Addressing the Global Supply Chain Threat Challenge Huawei, a Case Study


SESSION ID: ECO-W02. Addressing the Global Supply Chain Threat Challenge: Huawei, a Case Study. Andy Purdy, Chief Security Officer, Huawei Technologies USA.

Huawei is a global organization serving over a third of the planet's population: a leading global ICT solutions provider and a Fortune Global 500 company.
- Operations in 170 countries; 150,000 employees, 73% recruited locally
- 70,000 employees in R&D; 15 R&D centers; 25 Joint Innovation Centers
- $46 B revenue in 2014
- Serving 45 of the world's top 50 operators
Positioning (from the slide graphic): Global Supply, Global R&D, Global Service. Establish in IT Solutions; Lead in Networks; Expand in Devices; Extend in Enterprise Market; Lead in Telecom Carriers; Expand in Consumer Market. Secure products, solutions and services.

Huawei and Cyber Security: Toward a risk-based, level playing field for ICT. Supply Chain Risk: Huawei is working with the Open Group Trusted Technology Forum, other major companies and governments to gain international support for the Open Group Trusted Technology Provider Standard (OTTPS) and its accreditation program.

Huawei and Cyber Security: Toward a risk-based, level playing field for ICT (2). EastWest Institute Cyber Initiative: EWI is working with key companies (Huawei, Microsoft and others) and governments (US, China, Russia, UK, Germany, India, etc.) to seek agreement on contentious cyber issues, including the global availability of more secure ICT products.

Huawei and Cyber Security: The Open Group Trusted Technology Forum (diagram slide).

Huawei and Cyber Security. "Huawei guarantees that its commitment to cyber security will never be outweighed by the consideration of commercial interests. It (cyber security) is for our survival."
- To meet our customers' security and assurance requirements with transparency
- To strengthen and promote transparency about Huawei's global and US assurance programs among customers and stakeholders
- To promote adoption of a fact-based, risk-informed, transparent, level playing field for ICT products and services

Huawei and Cyber Security: Critical Success Factors for Global Assurance
- Organizational commitment
- Strategy based on addressing future challenges
- Clear governance roles and responsibilities
- Consistent, repeatable processes
- Robust verification: assume nothing, believe no one and check everything. Plan, Do, Check, Act.
- Openness and transparency regarding progress, successes, and failures

Huawei Global Supply Network (map slide). Material sources: US 32%, the largest material source; Taiwan, Japan and Korea 28% (components); Europe 10%; Mainland China 30% (cable, battery, mechanical parts, cabinet, etc.).
- Supply centers: China (delivery for the globe); Europe, Hungary (delivery for West Europe and North Africa); Mexico (delivery for North America and Latin America); Brazil (delivery for South Latin America); India (delivery for India)
- Regional hubs: Dubai (United Arab Emirates); Netherlands; Panama hub TBD (under feasibility)
- Reverse centers: China, Mexico, Europe
- Local EMS: the Brazil, Mexico, India and Hungary supply centers work with local partners to do manufacturing and delivery
Sites marked in China: Chengdu, Beijing, Shanghai.

Global Supply Chain Threats (courtesy of the Open Group). Stakeholders: upstream and downstream. Main threats: tainted and counterfeit products, covering malware, unauthorized parts, unauthorized configuration, scrap/sub-standard parts, unauthorized production, and intentional damage. Properties at stake: confidentiality, integrity, availability, traceability, authenticity.

Supply Chain Security Strategy. Objective: E-2-E assurance in all stages of the supply chain: trusted material, manufacturing, software, logistics, regional warehousing, and distribution.
Efficiency
- Promote timely and efficient flow of products and services in the supply chain
- Protect the supply chain from exploitation
- Reduce the risks of supply chain interruption
Security
- Ensure product and service integrity in the global supply chain
- Identify and resolve threats early in the process and strengthen the security of supply chain infrastructure, logistics and information assets
- Establish a sustainable supply chain security management system
Resilience
- Identify supply chain risks and work out improvement plans so the supply chain can quickly recover from disruption due to changing threats and risks
- Establish an accurate and effective traceability system to identify and flag problems as soon as they occur, and to recover and improve the supply chain quickly and precisely

Supply Chain Cyber Security Baseline Management. The baseline management cycle: identify risks, develop baselines, integrate them into processes, check the implementation, improve continuously.
Based on risks to the supply chain and on customer and government requirements:
- we develop cyber security baselines aiming to protect product integrity, traceability and authenticity, and
- take a built-in approach to integrate the baselines into processes.
We have developed nearly 100 baselines around 10 security elements:
- Laws and regulations
- Infrastructure security
- Access control
- Incoming material security
- Manufacturing security
- Software delivery security
- Order fulfillment security
- Traceability system
- Emergency response
- Risk analysis, improvement and audit

Framework of SCM Cyber Security Baselines. Goals: integrity, authenticity, traceability.
- Physical security: prevent tampering and implanting in logic by preventing unauthorized physical access
- Software delivery security: ensure SW integrity by E2E prevention of unauthorized physical access and by technical verification methods
- Organization, process and awareness: establish baselines based on risk analysis and embed them into the daily operation of processes

Supply Chain Management Security. Logistics and return are key areas of security risk.
Forward flow (slide diagram): supplier ships to warehouse (SZ/HK) or local purchase; Shenzhen/EMS shipment; international transportation; customs clearance; regional warehouse; central, customer or subcontractor warehouse; deliver to site; site installation; site acceptance.
Return flow: return site goods; receive return goods; develop a disposal solution for return goods (re-use or scrapping); ship back return goods.
Controls:
- Inspect goods to ensure they are not tampered with during and after delivery
- Warehouse physical security reduces product risk due to component substitution, etc.
- Returned materials must be inspected and approved for reuse, to prevent reuse of insecure products

Integrity and Traceability: integrated processes and technology in the supply chain.
- ISO 28000 supply chain security system in operation, with third-party certification (ISO 28000 certificate)
- Global multi-supply centres to provide efficient and resilient supply to customers
- Barcode system to support tracing
- Scope: security of incoming materials; security of factory (EMS); security of logistics and warehousing
- C-TPAT third-party audit report
- Infrastructure and entry control: 7*24 security guard and CCTV monitoring; electronic entry control and identity identification system

Manufacturing Security ensures product and component security. Process flow (slide diagram): incoming material, material setup, PCBA manufacturing, PCBA function test, and maintenance, with quality gates IQC at incoming material, IPQC/PQC during manufacturing, and FQC and OQC before shipment.
Abbreviations: FT: function test; ST: system test; IQC: incoming quality control; IPQC: in-process quality control; PQC: product quality control; FQC: final quality control; OQC: outgoing quality control; PCBA: printed circuit board assembly.

Secure and Efficient Delivery: world-class logistics service providers (LSPs).
- Secure logistics solution: Global-Region-Country logistics solution; route security analysis; business continuity assurance solution
- Trusted LSP: industry role model, secure main LSP; sign security agreement
- Visualized process: visualized transportation process; IT systems record logistics process details
- Standardized warehouse management: follow C-TPAT; record barcode when product leaves warehouse; 7*24 security guard and CCTV; access control
- Product reverse management: return material with customer info cleared out; manage according to government and customer's rules and requirements

Supplier Management: reduce potential risks and mitigate security threats. Security is one of the seven elements of supplier management, TQRDCES (Technology, Quality, Response, Delivery, Cost, Environment and CSR, Security). All suppliers related to cyber security must sign the cyber security agreement and pass the cyber security system qualification. All cyber-security-relevant materials must pass the material security test and qualification.

Supplier Management measures (process map). Supplier management processes: manage procurement requirement; manage supplier qualification baseline; manage supplier selection baseline; manage procurement strategy; manage supplier performance; manage supplier portfolio; manage supplier qualification/selection; manage supplier organization relationship; manage supplier quality; manage fulfillment and acceptance; manage supplier phase-out; manage supplier security.
Manage Supplier Security measures:
- Supplier and material security certification: procurement security baseline; material security sourcing and qualification; supplier security system certification
- Procurement security agreement and execution: sign supplier security agreement; implement supplier security agreement; security training
- Supplier security audit and emergency response: supplier security risk and audit; supplier security vulnerabilities improvement; supplier emergency response
- Security test and acceptance: incoming material security check; engineering cyber security acceptance; logistics security acceptance
- Supplier security performance and phase-out: supplier security performance evaluation; supplier security performance application; supplier security phase-out

Supplier Security System Qualification: Cyber Security Evaluation. Supplier cyber security risk evaluation involves a determination of risk using an audit checklist of 10 items and 42 questions, each weighted to contribute to the total score:
- Security agreement
- Security assurance system
- Product security
- Security testing
- Open source software security
- Delivery security
- Product service security
- Emergency response
- Traceability
- Personnel management

Supplier Security Performance Scorecard and Product Test. Suppliers' security performance is appraised each year, and the appraisal result is applied in the selection and phase-out of suppliers. Security testing of materials includes testing for the selection of new materials, at shipment, and at arrival at Huawei.
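To make the weighted checklist and its use in selection and phase-out concrete, here is an added example (not Huawei's own tooling): a scorer that takes weighted questions grouped under the ten items named on the slide, drops not-applicable questions from the denominator, and maps the total to a qualification decision in which a zero on a critical item overrides the total. Only the ten item names come from the slide; the question texts, weights, thresholds and supplier answers are constructed.

```python
"""Weighted supplier cyber security audit scoring.

Added example, not Huawei's own tooling. The slide describes an audit checklist
of 10 items and 42 weighted questions whose total drives supplier selection and
phase-out. The ten item names are taken from the slide; the question texts,
weights, thresholds and supplier answers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Question:
    item: str       # checklist item (one of the 10 on the slide)
    text: str       # constructed question wording
    weight: float   # constructed weight: contribution to the total score


# Constructed subset of the checklist (the real one has 42 questions).
CHECKLIST = [
    Question("Security agreement", "Signed cyber security agreement in force", 3.0),
    Question("Security assurance system", "Security management system in place", 2.0),
    Question("Product security", "Secure development lifecycle applied", 2.0),
    Question("Security testing", "Security tests run before release", 2.0),
    Question("Open source software security", "OSS inventory kept and tracked", 1.5),
    Question("Delivery security", "Deliveries integrity-checked on receipt", 1.5),
    Question("Product service security", "Support access is controlled and logged", 1.0),
    Question("Emergency response", "Vulnerability response process defined", 1.5),
    Question("Traceability", "Component lots traceable to sub-suppliers", 1.0),
    Question("Personnel management", "Security training for relevant staff", 1.0),
]

# Answers: degree of conformance 0.0-1.0 per question text; None = not applicable.
SUPPLIER_A: dict[str, Optional[float]] = {q.text: 1.0 for q in CHECKLIST}
SUPPLIER_A["OSS inventory kept and tracked"] = 0.5              # partial conformance
SUPPLIER_A["Component lots traceable to sub-suppliers"] = None  # N/A for this supplier

SUPPLIER_B: dict[str, Optional[float]] = {q.text: 1.0 for q in CHECKLIST}
SUPPLIER_B["Signed cyber security agreement in force"] = 0.0    # no agreement signed


def weighted_score(checklist, answers):
    """Return (total_percent, per_item_percent).

    Each answered question contributes weight * conformance. Not-applicable
    questions are dropped from both numerator and denominator so a supplier is
    neither penalised nor credited for questions that do not apply to it.
    """
    earned = possible = 0.0
    per_item = {}
    for q in checklist:
        conformance = answers.get(q.text)
        if conformance is None:
            continue
        if not 0.0 <= conformance <= 1.0:
            raise ValueError(f"conformance out of range for {q.text!r}: {conformance}")
        earned += q.weight * conformance
        possible += q.weight
        item_earned, item_possible = per_item.get(q.item, (0.0, 0.0))
        per_item[q.item] = (item_earned + q.weight * conformance, item_possible + q.weight)
    if possible == 0.0:
        raise ValueError("no applicable questions were answered")
    per_item_pct = {item: round(100 * e / p, 1) for item, (e, p) in per_item.items()}
    return round(100 * earned / possible, 1), per_item_pct


def qualification(total_pct, per_item_pct, critical_items=("Security agreement",)):
    """Map the score to a decision (thresholds are constructed, not Huawei's).

    A critical item scored at zero fails the supplier regardless of the total,
    so a strong score elsewhere cannot mask the absence of a security agreement.
    """
    for item in critical_items:
        if per_item_pct.get(item) == 0.0:
            return "phase-out"
    if total_pct >= 80.0:
        return "qualified"
    if total_pct >= 60.0:
        return "conditional: improvement plan required"
    return "phase-out"


if __name__ == "__main__":
    for name, answers in (("Supplier A", SUPPLIER_A), ("Supplier B", SUPPLIER_B)):
        total, items = weighted_score(CHECKLIST, answers)
        print(f"{name}: {total}% -> {qualification(total, items)}")
        for item, pct in items.items():
            print(f"  {item}: {pct}%")
```

Supplier B scores above the qualification threshold on the total but is still phased out, because the one item that makes every other answer enforceable (a signed security agreement) is absent; that override is the point of grouping questions under items rather than summing them flat.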

Supplier Security Performance Scorecard and Product Test (2). Scorecard criteria: pass the product security test; products do not contain any unknown functions; products or services are traceable; product security emergency response; cyber security training.
Test stages:
- Sourcing test: material specifications; cyber security technical quality risk assessment report; cyber security sourcing process
- Supplier product test: supplier signs security agreement including security test; supplier security test
- Incoming materials test: perform virus test for cyber security critical materials; perform virus inspection and comparison with standard source software for software
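The "comparison with standard source software" step in the incoming materials test is, in practice, a manifest check: the reference build's digests are recorded once and every incoming file is compared against them. The following added example (not Huawei's code) does this for a constructed in-memory package and reports modified, missing and unexpected files separately; all file names and contents are invented.

```python
"""Verify delivered software against its standard (golden) source by hash manifest.

Added example, not Huawei's tooling. It implements the "comparison with
standard source software" check from the slide: the reference build yields a
manifest of SHA-256 digests, and an incoming package is compared file by file.
Both packages below are constructed in memory; the file names are invented.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class VerificationResult:
    modified: list[str] = field(default_factory=list)    # content differs from reference
    missing: list[str] = field(default_factory=list)     # in reference, absent from delivery
    unexpected: list[str] = field(default_factory=list)  # in delivery, not in reference

    @property
    def ok(self) -> bool:
        """True only when the delivery matches the reference exactly."""
        return not (self.modified or self.missing or self.unexpected)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(reference: dict[str, bytes]) -> dict[str, str]:
    """Digest every file of the standard source build: path -> SHA-256 hex."""
    return {path: sha256_hex(content) for path, content in sorted(reference.items())}


def verify_package(manifest: dict[str, str], delivered: dict[str, bytes]) -> VerificationResult:
    """Compare a delivered package against the manifest.

    Extra files are reported too: an unexpected file is as much a deviation
    from the standard source as a modified one (the slide's "unknown functions").
    """
    result = VerificationResult()
    for path, expected in manifest.items():
        if path not in delivered:
            result.missing.append(path)
            continue
        actual = sha256_hex(delivered[path])
        if not hmac.compare_digest(actual, expected):
            result.modified.append(path)
    for path in sorted(delivered):
        if path not in manifest:
            result.unexpected.append(path)
    return result


# Constructed reference build (the "standard source software").
REFERENCE = {
    "bin/agent": b"\x7fELF...constructed agent binary...",
    "etc/agent.conf": b"listen=127.0.0.1\nlog_level=info\n",
    "lib/libcrypto.so": b"constructed shared library bytes",
}
MANIFEST = build_manifest(REFERENCE)

# Constructed incoming delivery: one file altered, one extra, one dropped.
DELIVERED_TAMPERED = {
    "bin/agent": b"\x7fELF...constructed agent binary...",
    "etc/agent.conf": b"listen=127.0.0.1\nlog_level=debug\n",  # config changed
    "tools/debug.sh": b"#!/bin/sh\necho debug\n",               # not in reference
}


if __name__ == "__main__":
    clean = verify_package(MANIFEST, REFERENCE)
    print("clean delivery ok:", clean.ok)
    tampered = verify_package(MANIFEST, DELIVERED_TAMPERED)
    print("tampered delivery ok:", tampered.ok)
    print(" modified:", tampered.modified)
    print(" missing:", tampered.missing)
    print(" unexpected:", tampered.unexpected)
```

The manifest has to reach the receiving site independently of the delivery it vouches for, for instance signed by the reference build system; a manifest shipped inside the package it describes proves nothing. The virus scan named on the same slide is a separate check and is not modelled here.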

End-2-End Traceability System. The process of product design and contract delivery ensures rapid locating and querying. We look to:
- trace every component from every supplier, every route, factory, logistics method, R&D center, and end customer product, and back;
- trace any software request from the customer through every stage in the process (design, software coding, testing, QA, authorization, live deployment) and back to the original source.

Software Development Traceability: from customer requirement to final release. Lifecycle phases: Concept, Plan, Development, Qualify, Launch, Lifecycle.

Product Traceability in Supply Chain: from contract to delivery (slide diagram). Elements shown: customer; client PO; contract management; requirement; SW and HW design (R&D), with software suppliers, third-party software and third-party software licenses; supply chain: raw material, semi-product, product manufacturing (hardware supplier and EMS), logistics, regional warehouse, site installation; return logistics and return management back to the customer.
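As an added illustration of the bidirectional tracing the traceability slides describe (not Huawei's traceability system), the example below keeps lot, unit and shipment records like those a barcode system would capture and answers both directions: forward from a suspect component lot or supplier to the affected customer units, and backward from a returned serial to its component lots, suppliers and routes. Every identifier and record is constructed, and a unit that references an unknown lot is rejected at load time because a gap in the genealogy is itself a traceability failure.

```python
"""Bidirectional traceability over constructed supply-chain genealogy records.

Added example, not Huawei's system. It models the records a barcode-based
traceability system keeps (component lot -> product serial -> shipment ->
customer) and answers the two queries the slides ask for: forward, from a
suspect component lot or supplier to every customer unit it reached, and
backward, from a returned unit to the lots, suppliers and routes it was built
from. All identifiers and records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lot:
    lot_id: str
    part: str
    supplier: str
    route: str  # logistics route the lot travelled, e.g. "TW -> SZ hub"


@dataclass(frozen=True)
class Unit:
    serial: str
    product: str
    factory: str
    lots: tuple[str, ...]  # component lots consumed when the unit was built


@dataclass(frozen=True)
class Shipment:
    serial: str
    customer: str
    site: str


class TraceDB:
    def __init__(self, lots, units, shipments):
        self.lots = {lot.lot_id: lot for lot in lots}
        self.units = {unit.serial: unit for unit in units}
        self.shipments = {shp.serial: shp for shp in shipments}
        # Inverted index lot -> serials, so a forward trace costs only the
        # affected units rather than a scan of every unit ever built.
        self.lot_index: dict[str, set[str]] = {}
        for unit in units:
            for lot_id in unit.lots:
                if lot_id not in self.lots:
                    # A genealogy gap is itself a traceability failure; refuse it.
                    raise ValueError(f"unit {unit.serial} references unknown lot {lot_id}")
                self.lot_index.setdefault(lot_id, set()).add(unit.serial)

    def forward(self, lot_ids):
        """Suspect lots -> affected serials grouped by customer ('in stock' if unshipped)."""
        affected: dict[str, list[str]] = {}
        serials = set()
        for lot_id in lot_ids:
            serials |= self.lot_index.get(lot_id, set())
        for serial in sorted(serials):
            shp = self.shipments.get(serial)
            key = shp.customer if shp else "in stock"
            affected.setdefault(key, []).append(serial)
        return affected

    def forward_by_supplier(self, supplier):
        """Supplier-wide impact: every lot from the supplier, traced forward."""
        lot_ids = [lot_id for lot_id, lot in self.lots.items() if lot.supplier == supplier]
        return self.forward(lot_ids)

    def backward(self, serial):
        """Returned unit -> (lot, part, supplier, route) for each component lot."""
        unit = self.units[serial]
        return [(lid, self.lots[lid].part, self.lots[lid].supplier, self.lots[lid].route)
                for lid in unit.lots]


# Constructed records.
DB = TraceDB(
    lots=[
        Lot("LOT-CAP-001", "capacitor", "SupplierX", "TW -> SZ hub"),
        Lot("LOT-FPGA-007", "fpga", "SupplierY", "JP -> SZ hub"),
        Lot("LOT-CAP-002", "capacitor", "SupplierX", "TW -> SZ hub"),
    ],
    units=[
        Unit("SN-1001", "router-a", "EMS-Shenzhen", ("LOT-CAP-001", "LOT-FPGA-007")),
        Unit("SN-1002", "router-a", "EMS-Shenzhen", ("LOT-CAP-001",)),
        Unit("SN-1003", "router-a", "EMS-Mexico", ("LOT-CAP-002", "LOT-FPGA-007")),
    ],
    shipments=[
        Shipment("SN-1001", "Customer A", "site-01"),
        Shipment("SN-1002", "Customer B", "site-07"),
    ],
)

if __name__ == "__main__":
    print("forward LOT-FPGA-007:", DB.forward(["LOT-FPGA-007"]))
    print("forward SupplierX:", DB.forward_by_supplier("SupplierX"))
    print("backward SN-1001:", DB.backward("SN-1001"))
```

The forward query is what turns a supplier incident into a bounded customer notification list, and the backward query is what a returns process needs before deciding whether a unit may be re-used; both depend on the lot-to-serial link being recorded at the factory, which is why the example refuses records that break that link.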

Third Party Supplier Management: leverage purchasing power. From the Top 100 Requirements: end-to-end cyber security means a vendor must work with their own vendors to adopt best-practice cyber security approaches.
61. How does the vendor conduct security management with their suppliers? Has the vendor established relevant security criteria and passed them to their suppliers? How frequently does the vendor update their criteria to ensure they keep up to date with the latest thinking?
62. What procurement process requirements do the vendor's suppliers take with their suppliers?
63. Does the vendor have contractual clauses or security agreements in place with their core technology suppliers that provide a comprehensive, risk-informed set of requirements that they must meet?

Conclusion. There is no simple, cookie-cutter approach to understanding and managing supply chain risk. Managing supply chain risk appropriately requires organizational commitment and a comprehensive end-to-end approach based on standards and best practices, with independent verification for each critical component. Agreement on a global supply chain standard, such as the Open Group OTTPS, could contribute to reduction in supply chain risk and increased trust.

Apply What You Have Learned Today
Next week you should:
- Determine if and how you address supply chain risk within your organization and the security risk of your suppliers.
In the first three months following this presentation you should:
- Assess the adequacy of your supply chain risk controls and your security requirements for your suppliers
- Review the Open Group Trusted Technology Provider Standard (OTTPS)
- Review the Huawei security papers: Making cyber security a part of a company's DNA - A set of integrated processes, policies and standards (October 2013), and Top 100 cyber security requirements
- Implement a supply chain risk mitigation strategy appropriate to your risk, including risk-informed security requirements for your suppliers

Huawei and Cyber Security: Huawei's cyber security White Paper series
- 2012: 21st century technology and security - a difficult marriage (September 2012). http://www.huawei.com/ilink/en/download/hw_u_202577
- 2013: Making cyber security a part of a company's DNA - A set of integrated processes, policies and standards (October 2013). http://www.huawei.com/ilink/en/download/hw_310547
- 2014: Top 100 cyber security requirements. http://www.huawei.com/ilink/en/download/hw_401430