Managing Cybersecurity Threats

Transcription

1 Managing Cybersecurity Threats by engaging with Accredited Open Trusted Technology Providers - Organizations that conform to the Open Trusted Technology Provider Standard Mitigating Maliciously Tainted and Counterfeit Products (O- TTPS) Build with Integrity- Buy with Confidence Sally Long, Director, The Open Group Trusted Technology Forum s.long@opengroup.org 0

2 Presentation Overview q Background & Context: Brief overview of The Open Group and The Open Group Trusted Technology Forum (OTTF) q The Supply Chain Challenge as it applies to: COTS ICT Critical Infrastructure q Industry Response to the Challenge The Open Trusted Technology Provider Standard Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS) O-TTPS Accreditation Program q Current State of the OTTF: Milestones, Roadmap and Global Outreach Efforts q What You Can do Now 1

3 The Open Group Membership Argentina Australia Austria Belgium Brazil Canada China Colombia Czech Republic Denmark Finland France Germany Hong Kong India Italy Japan Luxembourg Malaysia Poland Qatar Russian Federation Saudi Arabia Singapore South Africa Over 40,000 participants from Spain Over 95 countries Sweden Over 500 memberships with Switzerland HQs in 40 countries from Taiwan 6 continents Turkey Mexico UK Netherlands United Arab Emirates New Zealand USA Norway 2

4 What Does The Open Group Do? q Membership & Events International & Regional Conferences Forums: ArchiMate Architecture, Enterprise Management Forum, IT4IT, Open Platform 3.0, Real-time & Embedded Systems, Security, Trusted Technology Forum, Platform Base Working Group q Standards and Certification - Over 25 years experience Voluntary consensus standards and certification programs through The Open Group Standards Process consistent with OMB Circular A-119 People & Organizations: ArchiMate, POSIX, TOGAF, UNIX, Open Trusted Technology Provider Professional: TOGAF, ArchiMate, Certified Architect (Open CA), Certified IT Specialist (Open CITS), Open FAIR Consortia: Hotel Technology Next Generation (HTNG), North American State and Provincial Lotteries (NASP)L, Near Field Communication Forum (NFC Forum) NFC Forum, UNIX, WAP, Architecture Tools Defense Standards: DirecNet, FACE 3

5 The Open Group CyberSecurity Activities Security Forum Real Time & Embedded Systems Forum Trusted Technology Forum Open Standards & Best Practices Security architecture Information security management Risk management standards, best practices, and certification Compliance & security automation MILS Open Standards Software assurance High assurance certification Dependability Supply Chain Security Standards, Best Practices Open Trusted Technology Provider TM (O-TTPS) (Standard) Addressing maliciously tainted and counterfeit products O-TTPS Accreditation Program 4

6 The Supply Chain Challenge and the OTTF Copyright (C) The Open Group 2014

7 The Open Group Trusted Technology Forum (OTTF) q Government-industry roundtable discussion in 2009 Initiated by DoD AT&L(SE), DoD-CIO and The Open Group q Government raised these issues Moving from high assurance customized solutions to Commercial Off The Shelf (COTS) Information Communication Technology (ICT) Need to confidently identify trusted COTS ICT products/providers q Government recommendation Establish consensus on best of breed best practices based on industry experience to create a standard that enables all providers to conform to those best practices when building products. Create an accreditation program brand that identifies trusted technology providers who conform to the standard q Response to the recommendation the OTTF Providers, integrators, government agencies, third party labs from around the globe responded to the recommendation 6

8 The Open Group Trusted Technology Forum A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can Build with Integrity and Buy with Confidence 7

9 The Supply Chain Challenge for COTS ICT Providers Product certification is not enough. Need assurance that best practices are followed through product life cycle including global supply chains. Governments Procure from an Accredited Open Trusted Technology Provider Consumers Service Providers Enterprises Challenges: Build with Integrity Buy with Confidence Need to secure our Global Supply Chains Need a full life cycle approach Need a standard of best practices for all constituents in the chain Need accreditation to help assure conformance to the standard Need public registry to identify trusted/accredited constituents Need customers to reward trusted/accredited constituents thru procurement 8

10 Technology Supply Chain Threat Matrix Taint Counterfeit Upstream Provider Downstream Upstream Provider Downstream Malware Malicious code (masquerading as vulnerabilities) Unauthorized Parts Unauthorized Configuration Scrap/ Substandard Parts Unauthorized Production 9

11 A Threat-Based Problem Global supply chain security for COTS products Commercial Off the Shelf Products are developed and used globally COTS products rely on components that are often globally sourced COTS products are integrated into Critical Infrastructure, Government systems and Commercial solutions THREATS Counterfeit product Maliciously tainted Tainted Insiders Obsolescence Many others 10

12 The product does what it s intended to do functionally & performs at the required performance levels Functional, & Quality Requirements for Products Functional, Quality, Security & Integrity Process Requirements for Operators Security Requirements for Products Security & Integrity Process Requirements for Providers The product meets certain security assurance levels based on requirements of the environment into which it s placed and the acceptable level of risk for that environment. 11

13 Operator organizations must ensure security and integrity of systems during operation. In addition operator organizations must have policies in place for each of the four categories: - all systems function & perform well - products comply with security reqs. - They buy from trusted providers. - Systems are secure during operation & recovery Functional, & Quality Requirements for Products Functional, Quality, Security & Integrity Process Requirements for Operations Security Requirements for Products Security & Integrity Process Requirements for Providers (O-TTPS) Integrators and providers who build IT products must follow best practices for security, integrity - design thru disposal (both inhouse and in their supply chains). Reduces risk of vulnerabilities (potential malware insertion sites), tainted & counterfeit components, before the products make it into the critical environment. 12

14 The O-TTPS The first version of the O-TTPS addresses the two threats that have been identified as the most pressing: Maliciously Tainted Counterfeit Products 13

15 O-TTPS Standard Mitigating Risks for Tainted and Counterfeit Products q q q A tainted product is produced by the provider and is acquired through reputable channels but has been tampered with maliciously. - Could result in: product failure, degraded performance, can enable malware insertion, weakened security mechanisms allowing rogue functionality and potentially critical damage enabled IP and Identity theft, damage to critical infrastructure operations which could lead to catastrophic results for citizens A counterfeit product is produced other than by or for the provider, or is supplied by other than a reputable channel, and is represented as legitimate. Could result in: For customers: if product fails at critical juncture loss of productivity, revenue For providers: loss of revenue stream and brand damage Double risk if counterfeit products are also tainted 14

16 O-TTPS: Mitigating Maliciously Tainted and Counterfeit Products q q q The Open Trusted Technology Provider TM Standard (O-TTPS) released in April, page document on requirements for organizational best practices The result of over 3 years of collaborative consensus-based effort Apply across product life cycle. Some highly correlated to threats of maliciously tainted and counterfeit products - others more foundational but considered essential Design Sourcing Build Fulfillment Distribution Sustainment Disposal Technology Development Supply Chain q 2 areas of requirements often overlap depending on product and provider: Technology Development - mostly under the provider s in-house supervision Supply Chain activities mostly where provider interacts with third parties who contribute their piece in the product s life cycle 15

17 O-TTPS: Technology Development q Product Development/Engineering Requirements in: Software/Firmware/Hardware Design Process Development/Engineering Process and Practices Configuration Management Quality/Test Management Product Sustainment Management q Secure Development/Engineering Requirements in: Threat Analysis and Mitigation Run-time Protection Techniques Vulnerability Analysis and Response Product Patching and Remediation Secure Engineering Practices Monitor and assess the impact of changes in the threat landscape 16

18 O-TTPS: Supply Chain Activities q Supply Chain Requirements In: Risk Management Physical Security Access Controls Employee and Supplier Security Business Partner Security Supply Chain Security Training Information Systems Security Trusted Technology Components Secure Transmission and Handling Open Source Handling Counterfeit Mitigation Malware Detection 17

19 OTTF Principles The OTTF is developing their standards and accreditation programs according to these principles: Practical and effective - Practitioner based, evidence that it works in the field Reasonable - Achievable and implementable by a wide variety of vendors and stakeholders Affordable - Reasonably cost effective to implement Open - Based on open standards and recognized industry best practices publically available to all Organizational/Process Based Accreditation - Flexible enough that an organization can choose their own scope of accreditation (product, product-line, entire organization) 18

20 The O-TTPS Accreditation Program Based on Warranty from Organization & Conformance Assessment Scope Flexible. Whole organization to one product Application Accreditation Authority: Program Operated by The Open Group Governance and Operation OTTF: develops and maintains Standard - Membership is open to all O-TTPS Accreditation Program Vendor neutral program: Accreditation Authority responsible for accreditation of 3 rd party assessors, appeals, certificates, logo-use, consistency Success! across accreditations Open Trusted Technology Providers Open to all Component Suppliers, Conformance Providers, Integrators, Distributors and Resellers O-TTPS Recognized 3 rd Party Assessors V e r i f i e s 19 Program logo used to support accreditation claims

21 Accreditation Program Description q q q q q q q q q The Applicant can be a Technology Provider, Component Supplier, Integrator, Distributor (Value-Add), Reseller The Applicant warrants and represents their conformance to requirements throughout their declared Scope of Accreditation that is they claim that they follow the best practices through out the product life-cycle, including supply chain cycles for all of the products in their declared Scope Scope up to Applicant: product, product(s), product-line, organization, etc. Warranty backed by evidence of conformance and assessment of evidence by 3 rd Party Assessors The Open Group will operate vendor-neutral program, provide oversight and consistency across applications Successful Applicant gets certificate and use of Trademark and Logo The Open Group manages Trademark and Logo use, problem reporting and appeals process. The accreditation period is 3 years before required renewal Launch of a public O-TTPS accreditation program December 2014 open to any organization don t need to be a member 20

22

23

24 Assessments by 3 rd Party Labs q Publically Available Assessment Procedures Help achieve objectivity, repeatability, and consistency across accreditations Geared specifically to: Providers, Component Suppliers, Integrators and Value Add Distributors, and Resellers (Non-Value Add) q Two types of requirements/evidence to be assessed: process and implementation Process Need evidence there are documented processes Implementation Need evidence that processes were implemented q Formal Recognition of O-TTPS 3 rd party labs q Must meet established criteria and assessors must pass O- TTPS Assessor exam. q Receive certificates and listed on public registry 23

25 O-TTPS Recognized Assessors atsec information security corporation EWA Canada Booz Allen Hamilton (BAH) 24

26 O-TTPS Recognized Assessor Requirements Recognized Assessor Company Accepted standards: ISO/IEC 17020: 2012: Conformity Assessment Requirements for the operation of various types of bodies performing inspection, ISO/IEC 17021:2011: Conformity Assessment Requirements for bodies providing audit and certification of management systems, ISO/IEC 17025:2005: General requirements for the competence of testing and calibration laboratories The Open Group Program relies on existing compliance with industry norms using standards commonly specified for information assurance (IA) assessor companies and process assessors Competent assessors Accepted qualifications: Lead auditor ISO/IEC ISO 9001 CMMI-DEV appraisers ISO/IEC or Common Criteria evaluator (with experience in evaluating lifecycle assurance requirements) ISO/IEC or FIPS tester with experience in testing the process requirements of that standard 25

27 O-TTPS Recognized Assessor Requirements Recognized Assessor Company Has established a process for performing O-TTPS accreditations in accordance with its own established management system requirements and The Open Group Assessment Procedures The Open Group Program builds on existing standards assuring that Subject Matter Expertise is established in the assessor companies Competent assessors Have sufficient skills in: Supply chain management terminology and techniques Technical knowledge of O-TTPS Attributes & the assessment program Have successfully completed the O-TTPS Assessor Exam 26

28 OTTF Milestones and Time Frames Q1 Q2 Early Industry Collaboration Q3 Forum Launched Framework White Paper Published Q4` Q1 Q2 Q3 Standard Development: Snapshot => Publish V 1.0 Define Conformance Criteria, Conduct Pilot Program Define & Approve O-TTPS Accreditation Program Q4` Q1 Q2 Q3 Q4` Q1 O-TTPS v. 1.0 published April 2013 Q2 Q3 Q4` Q1 Q2 Q3 Q4` Conducted Pilot of the O-TTPS Accreditation Feb 3, 2014 Announce: 1. Public Launch of Accreditation Program 2. First Accredited Open Trusted Technology Provider 3. First two O- TTPS Recognized Assessor Labs Implement and Launch Public O-TTPS Accreditation Program 27

29 The Open Group Trusted Technology Forum (OTTF) Roadmap Items 4Q2014 1Q2015 2Q2015 3Q2015 4Q2015 ISO PAS Submission - Open Trusted Technology Provider Standard (O-TTPS) V 1.1 ISO Review ISO Ballot If Approved work with ISO to Publish O-TTPS 1.1. Translation (Simplified Chinese) Review Review Publish O-TTPS Assessment Procedures Revisions Review V1.1 Publish V1.1 Consider ISO PAS Develop V1.2 Review V1.2 28

30 The OTTF Roadmap (continued) Items O-TTPS Mapping to other standards: 4Q2014 1Q2015 2Q2015 3Q2015 4Q2015 Map to: Common Criteria (CC) & NIST Cybersecurity Framework (NCF) Develop Review Publish O-TTPS 2.0 Develop Develop 29

31 OTTF Additional Publications Publications Type Date O-TTPS Recognized Assessor Program: Update Training Materials and Assessor Exam Training Materials for Accreditation Applicants & Market Adoption Materials for Customers O-TTPS Mapping Table(s): Update and Provide Additional Mappings O-TTPS Accreditation Program: Update Supporting Documents Accreditation Q2/15 Accreditation Q2/15 Accreditation Q3/15 Accreditation Q3/15 30

32 Outreach & Harmonization q Approach Communicate the facts GAO Report: mentions O-TTPS as one of the two most cited supply chain standards efforts in their report References to O-TTPS in NIST SP-161 draft NASA RFP recommendation included O-TTPS in (SEWP V 2013) Expect customers to begin demanding O-TTPS compliance Mapping to NIST Cybersecurity Framework Leverage opportunities to inform stakeholders Conference speaking engagements Concentrate on the strength of our content Mapping our content to other standards Use public sources and social media Develop demand among the broad community through the value proposition not regulation Focus on priorities 31

33 Offers Holistic Approach to Securing Global Supply Chains Customer/Acquirer Demands Accreditation certificate as evidence of conformance to Open Trusted Technology Provider standards Integrator, Distributors, Resellers Will seek business partners who meet Open Trusted Technology Provider requirements Business Partners Standards Process Standards Body Will seek ways of achieving market up-take/ integrity of standards Alliance Accreditation Component Suppliers May be hardware, software, global, open source - or not - multiple supplier layers Business Partners Provider Will seek business partners who meet Open Trusted Technology Provider requirements Process Accreditation/ Accreditation Body Must be independent & vendor/technology-neutral

34 What You Can Do Now. q Technology Providers (OEM S, component suppliers (HW or SW), Integrators, Value-add Resellers (VARs), Distributors: Get prepared: Go to Download the documents and read them everything is publically available learn what s required, and what you need to demonstrate conformance. Improve the integrity and the security of your processes. Get accredited Encourage your technology partners (Integrators, OEMs, VARs, Distributors, Component Suppliers) to get accredited. q Customers (government, commercial): Make your Suppliers, Integrators, VARs aware of O-TTPS. Encourage them to learn about it, prepare and get accredited. Let them know their accreditation is a differentiator in procurement. q Customers, Technology Providers, Assessors: Consider joining the OTTF (Forum) to evolve the standard and accreditation program in a way that meets your needs. 33

35 Resources q The Open Group Trusted Technology Forum (OTTF) q The OTTF Information Sheet Handout q The O-TTPS (Standard) Version 1.1 q The Open Group represents OTTF at Congress q OTTF Vendor Testimonials q The O-TTPS Accreditation Website q OTTF Podcast (Dana Gander with: Brickman, Lipner, Lounsbury, and Szakal) q Press Release Feb 3, 2014 Launch of the O-TTPS Accreditation Program q The Open Group 34

36 Thank You! For more information contact: Mike Hickey or Sally Long Copyright (C) The Open Group 2014