Assessing and Addressing Enterprise and Cyber Supply Chain Risk

Transcript of a slide deck.

Page 1 HUAWEI TECHNOLOGIES CO., LTD.

Assessing and Addressing Enterprise and Cyber Supply Chain Risk

November 6 2017 www.huawei.com

Andy Purdy, CSO, Huawei Technologies USA, [email protected]


Page 2

INTRODUCTION

• Understand and address cyber and privacy risks, including from 3rd parties.
• Commitment and governance.
• Enterprise-wide risk management.
• Clear requirements and strong internal compliance and accountability.
• Buyers of ICT should leverage their purchasing power.
• Continuous improvement!


Page 3

Huawei – A Global Company Facing the Challenges of Enterprise & Supply Chain Risk

Secure products, solutions and services

• A leading global ICT solutions, Fortune Global 500 company
• Operations in 170 countries, 150,000 employees, 73% recruited locally
• $74.5 B revenue in 2016
• Serving 45 of the world's top 50 operators
• Global R&D: 70,000+ employees in R&D; 15 R&D centers; 25 Joint Innovation Centers
• Global Supply
• Global Service


Page 4

Huawei's Global Supply Network

(Map slide. Legend: Supply Center, Regional Hub, Reverse Center, Local EMS.)

Supply centers and their delivery scope:
• China: delivery for the globe (Chengdu, Beijing and Shanghai are marked on the map)
• Europe (Hungary): delivery for West Europe & North Africa
• Mexico: delivery for North America & Latin America
• Brazil: delivery for South Latin America
• India: delivery for India

Other locations marked: Netherlands, Dubai (United Arab Emirates), Panama (HUB TBD; regional hub under feasibility).

Brazil, Mexico, India and Hungary supply centers work with local partners to do manufacturing and make delivery.

Material sources: US 32% (the largest material source); ROC, Japan & Korea 28% (components); Europe 10%; Mainland China 30% (cable, battery, mechanical parts, cabinet etc.).


Page 6

Enterprise and Supply Chain Risk
Organizational Success Factors for Assurance

• Organization-wide commitment, clear governance, and accountability.
• Enterprise-wide risk management.
• Requirements for consistent, repeatable processes.
• Separation of duties and robust verification.
• Openness and transparency.
• Continuous improvement.


Page 7

Assessing and Managing Risk
The NIST Cybersecurity Framework (CSF)

• A risk-analytic tool with a set of standards, methodologies, procedures, and processes aligning policy, business, and technological approaches to address cyber risks.
• Prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
• Identifies areas for improvement.
• Consistent with voluntary international standards.

Courtesy of NIST: https://www.nist.gov/file/354081


Page 8

Assessing and Managing Risk
The NIST CSF – Risk Management Properties

(Figure only.) Courtesy of NIST: https://www.nist.gov/file/354081


Page 9

Assessing and Managing Risk
The NIST CSF – Implementation Tiers

Courtesy of NIST: https://www.nist.gov/file/354081

Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive

Each tier is characterized along three dimensions:

Risk Management Process: the functionality and repeatability of cybersecurity risk management.

Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions.

External Participation: the degree to which the organization benefits by sharing or receiving information from outside parties.


Page 10

Assessing and Managing Risk
The NIST CSF – Framework Component: The Core

Courtesy of NIST: https://www.nist.gov/file/354081

Function   Question the Function answers
Identify   What processes and assets need protection?
Protect    What safeguards are available?
Detect     What techniques can identify incidents?
Respond    What techniques can contain impacts of incidents?
Recover    What techniques can restore capabilities?


Page 11

Assessing and Managing Risk
The NIST CSF – Framework Component: The Core

Courtesy of NIST: https://www.nist.gov/file/354081

Function   Category                                        ID
Identify   Asset Management                                ID.AM
Identify   Business Environment                            ID.BE
Identify   Governance                                      ID.GV
Identify   Risk Assessment                                 ID.RA
Identify   Risk Management Strategy                        ID.RM
Protect    Access Control                                  PR.AC
Protect    Awareness and Training                          PR.AT
Protect    Data Security                                   PR.DS
Protect    Information Protection Processes & Procedures   PR.IP
Protect    Maintenance                                     PR.MA
Protect    Protective Technology                           PR.PT


Page 12

Assessing and Managing Risk
The NIST CSF – Framework Component: The Core (continued)

Courtesy of NIST: https://www.nist.gov/file/354081

Function   Category                          ID
Detect     Anomalies and Events              DE.AE
Detect     Security Continuous Monitoring    DE.CM
Detect     Detection Processes               DE.DP
Respond    Response Planning                 RS.RP
Respond    Communications                    RS.CO
Respond    Analysis                          RS.AN
Respond    Mitigation                        RS.MI
Respond    Improvements                      RS.IM
Recover    Recovery Planning                 RC.RP
Recover    Improvements                      RC.IM
Recover    Communications                    RC.CO


Page 13

The NIST CSF – The Core: Subcategories and Informative References

Courtesy of NIST: https://www.nist.gov/file/354081

The slide repeats the Function / Category / ID table of pages 11 and 12 and expands the Business Environment category (ID.BE) into its subcategories:

Subcategory, followed by its Informative References

ID.BE-1: The organization's role in the supply chain is identified and communicated
    COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
    ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
    NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
    COBIT 5 APO02.06, APO03.01
    NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
    COBIT 5 APO02.01, APO02.06, APO03.01
    ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
    NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
    ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
    NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established
    COBIT 5 DSS04.02
    ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
    NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14


Page 14

The NIST CSF – The Core: Subcategories and Informative References

Courtesy of NIST: https://www.nist.gov/file/354081

The slide zooms in on the Identify function (categories Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy) and shows the same ID.BE-1 to ID.BE-5 subcategories and informative references as on page 13.


Page 15

The NIST CSF – Subcategories/Informative References

Courtesy of NIST: https://www.nist.gov/file/354081

Function: Identify. Category: Business Environment (ID.BE).

The slide zooms in further on subcategories ID.BE-1 (the organization's role in the supply chain is identified and communicated), ID.BE-2 (the organization's place in critical infrastructure and its industry sector is identified and communicated) and ID.BE-3 (priorities for organizational mission, objectives, and activities are established and communicated), with the same informative references as listed on page 13.


Page 16

Assessing and Managing Risk
The NIST CSF – Risk Profile

Courtesy of NIST: https://www.nist.gov/file/354081

What is a Risk Profile?
• A customization of the Core for a given sector, subsector, or organization.
• A fusion of business/mission logic and cybersecurity outcomes.
• An alignment of cybersecurity requirements with operational methodologies.
• A basis for assessment and expressing target state.
• A decision support tool for cybersecurity risk management.

(Figure: the five Functions Identify, Protect, Detect, Respond, Recover.)
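The Profile is described above as a basis for assessment and for expressing target state; the usual way to operationalize that is a gap analysis between a current profile and a target profile. The Go program below is an added example written for this transcript, not code from the slides, from NIST or from Huawei. It scores each Core outcome on the 1 to 4 Implementation Tier scale from page 9, reports the shortfalls largest first, and rolls them up per Function. The outcome IDs are the ones on the preceding slides; the tier values, the use of category IDs as outcomes where the slides list no subcategory, and scoring individual outcomes on the Tier scale at all (the Framework applies Tiers to the organization as a whole) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Tier is a NIST CSF Implementation Tier: 1 Partial, 2 Risk Informed,
// 3 Repeatable, 4 Adaptive (the scale from page 9).
type Tier int

const (
	Partial      Tier = 1
	RiskInformed Tier = 2
	Repeatable   Tier = 3
	Adaptive     Tier = 4
)

// Outcome is one Core outcome with the tier the organization currently
// achieves for it (current profile) and the tier it requires (target profile).
// Scoring each outcome on the tier scale is an assumption of this example.
type Outcome struct {
	ID       string // e.g. ID.BE-1
	Function string // Identify, Protect, Detect, Respond or Recover
	Current  Tier
	Target   Tier
}

// Gap is an outcome whose current tier falls short of its target.
type Gap struct {
	ID        string
	Function  string
	Shortfall int // target minus current, in tiers
}

// GapAnalysis compares current against target and returns the gaps largest
// first (ties by ID): the prioritized improvement list a Profile is meant to drive.
func GapAnalysis(profile []Outcome) []Gap {
	var gaps []Gap
	for _, o := range profile {
		if o.Current < o.Target {
			gaps = append(gaps, Gap{o.ID, o.Function, int(o.Target - o.Current)})
		}
	}
	sort.Slice(gaps, func(i, j int) bool {
		if gaps[i].Shortfall != gaps[j].Shortfall {
			return gaps[i].Shortfall > gaps[j].Shortfall
		}
		return gaps[i].ID < gaps[j].ID
	})
	return gaps
}

// FunctionSummary totals the shortfall per Function so the result can be
// reported at the Identify/Protect/Detect/Respond/Recover level.
func FunctionSummary(gaps []Gap) map[string]int {
	summary := map[string]int{}
	for _, g := range gaps {
		summary[g.Function] += g.Shortfall
	}
	return summary
}

// SampleProfile is constructed for this example: the ID.BE subcategories from
// the slides plus one category from each other Function. A real profile scores
// every subcategory; the tier values here are invented.
func SampleProfile() []Outcome {
	return []Outcome{
		{"ID.BE-1", "Identify", Partial, Repeatable},
		{"ID.BE-2", "Identify", Repeatable, Repeatable},
		{"ID.BE-4", "Identify", RiskInformed, Repeatable},
		{"ID.BE-5", "Identify", RiskInformed, Adaptive},
		{"PR.DS", "Protect", Repeatable, Repeatable},
		{"DE.CM", "Detect", Partial, Repeatable},
		{"RS.MI", "Respond", RiskInformed, RiskInformed},
		{"RC.RP", "Recover", Partial, RiskInformed},
	}
}

func main() {
	gaps := GapAnalysis(SampleProfile())
	for _, g := range gaps {
		fmt.Printf("%-8s %-9s short by %d tier(s)\n", g.ID, g.Function, g.Shortfall)
	}
	fmt.Println("per Function:", FunctionSummary(gaps))
}
```

With the sample data the three outcomes two tiers short (DE.CM, ID.BE-1, ID.BE-5) come out ahead of the two one tier short (ID.BE-4, RC.RP), and the per-Function roll-up puts Identify at 5, Detect at 2 and Recover at 1, which is the form in which a target-state gap is usually presented to leadership.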


Page 17

NIST Cybersecurity Framework
NIST: Conformity Assessment – Information and Confidence

• Conformity assessment systems provide critical business-to-business and business-to-consumer information.
• The rigor of conformity assessment systems can provide confidence and inform risk management. Supporting activities include:
  o testing
  o inspection
  o supplier's declaration
  o certification
  o accreditation
• Authorities and regulators may rely on effective conformity assessment to support their missions.


Page 18

Cyber threats in technology development and global supply chains

Courtesy of The Open Group

Table of main threats (rows, under a "Stakeholders / Main Threats" header) against two product conditions, Tainted and Counterfeit, each split into Upstream and Downstream columns. The security properties named alongside the table are Integrity, Availability, Traceability, Confidentiality and Authenticity.

Main Threats                  Check marks recovered from the slide
Malware                       three of the four cells
Unauthorized "Parts"          three of the four cells
Unauthorized Configuration    none recovered
Scrap/Sub-standard Parts      none recovered
Unauthorized Production       two of the four cells
Intentional Damage            two of the four cells

(Which of the Tainted/Counterfeit and Upstream/Downstream columns each check mark sits in cannot be recovered from the extracted slide.)


Page 19

Supplier Management Model

Eight Elements of Supplier Management: TQRDCESS
1. Technology
2. Quality
3. Response
4. Delivery
5. Cost
6. Environment
7. CSR
8. Cyber security: policy, baseline, process, agreement, training, test, emergency response

Description: Technology, Quality, Response, Delivery, Cost, Environment, CSR, and Cyber Security. Security is integrated into the procurement business processes, including procurement cyber security policies, baseline, and process criteria.

CSR: customer satisfaction representative. TCO: total cost of ownership.


Page 20

Supply Chain Cyber Security Baseline Management

Baseline management cycle (figure):
1. Identify risks
2. Develop baselines
3. Integrate into processes
4. Check the implementation
5. Improve continuously (and return to step 1)


Page 21

Framework of SCM Cyber Security Baselines

Properties the baselines protect: Integrity, Authenticity, Traceability.

Physical security: prevent tampering and implanting in logic by preventing unauthorized physical access.

Software delivery security: ensure SW integrity by E2E prevention of unauthorized physical access and technical verification methods.

Organization, process and awareness: establish baselines based on risk analysis and embed baselines into daily operation of processes.
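The software delivery security layer above calls for technical verification of software integrity end to end. The Go program below is an added example of one such verification method, written for this transcript; it is not code from the slides or from Huawei's processes. The build site hashes every artifact into a manifest and signs it with an Ed25519 key that never leaves that site; the delivery endpoint, holding only the public key, checks the signature before trusting the manifest and then checks every artifact against it, rejecting modified, missing and unlisted files. File names and contents are constructed for the example, and the key pair is generated in-process, whereas in practice the private key would live in an HSM or signing service at the build site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ManifestText hashes every artifact and renders the manifest as sorted
// "<sha256 hex>  <name>" lines, so the bytes that get signed are reproducible.
func ManifestText(files map[string][]byte) []byte {
	var lines []string
	for name, data := range files {
		sum := sha256.Sum256(data)
		lines = append(lines, hex.EncodeToString(sum[:])+"  "+name)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// ParseManifest reads that text back into name -> digest, rejecting malformed lines.
func ParseManifest(text []byte) (map[string][32]byte, error) {
	m := map[string][32]byte{}
	for _, line := range strings.Split(strings.TrimSpace(string(text)), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		raw, err := hex.DecodeString(parts[0])
		if len(parts) != 2 || err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		var d [32]byte
		copy(d[:], raw)
		m[parts[1]] = d
	}
	return m, nil
}

// Release is what moves through the supply chain: signed manifest, signature, artifacts.
type Release struct {
	ManifestText, Signature []byte
	Files                   map[string][]byte
}

// Build runs at the build site, the only place the signing key exists.
func Build(priv ed25519.PrivateKey, files map[string][]byte) Release {
	text := ManifestText(files)
	return Release{ManifestText: text, Signature: ed25519.Sign(priv, text), Files: files}
}

// Verify runs at the delivery endpoint with only the public key: check the signature
// before trusting anything in the manifest, then require every listed artifact to be
// present and match, and nothing unlisted to be present.
func Verify(pub ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pub, r.ManifestText, r.Signature) {
		return errors.New("manifest signature invalid")
	}
	want, err := ParseManifest(r.ManifestText)
	if err != nil {
		return err
	}
	for name, digest := range want {
		if data, ok := r.Files[name]; !ok {
			return fmt.Errorf("%s: in manifest but not delivered", name)
		} else if sha256.Sum256(data) != digest {
			return fmt.Errorf("%s: digest mismatch", name)
		}
	}
	for name := range r.Files {
		if _, ok := want[name]; !ok {
			return fmt.Errorf("%s: delivered but not in signed manifest", name)
		}
	}
	return nil
}

// Scenario builds a constructed two-file release and verifies four deliveries: intact;
// firmware modified in transit; an extra file injected; manifest rewritten to match the
// modified firmware but not re-signed. Only the intact delivery should pass.
func Scenario() (intact, tampered, extra, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	fw, cfg := []byte("constructed firmware image v1.0"), []byte("<config/>")
	rel := Build(priv, map[string][]byte{"firmware.bin": fw, "config.xml": cfg})
	intact = Verify(pub, rel)
	t := rel // same signed manifest, different delivered files
	t.Files = map[string][]byte{"firmware.bin": []byte("v1.0 + implant"), "config.xml": cfg}
	tampered = Verify(pub, t)
	extra = Verify(pub, Release{rel.ManifestText, rel.Signature, map[string][]byte{"firmware.bin": fw, "config.xml": cfg, "debug.sh": []byte("#!/bin/sh")}})
	t.ManifestText = ManifestText(t.Files) // old signature no longer covers it
	forged = Verify(pub, t)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Checking the signature before reading the manifest is what makes the forged case fail: an attacker who can alter both the firmware and the manifest in transit still cannot produce a valid signature without the build site's private key. The unlisted-file check closes the remaining gap, where a correctly signed release is delivered together with something the manifest never covered.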


Page 22

The Open Group Trusted Technology Forum

A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can "Build with Integrity and Buy with Confidence™"


Page 23

The Open Trusted Technology Forum
Why Huawei Joined the OTTF

• A Common View of the Challenges:
  • Need to secure our Technology Development and Global Supply Chains
  • Need to develop and agree on risk-informed, objective standards and best practices for all constituents
  • Need a full lifecycle approach
  • Need certification to help assure conformance to the standard
  • Need a public registry to identify trusted/certified providers
  • Need customers to reward trusted/certified providers through procurement


Page 24

Trusted Technology Provider Standard
Mitigating Risk of Malicious Taint and Counterfeit Products

• Two areas of requirements:
  › Technology Development: mostly under the provider's in-house supervision.
  › Supply Chain activities: mostly where the provider interacts with third parties who contribute their piece in the product's life cycle.
• ISO/IEC 20243. Applies across the product life cycle.
• Result of a 3-year collaborative, consensus-based effort.
• Some requirements are highly correlated to threats of maliciously tainted and counterfeit products; others are more foundational but considered essential.

Life cycle phases shown, spanning Technology Development and Supply Chain: Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal.


Page 25

The O-TTPS Accreditation Program
Independent Evaluation of Conformance

• Provides structure and discipline to a set of benchmarks
• Requires independent confirmation of conformance based on evidence
• Identifies necessary processes for technology development and supply chain


Page 26

EastWest Institute (EWI) Buyers Guide for ICT
Use Purchasing Power to Lower Cyber Risk

• Led by Huawei, Microsoft, and The Open Group, the Guide helps buyers develop purchasing requirements for what to ask of, or require from, their providers.
• "Enterprise Security Governance"
• "The Product and Service Lifecycle – from Design through Sustainment and Response"

https://www.eastwest.ngo/sites/default/files/EWI_BuyersGuide.pdf


Page 27

CONCLUSION AND SUMMARY

• Responsible organizations, providers and users alike, should address security and privacy risk as part of enterprise-wide risk management.
• Consider the risk from 3rd party providers of products and services, including the risk of counterfeit and maliciously tainted products.
• Providers need recognized standards and agreed-upon mechanisms to establish trust.
• Buyers of ICT need risk-based security requirements, and should use their collective purchasing power to incentivize assurance.


Page 28

Thank you.

Andy Purdy, [email protected]