats to build support for security initiatives.  Explore creative paths to improve cybersecurity effectiveness within your organizations using the current federated governance models – create cybersecurity competency centers or pursue a shared services model.  Focus on audit and continuous monitoring of third party compliance – Focus on communicating cybersecurity policies and practices to partners.  More thorough vetting and screening process for vendors and employees who have access to sensitive information or technology. Closer scrutiny on internal “IT hygiene” practices.  Validation for supply chain “touchpoints”  Location of software code development - Independent validation and verification of software code development / root of trust

18. 18  Presidential Executive Order 13636 – “Improving Critical Infrastructure Cybersecurity” - Calls for development of a voluntary cybersecurity Framework that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. - Developed in collaboration with industry - Provides guidance to an organization on managing cybersecurity risk. Framework Introduction 2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.

19. 19  Framework is a risk-based approach to managing cybersecurity risk  Composed of three parts: - Framework Core: A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure - Framework Implementation Tiers: Provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. - Framework Profile: Represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Framework Overview 2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.

20. 20  Functions – to organize basic cybersecurity activities at their highest level 1.Identify – Develop organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities. 2.Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. 3.Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. 4.Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. 5.Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.  Categories – subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.  Subcategories – further divide a Category into specific outcomes of technical and/or management activities  Informative References – specific sections of standards, guidelines and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory. Framework Core – Four Elements 2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.

21. What Lies Ahead: A Call to Action

22. 22 Critical Infrastructure – Time to Comply  Supply Chain: How secure is your end product from point A (origination) to the point of delivery (Z)?  Unified Capabilities: Approved Products List (UC APL) - Unified Capabilities Approved Products List (UC APL) is a consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification, which is used by the US military, and managed by the Defense Information Systems Agency.  NIST - FIPS 140 – 2 (Cryptology): Federal Information Processing Standards (FIPS) 140-2 the standard for equipment used in US government IT applications & environments. This is a US standard, but for civilian agencies.  Common Criteria: Common Criteria are the civilian focused international standards that have been adopted by 26 member countries for security requirements for information technology products in both government and private sector use. This is a globally applicable standard.  Use of Government approved NIST & NSA test labs, 7 outside Ft. Meade, MD & NSA.

23. 23 Critical Infrastructure – Proof of Security  Products  Networks  Infrastructure  Cloud  Data  Use of external cybersecurity standards, regulations, frameworks, and guidance.

24. 24 Questions? Jerry Fralick – Chief Security Officer Think Business Group Lenovo USA 1009 Think Place Morrisville, NC 27560 919-257-6172 gfralick@lenovo.com