IEEE CQR 2007: Supply chain integrity and security
Aleksei Resetko, CISA, CISSP
resetko@alcatel-lucent.com
May 2007, Fort Myers
Introduction
• In the modern telecommunications world, strong competition, cost-reduction pressure and increasing technology complexity require telecoms to look for new models to run their business.
• One of these models is outsourcing network operations to third-party service providers that specialize in network management. This
• allows a telecom company to concentrate on the consumer market and its competitors, and
• creates economies of scale for the third party.
Together these drive higher specialisation and lower cost. The drawback of this trend is the security and privacy risk it introduces: in a model where network operations and software development are done by a third party, control over the network and its network elements is no longer in the hands of the actual business owner.
Real world threat …
• In 2006 and 2007 Bell Labs and Alcatel-Lucent Professional Services conducted the “Availability and Robustness of Electronic Communications Infrastructures (ARECI)” study for the European Commission.
• The objective of the study was to provide a comprehensive analysis of the factors influencing the availability of Europe’s electronic communications infrastructures.
• One of the areas of investigation was Supply Chain Integrity. Key findings (KF) in this area were identified and confirmed during IEEE CQR / Bell Labs expert workshops, personal interviews and a survey of more than 200 European experts.
• Resources:
• http://www.comsoc.org/~cqr/EU-Proceedings-2006.html
• http://ec.europa.eu/information_society/newsroom/cf/itemdetail.cfm?item_id=3334
• http://www.bell-labs.com/ARECI
ARECI KF 66: Outsourcing of hardware and software development is viewed as a risk
• Outsourcing of hardware and software development presents several problems. These include generally lowered levels of control, reduced access to the developers and exposure to programmer loyalties. In addition, timeframes for program fixes are less predictable.
• Impact: Outage recovery may be impacted by inefficient access to development teams. Programmers with divided loyalties have opportunities to undermine system integrity.
ARECI KF 76: Third-party components may have an adverse impact on networks
• The use of third-party components makes it difficult for equipment manufacturers to determine which security standards have been followed, and what level of security has been enforced throughout the supply chain. Components may contain built-in defects, either intentional or unintentional, and it is more difficult to identify, control and repair these defects when a third-party supplier is involved.
• Impact: Detecting and resolving problems will typically take much longer when components from third parties are flawed.
ARECI KF 96: New equipment vendors may have an adverse impact on the supply chain
• Service providers will have an increasingly difficult time verifying the integrity of the supply chain for future networks, which are composed of distributed components from multiple vendors. The introduction of equipment from multiple new vendors increases the risk of unknown vulnerabilities being introduced into the supply chain, and places the burden of isolating and resolving trouble between multiple vendors on the primary service provider.
• Impact: New vendors are a potential vulnerability in the supply chain until they have established themselves and their security processes. Service providers will need to be vigilant as they integrate equipment from new vendors into their networks.
ARECI KF 39: Future networks will be more difficult to manage
• Coordination between different network architectures with equipment from multiple suppliers and a large number of highly interfaced systems presents new challenges for managing future networks. Network maintenance and vendor support procedures will need to accommodate these challenges.
• Impact: Coordination between network operators and vendor support becomes increasingly difficult in future networks, and may extend some outage durations.
Mitigation strategy: Collaborative Government / Private sector approach
• Government should articulate a vision that properly stresses the importance of trusted hardware, software and networks.
• Government should encourage, by policy and economic incentive, research that supports the development and implementation of supply chain processes and safeguards that provide assurance of technology trustworthiness.
• Government should provide incentives for private-sector investment by awarding government communications services contracts to those service providers most aligned with these principles, to improve security and effectively address intrinsic vulnerabilities.
• The private sector needs to continuously pursue technology improvements in the quality and control of its supply chains across the product lifecycle, to increase the security assurance of information and communications systems.