Group aims to help secure the technology supply chain

Targeted threats underscore importance of protecting infrastrucure

• By William Jackson
• Dec 15, 2010

A working group of government, commercial and academic organizations has been formed to identify and promote best practices for securing the global technology supply chain from malicious activity.

The Trusted Technology Forum is a product of the Acquisition Cybersecurity Initiative sponsored by the Defense Department and supported by the Open Group, an industry open standards body, to help define trustworthy acquisition policies and practices.

“We’ve defined a Trusted Technology Provider Framework based on existing open standards and best practices,” said Andras Szakal, distinguished engineer at IBM and an Open Group board member. One of the requirements of the framework is that it be “grounded in reality” and based on practices already in use by organizations with mature supply chain security programs, he said.

---

Related stories:

Supply chain security expands in unclassified community

Software supply chain security is target of industry group best practices

---

An initial version of the framework has been developed but not released. The forum’s first product is expected to be a white paper based on the framework outlining current best practices.

The forum has defined supply a supply chain threat or attack as the subversion of hardware or software prior to delivery in order to put in a vulnerability for later exploit.

Technology supply chain security is emerging as an area of concern as cyber threats become more targeted and sophisticated. Although random attacks exploiting flaws in software remain a major cybersecurity risk, stealthy and advanced attacks targeting high-value resources and systems are becoming more common – or at least now are being discovered.

Several high-profile examples, including the Google Aurora breach reported early this year and the Stuxnet worm targeting industrial control systems, exploit zero-day software vulnerabilities that were not known of before the exploits were discovered. The next step in this escalation of exploits is the intentional introduction of vulnerabilities in software and hardware products by insiders in the supply chain.

The Homeland Security Department, which is charged with overseeing the security of the nation’s critical infrastructure, has identified 18 Critical Infrastructure and Key Resources (CIKR) sectors that are vital to the nation’s security and economy:

• Agriculture and food.
• Defense industrial base.
• Energy.
• Health care and public health.
• National monuments and icons.
• Banking and finance
• Water.
• Chemical.
• Designated commercial facilities.
• Critical manufacturing.
• Dams.
• Emergency services.
• Nuclear reactors, materials and waste.
• Information technology.
• Communications.
• Postal and shipping.
• Transportation systems.
• Government facilities.

A recent study by the Enterprise Strategy Group, sponsored by Hewlett-Packard and Microsoft, two of the forum’s founding members, concluded that there is a lot of room for improvement by the industries operating the nation’s critical infrastructure in ensuring that their supply chains are reliable. “Few organizations are doing thorough due diligence on their IT vendors’ security, so CIKR firms may be buying hardware and software with security vulnerabilities ‘baked-in,’” the report states.

“Many critical infrastructure organizations are employing some types of secure software development programs, but these are often instituted haphazardly. Finally, CIKR companies are sharing IT systems with business partner employees and systems, but most lack formal cyber supply chain governance and oversight. As a result, secure CIKR organizations are increasing their security risks through electronic business processes with insecure partners.”

The study described software assurance as a work in progress. Although many CIKR firms studied by ESG have developer training, software testing and other safeguard programs, they are not mature or uniformly implemented.

Another weakness in software assurance is that development training and software testing focus on vulnerabilities created by errors in software rather than on intentional flaws that can be carefully crafted and hidden.

The Acquisition Cybersecurity Initiative began in 2008 to identify existing best practices to ensure trusted development, manufacture, delivery and operation of commercial technology products. This would benefit technology buyers by establishing a mechanism for acquiring trusted products and would help trusted suppliers by providing a market differentiator.

A framework defining the characteristics of trustworthy development could allow streamlining of current overlapping certification and accreditation efforts.

Although the initial framework has been developed, “there is a lot to do,” said Josh Brickman, director of program management for CA Technologies. Standards embodying some of the best practices need to be developed and conformance metrics are needed identify proper implementation of standards by vendors.

“We also want to establish an accreditation program for vendors” so that procurement agencies can have a list of trusted vendors to purchase from, Brickman said.

Founding members of the Trusted Technology Forum are the Office of the Under Secretary of Defense for Acquisition, Technology, & Logistics; NASA; the Carnegie Mellon Software Engineering Institute; MITRE Corp.; CA Technologies; Cisco Systems; Hewlett-Packard; IBM, Kingdee International Software Group; Microsoft and Oracle.