OTTF – Full Slide Set – Jan 20 2015
TRANSCRIPT
Copyright (C) The Open Group 2015
Managing Cybersecurity Threats by Engaging with Accredited Open Trusted Technology Providers – Organizations that Conform to the Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS)
Sally Long, Director, The Open Group Trusted Technology Forum
“Build with Integrity- Buy with Confidence™”
Presentation Overview
• Background & Context:
  - Brief overview of The Open Group and The Open Group Trusted Technology Forum (OTTF)
• The Supply Chain Challenge as it applies to:
  - COTS ICT
  - Critical Infrastructure
• Industry Response to the Challenge:
  - The Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS)
  - O-TTPS Accreditation Program
• Current State of the OTTF:
  - Milestones, Roadmap and Global Outreach Efforts
• What You Can Do Now
The Open Group Membership
Over 40,000 participants from over 95 countries
Over 500 memberships with HQs in 40 countries from 6 continents
Countries listed on the slide: Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, India, Italy, Japan, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Poland, Qatar, Russian Federation, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, UK, United Arab Emirates, USA
What Does The Open Group Do?
• Membership & Events
  - International & Regional Conferences
  - Forums: ArchiMate® Architecture, Enterprise Management Forum, IT4IT™, Open Platform 3.0™, Real-time & Embedded Systems, Security, Trusted Technology Forum, Platform Base Working Group
• Standards and Certification – over 25 years' experience
  Voluntary consensus standards and certification programs through The Open Group Standards Process, consistent with OMB Circular A-119
  - People & Organizations: ArchiMate®, POSIX®, TOGAF®, UNIX®, Open Trusted Technology Provider™
  - Professional: TOGAF®, ArchiMate®, Certified Architect (Open CA), Certified IT Specialist (Open CITS), Open FAIR
  - Consortia: Hotel Technology Next Generation (HTNG), North American State and Provincial Lotteries (NASPL), Near Field Communication Forum (NFC Forum), UNIX®, WAP, Architecture Tools
  - Defense Standards: DirecNet, FACE™
The Open Group CyberSecurity Activities
Security Forum – Open Standards & Best Practices
• Security architecture
• Information security management
• Risk management standards, best practices, and certification
• Compliance & security automation
Real Time & Embedded Systems Forum – Open Standards
• MILS
• Software assurance
• High assurance certification
• Dependability
Trusted Technology Forum – Supply Chain Security Standards, Best Practices
• Open Trusted Technology Provider™ (O-TTPS) (Standard)
• Addressing maliciously tainted and counterfeit products
• O-TTPS Accreditation Program
The Supply Chain Challenge and the OTTF
The Open Group Trusted Technology Forum (OTTF)
• Government-industry roundtable discussion in 2009
  - Initiated by DoD AT&L(SE), DoD-CIO and The Open Group
• Government raised these issues:
  - Moving from high assurance customized solutions to Commercial Off The Shelf (COTS) Information Communication Technology (ICT)
  - Need to confidently identify trusted COTS ICT products/providers
• Government recommendation:
  - Establish consensus on best-of-breed best practices based on industry experience to create a standard that enables all providers to conform to those best practices when building products
  - Create an accreditation program brand that identifies trusted technology providers who conform to the standard
• Response to the recommendation – the OTTF
  - Providers, integrators, government agencies and third-party labs from around the globe responded to the recommendation
The Open Group Trusted Technology Forum
A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can “Build with Integrity and Buy with Confidence™”
The Supply Chain Challenge for COTS ICT Providers
Challenges:
• Need to secure our global supply chains
• Need a full life cycle approach
• Need a standard of best practices for all constituents in the chain
• Need accreditation to help assure conformance to the standard
• Need a public registry to identify trusted/accredited constituents
• Need customers to reward trusted/accredited constituents through procurement
Product certification is not enough. We need assurance that best practices are followed throughout the product life cycle, including global supply chains.
Governments, Consumers, Service Providers and Enterprises: procure from an Accredited Open Trusted Technology Provider™
“Build with Integrity – Buy with Confidence™”
Technology Supply Chain Threat Matrix (threats arranged across the Upstream, Provider and Downstream stages)
Taint:
• Malware
• Malicious code (masquerading as vulnerabilities)
• Unauthorized “Parts”
• Unauthorized Configuration
Counterfeit:
• Scrap/Substandard Parts
• Unauthorized Production
A Threat-Based Problem: Global supply chain security for COTS products
• Commercial Off the Shelf products are developed and used globally
• COTS products rely on components that are often globally sourced
• COTS products are integrated into Critical Infrastructure, Government systems and Commercial solutions
Threats: Counterfeit product; Maliciously tainted; Insiders; Obsolescence; many others …
Requirements Categories
• Functional & Quality Requirements for Products: The product does what it’s intended to do functionally and performs at the required performance levels.
• Security Requirements for Products: The product meets certain security assurance levels based on the requirements of the environment into which it’s placed and the acceptable level of risk for that environment.
• Security & Integrity Process Requirements for Providers (O-TTPS): Integrators and providers who build IT products must follow best practices for security and integrity, from design through disposal (both in-house and in their supply chains). This reduces the risk of vulnerabilities (potential malware insertion sites) and of tainted and counterfeit components before the products make it into the critical environment.
• Functional, Quality, Security & Integrity Process Requirements for Operators: Operator organizations must ensure the security and integrity of systems during operation. In addition, operator organizations must have policies in place for each of the four categories:
  - all systems function and perform well
  - products comply with security requirements
  - they buy from trusted providers
  - systems are secure during operation and recovery
The O-TTPS
The first version of the O-TTPS addresses the two threats that have been identified as the most pressing:
• Maliciously Tainted Products
• Counterfeit Products
O-TTPS Standard – Mitigating Risks for Tainted and Counterfeit Products
• A tainted product is “produced by the provider and is acquired through reputable channels but has been tampered with maliciously”. It could result in:
  - product failure or degraded performance; it can enable malware insertion and weakened security mechanisms allowing rogue functionality, and potentially critical damage
  - enabled IP and identity theft, and damage to critical infrastructure operations – which could lead to catastrophic results for citizens
• A counterfeit product is “produced other than by or for the provider, or is supplied by other than a reputable channel, and is represented as legitimate”. It could result in:
  - For customers: if the product fails at a critical juncture – loss of productivity and revenue
  - For providers: loss of revenue stream and brand damage
• Double risk if counterfeit products are also tainted
O-TTPS: Mitigating Maliciously Tainted and Counterfeit Products
• The Open Trusted Technology Provider™ Standard (O-TTPS) was released in April 2013 – a 50-page document on requirements for organizational best practices
• The result of over 3 years of collaborative, consensus-based effort
• Requirements apply across the product life cycle. Some are highly correlated to the threats of maliciously tainted and counterfeit products; others are more foundational but considered essential
• 2 areas of requirements – often overlapping depending on product and provider:
  - Technology Development – mostly under the provider’s in-house supervision
  - Supply Chain activities – mostly where the provider interacts with third parties who contribute their piece in the product’s life cycle
Product life cycle (figure): Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal – spanning Technology Development and Supply Chain activities
O-TTPS: Technology Development
• Product Development/Engineering Requirements in:
  - Software/Firmware/Hardware Design Process
  - Development/Engineering Process and Practices
  - Configuration Management
  - Quality/Test Management
  - Product Sustainment Management
• Secure Development/Engineering Requirements in:
  - Threat Analysis and Mitigation
  - Run-time Protection Techniques
  - Vulnerability Analysis and Response
  - Product Patching and Remediation
  - Secure Engineering Practices
  - Monitor and assess the impact of changes in the threat landscape
O-TTPS: Supply Chain Activities
• Supply Chain Requirements in:
  - Risk Management
  - Physical Security
  - Access Controls
  - Employee and Supplier Security
  - Business Partner Security
  - Supply Chain Security Training
  - Information Systems Security
  - Trusted Technology Components
  - Secure Transmission and Handling
  - Open Source Handling
  - Counterfeit Mitigation
  - Malware Detection
OTTF Principles
The OTTF is developing its standards and accreditation programs according to these principles:
• Practical and effective – practitioner based, with evidence that it works in the field
• Reasonable – achievable and implementable by a wide variety of vendors and stakeholders
• Affordable – reasonably cost-effective to implement
• Open – based on open standards and recognized industry best practices, publicly available to all
• Organizational/Process-Based Accreditation – flexible enough that an organization can choose its own scope of accreditation (product, product line, entire organization)
The O-TTPS Accreditation Program
Vendor-neutral program, open to all Component Suppliers, Providers, Integrators, Distributors and Resellers
• OTTF: develops and maintains the Standard – membership is open to all
• Accreditation Authority (program operated by The Open Group): governance and operation; responsible for accreditation of 3rd party assessors, appeals, certificates, logo use, and consistency across accreditations
• O-TTPS Recognized 3rd Party Assessors: verify conformance
• Application: scope is flexible, from the whole organization down to one product
• Success: Open Trusted Technology Providers™ – the program logo is used to support accreditation claims, based on a warranty from the organization and a conformance assessment
Accreditation Program Description
• The Applicant can be a Technology Provider, Component Supplier, Integrator, Distributor (Value-Add) or Reseller
• The Applicant warrants and represents their conformance to requirements throughout their declared Scope of Accreditation – that is, they claim that they follow the best practices throughout the product life cycle, including supply chain cycles, for all of the products in their declared Scope
• Scope is up to the Applicant: product, product(s), product line, organization, etc.
• Warranty backed by evidence of conformance and assessment of that evidence by 3rd Party Assessors
• The Open Group will operate a vendor-neutral program and provide oversight and consistency across applications
• Successful Applicant gets a certificate and use of the Trademark and Logo
• The Open Group manages Trademark and Logo use, problem reporting and the appeals process
• The accreditation period is 3 years before required renewal
• Launch of the public O-TTPS accreditation program in December 2014 – open to any organization; you don’t need to be a member
Assessments by 3rd Party Labs
• Publicly available Assessment Procedures
  - Help achieve objectivity, repeatability, and consistency across accreditations
  - Geared specifically to: Providers, Component Suppliers, Integrators and Value-Add Distributors, and Resellers (Non-Value-Add)
• Two types of requirements/evidence to be assessed: process and implementation
  - Process – need evidence that there are documented processes
  - Implementation – need evidence that the processes were implemented
• Formal recognition of O-TTPS 3rd party labs
  - Must meet established criteria, and assessors must pass the O-TTPS Assessor exam
  - Receive certificates and are listed on the public registry
O-TTPS Recognized Assessors
• atsec information security corporation
• EWA – Canada
• Booz Allen Hamilton (BAH)
O-TTPS Recognized Assessor Requirements
Recognized Assessor Company
• Accepted standards:
  - ISO/IEC 17020:2012: Conformity Assessment – Requirements for the operation of various types of bodies performing inspection
  - ISO/IEC 17021:2011: Conformity Assessment – Requirements for bodies providing audit and certification of management systems
  - ISO/IEC 17025:2005: General requirements for the competence of testing and calibration laboratories
• Has established a process for performing O-TTPS accreditations in accordance with its own established management system requirements and The Open Group Assessment Procedures
Competent assessors
• Accepted qualifications:
  - Lead auditor: ISO/IEC 27001, ISO 9001
  - CMMI-DEV appraisers
  - ISO/IEC 15408 or Common Criteria evaluator (with experience in evaluating life-cycle assurance requirements)
  - ISO/IEC 19790 or FIPS 140-2 tester with experience in testing the process requirements of that standard
• Have sufficient skills in:
  - Supply chain management terminology and techniques
  - Technical knowledge of O-TTPS attributes and the assessment program
• Have successfully completed the O-TTPS Assessor Exam
The Open Group Program relies on existing compliance with industry norms, using standards commonly specified for information assurance (IA) assessor companies and process assessors, and builds on existing standards assuring that subject matter expertise is established in the assessor companies.
OTTF Milestones and Time Frames (2010–2014)
Milestones, in order:
• Early Industry Collaboration
• Forum Launched
• Framework White Paper Published
• Standard Development: Snapshot => Publish V1.0 (O-TTPS v1.0 published April 2013)
• Define Conformance Criteria, Conduct Pilot Program (Conducted Pilot of the O-TTPS Accreditation)
• Define & Approve O-TTPS Accreditation Program
• Implement and Launch Public O-TTPS Accreditation Program
Feb 3, 2014 – Announce:
1. Public Launch of Accreditation Program
2. First Accredited Open Trusted Technology Provider™
3. First two O-TTPS Recognized Assessor Labs
The Open Group Trusted Technology Forum (OTTF) Roadmap
Items (phases in order across 4Q2014, 1Q2015, 2Q2015, 3Q2015, 4Q2015):
• ISO PAS Submission – Open Trusted Technology Provider Standard (O-TTPS) V1.1: ISO Review; ISO Ballot; if approved, work with ISO to publish
• O-TTPS 1.1 Translation (Simplified Chinese): Review; Review; Publish
• O-TTPS Assessment Procedures – Revisions: Review V1.1 (4Q2014); Publish V1.1 (1Q2015); Consider ISO PAS (2Q2015); Develop V1.2 (3Q2015); Review V1.2 (4Q2015)
The OTTF Roadmap (continued)
Items (phases in order across 4Q2014, 1Q2015, 2Q2015, 3Q2015, 4Q2015):
• O-TTPS Mapping to other standards – map to Common Criteria (CC) & NIST Cybersecurity Framework (NCF) …: Develop; Review; Publish
• O-TTPS 2.0: Develop; Develop
OTTF – Additional Publications

Publication | Type | Date
O-TTPS Recognized Assessor Program: Update Training Materials and Assessor Exam | Accreditation | Q2/15
Training Materials for Accreditation Applicants & Market Adoption Materials for Customers | Accreditation | Q2/15
O-TTPS Mapping Table(s): Update and Provide Additional Mappings | Accreditation | Q3/15
O-TTPS Accreditation Program: Update Supporting Documents | Accreditation | Q3/15
Outreach & Harmonization
• Approach:
  - Communicate the facts
    - GAO Report: mentions O-TTPS as one of the two most cited supply chain standards efforts in their report
    - References to O-TTPS in NIST SP-161 draft
    - NASA RFP recommendation included O-TTPS (SEWP V 2013)
    - Expect customers to begin demanding O-TTPS compliance
    - Mapping to NIST Cybersecurity Framework
  - Leverage opportunities to inform stakeholders
    - Conference speaking engagements
  - Concentrate on the strength of our content
    - Mapping our content to other standards
    - Use public sources and social media
  - Develop demand among the broad community through the value proposition, not regulation
  - Focus on priorities
Alliance – Offers a Holistic Approach to Securing Global Supply Chains
• Customer/Acquirer: demands an Accreditation certificate as evidence of conformance to Open Trusted Technology Provider™ standards
• Integrator, Distributors, Resellers: will seek business partners who meet Open Trusted Technology Provider™ requirements
• Provider: will seek business partners who meet Open Trusted Technology Provider™ requirements
• Component Suppliers (business partners): may be hardware, software, global, open source – or not – with multiple supplier layers
• Standards Body: will seek ways of achieving market uptake and integrity of standards
• Accreditation Body: must be independent and vendor/technology-neutral
What You Can Do Now …
• Technology Providers (OEMs, component suppliers (HW or SW), Integrators, Value-Add Resellers (VARs), Distributors):
  - Get prepared: go to http://ottps-accred.opengroup.org/home-public
  - Download the documents and read them – everything is publicly available – learn what’s required and what you need to demonstrate conformance
  - Improve the integrity and the security of your processes
  - Get accredited
  - Encourage your technology partners (Integrators, OEMs, VARs, Distributors, Component Suppliers) to get accredited
• Customers (government, commercial):
  - Make your Suppliers, Integrators and VARs aware of O-TTPS
  - Encourage them to learn about it, prepare and get accredited
  - Let them know their accreditation is a differentiator in procurement
• Customers, Technology Providers, Assessors:
  - Consider joining the OTTF (Forum) to evolve the standard and accreditation program in a way that meets your needs
Resources
• The Open Group Trusted Technology Forum (OTTF)
• The OTTF Information Sheet Handout
• The O-TTPS (Standard) Version 1.1
• The Open Group represents OTTF at Congress
• OTTF Vendor Testimonials
• The O-TTPS Accreditation Website
• OTTF Podcast (Dana Gardner with: Brickman, Lipner, Lounsbury, and Szakal)
• Press Release Feb 3, 2014 – Launch of the O-TTPS Accreditation Program
• The Open Group
Thank You!
For more information contact:
Mike Hickey [email protected]
or
Sally Long [email protected]