Transcript IEEE CQR 2007 Software supply chain integrity and security

IEEE CQR 2007
Supply chain integrity and security
Aleksei Resetko, CISA, CISSP
[email protected]
May 2007, Fort Myers
Introduction
In the modern telecommunications world the strong competition, cost
reduction pressure and increased technology complexity requires telecoms to
look for new models to run their business.
One of the ways is outsourcing of network operations to third party service
providers specialized on network management:
 allows a telecom company to concentrate on consumer market and
competitors and
 creates economies of scale by third party
Both together drive to higher specialisation and cost reduction.
The drawback of this trend are possible security and privacy risks. In the
model where network operations and software development are done by third
party, the control over network and network elements is not more in the
hands of actual business owner.
2 | Software supply chain integrity and security | May 2007
All Rights Reserved © Alcatel-Lucent 2007
Real world threat …
In years 2006 and 2007 Bell Labs and Alcatel-Lucent Professional Services
conducted a “Availability and Robustness of Electronic Communications
Infrastructures (ARECI)” study for the European Commission.
Objective of the study was providing a comprehensive analysis of the factors
influencing the availability of Europe’s electronic communications
infrastructures.
One of the areas of the investigation was Supply Chain Integrity. Key findings in
the area have been identified and confirmed during IEEE CQR / Bell Labs
Experts Workshops, personal interviews and survey conducted among more than
200 European Experts.
Resources:
http://www.comsoc.org/~cqr/EU-Proceedings-2006.html
http://ec.europa.eu/information_society/newsroom/cf/itemdetail.cfm?item_id=3334
http://www.bell-labs.com/ARECI
3 | Software supply chain integrity and security | May 2007
All Rights Reserved © Alcatel-Lucent 2007
ARECI KF 66:
Outsourcing of hardware and software development is viewed as a risk
Outsourcing of hardware and software development presents several
problems. These include general lowered levels of control, reduced access
to the developers and exposure to programmer loyalties. In addition,
timeframes for program fixes are less predictable.
Impact: Outage recovery may be impacted by inefficient access to
development teams. Programmers with divided loyalties have opportunities
to undermine system integrity.
4 | Software supply chain integrity and security | May 2007
All Rights Reserved © Alcatel-Lucent 2007
ARECI KF 76:
Third party components may have an adverse impact on networks
The use of third party components makes it difficult for equipment
manufacturers to determine what security standards have been followed,
and the level of security enforced throughout the supply chain. Components
may contain built-in defects, either intentional or unintentional, and it is
more difficult to identify, control, and repair these defects when a third
party supplier is involved.
Impact: Detecting and resolving problems will typically take much longer
when components from third parties are flawed.
5 | Software supply chain integrity and security | May 2007
All Rights Reserved © Alcatel-Lucent 2007
ARECI KF 96:
New equipment vendors may have an adverse impact on the supply chain
Service providers will have an increasingly difficult time verifying the
integrity of the supply chain for future networks, which is composed of
distributed components from multiple vendors. The introduction of
equipment from multiple new vendors increases the risk of unknown
vulnerabilities being introduced into the supply chain, and places the
burden of trouble isolation and resolution between multiple vendors on the
primary service provider.
Impact: New vendors are a potential vulnerability in the supply chain until
they have established themselves and their security processes. Service
providers will need to be vigilant as they integrate equipment from new
vendors into their network.
6 | Software supply chain integrity and security | May 2007
All Rights Reserved © Alcatel-Lucent 2007
ARECI KF 39:
Future networks will be more difficult to manage
Coordination between different networks architectures with equipment from
multiple suppliers and a large number of highly interfaced systems presents
new challenges for managing future networks. Network maintenance and
vendor support procedures will need to accommodate these challenges.
Impact: Coordination between network operators and vendors’ support
becomes increasingly difficult in future networks, and may extend some outage
durations.
7 | Software supply chain integrity and security | May 2007
All Rights Reserved © Alcatel-Lucent 2007
Mitigation strategy:
Collaborative Government / Private sector approach
1. Government should articulate a vision that properly stresses the
importance of trusted hardware, software and networks.
2. Government should encourage, by policy and economic incentive, research
that supports the development and implementation of supply chain
processes and safeguards that provide assurances for technology
trustworthiness.
3. Government should provide incentives for Private Sector investment by
awarding government communications services contracts to those service
providers most aligned with these principles to improve security and
effectively address intrinsic vulnerabilities.
4. The Private Sector needs to continuously pursue technology improvements
in the quality and control of their supply chains across the product lifecycle
to increase the security assurance of information and communications
systems.
8 | Software supply chain integrity and security | May 2007
All Rights Reserved © Alcatel-Lucent 2007
Q&A
9 | Software supply chain integrity and security | May 2007
All Rights Reserved © Alcatel-Lucent 2007