ISA At Work In The Manufacturing Sector
The National Association of Manufacturers (NAM) is an advocacy group headquartered in Washington, D.C., United States, with 10 additional offices across the country. It is the nation’s largest manufacturing industrial trade association, representing 11,000 small and large manufacturing companies in every industrial sector and in all 50 states.
Securing the Electronics Hardware Supply Chain
Faced with a different set of potential adversaries, ISA’s aerospace and defense manufacturing members initiated a unique supply chain program in collaboration with Carnegie Mellon University that focused on securing electronics hardware and firmware from supply chain intrusions. These manufacturing companies recognized that while inserting malicious hardware and firmware into the supply chain would be more time-consuming and costly, some of their adversaries (i.e., nation-states) have a bottomless account and are “in it for the long game.” These companies further recognized that while such an injection attack may only succeed once, if the compromise were in a SCADA or weapons system, the results could be catastrophic.
So starting in 2006, ISA and CMU launched the industry’s first integrated supply chain program analyzing the complex problems of managing the IT supply chain on a global basis to assure the security of hardware products and services. In 2008, ISA released its resulting supply chain framework document, which was subsequently cited in President Obama’s signature document on cyber security: “The Cyberspace Policy Review” (2009).
A series of nationwide workshops followed, helping to create a clear, specific and detailed set of instructions for managing the IT supply chain in a secure, but economic, fashion. 60+ pages in length, these instructions (or guidelines) will be released shortly on ISA’s website following Board approval.
Combating The Advanced Persistent Threat (APT) in the Manufacturing Industry
Over the past few years, ISA’s manufacturing members noticed a shift in attack tactics, with adversaries now targeting these members’ smaller partners utilizing more sophisticated, APT-style attacks. To combat this shift, Jeff Brown of Raytheon, Tom Kelly of Boeing, and Rick Howard of Verisign stood up the ISA APT program in 2011 to leverage the industry’s expertise and develop a set of publishable, cost-effective best practices that these smaller partner companies can use to help mitigate such attacks.
With NAM’s collaboration, ISA has recently field tested this document with its target audience: manufacturers with zero on-staff IT professionals, with 1-10 IT professionals, and with more than 10 IT professionals. This program is currently ongoing, with a publication expected in Q4 2012.
Financial Management of Cyber Risk – Gaining a Manufacturer’s Perspective
Starting in 2006, the ISA began its program on the Financial Management of Cyber Risk. Three highly acclaimed publications later, ISA has now entered its fourth phase of this program, seeking to analyze and benchmark enterprise risk management in three specific sectors, Aerospace and Defense, IT, and Financial Services, with specific reference to the effect of the SEC’s recent advisory on considering cyber security as a material risk.
This fourth phase kicked off in late June 2012 with the first of a series of workshops. Held at the National Association of Manufacturers in Washington, D.C., and in collaboration with ISA channel partner the Aerospace Industries Association, this first workshop examined the enterprise risk management practices of several leading aerospace and defense firms. Two other workshops are scheduled for late summer in Silicon Valley, California, and in late fall in New York City.