It is Time to Get Serious About Addressing Cyber Supply Chain Risk
Andy Purdy, Esq., CISSP, CIPP/US
CSO, Huawei Technologies USA
Vice Chair, Open Group Trusted Technology Forum
December 1, 2016
Page 2 HUAWEI TECHNOLOGIES CO., LTD.
Increasing Cyber Security Threats
Concerns and challenges faced by users, owners and operators:
• Security assurance capability
• Malicious attacks to steal confidential information
• Application network security issues
• Security challenges of new technologies (NFV, SDN, etc.)

Protecting users' private data from leakage, enhancing the security defense capability of equipment, and the security challenges of new technologies are the issues that most concern customers.
Contents
• About Huawei
• Threats in technology development and global supply chains – counterfeit and malicious taint
• Internal governance success factors
• The NIST Cybersecurity Framework – a risk analytic tool
• Using economics to lower risk – the EastWest Institute Buyers Guide for ICT
• The Open Trusted Technology Provider Standard – processes that warrant trust
• Independent evaluation of conformance – the O-TTPS Accreditation Program
• Huawei's approach
• Conclusion
Secure products, solutions and services

• Huawei is a global organization serving over a third of the planet's population
• A leading global ICT solutions provider and Fortune Global 500 company
• Operations in 170 countries; 170,000 employees, 73% recruited locally
• $60+ B revenue in 2016; serving 45 of the world's top 50 operators
• 70,000 employees in R&D; 15 R&D centers; 25 Joint Innovation Centers

[Diagram: Global R&D, Global Supply and Global Service across IT Solutions, Networks and Devices, serving the Enterprise Market, Telecom Carriers and the Consumer Market]
Huawei Global Supply Network
[Map: sites in Mexico, Brazil, China (Beijing, Shanghai, Chengdu), Hungary, the Netherlands, Dubai, India and Panama (hub TBD), marked as supply centers, regional hubs, a reverse center, and one regional hub under feasibility study]

Material sourcing: US 32% (the largest material source); Taiwan, Japan & Korea 28% (components); Europe 10%; Mainland China 30% (cable, battery, mechanical parts, cabinet, etc.)
Threats in technology development and global supply chains – counterfeit and malicious taint

Main threats by stakeholder position (upstream or downstream) for tainted and for counterfeit products; a check mark means the threat applies in that position (courtesy of the Open Group):
• Malware – marked in three of the four positions
• Unauthorized "parts" – marked in three of the four positions
• Unauthorized configuration – marked in one position
• Scrap/sub-standard parts – marked in one position
• Unauthorized production – marked in two positions
• Intentional damage – marked in two positions

Security properties at stake: integrity, availability, traceability, confidentiality, authenticity.
Critical Success Factors for Global Assurance
• Organizational commitment
• Strategy based on addressing future challenges
• Clear governance roles and responsibilities
• Consistent, repeatable processes
• Robust verification -- "assume nothing, believe no-one and check everything." Plan, Do, Check, Act.
• Openness and transparency regarding progress, successes, and failures
The NIST Cybersecurity Framework (CSF): A valuable, risk analytic tool
• NIST CSF consists of standards, guidelines, and best practices, first intended to promote the protection of critical infrastructure.
• A prioritized, flexible, repeatable, and cost-effective risk-analytic tool that can help owners and operators of critical infrastructure – and most other organizations -- to assess and manage cybersecurity-related risk.
• CSF is organized by five key functions related to cyber risk: identify, protect, detect, respond, & recover.
• CSF lists key categories for each function; for example, "identify": asset management, business environment, governance, risk assessment, and risk management strategy.
• CSF has subcategories for each category, and provides a list of informative references (relevant standards/best practices) for each.
• For more information: https://www.nist.gov/cyberframework
EastWest Institute: Use Economics to Lower Risk – "Purchasing Secure ICT Products and Services"
• The EastWest Institute (EWI) Buyers Guide helps buyers of Information and Communication Technologies (ICT) manage cybersecurity risks when buying technology products and services
• Enterprise security governance
  1. Strategy and Control
  2. Standards and Processes
  3. Human Resources
• The product and service lifecycle – from design through sustainment and response
  1. Design and Development
  2. Build
  3. Release, Fulfillment, and Distribution
  4. Sustainment and Response
  5. Sourcing and Supply Chain
  6. Creating assurance: Fostering Assurance and Demonstrating Assurance
• https://www.eastwest.ngo/sites/default/files/EWI_BuyersGuide.pdf
Open Trusted Technology Provider Standard (O-TTPS)
• The O-TTPS standard was developed by The Open Group Trusted Technology Forum under the auspices of The Open Group and was recognized by ISO/IEC as ISO/IEC 20243.
• Demonstration of conformance through The Open Group's independent, voluntary O-TTPS Accreditation Program provides formal recognition of an organization's conformance to this industry standard.
• Successful applicants gain accreditation and can use the Open Trusted Technology Provider trademarked logo.
• Embedded in this slide are files containing the standard and a fact sheet
The Open Group Trusted Technology Forum
Global industry-led initiative -- best practices for secure engineering and supply chain integrity. "Build with Integrity and Buy with Confidence™"
O-TTPS: Mitigating Risk of Malicious Taint and Counterfeit
• 50-page document of requirements for organizational best practices
• Recognized in 2015 by the International Organization for Standardization as ISO/IEC 20243
• The result of over 3 years of collaborative consensus-based effort
• Applies across the product life cycle
• Some requirements are highly correlated to the threats of maliciously tainted and counterfeit products; others are more foundational but considered essential
• 2 areas of requirements – they often overlap depending on product and provider:
  › Technology Development – mostly under the provider's in-house supervision
  › Supply Chain activities – mostly where the provider interacts with third parties who contribute their piece in the product's life cycle

[Diagram: product life cycle stages Design, Sourcing, Build, Fulfillment, Distribution, Sustainment and Disposal, spanning Technology Development and Supply Chain]
The O-TTPS Accreditation Program: Independent Evaluation of Conformance
• The O-TTPS Accreditation Program provides structure and discipline to a set of benchmarks and requires independent confirmation of conformance based on evidence
• The process promotes self-evaluation of operations
• Identifies necessary processes for technology development and supply chain
• The organization needs to determine the scope sought for accreditation: organization-wide, a business unit(s), product line, or products?
• The company must determine:
  › What products are made in what region and nation?
  › Do the required processes exist everywhere that is relevant?
  › Are the processes implemented as required, and what evidence is there to confirm that? Are there gaps? What needs to be done to fill the gaps?
Huawei's Approach: 8 Elements of Supplier Management (TQRDCESS)
• Supplier management includes eight elements: Technology, Quality, Response, Delivery, Cost, Environment, CSR, and Cyber Security.
• Security has been integrated into the procurement business processes, including cyber security policies, baseline, and process criteria.

[Diagram: Supplier Management Model with the eight elements Technology, Quality, Response, Delivery, Cost, Environment, CSR and Cyber Security arranged around it]

CSR: corporate social responsibility; TCO: total cost of ownership
Huawei's Supply Chain Security Strategy

Commitment to a supply chain with the following DNA, which we believe is quite consistent with the O-TTPS approach:
• Efficiency
• Security
• Resilience

E2E assurance of security in all stages of the supply chain:
[Diagram: trusted material, trusted manufacturing, trusted SW delivery, trusted logistics, trusted regional warehouses & distribution, through to the customer]
Huawei Supply Chain Cyber Security Baseline Management

Baseline management cycle: identify risks → develop baselines → integrate into processes → check the implementation → improve continuously
Huawei Framework of Supply Chain Management Cyber Security Baselines

• Organization, process and awareness: establish baselines based on risk analysis and embed the baselines into the daily operation of processes
• Physical security: prevent tampering and implanting in logic by preventing unauthorized physical access
• Software delivery security: ensure SW integrity by E2E prevention of unauthorized physical access and by technical verification methods

Properties protected: integrity, authenticity, traceability
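The software delivery security baseline above, like the "trusted SW delivery" stage of the supply chain strategy, rests on technical verification of what the customer actually receives. As an added example that is not part of the original presentation and not Huawei's own tooling, the following Go program shows one such verification method: the vendor publishes a manifest of per-file SHA-256 digests and signs it with an Ed25519 key, and the receiver checks the signature against a pinned vendor public key, checks every listed digest, and rejects files that the manifest never listed. The file names, file contents and release name are constructed sample data; generating the keys in-process is an assumption made so the program runs self-contained (in practice the vendor public key is distributed out of band and pinned by the customer).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest renders a deterministic manifest of a delivery: one header line
// with the release name, then "sha256 <hex-digest> <path>" per file, sorted by
// path so the same file set always yields the same bytes to sign.
func BuildManifest(release string, files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	fmt.Fprintf(&b, "release: %s\n", release)
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "sha256 %s %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.String()
}

// SignManifest produces the vendor's Ed25519 signature over the manifest text.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyDelivery performs the receiving side's checks, in this order:
//  1. authenticity: the manifest carries a valid signature from the pinned vendor key;
//  2. integrity: every file named in the manifest is present with the listed digest;
//  3. completeness: no delivered file is absent from the manifest (an unlisted
//     extra file is treated as unauthorized content, not silently ignored).
func VerifyDelivery(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("manifest signature invalid: not signed by the expected vendor key")
	}
	listed := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		if strings.HasPrefix(line, "release:") {
			continue
		}
		fields := strings.Fields(line) // paths containing whitespace are not supported here
		if len(fields) != 3 || fields[0] != "sha256" {
			return fmt.Errorf("malformed manifest line: %q", line)
		}
		want, path := fields[1], fields[2]
		data, ok := files[path]
		if !ok {
			return fmt.Errorf("file listed in manifest is missing: %s", path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("digest mismatch for %s: file was modified after signing", path)
		}
		listed[path] = true
	}
	for p := range files {
		if !listed[p] {
			return fmt.Errorf("unlisted file in delivery: %s", p)
		}
	}
	return nil
}

// SampleDelivery returns constructed sample files standing in for a release
// (hypothetical names and contents, not a real product).
func SampleDelivery() map[string][]byte {
	return map[string][]byte{
		"bin/router-os.img":  []byte("constructed firmware image bytes"),
		"config/default.cfg": []byte("mgmt_port=22\nsnmp_community=\n"),
	}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // assumption: in-process keys
	files := SampleDelivery()
	manifest := BuildManifest("sample-os 1.0.0", files)
	sig := SignManifest(vendorPriv, manifest)
	fmt.Println("genuine delivery:", VerifyDelivery(vendorPub, manifest, sig, files))

	// Tampering in transit: the image is altered, the signed manifest is untouched.
	tampered := SampleDelivery()
	tampered["bin/router-os.img"] = append(tampered["bin/router-os.img"], []byte(" implant")...)
	fmt.Println("tampered image:", VerifyDelivery(vendorPub, manifest, sig, tampered))

	// Unauthorized addition: an extra file that the vendor never listed.
	extra := SampleDelivery()
	extra["bin/helper.so"] = []byte("not in manifest")
	fmt.Println("extra file:", VerifyDelivery(vendorPub, manifest, sig, extra))

	// Counterfeit release: the attacker rebuilds and re-signs the manifest with
	// their own key; the customer's pinned vendor key rejects it.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildManifest("sample-os 1.0.0", tampered)
	fmt.Println("re-signed by other key:", VerifyDelivery(vendorPub, forged, SignManifest(otherPriv, forged), tampered))
}
```

The order of checks matters: the signature is verified before any manifest line is parsed, so an attacker who can alter the manifest cannot steer the parser, and unlisted files are rejected rather than ignored, which is what turns a per-file hash list into a check for "unauthorized parts" as well as for modified ones.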
Huawei's approach to E2E supplier management
• Supplier Qualification System: Quality, Environment, Corporate Social Responsibility, Health & Safety, Finance, Delivery, Security
• Process: product manufacturing process
• Product: product test and qualification
• Supplier Performance Management System: evaluate the supplier's performance and contribution to Huawei TCO through T, Q, R, D, C, E, S, S
Conclusion
• Responsible organizations should address the risk of counterfeit and maliciously tainted products as part of an enterprise risk management program that considers risk from 3rd party providers of products & services.
• Buyers of ICT should develop security requirements for their procurements and collaborate with like-minded buyers to leverage their purchasing power.
• The O-TTPS (Open Trusted Technology Provider Standard – ISO/IEC 20243) provides a standard that providers, customers and stakeholders can use to set and meet requirements, and determine whether a provider is worthy of trust.
• The Accreditation Program supports the goals and transparency of the O-TTPS, providing independent evaluation of conformance to the technology development and supply chain processes of the standard.
Thank you
www.huawei.com

Copyright © 2011 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.