IT supply-chain security standard aims to prevent counterfeits, tampering

The danger of counterfeit and tampered IT products is well known, and to fight it the Open Group has published a technical security standard aimed at supply-chain safety. According to those involved, who include IBM and Cisco, an official accreditation process is also expected to be under way by year-end so that technology suppliers can prove their adherence to the standard.

The Open Group's Trusted Technology Forum (OTTF) has published the standard, called the "Open Trusted Technology Provider Standard (O-TTPS)," as a 32-page document available on the Open Group website. It's described as "a set of guidelines, requirements and recommendations that, when practically applied, create a business benefit in terms of reduced risk of acquiring maliciously tainted or counterfeit products for the technology acquirer."

It seeks to lay out best practices in design, sourcing, building, fulfillment and other facets of supply-chain distribution, including for integrators. It addresses the serious concern that fake or tampered electronics, hardware and software are being sold, a concern voiced specifically by the U.S. government and the Department of Defense in particular.

Andras Szakal, vice president and chief technology officer at IBM, is chair of OTTF, and Edna Conway, chief security officer, global value chain, at Cisco, serves as its vice chair.


While neither would discuss specifics about how the Open Group's new supply-chain safety standard might be adopted at IBM and Cisco, they underscored the importance ascribed to it. They indicated that a formal accreditation process is being formulated at the Open Group through which technology suppliers would in future be able to demonstrate adherence to O-TTPS.

"The focus is on conformance criteria to the standard and the structure of an accreditation program," said Szakal, adding that the goal is to have a formal, independent accreditation process in place towards the end of the year.

O-TTPS is intended to ensure that satisfactory security controls are in place for both the logical and the physical security of a trusted supplier, down to how open-source components are used and how malware is mitigated, Szakal says.

In addition to IBM and Cisco, high-tech firms and government agencies contributing to it include Juniper, Raytheon, CA Technologies, HP, Microsoft, Booz Allen Hamilton, Huawei, EMC, Qualys, LynuxWorks, Boeing, the National Security Agency, the U.S. Department of Defense and NASA.

Conway pointed out that this public-private partnership on the standard was formed to address concerns raised about the safety of the supply chain, concerns that Department of Homeland Security Secretary Janet Napolitano emphasized more than a year ago in her talk at the global economics conference in Davos, Switzerland.

The Open Group was seen as a good technical forum in which to develop a supply-chain safety standard because its membership extends to more than 90 countries, says Sally Long, director of the OTTF. No date has yet been set to announce how conformance testing and accreditation against the standard will be carried out. In the meantime, the standard's backers are urging IT industry supply-chain partners of all stripes to become familiar with the concepts in the document, as adherence to it is expected to grow in importance over time.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.
