FAQ on global supply-chain security standard to prevent IT tampering, counterfeiting

Whether you're buying or selling hardware and software, or acting as systems integrator, the new supply-chain security standard put forward by the Open Group in April could end up having a huge impact on you. Here are a few frequently asked questions that explain why.

What is the Open Group supply-chain security standard and what was the driving force behind it?

It's a 32-page document entitled "Open Trusted Technology Provider Standard (O-TTPS)" Version 1.0. The Open Group itself includes about 400 members from industry, enterprise and government in 90 countries. The Open Group Trusted Technology Forum (OTTF) -- which is chaired by Andras Szakal, vice president and CTO at IBM, with Edna Conway, chief security officer, global value chain at Cisco, as vice chair -- developed the standard. Other OTTF members include representatives from the U.S. Department of Defense (DOD), NASA and Lockheed Martin, plus several IT companies, among them Oracle, EMC, HP, Juniper, Microsoft, Motorola Solutions, Tata Consultancy Services and Dell.


O-TTPS sets organizational guidelines, requirements and recommendations to enhance security in commercial-off-the-shelf (COTS) information and communications technology (ICT) products. O-TTPS is an effort to find ways to deter counterfeiting of IT products and also to prevent "tainting," which might include deliberate malware or misconfigurations aimed at tampering with hardware and software. These kinds of security risks and supply-chain attacks are of deep concern to all buyers of IT, especially the U.S. government and the defense sector.

So how does the O-TTPS hope to reduce counterfeiting and tampering risks and how does this impact me?

O-TTPS asks that certain practices in both logical and physical security be followed by IT and communications suppliers that want to be considered "Trusted Technology Providers." It's expected that a formal conformance and certification process to certify Trusted Technology Providers will be announced by year-end. If the standard is successfully implemented, companies will be able to say they're certified Trusted Technology Providers -- and this might be an advantage with buyers. In some cases, being a certified Trusted Technology Provider might even become a prerequisite for winning IT contracts. The Open Group forum says the goal is also to influence the overall marketplace over time to promote trust and accountability in the information infrastructure.

How is the IT supply chain perceived in the standard?

The standard does make a distinction between a provider and a supplier in this way: "Suppliers are those upstream vendors who supply components or solutions (software or hardware) to providers and integrators" while "Providers are vendors who supply COTS ICT products directly to the downstream integrator or acquirer." Nevertheless, the standard is expected to be adopted by both providers and suppliers that want to attain "Trusted Technology Provider" status. It's meant to ensure that, in the global IT supply chain, third-party software and hardware used in manufacturing and support services are secure and free of counterfeit components or malware. The standard also notes that the current O-TTPS Version 1 "does not apply to the operation or hosting infrastructure of on-line services, but can apply to COTS ICT products in as far as they are utilized by those services."

What kind of security practices does O-TTPS ask IT providers to adopt?

O-TTPS sets forth several required "best practices" and recommendations covering the entire product lifecycle, which spans design, sourcing, build, fulfillment, distribution, sustainment and disposal. Among the security-related requirements listed in Section 4 of O-TTPS are:

  • Full documentation of the engineering process, configuration and components, plus tracking of components -- including, if need be, any that "are proven to be targets of tainting or counterfeiting as they progress through the lifecycle."
  • Established quality testing procedures, and security update and defect management processes.
  • Threat analysis and mitigation to assess potential attacks, plus vulnerability analysis, patching and remediation.
  • Secure coding practices and regular training in secure engineering, plus monitoring changes to the "threat landscape."
  • Risk-based physical security procedures that are well-documented.
  • Access controls established for all product-relevant intellectual property and assets, subject to audit.
  • Background checks on employees and contractors "whose activities are directly related to sensitive product supply chain activities (within reason given local customs and according to local law)."
  • Recommending O-TTPS to "relevant business partners."
  • Secure transmission and handling controls related to IT assets, plus physical security. Methods of verifying authenticity and integrity of products after delivery should be available.
  • To keep malware out of components received from suppliers or in products delivered to customers and integrators, commercial malware detection tools need to be deployed as part of the code acceptance and development process, and before delivery.

There are specific requirements and recommendations related to use of open-source software components. What are they?

Open source assets and components have to be identified "as derived from well-understood component lineage." For these components, ongoing support and patching "shall be clearly understood." This means that there needs to be a tight rein on open source so that it's treated like any other type of software under the O-TTPS guidelines.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.
