Edna Conway is the Chief Security Strategist, Global Value Chain for Cisco and Vice-Chair of The Open Group Trusted Technology Forum.
Sally Long is the Director of the Trusted Technology Forum, The Open Group in San Francisco.
In a day and age where similar products from numerous vendors line store shelves, verifying goods and provided services before you buy has become second nature.
Take the pet food recall of 2007, for example, which was associated with contaminated dog and cat food and led to a Chinese export contamination investigation after concerns were raised about the impact it could have had on the human food supply chain. Other cases involved numerous recalls of children’s toys that did not meet national safety standards. And just as with any tangible product, online services and tools can also pose security threats that affect a consumer or a company. Look at the numerous cloud-based platforms that have spread across industries over the past several years in response to growing consumer demand. When shopping around for a hosted service or a product online, do you check the validity of the site before you click the “confirm” button at the time of purchase or agreement? Do you know where the goods came from and how they arrived at your door? Is their supply chain path vulnerable to disruption or threats?
Risks in almost any environment are inevitable. Thus, it is critical that proper procedures, secured infrastructures and industry standards are in place to prevent such threats and potential hazards from disrupting the global supply chain. To better assure the integrity of Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) products, The Open Group released a Snapshot preview of its Open Trusted Technology Provider Standard (O-TTPS).
Call to action
Developed by The Open Group Trusted Technology Forum (OTTF), one of the newest forums of The Open Group, an international vendor- and technology-neutral consortium devoted to creating standards and certification programs, the open standard for organizational best practices aims to enhance the security of the global supply chain and address the risk of tainted and counterfeit products. By giving suppliers, providers, integrators and acquirers of ICT a preview of the standard (version 1.0 is to be released in Q4 later this year), the OTTF hopes they can better understand the importance of adopting these best practice requirements and recommendations.
“The objective for the OTTF and the snapshot is to raise the bar around the world for providers and their component suppliers—the idea being that if they all follow these best practices and implement them in their organizations, it would raise the bar for securing their global supply chain,” said Sally Long, Director of the Trusted Technology Forum, The Open Group, San Francisco. The standard has been in development for the past nine months, and the need for it “initially started with the need for identifying trustworthy COTS products, raising such questions as: What’s in the source code? Who built it? What are the meaningful supply chain considerations? And from there, we realized the real problem was how do we assure the industry is using best practices in development and in securing their supply chains in order to consistently produce trustworthy COTS products?” Long confirmed.
Although most technology hardware and software products today could not exist without global development, the increase in sophistication of cyber attacks has forced technology suppliers and governments to take a more comprehensive approach to product integrity and supply chain security.
“Delivering innovative information and communications technology today simply must leverage a global supply chain,” explained Edna Conway, Chief Security Strategist, Global Value Chain, Cisco Systems Inc., San Jose, Calif. and Vice-Chair of the OTTF. “Given this global supply chain, any effort to comprehensively address the challenges of cyber and product integrity can no longer be focused on end-point security alone. The OTTF is applying a comprehensive end-to-end supply chain way of thinking about the integrity of information and communications technology.”
David Lounsbury, Chief Technology Officer of The Open Group agreed, adding that “technology buyers across the globe need assurance the products they source come from trusted technology suppliers and providers who have met set criteria for securing their supply chains.”
And while there are other standards affecting certain segments of the supply chain industry—including IPC standards for the electronics industry, which are accredited by the American National Standards Institute (ANSI), and PPAP standards for production part approval—the O-TTPS standard benefits a host of players across the industry.
“The uniqueness of this standard is its approach to identify best practices which serve the multiple players in the industry,” said Conway. “Suppliers, providers, integrators and acquirers will all benefit from knowledge and implementation of these practices which span the product lifecycle and supply chain stages of technology design, planning and ordering, sourcing, build, quality, delivery, sustainment and disposal/end of life management. Differentiation can be made based on understanding the degree to which we ourselves and our supply chains are implementing these best practices.”
The tainted and counterfeit risks identified in the standard pose significant threat to organizations because altered or non-genuine products introduce the possibility of untracked, malicious behavior or poor performance. Both product risks can damage customers and suppliers resulting in failed products, revenue and brand equity loss and disclosure of intellectual property.
“We have spoken with numerous government organizations and industry groups around the world and the reality of malware and substituted technology—which is the heart of the risk of tainted product—is something that everyone is concerned about,” confirmed Conway. “Governments are looking at nation-state concerns and are seeking to offer procurement guidance for ICT. Individual enterprises and industry sectors are equally concerned and often address concerns in an ad hoc rather than comprehensive way. A set of limited and integrated international standards will avoid balkanized ad hoc efforts by acquirers of ICT.”
“We wanted to issue a preview of the standard so we could show governments and organizations around the world that this standard can raise the bar for protecting against tainted and counterfeit products throughout the global supply chain,” Long added.
“One of the main drivers pushing the adoption for this standard is the global nature of technology,” Long continued. “Asking such large companies like IBM, Microsoft, HP and Oracle that they follow best practices is one thing. But because these threats are global, all governments and large commercial customers could benefit from taking an interest in this standard and encouraging all their suppliers to follow suit as well. Market adoption is being driven by the need for security throughout the entire global supply chain.”
One clear indicator of this need for supply chain security is the National Strategy for Global Supply Chain Security, initiated in January 2012 and released by the Department of Homeland Security, which focuses on two goals: “to promote the efficient and secure movement of goods; and foster a global supply chain system that is prepared for and can withstand evolving threats and hazards and recover rapidly from disruptions.”
“The global system relies upon an interconnected Web of transportation infrastructure and pathways, information technology, and cyber and energy networks,” said Janet Napolitano, Secretary, Department of Homeland Security. “While these interdependencies promote economic activity they also serve to propagate risk across a wide geographic area or industry that arises from a local or regional disruption.”
The O-TTPS Snapshot has been shaped by the following organizations: Apex Assurance, atsec Information Security, Boeing, Booz Allen Hamilton, CA Technologies, Carnegie Mellon SEI, Cisco, EMC, Fraunhofer SIT, Hewlett-Packard, IBM, IDA, Juniper Networks, Kingdee, Lockheed Martin, Microsoft, MITRE, Motorola Solutions, NASA, Oracle, Office of the Under Secretary of Defense for Acquisition, Technology and Logistics (OUSD AT&L), SAIC, Tata Consultancy Services, and the U.S. Department of Defense/CIO.
“The modern supply chain depends upon a complex and interrelated network involving the movement of goods, services, funds and information across a wide range of global participants, making it vulnerable to increasingly sophisticated cyber attacks and an ever increasing range of breaches and disruptions,” said Andras Szakal, Vice President and Chief Technology Officer, IBM U.S. Federal. “Standards like O-TTPS are critical in helping to ensure the integrity and security of data and giving customers peace of mind.”
Defining conformance criteria for an internal pilot accreditation against the standard is currently underway. In the next phase the standard goes through an approval process and, once published, will likely move into an accreditation program for global rollout.
“With the rapid changes in computing infrastructure and growing security threats our industry is facing, EMC has, from the beginning of this initiative, invested in the Trusted Technology Forum’s work to develop a practical standard that builds assurance for our global supply chains,” said Dan Reddy, Senior Consulting Product Manager, Product Security Office, EMC. “Global providers and governments everywhere must work together to leverage this common means to assure customers that the technology products they buy maintain integrity and reduce the risk to the customer’s operational environments. This Standard is an important milestone in that journey.”
“As a leading contract vehicle for the purchase of IT products by the Federal Government, the NASA Solutions for Enterprise-Wide Procurement (SEWP) Office is excited and encouraged by the progress made by the OTTF in this industry led effort to define and standardize the trustworthiness of supply chain management,” said Joanne Woytek, NASA SEWP Program Manager.
“Part of the OTTF’s commitment is to both evolve the O-TTPS standard and to leverage existing standards,” said Conway. “Over time, the standard will flexibly change to meet new challenges and embrace new technology innovation.”
Moreover, the OTTF is committed to liaising with other standards bodies such as ISO and the Common Criteria where applicable, and to pointing to those existing standards as evidence of ICT product integrity. The OTTF anticipates that other standards initiatives will point to its standard as well. Ultimately, the goal is to allow the COTS ICT provider community to make a single investment in product and organizational integrity practices and have multiple standards initiatives recognize that investment, while providing acquirers of the technology with continued assurance.