Towards a standard approach to supply chain integrity. Claire Vishik September 2013



Similar documents
ICT Supply Chain Risk Management

Designed-In Cyber Security for Cyber-Physical Systems

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

April 28, Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

The Software Supply Chain Integrity Framework. Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.

Piloting Supply Chain Risk Management Practices for Federal Information Systems

Principles for Software Assurance Assessment. A Framework for Examining the Secure Development Processes of Commercial Technology Providers

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Addressing the Global Supply Chain Threat Challenge Huawei, a Case Study

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

Looking at the SANS 20 Critical Security Controls

SECURITY RISK MANAGEMENT

Department of Management Services. Request for Information

Civil Aviation and CyberSecurity Dr. Daniel P. Johnson Honeywell Aerospace Advanced Technology

NIST Cyber Security Activities

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

ENISA workshop on Security Certification of ICT products in Europe

DoD Software Assurance (SwA) Overview

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

GAO Information Security Issues

Adding a Security Assurance Dimension to Supply Chain Practices

SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR

IT Risk Management Era: Research Challenges and Best Practices. Eyal Adar, Founder & CEO Eyal@WhiteCyberKnight.com Chairman of the EU SRMI

FREQUENTLY ASKED QUESTIONS

Building Security In:

Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Dean C. Garfield President & CEO, Information Technology Industry Council (ITI) Committee on Energy and Commerce

Securing the Microsoft Cloud

EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015

Big Data, Big Risk, Big Rewards. Hussein Syed

Notional Supply Chain Risk Management Practices for Federal Information Systems

Announcement of a new IAEA Co-ordinated Research Programme (CRP)

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Implementing Program Protection and Cybersecurity

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

PLM Center of Excellence PLM for Embedded Product Development - Challenges, Experiences and Solution. M a y

Software Product Quality Practices Quality Measurement and Evaluation using TL9000 and ISO/IEC 9126

ICT investment trends in Brazil. Enterprise ICT spending patterns through to the end of 2015 May 2014

STREAM Cyber Security

Which cybersecurity standard is most relevant for a water utility?

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

State of Oregon. State of Oregon 1

Cyber Security and Privacy - Program 183

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Managing Risk in Global ICT Supply Chains

Smart grid security analysis

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

Metrics that Matter Security Risk Analytics

NICE and Framework Overview

SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

IEEE-Northwest Energy Systems Symposium (NWESS)

Department of Defense INSTRUCTION

Actions and Recommendations (A/R) Summary

Cyber Supply Chain Risk Management Portal

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article C.1 Introduction This contract is intended to provide IT solutions and services as

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Framework for Improving Critical Infrastructure Cybersecurity

Hadoop Market - Global Industry Analysis, Size, Share, Growth, Trends, And Forecast,

ISA-99 Industrial Automation & Control Systems Security

Implementing the U.S. Cybersecurity Framework at Intel A Case Study

Information Technology Governance. Steve Crutchley CEO - Consult2Comply

Certified Information Security Manager (CISM)

FINRA Publishes its 2015 Report on Cybersecurity Practices

Operational security for online services overview

AEROSPACE QUALITY MANAGEMENT SYSTEM

MarketsandMarkets. Publisher Sample

Medical Device Software Standards for Safety and Regulatory Compliance

Cybersecurity Strategic Consulting

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Security in Space: Intelsat Information Assurance

Digital Asset Manager, Digital Curator. Cultural Informatics, Cultural/ Art ICT Manager

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

RFID current applications and potential economic benefits

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

ISA Security Compliance Institute ISASecure IACS Certification Programs

IT Risk Management: Guide to Software Risk Assessments and Audits

Transcription:

Towards a standard approach to supply chain integrity Claire Vishik September 2013 1

Draws from: ENISA s report on this topic Slawomir Gorniak, European Network and Information Security Agency Demosthenes Ikonomou, European Network and Information Security Agency Contributors: Scott Cadzow, Cadzow Communications Consulting Georgios Giannopoulos, European Commission Joint Research Centre Alain Merle, LETI France Tyson Storch, Microsoft Claire Vishik, Intel http://www.enisa.europa.eu/media/news-items/new-reporton-supply-chain-integrity-launched CSRA Report on research priorities in supply chain for cyber-physical systems Coordinators: Nadya Bartol, UTC; and Jon Boyens, NIST Available at: http://www.cybersecurityresearch.org/ 2

A supply chain is a system of organizations, people, technology, activities, information and resources involved in developing or producing a product or service from supplier or producer to customer Integrity is the extent to which consistency of actions, values, methods, measures, principles, expectations and outcome is achieved SCI (Supply Chain Integrity): --Not a binary all or nothing term --Can be improved, by, e.g. going directly to trusted manufacturer, and deteriorates when un-vetted links are introduced --Best practice: authorized distribution framework 3

Supply Chain Puzzle SC Execution Standards, Best Practices Lifecycle Sourcing & Delivery Supply Chain Legal & Regulatory Requirements Some Key Issues (including gaps) Complexity of the space Trust, Claims & Evidence Harmonization of global requirements Coordinated framework for commonalities Understanding of operational context Broadly applicable approaches to analysis and mitigations Metrics and test tools Industry Verticals 4

Background for SCI (Supply Chain Integrity) Threat Analysis The goal of supply chain integrity in the ICT domain is to ensure that ICT products meet the intended specifications Multiple diverse threats (context dependent, but a canonical list would improve understanding) Typology of threat agents is as important as typology of threats Prioritization of threats by probability and impact is necessary Remedies Mitigations are also context dependent Co-design approaches could be used in practice and in standardization Decision support strategies for remedies based on the typologies of threats and threat agents could be an important area of standardization 5

Example: Cyber-Physical Systems Specific context Longer term use Focus on mission rather than security Available best practices Suggested research priorities focus on understanding context and finding commonalities Telecom Aerospace Short term goals Describe context and existing best practices Develop supplier reliability methodologies Develop testing tools Long term goals Build secure architectures for CPS Develop next generation analytics Determine treatment of legacy systems and protocols From CSRA report 6

SCI Landscape by Focus Origins ISO/IEC 27036: Guidelines for Security of Outsourcing Delivery & Governance Numerous related standards exist, but their mutual dependencies are still weak. Several ANSI and NIST standards ISO/IEC 15288 (lifecycle) Processing & Configuration RFID supply chain applications (SC31 in ISO) Risk Modeling pilot (inemi) Data Exchange pilot (HDPUG) Integrity N10656: Update to ISO 27002: Security Techniques Open Trusted Technology Framework Verification & Checks Fraud Controls and Countermeasures SEMI T20: Traceability (semiconductor industry) 7

Industry Government Some activities From CSRA report, Bartol & Boyens Comprehensive National Cybersecurity Initiative Stood Up 2008 DoD ICT SCRM Key Practices Document Cyberspace Policy Review NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems The President s International Strategy for Cyberspace GAO Report NIST SP 800-161 PMOs developed in DOJ and DOE DHS ICT Supply Chain Exploits Frame of Reference 2009 2010 2011 2012 2013 DHS Vendor Procurement Language SAFECode Software Supply Chain Integrity papers Open Trusted Technology Framework Common Criteria Technical Document ISF Supplier Assurance Framework IEC 62443-2-4 Industrialprocess measurement, control and automation ISO/IEC 27036 Guidelines for Information Security in Supplier Relationships SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.) 8

SCI Landscape by Involvement Standards Bodies NIST, ANSI. JTC1,OASIS, ISO, other Numerous related efforts ar under way, but it is too early to look at aggregation Industry & Research Efforts ISF, Open Group, SafeCode, NASPO (North American Security Products Organization), inemi (International Electronic Manufacturing Initiative), HDPUG (High Density Packaging User Group International, Inc.), DARPA, FP7, other Industry Segments Software, hardware, retail, aerospace, technology manufacturing, pharmaceuticals, other. Geography Europe, US, China, India, Japan, other 9

Some Gaps to be Addressed Technology, Process Risk Analysis, Metrics Real time integrity checks and awareness New integrity technologies to strengthen supply chain Evaluation tools & approaches, including approaches to composition Approaches for broader contexts More general purpose techniques and models Broadly applicable metrics General understanding of evidence Standards Numerous light or exploratory efforts, no large scale coordinated work No forum for multi-domain multi-disciplinary discussion No big picture 10

Some Recommendations: Areas of Focus Technology, Process Improved trust models New approaches to assurance Technology solutions (e.g., to counterfeiting) Improved evaluation & integrity checking Standards, Policy Practice Global policy assessment Taxonomy of the space Coordinated SCI framework Broadly applicable and efficient standard development Universally recognized best practices Collaboration mechanisms to assess and evaluate existing best practices Harmonized legal and evaluation framework Metrics and threat analysis tools 11

Thank you Questions? 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information