Page 1 HUAWEI TECHNOLOGIES CO., LTD.
Assessing and Addressing Enterprise and Cyber Supply Chain Risk
November 6, 2017 · www.huawei.com
Andy Purdy, CSO, Huawei Technologies · [email protected]
Page 2
INTRODUCTION
• Understand and address cyber and privacy risks, including those coming from 3rd parties.
• Commitment and governance.
• Enterprise-wide risk management.
• Clear requirements and strong internal compliance and accountability.
• Buyers of ICT should leverage their purchasing power.
• Continuous improvement!
Page 3
Huawei – A Global Company Facing the Challenges of Enterprise & Supply Chain Risk
Secure products, solutions and services
• A leading global ICT solutions provider and Fortune Global 500 company
• Operations in 170 countries; 150,000 employees, 73% recruited locally
• $74.5 B revenue in 2016; serving 45 of the world's top 50 operators
• Global R&D: 70,000+ employees in R&D; 15 R&D centers; 25 Joint Innovation Centers
• Global Supply
• Global Service
Page 4
Huawei's Global Supply Network
[Map figure. Legend: Supply Center, Regional Hub, Reverse Center, Local EMS. Locations shown: China (Chengdu, Beijing, Shanghai), Mexico, Brazil, Hungary, Netherlands, Dubai (United Arab Emirates), India, and a Panama hub marked "TBD / under feasibility".]
• China: delivery for the globe
• Europe: delivery for West Europe and North Africa
• Mexico: delivery for North America and Latin America
• Brazil: delivery for South Latin America
• India: delivery for India
• The Brazil, Mexico, India and Hungary supply centers work with local partners to do manufacturing and make delivery.
Material sourcing: US 32% (the largest material source); ROC, Japan and Korea 28% (components); Europe 10%; Mainland China 30% (cable, battery, mechanical parts, cabinet etc.).
Page 6
Enterprise and Supply Chain Risk: Organizational Success Factors for Assurance
• Organization-wide commitment, clear governance, and accountability.
• Enterprise-wide risk management.
• Requirements for consistent, repeatable processes.
• Separation of duties and robust verification.
• Openness and transparency.
• Continuous improvement.
Page 7
Assessing and Managing Risk: The NIST Cybersecurity Framework (CSF)
• A risk-analytic tool with a set of standards, methodologies, procedures, and processes aligning policy, business, and technological approaches to address cyber risks.
• A prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
• Identifies areas for improvement.
• Consistent with voluntary international standards.
Courtesy of NIST: https://www.nist.gov/file/354081
Page 8
Assessing and Managing Risk: The NIST CSF – Risk Management Properties
Courtesy of NIST: https://www.nist.gov/file/354081
Page 9
Assessing and Managing Risk: The NIST CSF – Implementation Tiers
Courtesy of NIST: https://www.nist.gov/file/354081
Tiers: 1 Partial | 2 Risk Informed | 3 Repeatable | 4 Adaptive
Each Tier is characterized along three dimensions:
• Risk Management Process: the functionality and repeatability of cybersecurity risk management.
• Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions.
• External Participation: the degree to which the organization benefits from sharing or receiving information with outside parties.
Page 10
Assessing and Managing Risk: The NIST CSF – Framework Component: The Core
Courtesy of NIST: https://www.nist.gov/file/354081
Function   Question the Function answers
Identify   What processes and assets need protection?
Protect    What safeguards are available?
Detect     What techniques can identify incidents?
Respond    What techniques can contain impacts of incidents?
Recover    What techniques can restore capabilities?
Page 11
Assessing and Managing Risk: The NIST CSF – Framework Component: The Core
Courtesy of NIST: https://www.nist.gov/file/354081
Function   Category                                        ID
Identify   Asset Management                                ID.AM
           Business Environment                            ID.BE
           Governance                                      ID.GV
           Risk Assessment                                 ID.RA
           Risk Management Strategy                        ID.RM
Protect    Access Control                                  PR.AC
           Awareness and Training                          PR.AT
           Data Security                                   PR.DS
           Information Protection Processes & Procedures   PR.IP
           Maintenance                                     PR.MA
           Protective Technology                           PR.PT
Page 12 (the Core, continued)
Detect     Anomalies and Events                            DE.AE
           Security Continuous Monitoring                  DE.CM
           Detection Processes                             DE.DP
Respond    Response Planning                               RS.RP
           Communications                                  RS.CO
           Analysis                                        RS.AN
           Mitigation                                      RS.MI
           Improvements                                    RS.IM
Recover    Recovery Planning                               RC.RP
           Improvements                                    RC.IM
           Communications                                  RC.CO
Page 13 (slides 13 to 15 build up the same table step by step; it is shown once here)
The NIST CSF – Subcategories/Informative References
Courtesy of NIST: https://www.nist.gov/file/354081
Drill-down from the Core table above: Function Identify → Category Business Environment (ID.BE) → its Subcategories, each with the Informative References that map it to existing standards.
Subcategory                                                                                         Informative References
ID.BE-1: The organization's role in the supply chain is identified and communicated                 COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated   COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated   COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-4: Dependencies and critical functions for delivery of critical services are established      ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established           COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Page 16
Assessing and Managing Risk: The NIST CSF – Risk Profile
Courtesy of NIST: https://www.nist.gov/file/354081
What is a Risk Profile?
• A customization of the Core for a given sector, subsector, or organization.
• A fusion of business/mission logic and cybersecurity outcomes.
• An alignment of cybersecurity requirements with operational methodologies.
• A basis for assessment and for expressing the target state.
• A decision support tool for cybersecurity risk management.
[Figure: the Profile spans the five Core Functions: Identify, Protect, Detect, Respond, Recover]
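As an added illustration of what a Profile is in practice (example code written for this page, not NIST's or Huawei's tooling): a Target Profile is the Core with a desired outcome level attached to each category or subcategory, a Current Profile is the same structure scored as things stand, and the difference between them is the prioritized gap list that feeds risk management decisions. The Core categories, the ID.BE subcategories and their Informative References below are the ones listed on the slides; the 0-4 score scale that reuses the Tier names, the sample scores, the weights and the prioritization rule are assumptions of this example.

```python
"""Worked example (added here, not from the slides): a NIST CSF Current Profile
and Target Profile over the Core, and the gap between them.

Functions, Category IDs, the ID.BE subcategories and their Informative
References come from the slides. The 0-4 scale (reusing the Tier names), the
sample scores, the weights and the priority rule are assumptions of this
example, not NIST's or Huawei's method.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# 1-4 reuse the Tier names from the slides; 0 means the outcome is not addressed.
SCALE = {0: "Not addressed", 1: "Partial", 2: "Risk Informed",
         3: "Repeatable", 4: "Adaptive"}

# Function name for each two-letter Core prefix (from the slides).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# ID.BE subcategories and their Informative References, as listed on the slides.
REFERENCES = {
    "ID.BE-1": "COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; "
               "ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12",
    "ID.BE-2": "COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8",
    "ID.BE-3": "COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; "
               "NIST SP 800-53 Rev. 4 PM-11, SA-14",
    "ID.BE-4": "ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; "
               "NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14",
    "ID.BE-5": "COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; "
               "NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14",
}


@dataclass
class Profile:
    """A Profile maps Core outcome IDs (category or subcategory) to a 0-4 score."""
    name: str
    scores: dict = field(default_factory=dict)

    def score(self, outcome):
        return self.scores.get(outcome, 0)

    def by_function(self):
        """Mean score per Function, rounded to one decimal."""
        per_function = defaultdict(list)
        for outcome, s in self.scores.items():
            per_function[FUNCTIONS[outcome[:2]]].append(s)
        return {fn: round(sum(v) / len(v), 1) for fn, v in per_function.items()}


def gap_analysis(current, target, weights=None):
    """Outcomes where current < target, as (id, have, want, priority).

    priority = (want - have) * weight (assumed rule); highest first, ties by id.
    """
    weights = weights or {}
    gaps = [(o, current.score(o), want, (want - current.score(o)) * weights.get(o, 1))
            for o, want in target.scores.items() if current.score(o) < want]
    return sorted(gaps, key=lambda g: (-g[3], g[0]))


def gap_report(gaps):
    """Readable lines, with the Informative References to consult where known."""
    lines = []
    for o, have, want, prio in gaps:
        line = f"{o}: {SCALE[have]} -> {SCALE[want]} (priority {prio})"
        if o in REFERENCES:
            line += f"; see {REFERENCES[o]}"
        lines.append(line)
    return lines


# Constructed sample profiles for a buyer whose supply-chain role matters most.
TARGET = Profile("Target", {"ID.BE-1": 3, "ID.BE-2": 2, "ID.BE-3": 3, "ID.BE-4": 3,
                            "ID.BE-5": 3, "PR.AC": 3, "DE.CM": 3, "RS.RP": 2, "RC.RP": 2})
CURRENT = Profile("Current", {"ID.BE-1": 1, "ID.BE-2": 2, "ID.BE-3": 2, "ID.BE-4": 1,
                              "ID.BE-5": 2, "PR.AC": 3, "DE.CM": 1, "RS.RP": 2, "RC.RP": 1})
WEIGHTS = {"ID.BE-1": 2, "ID.BE-4": 2}  # supply-chain role and dependencies weigh double

if __name__ == "__main__":
    print("Current by Function:", CURRENT.by_function())
    print("Target by Function: ", TARGET.by_function())
    for line in gap_report(gap_analysis(CURRENT, TARGET, WEIGHTS)):
        print(line)
```

Running it prints the per-Function means and the prioritized gap list; the weighted ID.BE-1 and ID.BE-4 gaps come out on top, ahead of a larger but unweighted gap in DE.CM, which is the kind of business-driven ordering the slide means by "a fusion of business/mission logic and cybersecurity outcomes".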
Page 17
NIST Cybersecurity Framework – NIST: Conformity Assessment – Information and Confidence
• Conformity assessment systems provide critical business-to-business and business-to-consumer information.
• The rigor of conformity assessment systems can provide confidence and inform risk management. Supporting activities include:
  o testing
  o inspection
  o supplier's declaration
  o certification
  o accreditation
• Authorities and regulators may rely on effective conformity assessment to support their missions.
Page 18
Cyber threats in technology development and global supply chains
Courtesy of The Open Group
[Matrix figure, axes labelled Stakeholders and Main Threats: the main threats (rows) against two product conditions, Tainted and Counterfeit, each split into Upstream and Downstream supply chain stages (columns). Checkmarks mark which threat applies in which cell; the column placement of the checkmarks is not recoverable from the transcript.]
Main threats: Malware (marked in three of the four cells); Unauthorized "parts" (three); Unauthorized configuration (one); Scrap/sub-standard parts (one); Unauthorized production (two); Intentional damage (two).
Security properties at stake: Integrity, Availability, Traceability, Confidentiality, Authenticity.
Page 19
Supplier Management Model
Eight Elements of Supplier Management: TQRDCESS
1. Technology
2. Quality
3. Response
4. Delivery
5. Cost
6. Environment
7. CSR
8. Cyber security: policy, baseline, process, agreement, training, test, emergency response
Description: Technology, Quality, Response, Delivery, Cost, Environment, CSR, and Cyber Security. Security is integrated into the procurement business processes, including procurement cyber security policies, baseline, and process criteria.
CSR: corporate social responsibility. TCO: total cost of ownership.
Page 20
Supply Chain Cyber Security Baseline Management
[Cycle figure labelled "Baseline Mgmt."] Identify risks → Develop baselines → Integrate into processes → Check the implementation → Improve continuously.
Page 21
Framework of SCM Cyber Security Baselines
Properties protected: Integrity, Authenticity, Traceability.
• Physical security: prevent tampering and the implanting of logic by preventing unauthorized physical access.
• Software delivery security: ensure software integrity by end-to-end prevention of unauthorized physical access and by technical verification methods.
• Organization, process and awareness: establish baselines based on risk analysis and embed the baselines into the daily operation of processes.
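One concrete form of the "technical verification methods" named under software delivery security, as an added example (this is written for this page and is not Huawei's delivery tooling): a buyer-side check of a delivered software package against a supplier manifest of SHA-256 digests. The package contents, the manifest and the pinned digest are constructed for the example; the trust anchor is assumed to be a manifest digest obtained out of band, standing in for the digital signature over the manifest that a real delivery process would use.

```python
"""Added example (not Huawei's tooling): verifying a delivered software package
against a supplier manifest of SHA-256 digests.

Model: the supplier ships 'digest  path' lines for every file; the buyer holds
a trust anchor for the manifest obtained out of band (here a pinned manifest
digest; a real process would verify a signature on the manifest instead).
The package contents below are constructed for this example.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> bytes:
    """Supplier side: canonical 'digest  path' lines, sorted by path."""
    return "".join(f"{sha256_hex(files[p])}  {p}\n" for p in sorted(files)).encode()


def parse_manifest(manifest: bytes) -> dict:
    entries = {}
    for line in manifest.decode().splitlines():
        digest, _, path = line.partition("  ")
        if len(digest) != 64 or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[path] = digest
    return entries


def verify_delivery(files: dict, manifest: bytes, pinned_manifest_digest: str):
    """Buyer side. Returns (ok, findings).

    1. The manifest must match the out-of-band anchor before anything else:
       whoever can alter files in transit can usually alter an unauthenticated
       list of digests too.
    2. Every listed file must be present with the listed digest.
    3. Files present but not listed are reported: an unauthorized addition is
       as much a supply-chain taint as a modification.
    """
    if not hmac.compare_digest(sha256_hex(manifest), pinned_manifest_digest):
        return False, ["manifest does not match the pinned digest; stop"]
    expected = parse_manifest(manifest)
    findings = []
    for path, digest in expected.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), digest):
            findings.append(f"modified: {path}")
    for path in sorted(set(files) - set(expected)):
        findings.append(f"unexpected: {path}")
    return not findings, findings


# Constructed sample delivery: path -> file bytes (stand-ins for real binaries).
GOOD = {
    "bin/agent": b"\x7fELF...agent-v1.2",
    "etc/agent.conf": b"log_level=info\n",
    "lib/tls.so": b"\x7fELF...tls",
}
MANIFEST = build_manifest(GOOD)
PINNED = sha256_hex(MANIFEST)  # in reality obtained out of band, not from the shipment


def tampered_delivery() -> dict:
    """Same package with one file altered and one file added in transit."""
    d = dict(GOOD)
    d["etc/agent.conf"] = b"log_level=info\nupdate_url=http://198.51.100.7/\n"
    d["lib/helper.so"] = b"\x7fELF...extra"
    return d


if __name__ == "__main__":
    print(verify_delivery(GOOD, MANIFEST, PINNED))
    print(verify_delivery(tampered_delivery(), MANIFEST, PINNED))
    # A forged manifest that "blesses" the tampered files still fails on the anchor.
    forged = build_manifest(tampered_delivery())
    print(verify_delivery(tampered_delivery(), forged, PINNED))
```

The order of the checks is the point: a manifest that travels with the package and is not anchored to something the buyer already trusts verifies nothing, since the third case above (tampered files plus a matching forged manifest) would pass every per-file comparison. Constant-time comparison is used out of habit for digest checks; the real defence here is the out-of-band anchor, and in a production process that anchor is a signature whose public key the buyer obtained through the supplier agreement, not through the delivery channel.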
Page 22
The Open Group Trusted Technology Forum
A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can "Build with Integrity and Buy with Confidence™".
Page 23
The Open Trusted Technology Forum: Why Huawei Joined the OTTF
• A common view of the challenges:
  • Need to secure our technology development and global supply chains
  • Need to develop and agree on risk-informed, objective standards and best practices for all constituents
  • Need a full lifecycle approach
  • Need certification to help assure conformance to the standard
  • Need a public registry to identify trusted/certified providers
  • Need customers to reward trusted/certified providers through procurement
Page 24
Trusted Technology Provider Standard: Mitigating Risk of Malicious Taint and Counterfeit Products
• Two areas of requirements:
  › Technology Development: mostly under the provider's in-house supervision
  › Supply Chain activities: mostly where the provider interacts with third parties who contribute their piece of the product's life cycle
• Published as ISO/IEC 20243. Applies across the product life cycle.
• The result of a 3-year collaborative, consensus-based effort.
• Some requirements are highly correlated to the threats of maliciously tainted and counterfeit products; others are more foundational but considered essential.
[Life-cycle figure spanning the two areas, Technology Development and Supply Chain: Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal]
Page 25
The O-TTPS Accreditation Program: Independent Evaluation of Conformance
• Provides structure and discipline to a set of benchmarks
• Requires independent confirmation of conformance based on evidence
• Identifies necessary processes for technology development and supply chain
Page 26
EastWest Institute (EWI) Buyers Guide for ICT: Use Purchasing Power to Lower Cyber Risk
• Led by Huawei, Microsoft, and The Open Group, the Guide helps buyers develop purchasing requirements for what to ask of, or require from, their providers.
• “Enterprise Security Governance”
• “The Product and Service Lifecycle – from Design through Sustainment and Response”
https://www.eastwest.ngo/sites/default/files/EWI_BuyersGuide.pdf
Page 27
CONCLUSION AND SUMMARY
• Responsible organizations, providers and users alike, should address security and privacy risk as part of enterprise-wide risk management.
• Consider the risk from 3rd party providers of products and services, including the risk of counterfeit and maliciously tainted products.
• Providers need recognized standards and agreed-upon mechanisms to establish trust.
• Buyers of ICT need risk-based security requirements, and should use their collective purchasing power to incentivize assurance.