O-TTPS Consensus!
It's always a heartening moment when the consensus of leading industry experts is reached. Achieving consensus is a process that can sometimes take years: a period in which world-class experts thought and "fought," researched, discussed, and drank a lot of coffee. Sometimes it seemed that consensus might never be achieved, as the application of collective expertise and the coordination of the many different "agendas" associated with a difficult and developing subject area were brought together to synthesize a new industry norm.
We did it!
Public News Release:
Threats of counterfeit and maliciously tainted products
After consulting with several key users of COTS ICT products, it was apparent that the initial release of O-TTPS should address the worrying threats of maliciously tainted and counterfeit products. These two threats are identified as key threats to users of COTS ICT products, which are often deployed in the world's critical infrastructures. It is important to understand the O-TTPS definitions of these two terms, as they are key to understanding the entire standard:
- Maliciously tainted product - the product is produced by the provider and is acquired through a provider’s authorized channel, but has been tampered with maliciously.
- Counterfeit product - the product is produced other than by, or for, the provider, or is supplied to the provider by other than a provider’s authorized channel and is presented as being legitimate even though it is not.
How does O-TTPS fit into a complete real-world supply chain?
Before you throw up your hands in horror at the observation that O-TTPS does not address everything to do with a complete real-world supply chain, you should consider that no single standard can expect to address everything at once. The OTTF has worked, and continues to work, very closely with other organizations that focus on different views of the supply chain. The topic is large, complex and dynamic. To be successful, coordination from many viewpoints is extremely important. What is included in O-TTPS is coverage of the essential interfaces to both upstream and downstream entities, which will allow a chain of assurance to be built. For example, downstream from the O-TTPS:
- NIST is drafting a special publication, NIST Special Publication 800-161, Supply Chain Practices for Federal Information Systems, which plans to address supply chain issues from the government acquirer's viewpoint and relate them to the end-user viewpoint. The latter is already addressed in Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and its supporting documents.
- ISO is working on related standards including ISO/IEC 27036, Information Security for Supplier Relationships, which will be a multi-part standard including sections titled Overview and Concepts, Common Requirements, Guidelines for ICT Supply Chain Security and Guidelines for Security of Outsourcing; all of which are currently under development in ISO's IT security techniques sub-committee (27).
The OTTF also identified and worked on the relationship to product and component certifications, such as Common Criteria, FIPS 140-2, and others. These product security assurance standards already address some of the requirements identified in the O-TTPS and the OTTF has been working hard to discover where such existing assurance may be meaningfully reused.
O-TTPS does not promise total freedom from the existence of counterfeit or maliciously tainted products
Of course it would be ridiculous to think that it could! What O-TTPS does promise is that an organization which implements the requirements of O-TTPS will have reduced the risks associated with the threats of counterfeiting and maliciously tainted products or components.
The OTTF's trademarked tagline says it all:
"Build with integrity, buy with confidence"™
However, even with the development of standards and guidelines addressing this topic, the principle of "caveat emptor" must still apply.
About the O-TTPS
I'm not going to reproduce the standard here. It is freely available direct from The Open Group. Here I will give a very high-level overview of what is included. Perhaps it will be enough to whet your appetite and encourage you to find out more about the O-TTPS. The first sections introduce the standard, provide context and overview, precisely define the terms that are used, and describe the specific threats that the standard addresses. These are always the most important sections of a standard to read if you really expect to have a full understanding of how the standard is expected to work.
Next, the O-TTPS builds a framework upon which the various best practices for supply chain security (known as "requirements") are organized. All of the requirements given in the O-TTPS have been considered as contributing to countering the risks associated with the above threats.
The diagram below shows the O-TTPS defined Framework Model (image not reproduced here).
In the following diagram (image not reproduced here) you can see how the requirements are identified and presented in the O-TTPS framework.
What is next?
Currently the OTTF is working on a proposed accreditation program for the standard. Such a program will allow organizations to demonstrate that they conform to the requirements of the standard, and hence build products with integrity, and as a consequence provide an opportunity for acquirers to buy with confidence. Already some forward-thinking acquirers have recommended the O-TTPS to their suppliers. This is a good sign for the future.
Fiona what a fantastic introduction to the O-TTPS for your readers. I do think this will get people curious for more!
Josh, it seems that they are indeed interested..
Even GCN have written an article describing their view of the value of O-TTPS.
Check out: http://gcn.com/Articles/2013/04/17/Group-aims-to-draw-the-line-on-counterfeit-IT.aspx