Copyright © The Open Group 2016
The Open Trusted Technology Provider™ Standard for Product Integrity and Supply Chain Security
A New ISO/IEC Standard and Accreditation Program for Product Integrity and Supply Chain Integrity
ICMC 2016, 18 May 2016
Introductions, Presentation Overview
• The Cybersecurity Risks of Taint and Counterfeit,
and the Supply Chain Challenge
• Context and Industry Response
• Standard and Accreditation Program
• What Next?
• Questions
Cybersecurity Risks of Taint and Counterfeit, and the Supply Chain Challenge
A Risk Based Problem
Product integrity and supply chain security for commercial-off-the-shelf (COTS) information and communication technology (ICT)
• COTS products are developed and used globally
• COTS products rely on components that are often globally sourced
• COTS products are integrated into Critical Infrastructure, Government systems and Commercial solutions
[Diagram: risks to COTS ICT]
• Counterfeit product
• Maliciously tainted
• Tainted
• Insiders
• Obsolescence
• Many others …
Technology Supply Chain Threat Matrix
[Diagram: threats by supply chain position (Upstream, Provider, Downstream), for Taint and for Counterfeit]
• Taint: Malware; Malicious code (masquerading as vulnerabilities); Unauthorized “Parts”; Unauthorized Configuration
• Counterfeit: Scrap/Substandard Parts; Unauthorized Production
Cybersecurity Risks from Tainted and Counterfeit Products/Components
• Maliciously tainted products can result in:
  • product failure, degraded performance, and weakened security mechanisms, allowing:
    • rogue functionality
    • critical damage
    • theft of intellectual property
• Counterfeit products can have several consequences:
  • A counterfeit may behave normally but also have nefarious functions
  • For customers, if the product fails at a critical point, it can affect productivity, revenue, and reputation
  • For providers, it can impact the revenue stream and damage brand and reputation
Addressing Cybersecurity Risk of your Technology Providers
• How do you know you are not purchasing a product that leaves your infrastructure vulnerable, that may have been maliciously compromised, or that is counterfeit?
• How do you establish trust with your providers of COTS ICT?
  • By their reputation?
  • By the strength of your business partnership?
  • By individually surveying each provider?
  • By testing every product for security yourself?
• How do you measure, assess and compare these characteristics?
The Supply Chain Challenge for ICT Providers
Product certification is not enough. Need assurance that best practices are followed through the product life cycle, including global supply chains.
Challenges:
• Need to secure Global Supply Chains
• Need a full life cycle approach
• Need a standard of best practices for all constituents in the chain
• Need accreditation to help assure conformance to the standard
• Need a public registry to identify trusted/accredited constituents
• Need customers to reward trusted/accredited constituents through procurement
“Build with Integrity – Buy with Confidence”
Context and Industry Response
Brief History
• U.S. Government concerns
  • Increased use of Commercial Off The Shelf (COTS) Information Communication Technology (ICT)
  • Need to confidently identify trusted COTS ICT products and providers
• U.S. Government-industry roundtable, 2009
  • Initiated by the U.S. Government’s Under Secretary of Defense
• U.S. Government recommendation
  • Establish consensus on best-of-breed practices based on industry experience to create a standard to which all providers can conform when building products
  • Establish a Brand to identify trusted technology providers throughout the supply chain who conform to the standard
• Industry Response
  • Members of The Open Group created the Trusted Technology Forum
  • Developed a Standard of best practices for product integrity and supply chain security
  • Developed and launched an accreditation program for OEMs, hardware and software component suppliers, value-add resellers and distributors who conform to the standard
  • Harmonize with other standards where appropriate
  • Submit to ISO for approval as an ISO/IEC standard
The Open Group Trusted Technology Forum
A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can “Build with Integrity and Buy with Confidence™”
Open Trusted Technology Provider™ Standard (O-TTPS), equivalent to ISO/IEC 20243
The first version of the O-TTPS addresses the most pressing threats:
• Maliciously Tainted Products
• Counterfeit Products
O-TTPS: Mitigating Maliciously Tainted and
Counterfeit Products
• Looks at process, not product
• Scope is flexible, from entire organization to one product
• Two areas of requirements
  • Technology Development: mostly under the provider’s in-house supervision
  • Supply Chain activities: mostly where the provider interacts with third parties who contribute their piece in the product’s life cycle
[Diagram: product life cycle phases Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal, grouped under Technology Development and Supply Chain]
O-TTPS applies to and mitigates threats across the product life cycle
O-TTPS: Technology Development
• Product Development/Engineering Requirements in:
  • Software/Firmware/Hardware Design Process
  • Development/Engineering Process and Practices
  • Configuration Management
  • Quality/Test Management
  • Product Sustainment Management
• Secure Development/Engineering Requirements in:
  • Threat Analysis and Mitigation
  • Run-time Protection Techniques
  • Vulnerability Analysis and Response
  • Product Patching and Remediation
  • Secure Engineering Practices
  • Monitor and assess the impact of changes in the threat landscape
O-TTPS: Supply Chain Activities
• Supply Chain Requirements in:
  • Risk Management
  • Physical Security
  • Access Controls
  • Employee and Supplier Security
  • Business Partner Security
  • Supply Chain Security Training
  • Information Systems Security
  • Trusted Technology Components
  • Secure Transmission and Handling
  • Open Source Handling
  • Counterfeit Mitigation
  • Malware Detection
The O-TTPS Accreditation Program
[Diagram: O-TTPS Accreditation/Certification Program]
• Standards Authority (OTTF): develops and maintains the Standard
• Accreditation Authority: awards accreditation
• O-TTPS Recognized 3rd Party Assessors: verify conformance
• Applicants (Component Suppliers, OEMs, Distributors, Integrators, Resellers): apply with a Warranty and a Scope of Accreditation; on success they are awarded accreditation as Open Trusted Technology Providers™
Accreditation Program Description
• The Applicant can be a Technology Provider, Component Supplier, Integrator, Distributor, or (Value-Add) Reseller
• The Applicant warrants and represents their conformance to requirements throughout their declared Scope of Accreditation; that is, they claim that they follow the best practices throughout the product life cycle, including supply chain cycles, for all of the products in their declared Scope
• Scope is up to the Applicant: a product, several products, a product line, an organization, etc.
• Warranty is backed by evidence of conformance and assessment of that evidence by 3rd Party Assessors
• The Open Group operates a vendor-neutral program and provides oversight and consistency across applications
• A successful Applicant gets a certificate and use of the Trademark and Logo
• The Open Group manages Trademark and Logo use, problem reporting and the appeals process
• The accreditation period is 3 years before required renewal
• The public O-TTPS accreditation program launched in December 2014; it is open to any organization, and membership is not required
Assessments by 3rd Party Labs
• Publicly Available Assessment Procedures
  • Help achieve objectivity, repeatability, and consistency across accreditations
  • Two types of requirements/evidence to be assessed: process and implementation
    • Process: evidence of documented processes
    • Implementation: evidence that the processes were followed
• Formal Recognition of O-TTPS 3rd party labs
  • Must meet established criteria, and assessors must pass the O-TTPS Assessor exam
  • Currently atsec, EWA-Canada and Booz Allen Hamilton
A Holistic Approach to Securing Global Supply Chains
[Diagram: alliance of roles around the Standards and Accreditation processes]
• Customer/Acquirer: demands the Accreditation certificate as evidence of conformance to Open Trusted Technology Provider™ standards
• Integrators, Distributors, Resellers: will seek business partners who meet Open Trusted Technology Provider™ requirements
• Original Equipment Manufacturers and Component Suppliers: will seek business partners who meet Open Trusted Technology Provider™ requirements
• Business Partners: may be hardware, software, global, open source (or not), across multiple supplier layers
• Standards Body: will seek ways of achieving market up-take and integrity of standards
• Accreditation Body: independent and vendor/technology-neutral; operates the Accreditation Process
What Next?
Global Outreach and Standards Harmonization
• Philosophy: Measure Once, Leverage Often
• Map between prominent standards and frameworks to create linkage
  • NIST Cybersecurity Framework
• Advocate international adoption of open standards rather than each nation reinventing their own
  • Examples:
    • Approval of O-TTPS as ISO/IEC 20243
    • Chinese translation of O-TTPS
The Open Group Trusted Technology Forum (OTTF) Roadmap Projects
[Table: roadmap by quarter, 4Q/2015 through 4Q/2016; stages listed per project]
• ISO PAS Submission, O-TTPS V1.1 (ISO/IEC 20243): Publish
• Simplified Chinese Translation of O-TTPS 1.1 (ISO/IEC 20243): Publish
• Prepare Published Assessment Procedures V1.1 for ISO Submission: Develop, Review, Review Request, ISO PAS, ISO Review
• O-TTPS Accreditation Program Update: Develop, Review, Review, Publish
• Simplified Chinese Translation of Accreditation Docs: Review, Review, Review, Publish
What You Can Do Now …
• Technology Providers (OEMs, component suppliers (HW or SW), Integrators, Value-add Resellers (VARs), Distributors):
  • Get prepared: go to http://ottps-accred.opengroup.org/home-public
  • Get accredited
  • Encourage your technology partners (Integrators, OEMs, VARs, Distributors, Component Suppliers) to get accredited
• Customers (government, commercial):
  • Make your Suppliers, Integrators and VARs aware of O-TTPS
  • Encourage them to learn about it, prepare and get accredited
  • Let them know their accreditation is a differentiator in procurement
• Customers, Technology Providers, Assessors:
  • Consider joining the OTTF (Forum) to evolve the standard and accreditation program in a way that meets your needs
Thank You!
For more information contact:
Mike Hickey, [email protected] or
Sally Long, [email protected]