Open group backs initiative to protect supply chain from cybercrime

Leading technology businesses are backing an initiative to help organisations secure global supply chains against cybercrime threats.


The initiative, co-ordinated by an independent consortium of IT users and suppliers, could lead to the development of a series of kite-marks for trusted, secure IT equipment.

The project answers concerns raised by the US and other governments that cyber criminals could introduce security vulnerabilities into IT equipment as it passes through the supply chain.

Boeing, Cisco, IBM, Microsoft, Nasa and the US Department of Defense are among the organisations driving the work, which aims to develop an internationally-agreed framework for manufacturing secure IT equipment.

Andras Szakal, director of software architecture at IBM, and a member of The Open Group, which is co-ordinating the project, said the framework would help suppliers eliminate potential security risks.

"The end user is in pain. The critical infrastructure is under attack. They are looking for someone to blame. We, the vendor community, have to look what we are doing to solve that problem," he said.

The move comes amid concerns that governments may introduce their own, potentially conflicting security requirements for suppliers if they don't take action themselves.

Dave Lounsbury, chief technology officer of The Open Group, said it was important for suppliers to act.

"We do want to make sure there is an industry proposal on the table that governments can point to and use. We have to have that so we don't end up with different regimes for best-practice in different countries," he said.

The group plans to publish a security framework next year which will draw upon existing standards and industry best practice.

"We are looking at the most mature corporations in the world, looking at the practical approaches they have implemented that are effective in reducing the risk of supply chain attack and ensuring the integrity of the network," said Szakal.

The framework will be outcome-based, he said, giving organisations flexibility to implement security in the way that best matches their needs.

"Through this initiative, I think you will get more of the industry in line and help vendors to pull themselves up by their bootstraps."

The framework has grown out of an 18-month project sponsored by the US government, which brought the major IT suppliers together to collaborate and share their experience on securing their supply chains.

"The government is a consumer of these kinds of systems," said Lounsbury. "They wanted to see if they could get a response from industry that would not require them to put in procurement policy. They wanted to see industry step up to the plate."

Key concepts in securing the supply chain

  • Supply chain attack: an attempt to disrupt the creation of goods by subverting a commercial manufacturing, ordering or distribution process.
  • Technology supply chain attack: an attempt to subvert the hardware, software or configuration of a technology product before customer delivery for the purpose of introducing an exploitable vulnerability.
  • Integrity: manufacturing and production processes that perform their intended function in an unimpaired manner, free from deliberate or inadvertent manipulation.

Source: The Open Group.
