It is Time to Get Serious About Addressing Cybersecurity...


Page 1: It is Time to Get Serious About Addressing Cybersecurity ... (scinno-ap.com/Upload/file/20161125/20161125151605_8981.pdf, 2016/11/25)

It is Time to Get Serious About Addressing Cyber Supply Chain Risk

www.huawei.co

Andy Purdy, Esq., CISSP, CIPP/US
CSO, Huawei Technologies USA
Vice Chair, Open Group Trusted Technology Forum
December 1, 2016


Page 2 HUAWEI TECHNOLOGIES CO., LTD.

Increasing Cyber Security Threats

Concerns and challenges faced by users, owners and operators:

• Security assurance capability
• Malicious attacks to steal confidential information
• Application network security issues
• Security challenges of new technologies (NFV, SDN, etc.)

Protecting users' private data from leakage, enhancing the security defense capability of equipment, and the security challenges of new technology are the issues that most concern customers.

Page 3

Contents

• About Huawei
• Threats in technology development and global supply chains – counterfeit and malicious taint
• Internal governance success factors
• The NIST Cybersecurity Framework – a risk analytic tool
• Using Economics to Lower Risk – the EastWest Institute Buyers Guide for ICT
• The Open Trusted Technology Provider Standard – processes that warrant trust
• Independent Evaluation of Conformance – the O-TTPS Accreditation Program
• Huawei’s approach
• Conclusion

Page 4

Secure products, solutions and services

Huawei is a global organization serving over a third of the planet’s population.

• A leading global ICT solutions and Fortune Global 500 company
• Operations in 170 countries; 170,000 employees, 73% recruited locally
• $60+ B revenue in 2016; serving 45 of the world's top 50 operators
• 70,000 employees in R&D; 15 R&D centers; 25 Joint Innovation Centers

(Diagram: Global R&D, Global Supply, Global Service; IT Solutions, Networks, Devices; Enterprise Market, Telecom Carriers, Consumer Market)

Page 5

Huawei Global Supply Network

(Map: supply centers, regional hubs and reverse centers in Mexico, Brazil, China (Chengdu, Beijing, Shanghai), Hungary, Netherlands, Dubai, India and Panama (hub TBD); legend: Reverse center, Supply center, Regional hub, Regional hub under feasibility)

Material sources: US: 32%, the largest material source; Mainland China: 30% (cable, battery, mechanical parts, cabinet, etc.); Taiwan, Japan & Korea: 28% (components); Europe: 10%.

Page 6

Threats in technology development and global supply chains – counterfeit and malicious taint

(Table, courtesy of the Open Group: main threats to stakeholders, marked for Tainted (upstream/downstream) and Counterfeit (upstream/downstream) products; security properties at stake: Integrity, Availability, Traceability, Confidentiality, Authenticity. Check-mark placement is not preserved in this extraction.)

• Malware
• Unauthorized “Parts”
• Unauthorized Configuration
• Scrap/Sub-standard Parts
• Unauthorized Production
• Intentional Damage

Page 7

Critical Success Factors for Global Assurance

• Organizational commitment
• Strategy based on addressing future challenges
• Clear governance roles and responsibilities
• Consistent, repeatable processes
• Robust verification -- “assume nothing, believe no-one and check everything.” Plan, Do, Check, Act.
• Openness and transparency regarding progress, successes, and failures

Page 8

The NIST Cybersecurity Framework (CSF): A valuable, risk analytic tool

• NIST CSF consists of standards, guidelines, and best practices, first intended to promote the protection of critical infrastructure.

• A prioritized, flexible, repeatable, and cost-effective risk-analytic tool that can help owners and operators of critical infrastructure – and most other organizations -- to assess and manage cybersecurity-related risk.

• CSF is organized by five key functions related to cyber risk: identify, protect, detect, respond, & recover.

• CSF lists key categories for each function; for example, “identify”: asset management, business environment, governance, risk assessment, and risk management.

• CSF has sub categories of each category, and provides a list of informative references (relevant standards/best practices) for each.

• For more information: https://www.nist.gov/cyberframework

Page 9

EastWest Institute: Use Economics to Lower Risk – “Purchasing Secure ICT Products and Services”

• The EastWest Institute (EWI) Buyers Guide will help buyers of Information and Communication Technologies (ICT) in managing cybersecurity risks when buying technology products and services.

• Enterprise security governance
  1. Strategy and Control
  2. Standards and Processes
  3. Human Resources

• The Product and Service Lifecycle – from Design through Sustainment and Response
  1. Design and Development
  2. Build
  3. Release, Fulfillment, and Distribution
  4. Sustainment and Response
  5. Sourcing and Supply Chain
  6. Creating assurance: Fostering Assurance and Demonstrating Assurance

• https://www.eastwest.ngo/sites/default/files/EWI_BuyersGuide.pdf

Page 10

Open Trusted Technology Provider Standard (O-TTPS)

• O-TTPS standard was developed by The Open Group Trusted Technology Forum under the auspices of the Open Group and was recognized by ISO as ISO 20243.

• Demonstration of conformance through the Open Group’s independent, voluntary O-TTPS Accreditation Program process provides formal recognition of an organization’s conformance to this industry standard.

• Successful applicants gain accreditation and can use the Open Trusted Technology Provider trademarked logo.

• Embedded in this slide are files containing the standard and fact sheet.

Page 11

The Open Group Trusted Technology Forum

Global industry-led initiative -- best practices for secure engineering and supply chain integrity. “Build with Integrity and Buy with Confidence™”

Page 12

O-TTPS: Mitigating Risk of Malicious Taint and Counterfeit

• 50-page document of requirements for organizational best practices
• Recognized in 2015 by the International Standards Organization as ISO 20243.
• The result of over 3 years of collaborative consensus-based effort
• Applies across the product life cycle.
• Some requirements are highly correlated to threats of maliciously tainted and counterfeit products; others are more foundational but considered essential.
• 2 areas of requirements – often overlapping depending on product and provider:
  › Technology Development – mostly under the provider’s in-house supervision
  › Supply Chain activities – mostly where the provider interacts with third parties who contribute their piece in the product’s life cycle

(Diagram: product life cycle phases Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal, grouped into Technology Development and Supply Chain)

Presenter notes: While these categories are useful as an organizing construct, they are not absolute distinctions; for example, one product may be handled by the provider’s own organization exclusively, whilst another product’s life cycle could involve many aspects being handled in conjunction with a variety of third parties as governed by the provider. These two major categories of the product life cycle are depicted in Figure 2.

Page 13

The O-TTPS Accreditation Program: Independent Evaluation of Conformance

• The O-TTPS Accreditation Program provides structure and discipline to a set of benchmarks and requires independent confirmation of conformance based on evidence
• Process promotes self-evaluation of operations
• Identifies necessary processes for technology development and supply chain
• Organization needs to determine the scope sought for accreditation: organization-wide, a business unit(s), product line, or products?
• Company must determine:
  › What products are made in what region and nation?
  › Do the required processes exist everywhere that is relevant?
  › Are the processes implemented as required, and what evidence is there to confirm that? Are there gaps? What needs to be done to fill the gaps?

Presenter notes: The scope of this certification is the FDD (Frequency Division Duplex) product line of its Wireless Network Business Unit, including 10 products, and covering the global supply chain system of Huawei. More than 600 pieces of evidence were audited, involving over 20 departments.

Page 14

Huawei’s Approach: 8 Elements of Supplier Management (TQRDCESS)

• Supplier management includes eight elements: Technology, Quality, Response, Delivery, Cost, Environment, CSR, and Cyber Security.
• Security has been integrated into the procurement business processes, including cyber security policies, baseline, and process criteria.

(Diagram: Supplier Management Model – Technology, Quality, Response, Delivery, Cost, Environment, CSR, Cyber Security)

CSR: customer satisfaction representative; TCO: total cost of ownership

Presenter notes: Evaluate supplier’s performance and contribution to Huawei TCO.
• Technology: Technological edge, open resources, and capabilities of early involvement in R&D, innovation, and technical service capabilities
• Quality: Quality system, quality performance, response speed in problem handling, and capabilities of continuous quality improvement.
• Response: Lead time, supply flexibility, market information sharing, promptness in capacity preparation, and response to orders.
• Delivery: Timely, accurate, and complete delivery
• Cost: Price competitiveness, capabilities of continuous price reduction, contribution to the TCO, and preferential commercial clauses and conditions.
• Environment: Establishment of an environmental system, including removing harmful substances and controlling and reducing pollution and greenhouse gases
• CSR: Establishment of the occupational health and safety management system (OHSMS), including labor standards, health and safety, and business ethics
• Cyber security: Policy, baseline, process, agreement, training, test, emergency response

Page 15

Huawei’s Supply Chain Security Strategy

E2E assurance of security in all stages of the supply chain: trusted material, trusted manufacturing, trusted SW delivery, trusted logistics, trusted regional warehouses & distribution, customer.

Commitment to a supply chain with the following DNA, which we believe is quite consistent with the O-TTPS approach: Efficiency, Security, Resilience.

Presenter notes:
• Efficiency: Promote timely and efficient flow of products and services in the supply chain. Protect the supply chain from exploitation. Reduce the risks of supply chain interruption.
• Security: Ensure product and service integrity in the global supply chain. Identify and resolve threats early in the process and strengthen the security of supply chain infrastructure, logistics and information assets. Establish a sustainable supply chain security management system.
• Resilience: Identify supply chain risks and work out improvement plans to ensure the supply chain can quickly recover from disruption due to changing threats and risks. Establish an accurate and effective traceability system to identify and mark problems at the first time and recover and improve the supply chain quickly and pointedly.

Page 16

Huawei Supply Chain Cyber Security Baseline Management

(Diagram, baseline management: Identify risks, Develop baselines, Integrate into processes, Check the implementation, Improve continuously)

Presenter notes: Based on risks to the supply chain and customer & government requirements, we develop cyber security baselines aiming to protect product integrity, traceability, and authenticity, and take a built-in approach to integrate the baselines into processes. We have developed nearly 100 baselines around 10 security elements:
• Laws and regulations
• Infrastructure security
• Access control
• Incoming material security
• Manufacturing security
• Software delivery security
• Order fulfillment security
• Traceability system
• Emergency response
• Risk analysis, improvement and audit

Page 17

Huawei Framework of Supply Chain Management Cyber Security Baselines

Goals: Integrity, Authenticity, Traceability

• Physical security: Prevent tampering and logic implants by preventing unauthorized physical access
• Software delivery security: Ensure SW integrity by E2E prevention of unauthorized physical access and by technical verification methods
• Organization, process and awareness: Establish baselines based on risk analysis and embed baselines into the daily operation of processes
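The slide names “technical verification methods” for software delivery integrity without spelling them out. As an added example (not code from this deck, from Huawei, or from the Open Group), the following Python models the receiving-side check a customer or downstream depot can run on a delivered software package: the file manifest's authenticity is verified first, then each listed file's SHA-256 digest, then the delivery is checked for unlisted extras (the “unauthorized parts” threat from the earlier table). The package contents, manifest fields and the key `VENDOR_KEY` are constructed for the example; an HMAC stands in for the asymmetric code-signing signature a real vendor would use, so that the receiver would hold only a public key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumption: a shared secret stands in for the vendor's signing key so the
# example runs offline. A production pipeline would use an asymmetric
# signature (e.g. a code-signing certificate) so the receiver holds no secret.
VENDOR_KEY = b"constructed-example-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Vendor side: record package identity plus a SHA-256 digest per file."""
    return {
        "package": "example-release",   # constructed value
        "version": "1.0.0",             # constructed value
        "files": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }


def canonical(manifest: dict) -> bytes:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


@dataclass
class VerificationResult:
    ok: bool
    findings: list = field(default_factory=list)


def verify_delivery(files: dict, manifest: dict, signature: str,
                    key: bytes = VENDOR_KEY) -> VerificationResult:
    """Receiver side: manifest authenticity, then file integrity and completeness."""
    findings = []
    # 1. Authenticity: trust the manifest's hashes only after its signature checks out.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        findings.append("manifest signature invalid: manifest not trusted")
        return VerificationResult(False, findings)
    # 2. Integrity: every listed file must be present and hash as recorded.
    for name, digest in manifest["files"].items():
        if name not in files:
            findings.append(f"missing file: {name}")
        elif sha256_hex(files[name]) != digest:
            findings.append(f"hash mismatch: {name}")
    # 3. Completeness: nothing may ride along that the vendor did not list.
    for name in files:
        if name not in manifest["files"]:
            findings.append(f"unlisted file: {name}")
    return VerificationResult(not findings, findings)


# Constructed sample delivery (not real Huawei artefacts).
SAMPLE_FILES = {
    "firmware.bin": b"\x7fELF-constructed-firmware-image",
    "release-notes.txt": b"v1.0.0 constructed release notes\n",
}
SAMPLE_MANIFEST = build_manifest(SAMPLE_FILES)
SAMPLE_SIGNATURE = sign_manifest(SAMPLE_MANIFEST)


def demo_tampered() -> VerificationResult:
    """Package altered in transit: one byte changed in firmware, one extra file added."""
    tampered = dict(SAMPLE_FILES)
    tampered["firmware.bin"] = tampered["firmware.bin"][:-1] + b"!"
    tampered["unlisted-extra.bin"] = b"constructed unlisted binary"
    return verify_delivery(tampered, SAMPLE_MANIFEST, SAMPLE_SIGNATURE)


def demo_forged_manifest() -> VerificationResult:
    """Manifest rewritten to match altered files, but the original signature no longer fits."""
    tampered = dict(SAMPLE_FILES)
    tampered["firmware.bin"] = b"replaced image"
    return verify_delivery(tampered, build_manifest(tampered), SAMPLE_SIGNATURE)


if __name__ == "__main__":
    print(verify_delivery(SAMPLE_FILES, SAMPLE_MANIFEST, SAMPLE_SIGNATURE))
    print(demo_tampered())
    print(demo_forged_manifest())
```

The order of the three checks matters: hashes from an unauthenticated manifest prove nothing, so the signature is checked first and verification stops there if it fails; the completeness pass is what turns a pure integrity check into a control against unauthorized parts in the delivery.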

Page 18

Huawei’s approach to E2E supplier management

• Supplier Qualification System: Quality, Environment, Corporate Social Responsibility, Health & Safety, Finance, Delivery, Security
• Process: Product manufacturing process
• Product: Product test and qualification
• Supplier Performance Management System: Evaluate supplier’s performance and contribution to Huawei TCO through T, Q, R, D, C, E, S, S

Presenter notes: Sign quality assurance agreement; define Huawei PCN requirement; quarterly quality grade appraisal; supplier independent quality improvement; periodic on-site inspection and SCAR & score card system management; daily record in systems & KPI monitoring. PCN: product change notice; AVL: Approved Vendor List; SPE: Supplier Performance Evaluation; KPI: Key Performance Index; SCAR: Supplier Correct Action Request.

Page 19

Conclusion

• Responsible organizations should address the risk of counterfeit and maliciously tainted products as part of an enterprise risk management program that considers risk from 3rd party providers of products & services.

• Buyers of ICT should develop security requirements for their procurements and collaborate with like-minded buyers to leverage their purchasing power.

• The O-TTPS (Open Trusted Technology Provider Standard – ISO/IEC 20243) provides a standard that providers, customers and stakeholders can use to set and meet requirements, and determine whether a provider is worthy of trust.

• The Accreditation Program supports the goals and transparency of the O-TTPS, providing independent evaluation of conformance to the technology development and supply chain processes of the standard.

Page 20

Thank you

www.huawei.com

Copyright © 2011 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

[email protected]