By Robert Martin, Sr. Principal Engineer, MITRE
On Tuesday March 1, as part of the What’s a Trusted Technology Provider and How Do I Know One When I See One? Peer2Peer session at RSA Conference 2016, about 30 people from around the world in industry, government, and academia met and discussed the various aspects, challenges, and opportunities of finding and recognizing trustworthy suppliers. As the facilitator, I gave opening remarks about the topic and summarized my background and experience. A quick “around-the-room” introduction by participants followed. Having never participated in or facilitated a Peer2Peer session, my approach was not to direct or lecture, but rather to ask questions and offer thoughts about aspects of supplier trust and the various organizations’ use of existing approaches to address the topic.
With a mix of acquirers, suppliers, integrators, and end organizations represented, we had several interesting discussions about various aspects of the problem, such as:
- How to define “trusted” so that both parties in a contractual agreement can meaningfully engage and have a clear understanding of expectations;
- How to consistently make judgements about “trust” across different supplier/acquirer pairings—and to do so over the year(s); and
- How to ensure adequate understanding of how a supplier or supplier ecosystem has performed and delivered a product/service so that users and stakeholders are assured that the system is trustworthy.
Our discussion centered on two public initiatives related to cybersecurity and the supply chain—in particular, trusted technology and its providers. The first is a new international standard on mitigating the risk of taint and counterfeit parts and products in Information and Communication Technology; the other is related to standardized repositories that deal with known weaknesses and vulnerabilities and how those weaknesses and vulnerabilities are attacked. The information shared about these major initiatives is summarized below:
- The Open Group Trusted Technology Provider Standard (O-TTPS) (now also available as ISO/IEC 20243:2015) and the O-TTPS Accreditation Program. The standard includes a set of best practices for COTS ICT providers throughout the entire product lifecycle, from design through disposal, including securing the supply chain. It applies to both in-house and outsourced development and manufacturing. The Accreditation Program certifies those providers who conform to the standard and lists them on a public registry so customers can identify who conforms.
- The Common Weakness Enumeration (CWE™), the Common Vulnerabilities and Exposures (CVE®), and the Common Attack Pattern Enumeration and Classification (CAPEC™) are standardized repositories of, respectively, weaknesses that can lead to vulnerabilities, publicly known vulnerabilities, and patterns of attacks used to exploit vulnerabilities. Each of these was discussed, and several participants offered that they found them very useful when discussing the topic of trust, when trying to understand why something was trustworthy, and when describing what an organization looked for or considered as it investigated the trustworthiness of a capability. Tools and services that make use of these repositories are listed on the respective web sites of the efforts.
During the discussion, we also briefly touched on several other efforts, ranging from those that have been used, those that were starting to be used, as well as new ones that are being explored to address these challenges:
- Common Criteria (ISO/IEC 15408 and ISO/IEC 18045);
- The Open Group’s Dependability through Assuredness™ (O-DA) Framework;
- The Object Management Group’s Structured Assurance Case Metamodel™ (SACM™);
as well as
- The work regarding the industrial use of IoT by the Industrial Internet Consortium in their Industrial Internet Reference Architecture technical report on Key System Characteristics and their Assurance.
If you joined us in San Francisco for this Peer2Peer session, I’d love to hear your recollections and any take-aways you would like to share.
Robert Martin, a CSSLP and Senior Principal Engineer at MITRE, spends the majority of his time working with industry on the CWE and CAPEC security standardization initiatives and with the Industrial Internet Consortium. For the past 24 years, Martin’s efforts focused on the interplay of risk management and cybersecurity. Martin is a frequent international speaker on the various security and quality issues surrounding technology systems, has published numerous papers on these topics, authored over a dozen ITU-T X-series Recommendations, and chairs the OMG Structured Assurance Cases Metamodel Task Force. Martin joined MITRE in 1981 with a B.S. and M.S. in EE from RPI, later earning an MBA from Babson College. He is a member of the ACM, AFCEA, NDIA, the Open Group, and the IEEE Computer Society.