7/31/2019 2010 00 00 Brent Pressentin Supply Chain Presentation to AIA
Brent Pressentin
Director of Membership
About the Internet Security Alliance
The Internet Security Alliance (ISA) seeks to integrate advanced technology with the economic realities of its members and partners to create enlightened public policy that will lead to a coherent and sustainable system of worldwide cyber security.
About the Internet Security Alliance
ISA is uniquely positioned to represent the security interests and thought leadership of a number of elite organizations from the following industries:
- Aviation
- Banking
- Communications
- Defense
- Education
- Financial services
- Insurance
- Manufacturing
- Security
- Technology
The Problem
- Hostile agents (criminal or military) can infiltrate the supply chain
- Circuitry altered or counterfeit circuitry introduced
- Malicious firmware
- Attackers could gain control of systems
- Logic bombs could be introduced
- Inopportune Operations
What needs to be addressed
- Corruption/subversion of products and/or components
- Secure method through which to communicate/collaborate
- Governance protections
Economic Obstacles
Severe counter-measures were proposed. However:
- An entirely domestic supply chain is too expensive
- Stringent supply chain regulations would cause companies to stop supplying the government
- Imposing costly requirements on American businesses would limit their ability to compete internationally
What to do?
- Secure the entire global supply chain
- Solve the problem by producing other security benefits simultaneously
- Residual benefits justify expenditures necessary to combat malicious firmware
- Security measures are complementary and need to be applied together to be effective
Project Overview
- Began as a public/private partnership between ISA and CMU
- Held two major conferences
- Over 100 experts from industry, government, academia
- Initial report framed the problem of malicious firmware
Project Overview
- Currently a joint effort between Internet Security Alliance and the United States Cyber Consequences Unit (USCCU)
- Workshops led by Scott Borg, Director, USCCU
- Mr. Borg developed the framework through which to address these problems
Project Overview
- Create a guidelines document for use in doing business with the major electronics companies
- Guidelines to be applied to the following phases of the Supply Chain:
  - Design
  - Fabrication
  - Assembly
  - Distribution
  - Maintenance
- Recruit subject matter experts for each phase of the supply chain
Project Overview
- Advanced Micro Devices
- AT&T
- BAE Systems
- Boeing
- Cisco Systems
- Dell
- Ericsson
- General Dynamics
- Hewlett-Packard
- IBM
- Infineon Technologies
- Intel Corporation
- Juniper
- Lenovo
- Lockheed Martin
- Mitsubishi Electric & Electronics
- National Assoc. of Manufacturers
- Northrop Grumman
- Philips Electronics
- Raytheon
- Renesas Technology
- SAIC
- Siemens
- Verizon
Guidelines Document
The document crafted through this project will:
- State the security requirements for each phase of the supply chain
- Serve as a declaration of the conditions for doing business with the major electronics companies
- Outline not just security categories or mere formalities, but actual instructions for securing each supply chain operation
Guidelines Document
- Requirements could be individually waived, but only if a prospective business partner could make a case for an alternative requirement
- Security provisions designed to be complementary and to operate collectively
Damages Against Which to Guard
Remedies need to be found for the following:
- Interruption of operations
- Corruption of operations
- Discrediting of operations
- Loss of control of operations
Design Phase
- Overall product design
  - Specification of electronic inputs and outputs
  - Specification of overall physical design features
- Detailed product design
  - Schematic diagrams using circuit design software
  - Physical circuit layouts using circuit layout software
  - Physical assembly engineering and design
- Creation of production masters
  - Wafer mask production
  - Creation of prototypes, templates, and molds
Fabrication Phase
- Sourcing of materials & parts
- Fabrication processes
- Receiving of materials and parts
- Carrying out of fabrication processes
- Downloading of firmware
- Quality control and verification tests
- Shipping of components
- Packaging and sealing of shipments
Assembly Phase
- Assembly equipment configurations
- Assembly processes
- Receiving of parts and materials
- Carrying out of assembly processes
- Assembly outputs
- Quality control processes and verification tests
- Packaging and sealing of products
Distribution Phase
- Transport of finished products
  - Large container integrity
  - Large container tracking
- Distribution of finished products
  - Breakdown and forwarding of products
Maintenance Phase
- After-sale maintenance of product
- Monitoring of product's operational efficiency
- Updates to product
- Destruction of used components
Legal Relationships
- There is a need for component suppliers, assemblers and overseeing company to establish legal relationships
- Contracts must:
  - Clearly delineate security requirements
  - Demonstrate long-term compliance interest
  - Provide verification that security measures have been properly implemented
  - Provide local enforcement agreements and culture-specific remedies for labor/government issues
How to get involved
- Circulate workshop description within your organization
- Identify subject matter experts for each individual phase of the supply chain
- Contact ISA:
  - Brent Pressentin, Director of Membership, 703.907.7799, [email protected]
  - Marjorie Morgan, Administrative Manager, 703.907.7090, [email protected]