Overview
The cyber supply chain is defined as follows:

“The entire set of key actors involved with/using cyber infrastructure: system end-users, policy makers, acquisition specialists, system integrators, network providers, and software/hardware suppliers. The organizational and process-level interactions between these constituencies are used to plan, build, manage, maintain, and defend the cyber infrastructure.”
While most cybersecurity incidents are attributable to online attacks, countless examples have exploited insecure cyber supply chains, introducing new types of risks, threats, vulnerabilities, and even cyber-attacks. For example:
In 2008, the FBI seized $76 million of counterfeit Cisco equipment. According to an FBI presentation, the fake Cisco routers, switches, and cards were sold to the U.S. Navy, the U.S. Marine Corps, the U.S. Air Force, the U.S. Federal Aviation Administration, and even the FBI itself. One slide referred to the counterfeit Cisco equipment as a “critical infrastructure threat.”
Security researchers who analyzed the 2010 Stuxnet attack on Iranian nuclear facilities believe that the malware used to infect programmable logic controllers (PLCs) and modify Siemens Step 7 software was likely carried into the facilities by third-party contractors working with the Iranian government. These contractors were identified, targeted, and compromised, and then unknowingly carried Stuxnet into the Iranian nuclear facilities, most likely on USB thumb drives.
In 2012, the Chairman and Ranking Member of the House Intelligence Committee, Mike Rogers (R-MI) and C.A. Dutch Ruppersberger (D-MD), released a report recommending that U.S. companies avoid using telecommunications equipment manufactured by the Chinese telecommunications companies Huawei and ZTE. The report highlighted the interconnectivity of U.S. critical infrastructure and went on to warn of a heightened threat of cyber-espionage and predatory disruption or destruction of U.S. networks if U.S.-based telecommunications networks were built by companies with known ties to the Chinese state, a country known to “aggressively steal valuable trade secrets and other sensitive data from American companies.”
According to documents leaked by Edward Snowden, the National Security Agency (NSA) intercepted networking equipment built in the United States, added backdoors for remote access, and then shipped the devices on to their recipients abroad. Once the implanted equipment was deployed online, it phoned home to NSA-controlled servers. An internal NSA document quoted by Glenn Greenwald, then a reporter at the Guardian, reads: "In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure." The document continues: "This call back provided us [i.e., the NSA] with access to further exploit the device and survey the network."
The 2013 data breach at U.S. retailer Target exposed the personal and credit card data of more than 110 million consumers. Security researchers believe that this attack began with a spear-phishing attack on a Target HVAC contractor, Fazio Mechanical of Sharpsburg, PA. A few months before the breach, the attackers used an e-mail message to compromise a PC at Fazio Mechanical and then installed password-stealing malware on the system. The perpetrators then used legitimate Fazio credentials to log onto the Target network and ultimately carry out the attack.
While cyber supply chain security incidents like these threaten businesses and consumers alike, a cyber-attack on a critical infrastructure organization could result in massive societal disruption, threatening national security. These concerns are heightened by events such as:
The Siberian gas pipeline explosion of 1982. In 1982, CIA agents learned of a Soviet plot to steal Western technology for updating its outdated gas pipeline system. Armed with this knowledge, the CIA intervened with a covert operation. Unbeknownst to Soviet agents, control software stolen in France had been booby-trapped by the CIA and programmed to create havoc in a series of pumps, valves, and turbines and to increase pressure across the entire pipeline. Once installed, the malicious software caused a massive explosion. The account, which comes chiefly from the memoir of former Reagan administration official Thomas Reed and has been disputed, describes the result in the summer of 1982 as “the most monumental non-nuclear explosion ever seen from space.”
The Aurora test of 2007. In 2007, Idaho National Laboratory ran an experiment called Aurora. The experiment simulated a cyber-attack, using a computer program to rapidly open and close a diesel generator’s circuit breakers so that the generator was out of phase with the rest of the electric grid. In a now-famous video, this remote attack caused a 2.25 megawatt diesel generator to bounce, shake, smoke, and eventually blow up. The entire process took less than three minutes, but researchers believe that a real cyber-attack could have destroyed the generator in less time. The experiment demonstrated that a knowledgeable cyber-adversary could cause massive disruption to the U.S. power grid. Furthermore, a generator like the one destroyed in this experiment could take months to build, ship, and replace, meaning that a cyber-attack like Aurora could have long-term national security implications.
The cyber-attacks on Estonia in 2007. In 2007, the Estonian government removed a Soviet-era statue, the Bronze Soldier of Tallinn, from the city center. This action was taken as an insult by Russian nationals within Estonia and by some members of the Russian cybersecurity community inside and outside the government. In April 2007, the small Baltic nation experienced a wave of devastating distributed denial-of-service (DDoS) attacks that disrupted the services of Estonian banks, broadcasters, ministries, newspapers, and parliament. The Estonian attacks are sometimes referred to as the first documented acts of cyberwar.
The cyber-theft of the F-35 Joint Strike Fighter and other military secrets. In 2015, NSA documents leaked by former contractor Edward Snowden revealed that cyber-attackers in China had obtained more than 50 terabytes of data from U.S. defense contractors and government networks. This data included detailed plans for the F-35 Joint Strike Fighter’s stealth radar and engine. By learning about these and other design points, Chinese defense companies were able to include similar designs and technologies in China’s new stealth jet, the J-20. This knowledge could also allow Chinese air defenses to target the F-35 in a future conflict.
The potential for a devastating cyber-attack on U.S. critical infrastructure has had Washington’s attention for a number of years. In 1998, Deputy Defense Secretary John Hamre cautioned the U.S. Congress about critical infrastructure protection (CIP) by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber-attack “… is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”
After taking office, President Obama stated:
“From now on, our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy, and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”
In 2012, Defense Secretary Leon Panetta echoed these earlier warnings, stating that the U.S. faced a potential “cyber Pearl Harbor” and was vulnerable to a growing number of foreign hackers who could disrupt U.S.-based power grids, transportation networks, financial systems, and the government itself. Finally, in February 2015, at a cybersecurity summit held at Stanford University, President Obama announced five priorities to strengthen the U.S. approach to cybersecurity threats:
1. Protecting the country’s critical infrastructure, our most important information systems, from cyber-threats.
2. Improving the country’s ability to identify and report cyber-incidents so that we can respond in a timely manner.
3. Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.
4. Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.
5. Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.
There is clear evidence that U.S. critical infrastructure faces a state of constant cyber-attack and that a successful breach could have devastating consequences. Are critical infrastructure organizations adequately prepared to defend themselves? Do they have the right controls and oversight in place for cyber supply chain security? Are government agencies providing critical infrastructure organizations with the right programs and support? This ESG research report is intended to explore the answers to these important questions.