2010 00 00 Brent Pressentin Supply Chain Presentation to AIA

  • 7/31/2019 2010 00 00 Brent Pressentin Supply Chain Presentation to AIA

    1/21

    Brent Pressentin

    Director of Membership

    About the Internet Security Alliance

    The Internet Security Alliance (ISA) seeks to integrate advanced technology with the economic realities of its members and partners to create enlightened public policy that will lead to a coherent and sustainable system of worldwide cyber security.

    About the Internet Security Alliance

    ISA is uniquely positioned to represent the security interests and thought leadership of a number of elite organizations from the following industries:

    • Aviation
    • Banking
    • Communications
    • Defense
    • Education
    • Financial services
    • Insurance
    • Manufacturing
    • Security
    • Technology

    The Problem

    • Hostile agents (criminal or military) can infiltrate the supply chain
    • Circuitry altered or counterfeit circuitry introduced
    • Malicious firmware
    • Attackers could gain control of systems
    • Logic bombs could be introduced
    • Inopportune Operations

    What needs to be addressed

    • Corruption/subversion of products and/or components
    • Secure method through which to communicate/collaborate
    • Governance protections

    Economic Obstacles

    • Severe counter-measures were proposed
    • However:
        • An entirely domestic supply chain is too expensive
        • Stringent supply chain regulations would cause companies to stop supplying the government
        • Imposing costly requirements on American businesses would limit their ability to compete internationally

    What to do?

    • Secure the entire global supply chain
    • Solve the problem by producing other security benefits simultaneously
    • Residual benefits justify expenditures necessary to combat malicious firmware
    • Security measures are complementary and need to be applied together to be effective

    Project Overview

    • Began as a public/private partnership between ISA and CMU
    • Held two major conferences
    • Over 100 experts from industry, government, academia
    • Initial report framed the problem of malicious firmware

    Project Overview

    • Currently a joint effort between Internet Security Alliance and the United States Cyber Consequences Unit (USCCU)
    • Workshops led by Scott Borg, Director USCCU
    • Mr. Borg developed the framework through which to address these problems

    Project Overview

    • Create a guidelines document for use in doing business with the major electronics companies
    • Guidelines to be applied to the following phases of the Supply Chain:
        • Design
        • Fabrication
        • Assembly
        • Distribution
        • Maintenance
    • Recruit subject matter experts for each phase of the supply chain

    Project Overview

    • Advanced Micro Devices
    • AT&T
    • BAE Systems
    • Boeing
    • Cisco Systems
    • Dell
    • Ericsson
    • General Dynamics
    • Hewlett-Packard
    • IBM
    • Infineon Technologies
    • Intel Corporation
    • Juniper
    • Lenovo
    • Lockheed Martin
    • Mitsubishi Electric & Electronics
    • National Assoc. of Manufacturers
    • Northrop Grumman
    • Philips Electronics
    • Raytheon
    • Renesas Technology
    • SAIC
    • Siemens
    • Verizon

    Guidelines Document

    The document crafted through this project will:

    • State the security requirements for each phase of the supply chain
    • Serve as a declaration of the conditions for doing business with the major electronics companies
    • Outline not just security categories or mere formalities, but actual instructions for securing each supply chain operation

    Guidelines Document

    • Requirements could be individually waived, but only if a prospective business partner could make a case for an alternative requirement
    • Security provisions designed to be complementary and to operate collectively

    Damages Against Which to Guard

    Remedies need to be found for the following:

    • Interruption of operations
    • Corruption of operations
    • Discrediting of operations
    • Loss of control of operations

    Design Phase

    • Overall product design
        • Specification of electronic inputs and outputs
        • Specification of overall physical design features
    • Detailed product design
        • Schematic diagrams using circuit design software
        • Physical circuit layouts using circuit layout software
        • Physical assembly engineering and design
    • Creation of production masters
        • Wafer mask production
        • Creation of prototypes, templates, and molds

    Fabrication Phase

    • Sourcing of materials & parts
    • Fabrication processes
    • Receiving of materials and parts
    • Carrying out of fabrication processes
    • Downloading of firmware
    • Quality control and verification tests
    • Shipping of components
    • Packaging and sealing of shipments

    Assembly Phase

    • Assembly equipment configurations
    • Assembly processes
    • Receiving of parts and materials
    • Carrying out of assembly processes
    • Assembly outputs
    • Quality control processes and verification tests
    • Packaging and sealing of products

    Distribution Phase

    • Transport of finished products
        • Large container integrity
        • Large container tracking
    • Distribution of finished products
        • Breakdown and forwarding of products

    Maintenance Phase

    • After-sale maintenance of product
    • Monitoring of product's operational efficiency
    • Updates to product
    • Destruction of used components

    Legal Relationships

    There is a need for component suppliers, assemblers and overseeing company to establish legal relationships

    Contracts must:

    • Clearly delineate security requirements
    • Demonstrate long-term compliance interest
    • Provide verification that security measures have been properly implemented
    • Provide local enforcement agreements and culture-specific remedies for labor/government issues

    How to get involved

    • Circulate workshop description within your organization
    • Identify subject matter experts for each individual phase of the supply chain
    • Contact ISA:
        • Brent Pressentin, Director of Membership, 703.907.7799, [email protected]
        • Marjorie Morgan, Administrative Manager, 703.907.7090, [email protected]