Copyright © The Open Group 2016

The Open Trusted Technology Provider™ Standard for Product Integrity and Supply Chain Security

A New ISO/IEC Standard and Accreditation Program for Product Integrity and Supply Chain Integrity

ICMC 2016, 18 May 2016

Introductions, Presentation Overview

• The Cybersecurity Risks of Taint and Counterfeit, and the Supply Chain Challenge
• Context and Industry Response
• Standard and Accreditation Program
• What Next?
• Questions

Cybersecurity Risks of Taint and Counterfeit, and the Supply Chain Challenge

A Risk Based Problem

Product integrity and supply chain security for commercial-off-the-shelf (COTS) information and communication technology (ICT)

• COTS products are developed and used globally
• COTS products rely on components that are often globally sourced
• COTS products are integrated into Critical Infrastructure, Government systems and Commercial solutions

Risks (figure): Counterfeit product, Maliciously tainted, Tainted Insiders, Obsolescence, Many others …

Technology Supply Chain Threat Matrix

Figure: threats are classified as Taint or Counterfeit and located at the Upstream, Provider, or Downstream stage of the supply chain. Threats shown:

• Malware
• Malicious code (masquerading as vulnerabilities)
• Unauthorized “Parts”
• Unauthorized Configuration
• Scrap/Substandard Parts
• Unauthorized Production

Cybersecurity Risks from Tainted and Counterfeit Products/Components

• Maliciously tainted products can result in:
  • product failure, degraded performance, and weakened security mechanisms, allowing:
    • rogue functionality
    • critical damage
    • theft of intellectual property.
• Counterfeit products can have several consequences:
  • They may behave normally but also have nefarious functions.
  • For customers, if the product fails at a critical point, it can affect productivity, revenue, and reputation.
  • For providers, it can impact the revenue stream and damage brand and reputation.

Addressing Cybersecurity Risk of your Technology Providers

• How do you know you are not purchasing a product that leaves your infrastructure vulnerable because it has been maliciously compromised or is counterfeit?
• How do you establish trust with your providers of COTS ICT?
  • By their reputation?
  • By the strength of your business partnership?
  • By individually surveying each provider?
  • By testing every product for security yourself?
• How do you measure / assess / compare these characteristics?

The Supply Chain Challenge for ICT Providers

Product certification is not enough. Providers need assurance that best practices are followed throughout the product life cycle, including global supply chains.

Challenges:

• Need to secure Global Supply Chains
• Need a full life cycle approach
• Need a standard of best practices for all constituents in the chain
• Need accreditation to help assure conformance to the standard
• Need a public registry to identify trusted/accredited constituents
• Need customers to reward trusted/accredited constituents through procurement

“Build with Integrity – Buy with Confidence”

Context and Industry Response

Brief History

• U.S. Government concerns
  • Increased use of Commercial Off The Shelf (COTS) Information Communication Technology (ICT)
  • Need to confidently identify trusted COTS ICT products & providers
• U.S. Government-industry roundtable, 2009
  • Initiated by the U.S. Government’s Under Secretary of Defense
• U.S. Government recommendation
  • Establish consensus on best-of-breed practices based on industry experience to create a standard to which all providers can conform when building products
  • Establish a brand to identify trusted technology providers throughout the supply chain who conform to the standard
• Industry Response
  • Members of The Open Group created the Trusted Technology Forum
  • Developed a standard of best practices for product integrity and supply chain security
  • Developed and launched an accreditation program for OEMs, hardware and software component suppliers, value-add resellers and distributors who conform to the standard
  • Harmonize with other standards where appropriate
  • Submit to ISO for approval as an ISO/IEC standard

The Open Group Trusted Technology Forum

A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can “Build with Integrity and Buy with Confidence™”

Open Trusted Technology Provider™ Standard <=> ISO/IEC 20243

The first version of the O-TTPS addresses the most pressing threats:

• Maliciously Tainted Products
• Counterfeit Products

O-TTPS: Mitigating Maliciously Tainted and Counterfeit Products

• Looks at process, not product
• Scope is flexible, from entire organization to one product
• Two areas of requirements
  • Technology Development – mostly under the provider’s in-house supervision
  • Supply Chain activities – mostly where the provider interacts with third parties who contribute their piece in the product’s life cycle

Product life cycle (figure): Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal. Technology Development and Supply Chain requirements span these phases; O-TTPS applies to and mitigates threats across the product life cycle.

O-TTPS: Technology Development

• Product Development/Engineering Requirements in:
  • Software/Firmware/Hardware Design Process
  • Development/Engineering Process and Practices
  • Configuration Management
  • Quality/Test Management
  • Product Sustainment Management
• Secure Development/Engineering Requirements in:
  • Threat Analysis and Mitigation
  • Run-time Protection Techniques
  • Vulnerability Analysis and Response
  • Product Patching and Remediation
  • Secure Engineering Practices
  • Monitor and assess the impact of changes in the threat landscape

O-TTPS: Supply Chain Activities

• Supply Chain Requirements in:
  • Risk Management
  • Physical Security
  • Access Controls
  • Employee and Supplier Security
  • Business Partner Security
  • Supply Chain Security Training
  • Information Systems Security
  • Trusted Technology Components
  • Secure Transmission and Handling
  • Open Source Handling
  • Counterfeit Mitigation
  • Malware Detection

The O-TTPS Accreditation Program

O-TTPS Accreditation/Certification Program (figure):

• Standards Authority (OTTF): develops and maintains the Standard
• Accreditation Authority: awards accreditation
• O-TTPS Recognized 3rd Party Assessors: verify conformance
• Applicant (Component Suppliers, OEMs, Distributors, Integrators, Resellers): applies with a Warranty and a Scope of Accreditation, and on award becomes an Open Trusted Technology Provider™

Accreditation Program Description

• The Applicant can be a Technology Provider, Component Supplier, Integrator, Distributor, or (Value-Add) Reseller
• The Applicant warrants and represents their conformance to requirements throughout their declared Scope of Accreditation – that is, they claim that they follow the best practices throughout the product life cycle, including supply chain cycles, for all of the products in their declared Scope
• Scope is up to the Applicant: a product, several products, a product line, the organization, etc.
• Warranty is backed by evidence of conformance and assessment of that evidence by 3rd Party Assessors
• The Open Group operates a vendor-neutral program and provides oversight and consistency across applications
• A successful Applicant gets a certificate and use of the Trademark and Logo
• The Open Group manages Trademark and Logo use, problem reporting and the appeals process
• The accreditation period is 3 years before required renewal
• Launch of a public O-TTPS accreditation program in December 2014 – open to any organization – membership not required

Assessments by 3rd Party Labs

• Publicly Available Assessment Procedures
  • Help achieve objectivity, repeatability, and consistency across accreditations
  • Two types of requirements/evidence to be assessed: process and implementation
    • Process – Evidence of documented processes
    • Implementation – Evidence that processes were followed
• Formal Recognition of O-TTPS 3rd party labs
  • Must meet established criteria, and assessors must pass the O-TTPS Assessor exam
  • Currently @tsec, EWA-Canada & Booz Allen Hamilton

Alliance: A Holistic Approach to Securing Global Supply Chains

Figure, roles in the alliance:

• Customer/Acquirer: demands the accreditation certificate as evidence of conformance to Open Trusted Technology Provider™ standards
• Integrators, Distributors, Resellers: will seek business partners who meet Open Trusted Technology Provider™ requirements
• Original Equipment Manufacturers and Component Suppliers: will seek business partners who meet Open Trusted Technology Provider™ requirements
• Business Partners: may be hardware, software, global, open source – or not – with multiple supplier layers
• Standards Body: will seek ways of achieving market up-take / integrity of standards
• Accreditation Body: independent & vendor/technology-neutral, runs the accreditation process

What Next?

Global Outreach and Standards Harmonization

• Philosophy: Measure Once, Leverage Often
• Map between prominent standards and frameworks to create linkage
  • NIST Cybersecurity Framework
• Advocate international adoption of open standards rather than each nation reinventing its own
  • Examples:
    • Approval of O-TTPS as ISO/IEC 20243
    • Chinese translation of O-TTPS

The Open Group Trusted Technology Forum (OTTF) Roadmap Projects

Roadmap (figure), 4Q/2015 through 4Q/2016; each project’s stages are listed in order:

• ISO PAS Submission – O-TTPS V 1.1 (ISO/IEC 20243): Publish
• Simplified Chinese Translation of O-TTPS 1.1 (ISO/IEC 20243): Publish
• Prepare Published Assessment Procedures V 1.1 for ISO Submission: Develop, Review, Review, Request ISO PAS, ISO Review
• O-TTPS Accreditation Program Update: Develop, Review, Review, Publish
• Simplified Chinese Translation of Accreditation Docs: Review, Review, Review, Publish

What You Can Do Now …

• Technology Providers (OEMs, component suppliers (HW or SW), Integrators, Value-add Resellers (VARs), Distributors):
  • Get prepared: go to http://ottps-accred.opengroup.org/home-public
  • Get accredited
  • Encourage your technology partners (Integrators, OEMs, VARs, Distributors, Component Suppliers) to get accredited.
• Customers (government, commercial):
  • Make your Suppliers, Integrators, VARs aware of O-TTPS.
  • Encourage them to learn about it, prepare and get accredited.
  • Let them know their accreditation is a differentiator in procurement.
• Customers, Technology Providers, Assessors:
  • Consider joining the OTTF (Forum) to evolve the standard and accreditation program in a way that meets your needs.

Copyright (C) The Open Group 2015

Thank You!

For more information contact:
Mike Hickey, [email protected] or
Sally Long, [email protected]