Category Archives: supply chain

The Open Trusted Technology Provider™ Standard (O-TTPS) Approved as ISO/IEC International Standard

The Open Trusted Technology Provider™ Standard (O-TTPS), a Standard from The Open Group for Product Integrity and Supply Chain Security, Approved as ISO/IEC International Standard

Doing More to Secure IT Products and their Global Supply Chains

By Sally Long, The Open Group Trusted Technology Forum Director

As the Director of The Open Group Trusted Technology Forum, I am thrilled to share the news that The Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS) v 1.1 is approved as an ISO/IEC International Standard (ISO/IEC 20243:2015).

It is one of the first standards aimed at assuring both the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products and the security of their supply chains.

The standard defines a set of best practices for COTS ICT providers to use to mitigate the risk of maliciously tainted and counterfeit components from being incorporated into each phase of a product’s lifecycle. This encompasses design, sourcing, build, fulfilment, distribution, sustainment, and disposal. The best practices apply to in-house development, outsourced development and manufacturing, and to global supply chains.

The ISO/IEC standard will be published in the coming weeks. In advance of the ISO/IEC 20243 publication, The Open Group edition of the standard, technically identical to the ISO/IEC approved edition, is freely available here.

The standardization effort is the result of a collaboration in The Open Group Trusted Technology Provider Forum (OTTF), between government, third party evaluators and some of industry’s most mature and respected providers who came together as members and, over a period of five years, shared and built on their practices for integrity and security, including those used in-house and those used with their own supply chains. From these, they created a set of best practices that were standardized through The Open Group consensus review process as the O-TTPS. That was then submitted to the ISO/IEC JTC1 process for Publicly Available Specifications (PAS), where it was recently approved.

The Open Group has also developed an O-TTPS Accreditation Program to recognize Open Trusted Technology Providers who conform to the standard and adhere to best practices across their entire enterprise, within a specific product line or business unit, or within an individual product. Accreditation is applicable to all ICT providers in the chain: OEMS, integrators, hardware and software component suppliers, value-add distributors, and resellers.

While The Open Group assumes the role of the Accreditation Authority over the entire program, it also uses third-party assessors to assess conformance to the O-TTPS requirements. The Accreditation Program and the Assessment Procedures are publicly available here. The Open Group is also considering submitting the O-TTPS Assessment Procedures to the ISO/IEC JTC1 PAS process.

This international approval comes none-too-soon, given the global threat landscape continues to change dramatically, and cyber attacks – which have long targeted governments and big business – are growing in sophistication and prominence. We saw this most clearly with the Sony hack late last year. Despite successes using more longstanding hacking methods, maliciously intentioned cyber criminals are looking at new ways to cause damage and are increasingly looking at the technology supply chain as a potentially profitable avenue. In such a transitional environment, it is worth reviewing again why IT products and their supply chains are so vulnerable and what can be done to secure them in the face of numerous challenges.

Risk lies in complexity

Information Technology supply chains depend upon complex and interrelated networks of component suppliers across a wide range of global partners. Suppliers deliver parts to OEMS, or component integrators who build products from them, and in turn offer products to customers directly or to system integrators who integrate them with products from multiple providers at a customer site. This complexity leaves ample opportunity for malicious components to enter the supply chain and leave vulnerabilities that can potentially be exploited.

As a result, organizations now need assurances that they are buying from trusted technology providers who follow best practices every step of the way. This means that they not only follow secure development and engineering practices in-house while developing their own software and hardware pieces, but also that they are following best practices to secure their supply chains. Modern cyber criminals go through strenuous efforts to identify any sort of vulnerability that can be exploited for malicious gain and the supply chain is no different.

Untracked malicious behavior and counterfeit components

Tainted products introduced into the supply chain pose significant risk to organizations because altered products introduce the possibility of untracked malicious behavior. A compromised electrical component or piece of software that lies dormant and undetected within an organization could cause tremendous damage if activated externally. Customers, including governments are moving away from building their own high assurance and customized systems and moving toward the use of commercial off the shelf (COTS) information and communication technology (ICT), typically because they are better, cheaper and more reliable. But a maliciously tainted COTS ICT product, once connected or incorporated, poses a significant security threat. For example, it could allow unauthorized access to sensitive corporate data including intellectual property, or allow hackers to take control of the organization’s network. Perhaps the most concerning element of the whole scenario is the amount of damage that such destructive hardware or software could inflict on safety or mission critical systems.

Like maliciously tainted components, counterfeit products can also cause significant damage to customers and providers resulting in failed or inferior products, revenue and brand equity loss, and disclosure of intellectual property. Although fakes have plagued manufacturers and suppliers for many years, globalization has greatly increased the number of out-sourced components and the number of links in every supply chain, and with that comes increased risk of tainted or counterfeit parts making it into operational environments. Consider the consequences if a faulty component was to fail in a government, financial or safety critical system or if it was also maliciously tainted for the sole purpose of causing widespread catastrophic damage.

Global solution for a global problem – the relevance of international standards

One of the emerging challenges is the rise of local demands on IT providers related to cybersecurity and IT supply chains. Despite technology supply chains being global in nature, more and more local solutions are cropping up to address some of the issues mentioned earlier, resulting in multiple countries with different policies that included disparate and variable requirements related to cybersecurity and their supply chains. Some are competing local standards, but many are local solutions generated by governmental policies that dictate which country to buy from and which not to. The supply chain has become a nationally charged issue that requires the creation of a level playing field regardless of where your company is based. Competition should be based on the quality, integrity and security of your products and processes and not where the products were developed, manufactured, or assembled.

Having transparent criteria through global international standards like our recently approved O-TTPS standard (ISO/IEC 20243) and objective assessments like the O-TTPS Accreditation Program that help assure conformance to those standards is critical to both raise the bar on global suppliers and to provide equal opportunity (vendor-neutral and country-nuetral) for all constituents in the chain to reach that bar – regardless of locale.

The approval by ISO/IEC of this universal product integrity and supply chain security standard is an important next step in the continued battle to secure ICT products and protect the environments in which they operate. Suppliers should explore what they need to do to conform to the standard and buyers should consider encouraging conformance by requesting conformance to it in their RFPs. By adhering to relevant international standards and demonstrating conformance we will have a powerful tool for technology providers and component suppliers around the world to utilize in combating current and future cyber attacks on our critical infrastructure, our governments, our business enterprises and even on the COTS ICT that we have in our homes. This is truly a universal problem that we can begin to solve through adoption and adherence to international standards.

By Sally Long, OTTF DirectorSally Long is the Director of The Open Group Trusted Technology Forum (OTTF). She has managed customer supplier forums and collaborative development projects for over twenty years. She was the release engineering section manager for all multi-vendor collaborative technology development projects at The Open Software Foundation (OSF) in Cambridge Massachusetts. Following the merger of the OSF and X/Open under The Open Group, she served as director for multiple forums in The Open Group. Sally has a Bachelor of Science degree in Electrical Engineering from Northeastern University in Boston, Massachusetts.

Contact:  s.long@opengroup.org; @sallyannlong

Comments Off on The Open Trusted Technology Provider™ Standard (O-TTPS) Approved as ISO/IEC International Standard

Filed under Accreditations, Cybersecurity, OTTF, Standards, supply chain, Supply chain risk, The Open Group

Global Open Trusted Technology Provider™ Standard

By Sally Long, Forum Director, Open Trusted Technology Forum, The Open Group

A First Line of Defense in Protecting Critical Infrastructure – A Technical Solution that can Help Address a Geo-political Issue

The challenges associated with Cybersecurity and critical infrastructure, which include the security of global supply chains, are enormous. After working almost exclusively on supply chain security issues for the past 5 years, I am still amazed at the number of perspectives that need to be brought to bear on this issue.

Recently I had the opportunity to participate in a virtual panel sponsored by InfoSecurity Magazine entitled: “Protecting Critical Infrastructure: Developing a Framework to Mitigate Cybersecurity Risks and Build Resilience”. The session was recorded and the link can be found at the end of this blog.

The panelists were:

  • Jonathan Pollet, Founder, Executive Director Red Tiger Security
  • Ernie Hayden, Executive Consultant, Securicon LLC
  • Sean Paul McGurk, Global Managing Principal, Critical Infrastructure Protection Cybersecurity, Verizon
  • Sally Long, Director, The Open Group Trusted Technology Forum

One perspective I brought to the discussion was the importance of product integrity and the security of ICT global supply chains as a first line of defense to mitigate vulnerabilities that can lead to maliciously tainted and counterfeit products. This first line of defense must not be ignored when discussing how to prevent damage to critical infrastructure and the horrific consequences that can ensue.

The other perspective I highlighted was that securing global supply chains is both a technical and a global geo-political issue. And that addressing the technical perspective in a vendor-neutral and country-neutral manner can have a positive effect on diminishing the geo-political issues as well.

The technical perspective is driven by the simple fact that most everything has a global supply chain – virtually nothing is built from just one company or in just one country. In order for products to have integrity and their supply chains to be secure all constituents in the chain must follow best practices for security – both in-house and in their supply chains.

The related but separate geo-political perspective, driven by a desire to protect against malicious attackers and a lack of trust of/from nation-states, is pushing many countries to consider approaches that are disconcerting, to put it mildly. This is not just a US issue; every country is concerned about securing their critical infrastructures and their underlying supply chains. Unfortunately we are beginning to see attempts to address these global concerns through local solutions (i.e. country specific and disparate requirements that raise the toll on suppliers and could set up barriers to trade).

The point is that an international technical solution (e.g. a standard and accreditation program for all constituents in global supply chains), which all countries can adopt, helps address the geo-political issues by having a common standard and common conformance requirements, raising all boats on the river toward becoming trusted suppliers.

To illustrate the point, I provided some insight into a technical solution from The Open Group Trusted Technology Provider Forum. The Open Group announced the release of the Open Trusted Technology Provider™ Standard (O-TTPS) – Mitigating Maliciously Tainted and Counterfeit Products. A standard of best practices that addresses product integrity and supply chain security throughout a product’s life cycle (from design through disposal). In February 2014, The Open Group announced the O-TTPS Accreditation Program that enables a technology provider (e.g. integrator, OEM, hardware or software component supplier, or reseller) that conforms to the standard to be accredited – positioning them on the public accreditation registry so they can be identified as an Open Trusted Technology Provider™.

Establishing a global standard and accreditation program like the O-TTPS – a program which helps mitigate the risk of maliciously tainted and counterfeit products from being integrated into critical infrastructure – a program that is already available and is available to any technology provider in any country regardless if they are based in the US, China, Germany, India, Brazil, or in any other country in the world – is most certainly a step in the right direction.

For a varied set of perspectives and opinions from critical infrastructure and supply chain subject matter experts, you can view the recording at the following link. Please note that you may need to log in to the InfoSecurity website for access:

http://view6.workcast.net/?pak=1316915596199100&cpak=9135816490522516

To learn more about the Open Trusted Technology Provider Standard and Accreditation Program, please visit the OTTF site: http://www.opengroup.org/subjectareas/trusted-technology

Sally LongSally Long is the Director of The Open Group Trusted Technology Forum (OTTF). She has managed customer supplier forums and collaborative development projects for over twenty years. She was the release engineering section manager for all multi-vendor collaborative technology development projects at The Open Software Foundation (OSF) in Cambridge Massachusetts. Following the merger of the OSF and X/Open under The Open Group, she served as director for multiple forums in The Open Group. Sally has a Bachelor of Science degree in Electrical Engineering from Northeastern University in Boston, Massachusetts.

Contact:  s.long@opengroup.org; @sallyannlong

Comments Off on Global Open Trusted Technology Provider™ Standard

Filed under COTS, Cybersecurity, O-TTF, O-TTPS, OTTF, Security, Standards, supply chain, Supply chain risk, Uncategorized

How the Open Trusted Technology Provider Standard (O-TTPS) and Accreditation Will Help Lower Cyber Risk

By Andras Szakal, Vice President and Chief Technology Officer, IBM U.S. Federal

Changing business dynamics and enabling technologies

In 2008, IBM introduced the concept of a “Smarter Planet.” The Smarter Planet initiative focused, in part, on the evolution of globalization against the backdrop of changing business dynamics and enabling technologies. A key concept was the need for infrastructure to be tightly integrated, interconnected, and intelligent, thereby facilitating collaboration between people, government and businesses in order to meet the world’s growing appetite for data and automation. Since then, many industries and businesses have adopted this approach, including the ICT (information and communications technology) industries that support the global technology manufacturing supply chain.

Intelligent and interconnected critical systems

This transformation has infused technology into virtually all aspects of our lives, and involves, for example, government systems, the electric grid and healthcare. Most of these technological solutions are made up of hundreds or even thousands of components that are sourced from the growing global technology supply chain.
Intelligent and interconnected critical systems

In the global technology economy, no one technology vendor or integrator is able to always provide a single source solution. It is no longer cost competitive to design all of the electronic components, printed circuit boards, card assemblies, or other sub-assemblies in-house. Adapting to the changing market place and landscape by balancing response time and cost efficiency, in an expedient manner, drives a more wide-spread use of OEM (original equipment manufacturer) products.

As a result, most technology providers procure from a myriad of global component suppliers, who very often require similarly complex supply chains to source their components. Every enterprise has a supplier network, and each of their suppliers has a supply chain network, and these sub-tier suppliers have their own supply chain networks. The resultant technology supply chain is manifested into a network of integrated suppliers.

Increasingly, the critical systems of the planet — telecommunications, banking, energy and others — depend on and benefit from the intelligence and interconnectedness enabled by existing and emerging technologies. As evidence, one need only look to the increase in enterprise mobile applications and BYOD strategies to support corporate and government employees.

Cybersecurity by design: Addressing risk in a sustainable way across the ecosystem

Whether these systems are trusted by the societies they serve depends in part on whether the technologies incorporated into them are fit for the purpose they are intended to serve. Fit for purpose is manifested in two essential ways:

– Does the product meet essential functional requirements?
– Has the product or component been produced by trustworthy provider?

Of course, the leaders or owners of these systems have to do their part to achieve security and safety: e.g., to install, use and maintain technology appropriately, and to pay attention to people and process aspects such as insider threats. Cybersecurity considerations must be addressed in a sustainable way from the get-go, by design, and across the whole ecosystem — not after the fact, or in just one sector or another, or in reaction to crisis.

Assuring the quality and integrity of mission-critical technology

In addressing the broader cybersecurity challenge, however, buyers of mission-critical technology naturally seek reassurance as to the quality and integrity of the products they procure. In our view, the fundamentals of the institutional response to that need are similar to those that have worked in prior eras and in other industries — like food.

The very process of manufacturing technology is not immune to cyber-attack. The primary purpose of attacking the supply chain typically is motivated by monetary gain. The primary goals of a technology supply chain attack are intended to inflict massive economic damage in an effort to gain global economic advantage or as a way to seeding targets with malware that provides unfettered access for attackers.

It is for this reason that the global technology manufacturing industry must establish practices that mitigate this risk by increasing the cost barriers of launching such attacks and increasing the likelihood of being caught before the effects of such an attack are irreversible. As these threats evolve, the global ICT industry must deploy enhanced security through advanced automated cyber intelligence analysis. As critical infrastructure becomes more automated, integrated and essential to critical to functions, the technology supply chain that surrounds it must be considered a principle theme of the overall global security and risk mitigation strategy.

A global, agile, and scalable approach to supply chain security

Certainly, the manner in which technologies are invented, produced, and sold requires a global, agile, and scalable approach to supply chain assurance and is essential to achieve the desired results. Any technology supply chain security standard that hopes to be widely adopted must be flexible and country-agnostic. The very nature of the global supply chain (massively segmented and diverse) requires an approach that provides practicable guidance but avoids being overtly prescriptive. Such an approach would require the aggregation of industry practices that have been proven beneficial and effective at mitigating risk.

The OTTF (The Open Group Trusted Technology Forum) is an increasingly recognized and promising industry initiative to establish best practices to mitigate the risk of technology supply chain attack. Facilitated by The Open Group, a recognized international standards and certification body, the OTTF is working with governments and industry worldwide to create vendor-neutral open standards and best practices that can be implemented by anyone. Current membership includes a list of the most well-known technology vendors, integrators, and technology assessment laboratories.

The benefits of O-TTPS for governments and enterprises

IBM is currently a member of the OTTF and has been honored to hold the Chair for the last three years.  Governments and enterprises alike will benefit from the work of the OTTF. Technology purchasers can use the Open Trusted Technology Provider™ Standard (O-TTPS) and Framework best-practice recommendations to guide their strategies.

A wide range of technology vendors can use O-TTPS approaches to build security and integrity into their end-to-end supply chains. The first version of the O-TTPS is focused on mitigating the risk of maliciously tainted and counterfeit technology components or products. Note that a maliciously tainted product is one that has been produced by the provider and acquired through reputable channels but which has been tampered maliciously. A counterfeit product is produced other than by or for the provider, or is supplied by a non-reputable channel, and is represented as legitimate. The OTTF is currently working on a program that will accredit technology providers who conform to the O-TTPS. IBM expects to complete pilot testing of the program by 2014.

IBM has actively supported the formation of the OTTF and the development of the O-TTPS for several reasons. These include but are not limited to the following:

– The Forum was established within a trusted and respected international standards body – The Open Group.
– The Forum was founded, in part, through active participation by governments in a true public-private partnership in which government members actively participate.
– The OTTF membership includes some of the most mature and trusted commercial technology manufactures and vendors because a primary objective of the OTTF was harmonization with other standards groups such as ISO (International Organization for Standardization) and Common Criteria.

The O-TTPS defines a framework of organizational guidelines and best practices that enhance the security and integrity of COTS ICT. The first version of the O-TTPS is focused on mitigating certain risks of maliciously tainted and counterfeit products within the technology development / engineering lifecycle. These best practices are equally applicable for systems integrators; however, the standard is intended to primarily address the point of view of the technology manufacturer.

O-TTPS requirements

The O-TTPS requirements are divided into three categories:

1. Development / Engineering Process and Method
2. Secure Engineering Practices
3. Supply Chain Security Practices

The O-TTPS is intended to establish a normalized set of criteria against which a technology provider, component supplier, or integrator can be assessed. The standard is divided into categories that define best practices for engineering development practices, secure engineering, and supply chain security and integrity intended to mitigate the risk of maliciously tainted and counterfeit components.

The accreditation program

As part of the process for developing the accreditation criteria and policy, the OTTF established a pilot accreditation program. The purpose of the pilot was to take a handful of companies through the accreditation process and remediate any potential process or interpretation issues. IBM participated in the OTTP-S accreditation pilot to accredit a very significant segment of the software product portfolio; the Application Infrastructure Middleware Division (AIM) which includes the flagship WebSphere product line. The AIM pilot started in mid-2013 and completed in the first week of 2014 and was formally recognized as accredited in the fist week of February 2014.

IBM is currently leveraging the value of the O-TTPS and working to accredit additional development organizations. Some of the lessons learned during the IBM AIM initial O-TTPS accreditation include:

– Conducting a pre-assessment against the O-TTPS should be conducted by an organization before formally entering accreditation. This allows for remediation of any gaps and reduces potential assessment costs and project schedule.
– Starting with a segment of your development portfolio that has a mature secure engineering practices and processes. This helps an organization address accreditation requirements and facilitates interactions with the 3rd party lab.
– Using your first successful O-TTPS accreditation to create templates that will help drive data gathering and validate practices to establish a repeatable process as your organization undertakes additional accreditations.

andras-szakalAndras Szakal, VP and CTO, IBM U.S. Federal, is responsible for IBM’s industry solution technology strategy in support of the U.S. Federal customer. Andras was appointed IBM Distinguished Engineer and Director of IBM’s Federal Software Architecture team in 2005. He is an Open Group Distinguished Certified IT Architect, IBM Certified SOA Solution Designer and a Certified Secure Software Lifecycle Professional (CSSLP).  Andras holds undergraduate degrees in Biology and Computer Science and a Masters Degree in Computer Science from James Madison University. He has been a driving force behind IBM’s adoption of government IT standards as a member of the IBM Software Group Government Standards Strategy Team and the IBM Corporate Security Executive Board focused on secure development and cybersecurity. Andras represents the IBM Software Group on the Board of Directors of The Open Group and currently holds the Chair of the IT Architect Profession Certification Standard (ITAC). More recently, he was appointed chair of The Open Group Trusted Technology Forum and leads the development of The Open Trusted Technology Provider Framework.

1 Comment

Filed under Accreditations, Cybersecurity, government, O-TTF, O-TTPS, OTTF, RISK Management, Standards, supply chain, Supply chain risk