Identifying the risks
To survive against malicious attacks, organizations must guarantee and trust every link in their technology supply chain. But as systems become more interoperable, more of the supply chain is becoming exposed. International connectivity has created massive benefits for large Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) producers and consumers, but with those advancements comes a higher level of risk.
The introduction of maliciously tainted and counterfeit components can occur at various stages of the supply chain life cycle. Across the design, sourcing, build, fulfillment, distribution, sustainment and disposal stages, the supply chain is wide open for an unfriendly “passenger” to take a ride straight into an organization’s computer systems and access intellectual property. This has left many organizations facing the unknown when purchasing hardware or software for mission-critical systems. Products may now reach them without any guarantee that suppliers have used secure engineering practices and secure supply chain management practices.
Today’s technology supply chain is complex, with component suppliers located across the globe. To ensure their supply chains are secure, organizations need to guarantee that they are purchasing items from trusted technology providers who follow universally accepted best practices. This means not only standardizing secure development and engineering practices in-house when creating software and hardware components, but also ensuring that best practices are being followed at every step of the supply chain. In today’s global economy, the best way to anticipate the massive threat of cyber criminals and counterfeit products is to identify trusted component suppliers, trusted providers and trusted integrators. With a trusted network, organizations can know who in the supply chain is following best practices, and be sure they are aligned with the best partners.
The Trojan horse
Let’s take a closer look at the gateways that are exposing the supply chain, starting with the “Trojan horse” techniques. Tainted products introduced within the supply chain increase the possibility of untracked, malicious behavior, as was evident when Target’s network credentials were stolen via a heating and refrigeration contractor. This is known fondly by hackers as the “Trojan Horse”, and it may be hiding within your company right now.
Customers and governments are moving away from building their own high-assurance, customized systems to secure against these threats. Instead, they are adopting COTS products because they are cheaper and more reliable. But a maliciously tainted COTS product, once connected or incorporated, can pose a substantial security risk once it is operating at a customer site. Unfortunately for organizations like Target, it can allow hackers to take control of the organization’s network or gain access to sensitive intellectual property.
In addition to the maliciously tainted “Trojan horse” scenario, counterfeit products within the supply chain are another major threat to customers and suppliers. Manufacturers and suppliers have been plagued by counterfeit products for years due to the growth in outsourcing and expanded global supply chains. Counterfeit components can result in faulty or sub-par products, loss of revenue and brand equity, and even exposure of sensitive intellectual property. With these mounting risks to the supply chain, how can vendors, corporations and suppliers increase the integrity of technology products and help protect the supply chain from the threat of attacks?
Creating unity and securing the supply chain
Virtually nothing is made from one source anymore, making it difficult to build security into supply chains. The global and speedy manner in which technologies are invented, produced and sold requires agile business processes to achieve routine and scalable results. Combining an international focus with public-private partnership is a major concern for all parties affected by supply chain security issues. The scope of security is now broadening from the endpoint alone to an end-to-end view of the product lifecycle across the global supply chain.
The increased sophistication of cyber-attacks has made it necessary for technology suppliers and governments to take a more comprehensive approach to assuring product integrity and supply chain security. Customers and governments are now beginning to seek universal guarantees that their providers are following best practices to mitigate the risk of tainted or counterfeit components before they make their way into mission-critical infrastructure. Aligning this with a codified approach that is universally formulated with transparent standards, which are recognized by multiple industries and regions, will increase the integrity of the supply chain and help protect against cybersecurity attacks.
Creating global unity across industries and establishing open conversations is key to progressing supply chain security. With an open path to share best practices on how to assure product integrity and secure supply chains, organizations can be in sync with all parts of their supply chain. This is crucial when developing a framework of best practices as an open standard, which can then be utilized to assess and guarantee providers are conforming to the standard.
Universal standard and accreditation of conformance
Creating a global common standard of best practices for securing supply chains is necessary to comprehensively tackle the vulnerabilities inherent in global supply chains. A standard that is freely available, and open to be adopted by all component suppliers, technology providers, and integrators can help ensure that products are built with integrity so customers can buy with confidence.
With a universal understanding of the issues, implementation of a universal standard and a formal accreditation program to verify conformance, all parties involved in the supply chain can have assurance that they are working with trusted technology providers, making every enterprise environment that partners with trusted technology providers safer and more secure.
The security bar must be raised across the full spectrum of the supply chain, from small component suppliers to the providers who include those components in their products, to the integrators who incorporate those providers’ products into customers’ systems. By accepting the realities of the threat landscape and taking appropriate measures, like working only with trusted technology providers who conform to a universal standard for mitigating those threats, organizations can be sure that they will improve the integrity of their products and the security of their supply chains.
The Open Group Trusted Technology Forum (OTTF) is an international forum of industry providers, third-party labs and governments developing standards and conformance programs to increase security in global technology supply chains. OTTF has published the Open Trusted Technology Provider Standard (O-TTPS), which benefits global providers and acquirers of commercial off-the-shelf (COTS) information and communication technology products. This open standard and the O-TTPS accreditation program are the first of their kind to help organizations, component suppliers, technology providers, and integrators to demonstrate conformance to the standard and achieve Open Trusted Technology Provider status, helping assure the integrity of COTS ICT products worldwide and safeguarding global supply chains against the increased sophistication of cybersecurity attacks.