Source: security.org.vn/docs/2017/k4-mr.donald_purdy_huawei.pdf
Page 1 HUAWEI TECHNOLOGIES CO., LTD.
Enterprise Risk Management and Supply Chain Risk Strategy
April 4, 2017
www.huawei.com
Security World 2017
Andy Purdy
CSO, Huawei Technologies USA
Page 2
INTRODUCTION
• Managing enterprise risk requires:
  o organizational commitment and governance, and
  o a comprehensive end-to-end risk management approach, based on standards and best practices with independent verification.
• Organizations need to consider the risk from third-party providers – including the risk of tainted and counterfeit products in the supply chain.
• Buyers should use their purchasing power to require more secure products and services from suppliers.
Page 3
Managing Cyber Security Risk: Critical Success Factors for Global Assurance
• Organizational commitment
• Risk management strategy based on addressing current and future challenges
• Clear governance roles and responsibilities
• Consistent, repeatable processes
• Robust verification -- “assume nothing, believe no-one and check everything.” Plan, Do, Check, Act.
• Openness and transparency regarding progress, successes, and failures
• Continuous improvement
Page 4
Managing Cyber Security Risk: Cyber Security International Cooperation
Cyber Security International Contributions: Security Test Methods & Tools
• Penetration Simulation Tools
• Source Code Audit
• System Security Audit
• TFN Attack Simulation Tools
• Scanning Tools
Page 5
Managing Cyber Security Risk: Contributions to Standard Organizations
Participate in and make contributions to standard organizations. Roles and results shown in the slide diagram:
• SA3 Deputy Chairman
• Drive the SDN NBI standardization
• 3 workgroup drafts
• Lead and chaired DOTS and I2NSF WG
• Proposals ranked No.1
• Drive the LTE-V security project initiation
• Rapporteur
Abbreviations:
• IETF: Internet Engineering Task Force
• DSL Forum: Digital Subscriber Line Forum
• IMS Forum: IP Multimedia Subsystem Forum
• ETSI: European Telecommunications Standards Institute
• WiMAX: Worldwide Interoperability for Microwave Access
• WG: Work Group
• SA: Service and System Aspects
• x.fsspvn: Framework of the Secure Service Platform for Virtual Network
• X.oacms: Overall Aspects of Countering Message Spam in mobile networks
• I2NSF: Interface to Network Security Functions
• DOTS: DDoS Open Threat Signaling
• NBI: Northbound Interface
Page 6
Managing Cyber Security Risk: Huawei Security Assurance Approach
• Organization and Competence
• Openness, Transparency and Cooperation: Work with customers and stakeholders to meet and resolve the security challenges and concerns.
• Emergency Response: Monitor threats of all kinds, including security vulnerabilities, to be in a position to pre-warn our customers, respond quickly to threats and apply appropriate security patches to protect our customers.
• No “Back Door” and Tamper Proof: Implemented measures to protect the integrity of software against unauthorized tampering and potential breach, using technologies such as digital signatures.
• Traceability: Traceable delivered products, solutions, services and components through the complete product life cycle.
• Compliance with Laws and Regulations: Comply with security and privacy standards and laws, and embed these requirements into the way we do business.
• Proactive E2E Assurance: Address cyber security needs and risks in design, development and operation to eliminate weakness and enhance robustness.
• Verified by Independent Third-parties: Global capability to support independent testing, verification and certification of our products using approved third-parties.
Page 7
Managing Cyber Security Risk: “Built-in” Strategy
[Process-map diagram; labels recovered from it: functional areas HR, Finance, IT, Quality Control; processes MM, IPD, ISC (Order Related Process), Operation & Maintenance Process, CRM/LTC; stages Customer Requirement, Input / Market Input, Charter, Requirement Realization, Leading/Opportunity/Contract, Service Contract, Service Engineering, Sourcing Plan, Manufacture, NPI, Product/Service, Issues; Customers at both ends of the map; “consulting” attached to each stage.]
MM: Market Management | IPD: Integrated Product Development | ISC: Integrated Supply Chain | LTC: Lead To Cash
Page 8
Managing Cyber Security Risk: Every process and part, including suppliers
[Diagram; labels recovered from it:]
• Organization and Competence; Management and Control; Vision, Mission, Strategy, Policy, Instruction, Culture
• R&D, Sales & service, Procurement, Supply Chain, JCOR, Legal affairs, PR and MKT
• Process layers: Operating, Enabling, Supporting; Corporate Business Process; Commercial Ecosystem; Cooperation and Contribution
• Baseline loop: Establish security baseline, Execute security baseline, Audit security baseline; Security objective; Continuous improvement; Closed-loop management; Execution of baselines; Awareness of requirements to establish baseline; Completeness of security requirement collection mechanism
• Stakeholders: Customer security requirement, Government, Operator, Other Stakeholders, End user
• Inputs (Requirement, Expectation, Challenge): laws and regulations, security agreement, inquiry, security concern, verification and audit, security issues
• Outputs (Solution, Product, Service): security statement, white paper, clarification, verified product, communication for transparency and mutual trust, audit findings, security resolution
• Corporate processes: IPD (Idea to Market), Market to Lead, Lead to Cash, Issue to Resolution, Develop Strategy to Execute, Manage Capital Investment, Manage Client Relation, Service Delivery, Supply, Procurement, Manage Partner Relation, Manage HR, Manage Finances, Manage BT&IT, Manage Business Support
Page 9
Managing Cyber Security Risk: R&D Cyber Security Assurance System
Philosophy: Enhance product security based on the main R&D process, with enabling processes, capability building and organization establishment to support implementation.
• Build security into the IPD process: integrate security requirements into the IPD process by adding security management requirements and activities to the current process management system and business decision-making system. Security activities along IPD: Security Requirement, Security Design, Security Develop, Security Test, Sec Delivery, Maintenance.
• Build security into enabling processes and management mechanisms to support IPD: Configuration Management, 3-Party Software Management, R&D Tools Management, Building Management.
• Improve long-term security capability to support process implementation.
• With relevant organizations, ensure long-term accumulation and transfer of security capabilities.
[Diagram labels: Implement corporate cyber security policies & requirements and make continuous improvement; Security requirements; Continuous improvement; Analyze cyber security threats, risks and requirements; Build trust relationship, face cyber security challenge together; threat and requirement sources: Network attack, Malicious tampering & implanting, Tracing/Audit, Legal Compliance, Government Requirements; stakeholders: Governments, Carriers, Enterprises, End-users, Stakeholders …]
Page 10
Addressing Supply Chain Risk: Huawei’s Global Supply Network
• Supply centers: China (delivery for the globe), Europe (delivery for West Europe & North Africa), Mexico (delivery for North America & Latin America), Brazil (delivery for South Latin America), India (delivery for India)
• Brazil, Mexico, India and Hungary supply centers work with local partners to do manufacturing and make delivery
• Map legend: Supply Center, Regional Hub, Reverse Center, Local EMS; locations shown: Mexico, Brazil, China (Chengdu, Beijing, Shanghai), Hungary, Netherlands, Dubai (United Arab Emirates), India, Panama HUB (TBD); one regional hub under feasibility
• Source of material: US: 32%, the largest material source; ROC, Japan & Korea: 28% (components); Europe: 10%; Mainland China: 30% (cable, battery, mechanical parts, cabinet etc.)
Page 11
Addressing Supply Chain Risk: Threats in technology development/supply chains
Stakeholders and main threats (table columns: Tainted -- Upstream, Downstream; Counterfeit -- Upstream, Downstream; each √ marks one column the threat applies to, but which column each mark sat in did not survive extraction):
Malware: √ √ √
Unauthorized “Parts”: √ √ √
Unauthorized Configuration: √
Scrap/Sub-standard Parts: √
Unauthorized Production: √ √
Intentional Damage: √ √
Properties at risk: Integrity, Availability, Traceability, Confidentiality, Authenticity
Courtesy of The Open Group
Page 12
Addressing Supply Chain Risk: Eight Elements of Supplier Management: TQRDCESS
Supplier management includes eight elements: Technology, Quality, Response, Delivery, Cost, Environment, CSR, and Cyber Security. Security, as one of the special elements of procurement supplier management, has been integrated into the procurement business processes, including procurement cyber security policies, baseline, and process criteria.
Description of the Supplier Management Model:
1. Technology: Technological edge, open resources, and capabilities of early involvement in R&D, innovation, and technical service capabilities.
2. Quality: Quality system, quality performance, response speed in problem handling, and capabilities of continuous quality improvement.
3. Response: Lead time, supply flexibility, market information sharing, promptness in capacity preparation, and response to orders.
4. Delivery: Timely, accurate, and complete delivery.
5. Cost: Price competitiveness, capabilities of continuous price reduction, contribution to the TCO, and preferential commercial clauses and conditions.
6. Environment: Establishment of an environmental system, including removing harmful substances and controlling and reducing pollution and greenhouse gases.
7. CSR: Establishment of the occupational health and safety management system (OHSMS), including labor standards, health and safety, and business ethics.
8. Cyber security: Policy, baseline, process, agreement, training, test, emergency response.
CSR: customer satisfaction representative
TCO: total cost of ownership
Page 13
Addressing Supply Chain Risk
E2E assurance of security in all stages of the supply chain: Trusted material, Trusted manufacturing, Trusted SW delivery, Trusted logistics, Trusted regional warehouses & distribution, Customer.
Based on the overall corporate security strategy, we are committed to a supply chain with the following DNA, which we believe is quite consistent with the O-TTPS approach: Efficiency, Security, Resilience.
Page 14
Addressing Supply Chain Risk: Supplier Cyber Security Review
Supplier Performance Management System:
• Evaluate supplier’s performance and contribution to Huawei TCO through T,Q,R,D,C,E,S,S
• Sign quality assurance agreement
• Define Huawei PCN requirement
• Quarterly quality grade appraisal
• Supplier independent quality improvement
• Periodic on-site inspection and SCAR & Score card system mgmt.
• Daily record in systems & KPI monitoring
PCN: product change notice
AVL: Approved Vendor List
SPE: Supplier Performance Evaluation
KPI: Key Performance Index
SCAR: Supplier Correct Action Request
Page 15
Addressing Supply Chain Risk: Cyber Security Baseline Management
Baseline Mgmt. cycle: Identify risks, Develop baselines, Integrate into processes, Check the implementation, Improve continuously.
Page 16
Addressing Supply Chain Risk: Framework of SCM Cyber Security Baselines
Security properties: Integrity, Authenticity, Traceability
• Physical security: Prevent tampering and implanting in logic through preventing unauthorized physical access.
• Software delivery security: Ensure SW integrity by E2E prevention of unauthorized physical access and technical verification methods.
• Organization, process and awareness: Establish baselines based on risk analysis and embed baselines into daily operation of processes.
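The deck names “digital signatures” (page 6, tamper-proof software) and “technical verification methods” (software delivery security, above) but does not show what such a check looks like in practice. The following Go program is an added example, not code from the presentation or from Huawei: the producer hashes every file of a release into a manifest and signs it with an Ed25519 key, and the receiving side verifies the signature and re-hashes each delivered file, so that a modified file, a missing file, an unlisted extra file, or an altered manifest is reported instead of silently accepted. Ed25519, the manifest layout, the product name and the file names and contents are all assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// ReleaseManifest records what a delivered package is supposed to contain: the
// release identity plus one SHA-256 digest per file (relative path -> hex digest).
type ReleaseManifest struct {
	Product string
	Version string
	Digests map[string]string
}

// sha256Hex returns the lowercase hex SHA-256 of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes every file of a release on the producer's side.
func BuildManifest(product, version string, files map[string][]byte) ReleaseManifest {
	m := ReleaseManifest{Product: product, Version: version, Digests: map[string]string{}}
	for path, content := range files {
		m.Digests[path] = sha256Hex(content)
	}
	return m
}

// Encode serialises the manifest canonically (sorted paths, one entry per line) so
// that signer and verifier always sign and check exactly the same bytes.
func (m ReleaseManifest) Encode() []byte {
	paths := make([]string, 0, len(m.Digests))
	for p := range m.Digests {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	fmt.Fprintf(&b, "product=%s\nversion=%s\n", m.Product, m.Version)
	for _, p := range paths {
		fmt.Fprintf(&b, "%s  %s\n", m.Digests[p], p)
	}
	return []byte(b.String())
}

// SignManifest signs the canonical manifest with the producer's Ed25519 key. Only the
// public key travels with the product; the private key stays with the release process.
func SignManifest(priv ed25519.PrivateKey, m ReleaseManifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyDelivery is the receiver's check. It returns one finding per problem: an
// invalid signature (manifest altered or signed by another key), a file whose content
// no longer matches its digest, a listed file that is missing, or a file that was never
// listed. An empty result means the delivery is exactly what the producer signed.
func VerifyDelivery(pub ed25519.PublicKey, m ReleaseManifest, sig []byte, files map[string][]byte) []string {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		// Without a valid signature the digests themselves cannot be trusted, so stop here.
		return []string{"manifest signature invalid: manifest altered or not signed by the expected key"}
	}
	var findings []string
	for path, want := range m.Digests {
		content, ok := files[path]
		if !ok {
			findings = append(findings, "missing file: "+path)
			continue
		}
		if sha256Hex(content) != want {
			findings = append(findings, "digest mismatch (possible tampering): "+path)
		}
	}
	for path := range files {
		if _, listed := m.Digests[path]; !listed {
			findings = append(findings, "unlisted file (possible implant): "+path)
		}
	}
	sort.Strings(findings) // deterministic report order
	return findings
}

func main() {
	// Constructed sample release: product name, file names and contents are placeholders.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{
		"bin/agent":        []byte("firmware image bytes (constructed)"),
		"etc/default.conf": []byte("log_level=info\n"),
	}
	m := BuildManifest("example-product", "1.0.0", files)
	sig := SignManifest(priv, m)
	fmt.Println("clean delivery:", VerifyDelivery(pub, m, sig, files))

	// The same delivery after one file was changed and one file was added in transit.
	altered := map[string][]byte{
		"bin/agent":        files["bin/agent"],
		"etc/default.conf": []byte("log_level=debug\n"),
		"bin/unlisted":     []byte("not part of the signed release"),
	}
	fmt.Println("altered delivery:", VerifyDelivery(pub, m, sig, altered))
}
```

The signature covers the manifest rather than each file, so a single key operation protects the whole package, and the canonical encoding matters: if producer and receiver serialised the manifest differently, a correct delivery would fail verification. The check is only as strong as the custody of the producer's private key and the receiver's confidence that it holds the right public key, which is why the slides pair the technical control with physical-access and organizational baselines.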
Page 17
Addressing Supply Chain Risk: Why The Open Trusted Technology Forum
• A Common View of the Challenges:
  • Need to secure our Technology Development and Global Supply Chains
  • Need to develop and agree on risk-informed, objective standards and best practices for all constituents
  • Need a full lifecycle approach
  • Need certification to help assure conformance to the standard
  • Need public registry to identify trusted/certified providers
  • Need customers to reward trusted/certified providers through procurement
Page 18
The Open Group Trusted Technology Forum
A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can “Build with Integrity and Buy with Confidence™”
Page 19
Addressing Supply Chain Risk: The O-TTPS: Mitigating Risk of Malicious Taint/Counterfeit
• Recognized in 2015 by the International Standards Organization as ISO 20243.
• The result of over 3 years of collaborative consensus-based effort.
• Applies across the product life cycle.
• Some requirements are highly correlated to threats of maliciously tainted and counterfeit products; others are more foundational but considered essential.
• 2 areas of requirements – often overlap depending on product and provider:
  › Technology Development - mostly under the provider’s in-house supervision
  › Supply Chain activities - mostly where the provider interacts with third parties who contribute their piece in the product’s life cycle
Life cycle phases shown in the slide, spanning Technology Development and Supply Chain: Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal.
Page 20
Addressing Supply Chain Risk: The O-TTPS Accreditation Program
• The O-TTPS Accreditation Program provides structure and discipline to a set of benchmarks and requires independent confirmation of conformance based on evidence
• Process promotes self-evaluation of operations
• Identifies necessary processes for technology development and supply chain
• Organization needs to determine the scope sought for accreditation: organization-wide, a business unit(s), product line, or products.
• Company must determine:
  › What products are made in what region and nation?
  › Do the required processes exist everywhere that is relevant?
  › Are the processes implemented as required, and what evidence is there to confirm that? Are there gaps? What needs to be done to fill the gaps?
Page 21
Addressing Supply Chain Risk: EWI “Purchasing Secure ICT Products and Services”
• The EastWest Institute (EWI) Buyers Guide will help buyers of Information and Communication Technologies (ICT) in managing cybersecurity risks when buying technology products and services:
  o Enterprise security governance
  o The Product and Service Lifecycle – from Design through Sustainment and Response
https://www.eastwest.ngo/sites/default/files/EWI_BuyersGuide.pdf
Page 22
Addressing Supply Chain Risk: EWI Draft Set of Principles for Intl Consideration
• An open, global ICT market that fosters innovation and competition
• A commitment by governments and ICT providers to avoid requirements or behavior that undermines trust in ICT
• A level playing field for ICT providers, regardless of country of origin, which is characterized by transparency
• Broader use of standards and best practices for security and integrity
• Streamlined, agile, and scalable international standards and approaches to conformance
• Encouragement to buyers of ICT – whether governments or private organizations -- to use procurement processes that utilize fact-driven, risk-informed, and transparent requirements.
Page 23
Promoting a risk-informed, level playing field for ICT: Premises Underlying Huawei Cyber Security Activities
The global cyber security landscape shows that government and private sector stakeholders agree that:
(1) virtually all systems and networks are vulnerable to a range of malicious attackers; and
(2) it is important for governments and private stakeholders to seek agreement on standards, best practices, and norms of conduct to address global cyber risk.
Page 24
Promoting a risk-informed, level playing field for ICT: Huawei Global White Papers
Goal: to strengthen -- and promote transparency about -- Huawei global and US assurance programs among customers and stakeholders.
Huawei has released four global cyber security white papers:
• 21st century technology and security – a difficult marriage (September 2012)
  http://www.huawei.com/ilink/en/download/HW_187368
• Making cyber security a part of a company’s DNA - A set of integrated processes, policies and standards (October 2013)
  http://www.huawei.com/en/cyber-security/hw_310548
• Top100 cyber security requirements – important to inform ICT buyers (Dec. 2014)
  http://pr.huawei.com/en/connecting-the-dots/cyber-security/hw-401493.htm
• The Global Cyber Security Challenge – It is time for real progress in addressing supply chain risk (June 2016)
  http://telecomtiger.com/Corporate_fullstory.aspx?storyid=21967&section=S162
Page 25
Promoting a risk-informed, level playing field for ICT: Huawei Cyber Security Activities
• Supply Chain Risk – Huawei is working with the Open Group Trusted Technology Forum and other major companies and governments to gain additional international support for The Open Group supply chain standard and accreditation program recognized by ISO in 2015. https://www2.opengroup.org/ogsys/catalog/c139
• EastWest Institute Cyber Initiative - Pursuit of Global Agreement. EWI is working with key companies and governments (US, China, Russia, UK, Germany, India, etc.) to seek agreement on contentious cyber issues, including the global availability of more secure ICT products (led by Huawei, Microsoft, and the Open Group), and to create an ICT Buyer’s Guide, which was released on September 13 in New York. http://www.ewi.info/department/cyberspace-cooperation
• Top 100 Requirements. To incentivize producers of ICT products and services to provide more secure products, Huawei launched the Top 100 Requirements to encourage buyers of ICT products to be more informed, consistent, and organized regarding what they should ask of, or require from, their vendors/suppliers. The Top 100 Requirements are referenced in the EWI ICT Buyers Guide. http://www.ewi.info/idea/bruce-mcconnell-speaks-huawei-technologies-white-paper-release
Page 26
CONCLUSION AND SUMMARY
• Responsible organizations – providers and users – will address security and privacy risk as part of enterprise-wide risk management.
• Organizations should address cyber risk by using a comprehensive end-to-end approach that relies on standards and best practices, and a targeted program to manage this risk.
• It is critically important for organizations to consider the risk from 3rd party providers of products and services, including technology development and supply chain risk.
• Providers and users of Information and Communication Technologies (ICT) should address the risk of counterfeit and maliciously tainted products.
• Providers need recognized standards and agreed-upon mechanisms to establish trust.
• Buyers of ICT need risk-based security requirements for their procurements, and should use their collective purchasing power to incentivize raising the bar.
Page 28
Cyber security is a crucial Huawei company strategy
Our cyber security vision and mission focus on the needs of our customers.
Vision: To provide secure, easy and equal access to information services.
Mission: Working internationally to develop the most effective approach to cyber security, establishing and implementing an end-to-end customer-oriented cyber security assurance system within Huawei, which is transparent and mutually trusted, so that we ensure customers' long-term security trust.
As a leading global ICT solutions provider, we provide information network products and services. The global network needs to be stable at all times. It is our primary social responsibility to support stable and secure networks for customers at any time.
“Huawei hereby undertakes that as a crucial company strategy... Taking on an open, transparent and sincere attitude, Huawei is willing to work with all governments, customers and partners to jointly cope with cyber security threats and challenges ... Our commitment to cyber security will never be outweighed by the consideration of commercial interests.”
-- Mr. Ren, Huawei CEO