OTTF - Full Slide Set - Jan 20 2015 - The Open Group

Copyright (C) The Open Group 2015

 

Managing Cybersecurity Threats by engaging with Accredited Open Trusted Technology Providers - Organizations that conform to the Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS)

Sally Long, Director, The Open Group Trusted Technology Forum
[email protected]

“Build with Integrity - Buy with Confidence™”

Presentation Overview

• Background & Context:
  - Brief overview of The Open Group and The Open Group Trusted Technology Forum (OTTF)
• The Supply Chain Challenge as it applies to:
  - COTS ICT
  - Critical Infrastructure
• Industry Response to the Challenge
  - The Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS)
  - O-TTPS Accreditation Program
• Current State of the OTTF:
  - Milestones, Roadmap and Global Outreach Efforts
• What You Can Do Now

The Open Group Membership

Over 40,000 participants from over 95 countries
Over 500 memberships with HQs in 40 countries from 6 continents

Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, India, Italy, Japan, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Poland, Qatar, Russian Federation, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, UK, United Arab Emirates, USA

What Does The Open Group Do?

• Membership & Events
  - International & Regional Conferences
  - Forums: ArchiMate® Architecture, Enterprise Management Forum, IT4IT™, Open Platform 3.0™, Real-time & Embedded Systems, Security, Trusted Technology Forum, Platform Base Working Group
• Standards and Certification – over 25 years' experience
  Voluntary consensus standards and certification programs through The Open Group Standards Process, consistent with OMB Circular A-119
  - People & Organizations: ArchiMate®, POSIX®, TOGAF®, UNIX®, Open Trusted Technology Provider™
  - Professional: TOGAF®, ArchiMate®, Certified Architect (Open CA), Certified IT Specialist (Open CITS), Open FAIR
  - Consortia: Hotel Technology Next Generation (HTNG), North American State and Provincial Lotteries (NASPL), Near Field Communication Forum (NFC Forum), UNIX®, WAP, Architecture Tools
  - Defense Standards: DirecNet, FACE™

The Open Group CyberSecurity Activities

Security Forum – Open Standards & Best Practices
• Security architecture
• Information security management
• Risk management standards, best practices, and certification
• Compliance & security automation

Real Time & Embedded Systems Forum – Open Standards
• MILS
• Software assurance
• High assurance certification
• Dependability

Trusted Technology Forum – Supply Chain Security Standards, Best Practices
• Open Trusted Technology Provider™ (O-TTPS) (Standard)
• Addressing maliciously tainted and counterfeit products
• O-TTPS Accreditation Program

The Supply Chain Challenge and the OTTF

The Open Group Trusted Technology Forum (OTTF)

• Government-industry roundtable discussion in 2009
  - Initiated by DoD AT&L(SE), DoD-CIO and The Open Group
• Government raised these issues
  - Moving from high assurance customized solutions to Commercial Off The Shelf (COTS) Information Communication Technology (ICT)
  - Need to confidently identify trusted COTS ICT products/providers
• Government recommendation
  - Establish consensus on best-of-breed best practices based on industry experience to create a standard that enables all providers to conform to those best practices when building products.
  - Create an accreditation program brand that identifies trusted technology providers who conform to the standard
• Response to the recommendation – the OTTF
  - Providers, integrators, government agencies and third party labs from around the globe responded to the recommendation

The Open Group Trusted Technology Forum

A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can “Build with Integrity and Buy with Confidence™”

The Supply Chain Challenge for COTS ICT Providers

Challenges:
• Need to secure our Global Supply Chains
• Need a full life cycle approach
• Need a standard of best practices for all constituents in the chain
• Need accreditation to help assure conformance to the standard
• Need a public registry to identify trusted/accredited constituents
• Need customers to reward trusted/accredited constituents through procurement

Product certification is not enough. Need assurance that best practices are followed through the product life cycle, including global supply chains.

Governments, Consumers, Service Providers and Enterprises: Procure from an Accredited Open Trusted Technology Provider™

“Build with Integrity – Buy with Confidence™”

Technology Supply Chain Threat Matrix

Columns: Taint, Counterfeit. Rows: Upstream, Provider, Downstream.

Threats placed in the matrix:
• Malware
• Malicious code (masquerading as vulnerabilities)
• Unauthorized “Parts”
• Unauthorized Configuration
• Scrap/Substandard Parts
• Unauthorized Production

A Threat-Based Problem: Global supply chain security for COTS products

• Commercial Off the Shelf Products are developed and used globally
• COTS products rely on components that are often globally sourced
• COTS products are integrated into Critical Infrastructure, Government systems and Commercial solutions

Threats: Counterfeit product, Maliciously tainted, Tainted, Insiders, Obsolescence, Many others …

Requirements for Products, Providers and Operators

• Functional & Quality Requirements for Products: The product does what it’s intended to do functionally & performs at the required performance levels.
• Security Requirements for Products: The product meets certain security assurance levels based on requirements of the environment into which it’s placed and the acceptable level of risk for that environment.
• Security & Integrity Process Requirements for Providers (O-TTPS): Integrators and providers who build IT products must follow best practices for security and integrity – design through disposal (both in-house and in their supply chains). This reduces the risk of vulnerabilities (potential malware insertion sites) and of tainted & counterfeit components before the products make it into the critical environment.
• Functional, Quality, Security & Integrity Process Requirements for Operators: Operator organizations must ensure security and integrity of systems during operation. In addition, operator organizations must have policies in place for each of the four categories:
  - all systems function & perform well
  - products comply with security requirements
  - they buy from trusted providers
  - systems are secure during operation & recovery

The O-TTPS

The first version of the O-TTPS addresses the two threats that have been identified as the most pressing:
• Maliciously Tainted
• Counterfeit Products

O-TTPS Standard – Mitigating Risks for Tainted and Counterfeit Products

• A tainted product is “produced by the provider and is acquired through reputable channels but has been tampered with maliciously”. Could result in:
  - product failure, degraded performance; can enable malware insertion, weakened security mechanisms allowing rogue functionality and potentially critical damage
  - enabled IP and identity theft, damage to critical infrastructure operations – which could lead to catastrophic results for citizens
• A counterfeit product is “produced other than by or for the provider, or is supplied by other than a reputable channel, and is represented as legitimate”. Could result in:
  - For customers: if product fails at a critical juncture – loss of productivity, revenue
  - For providers: loss of revenue stream and brand damage
• Double risk if counterfeit products are also tainted

O-TTPS: Mitigating Maliciously Tainted and Counterfeit Products

• The Open Trusted Technology Provider™ Standard (O-TTPS) released in April 2013 – 50-page document on requirements for organizational best practices
• The result of over 3 years of collaborative consensus-based effort
• Requirements apply across the product life cycle. Some are highly correlated to threats of maliciously tainted and counterfeit products; others are more foundational but considered essential
• 2 areas of requirements – often overlap depending on product and provider:
  - Technology Development – mostly under the provider’s in-house supervision
  - Supply Chain activities – mostly where the provider interacts with third parties who contribute their piece in the product’s life cycle

Product life cycle phases (Technology Development and Supply Chain): Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal

O-TTPS: Technology Development

• Product Development/Engineering Requirements in:
  - Software/Firmware/Hardware Design Process
  - Development/Engineering Process and Practices
  - Configuration Management
  - Quality/Test Management
  - Product Sustainment Management
• Secure Development/Engineering Requirements in:
  - Threat Analysis and Mitigation
  - Run-time Protection Techniques
  - Vulnerability Analysis and Response
  - Product Patching and Remediation
  - Secure Engineering Practices
  - Monitor and assess the impact of changes in the threat landscape

O-TTPS: Supply Chain Activities

• Supply Chain Requirements in:
  - Risk Management
  - Physical Security
  - Access Controls
  - Employee and Supplier Security
  - Business Partner Security
  - Supply Chain Security Training
  - Information Systems Security
  - Trusted Technology Components
  - Secure Transmission and Handling
  - Open Source Handling
  - Counterfeit Mitigation
  - Malware Detection

OTTF Principles

The OTTF is developing its standards and accreditation programs according to these principles:
• Practical and effective – Practitioner based, evidence that it works in the field
• Reasonable – Achievable and implementable by a wide variety of vendors and stakeholders
• Affordable – Reasonably cost effective to implement
• Open – Based on open standards and recognized industry best practices – publicly available to all
• Organizational/Process Based Accreditation – Flexible enough that an organization can choose its own scope of accreditation (product, product-line, entire organization)

The O-TTPS Accreditation Program

Open to all Component Suppliers, Providers, Integrators, Distributors and Resellers

• OTTF: develops and maintains the Standard – Membership is open to all
• Accreditation Authority (governance and operation): Program operated by The Open Group. Vendor-neutral program: the Accreditation Authority is responsible for accreditation of 3rd party assessors, appeals, certificates, logo use, and consistency across accreditations
• O-TTPS Recognized 3rd Party Assessors: verify conformance
• Application: Scope flexible – whole organization to one product
• Success! Open Trusted Technology Providers™ – Program logo used to support accreditation claims. Based on Warranty from Organization & Conformance Assessment

Accreditation Program Description

• The Applicant can be a Technology Provider, Component Supplier, Integrator, Distributor (Value-Add), Reseller
• The Applicant warrants and represents their conformance to requirements throughout their declared Scope of Accreditation – that is, they claim that they follow the best practices throughout the product life cycle, including supply chain cycles, for all of the products in their declared Scope
• Scope up to Applicant: product, product(s), product-line, organization, etc.
• Warranty backed by evidence of conformance and assessment of evidence by 3rd Party Assessors
• The Open Group will operate a vendor-neutral program, provide oversight and consistency across applications
• Successful Applicant gets certificate and use of Trademark and Logo
• The Open Group manages Trademark and Logo use, problem reporting and appeals process
• The accreditation period is 3 years before required renewal
• Launch of a public O-TTPS accreditation program December 2014 – open to any organization – don’t need to be a member

Assessments by 3rd Party Labs

• Publicly Available Assessment Procedures
  - Help achieve objectivity, repeatability, and consistency across accreditations
  - Geared specifically to: Providers, Component Suppliers, Integrators and Value Add Distributors, and Resellers (Non-Value Add)
• Two types of requirements/evidence to be assessed: process and implementation
  - Process – Need evidence there are documented processes
  - Implementation – Need evidence that processes were implemented
• Formal Recognition of O-TTPS 3rd party labs
  - Must meet established criteria and assessors must pass the O-TTPS Assessor exam
  - Receive certificates and are listed on the public registry

O-TTPS Recognized Assessors

• atsec information security corporation
• EWA – Canada
• Booz Allen Hamilton (BAH)

O-TTPS Recognized Assessor Requirements

Recognized Assessor Company – accepted standards:
• ISO/IEC 17020:2012: Conformity Assessment – Requirements for the operation of various types of bodies performing inspection
• ISO/IEC 17021:2011: Conformity Assessment – Requirements for bodies providing audit and certification of management systems
• ISO/IEC 17025:2005: General requirements for the competence of testing and calibration laboratories

Competent assessors – accepted qualifications:
• Lead auditor (ISO/IEC 27001, ISO 9001)
• CMMI-DEV appraisers
• ISO/IEC 15408 or Common Criteria evaluator (with experience in evaluating life-cycle assurance requirements)
• ISO/IEC 19790 or FIPS 140-2 tester with experience in testing the process requirements of that standard

The Open Group Program relies on existing compliance with industry norms, using standards commonly specified for information assurance (IA) assessor companies and process assessors.

Recognized Assessor Company – has established a process for performing O-TTPS accreditations in accordance with its own established management system requirements and The Open Group Assessment Procedures

Competent assessors – have sufficient skills in:
• Supply chain management terminology and techniques
• Technical knowledge of O-TTPS attributes & the assessment program
• Have successfully completed the O-TTPS Assessor Exam

The Open Group Program builds on existing standards, assuring that Subject Matter Expertise is established in the assessor companies.

OTTF Milestones and Time Frames (2010 – 2014)

• Early Industry Collaboration
• Forum Launched
• Framework White Paper Published
• Standard Development: Snapshot => Publish V 1.0
• Define Conformance Criteria, Conduct Pilot Program
• Define & Approve O-TTPS Accreditation Program
• Implement and Launch Public O-TTPS Accreditation Program

O-TTPS v. 1.0 published April 2013
Conducted Pilot of the O-TTPS Accreditation
Feb 3, 2014 – Announce: 1. Public Launch of Accreditation Program 2. First Accredited Open Trusted Technology Provider™ 3. First two O-TTPS Recognized Assessor Labs

The Open Group Trusted Technology Forum (OTTF) Roadmap (4Q2014 – 4Q2015)

• ISO PAS Submission – Open Trusted Technology Provider Standard (O-TTPS) V 1.1: ISO Review => ISO Ballot => If approved, work with ISO to publish
• O-TTPS 1.1 Translation (Simplified Chinese): Review => Review => Publish
• O-TTPS Assessment Procedures – Revisions: Review V1.1 => Publish V1.1 => Consider ISO PAS => Develop V1.2 => Review V1.2

The OTTF Roadmap (continued) (4Q2014 – 4Q2015)

• O-TTPS Mapping to other standards – Map to: Common Criteria (CC) & NIST Cybersecurity Framework (NCF) …: Develop => Review => Publish
• O-TTPS 2.0: Develop

OTTF – Additional Publications

• O-TTPS Recognized Assessor Program: Update Training Materials and Assessor Exam (Type: Accreditation; Date: Q2/15)
• Training Materials for Accreditation Applicants & Market Adoption Materials for Customers (Type: Accreditation; Date: Q2/15)
• O-TTPS Mapping Table(s): Update and Provide Additional Mappings (Type: Accreditation; Date: Q3/15)
• O-TTPS Accreditation Program: Update Supporting Documents (Type: Accreditation; Date: Q3/15)

Outreach & Harmonization

• Approach
  - Communicate the facts
  - GAO Report: mentions O-TTPS as one of the two most cited supply chain standards efforts in their report
  - References to O-TTPS in NIST SP-161 draft
  - NASA RFP recommendation included O-TTPS (SEWP V 2013)
  - Expect customers to begin demanding O-TTPS compliance
  - Mapping to NIST Cybersecurity Framework
  - Leverage opportunities to inform stakeholders
  - Conference speaking engagements
  - Concentrate on the strength of our content
  - Mapping our content to other standards
  - Use public sources and social media
  - Develop demand among the broad community through the value proposition, not regulation
  - Focus on priorities

Alliance – Offers Holistic Approach to Securing Global Supply Chains

• Customer/Acquirer: Demands Accreditation certificate as evidence of conformance to Open Trusted Technology Provider™ standards
• Integrator, Distributors, Resellers: Will seek business partners who meet Open Trusted Technology Provider™ requirements
• Provider: Will seek business partners who meet Open Trusted Technology Provider™ requirements
• Component Suppliers / Business Partners: May be hardware, software, global, open source – or not – multiple supplier layers
• Standards Body: Will seek ways of achieving market up-take / integrity of standards
• Accreditation Body: Must be independent & vendor/technology-neutral

What You Can Do Now …

• Technology Providers (OEMs, component suppliers (HW or SW), Integrators, Value-add Resellers (VARs), Distributors):
  - Get prepared: Go to http://ottps-accred.opengroup.org/home-public
  - Download the documents and read them – everything is publicly available – learn what’s required, and what you need to demonstrate conformance.
  - Improve the integrity and the security of your processes.
  - Get accredited
  - Encourage your technology partners (Integrators, OEMs, VARs, Distributors, Component Suppliers) to get accredited.
• Customers (government, commercial):
  - Make your Suppliers, Integrators, VARs aware of O-TTPS.
  - Encourage them to learn about it, prepare and get accredited.
  - Let them know their accreditation is a differentiator in procurement.
• Customers, Technology Providers, Assessors:
  - Consider joining the OTTF (Forum) to evolve the standard and accreditation program in a way that meets your needs.

Resources

• The Open Group Trusted Technology Forum (OTTF)
• The OTTF Information Sheet Handout
• The O-TTPS (Standard) Version 1.1
• The Open Group represents OTTF at Congress
• OTTF Vendor Testimonials
• The O-TTPS Accreditation Website
• OTTF Podcast (Dana Gardner with: Brickman, Lipner, Lounsbury, and Szakal)
• Press Release Feb 3, 2014 – Launch of the O-TTPS Accreditation Program
• The Open Group

Thank You!

For more information contact:
Mike Hickey [email protected]
or
Sally Long [email protected]