Visibility & Control: Addressing supply chain challenges to trustworthy software-enabled things

Presented at LocoMocoSec 2019, April 18, 2019, 4 p.m. (30 minutes).

Software is playing a pivotal role in most enterprises, whether they realize it or not. With the advent of the Industrial Internet of Things (IoT) and other cyber/physical systems across our society and critical infrastructure, and with our collective love affair with automation, optimization, and “smart” devices, that role is only going to increase. This talk addresses the myriad of issues that underlie unsafe, insecure, and unreliable software and provides the insights of the Industrial Internet Consortium and other government and industry efforts on how to conquer them and pave the way to a marketplace of trustworthy software-enabled connected things. As the experience of several sectors has shown, the dependence on connected software needs to be met with a strong understanding of the risks to the overall trustworthiness of the software-based capabilities that we, our enterprises, and our world utilize. In many of these new connected systems, issues of safety, reliability, and resilience rival or dominate concerns for security and privacy, the long-time focus of many in the IT world. Without a scalable and efficient method for managing these risks, so that our enterprises can continue to benefit from the advancements that power our military, commercial industries, cities, and homes to new levels of efficiency, versatility, and cost effectiveness, we face the potential for harm, death, and destructiveness. In such a marketplace, creating, exchanging, and integrating components that are trustworthy, as well as entering into value-chain relationships with trustworthy partners and service suppliers, will be common if we can provide a method for explicitly defining what is meant by the word trustworthy.
The approach being pursued by these groups, leveraging Structured Assurance Cases, Software Bill of Materials and secure development practices, is to explicitly identify the detailed requirements “about what we need to know about something for it to be worthy of our trust” and to do that in a way that lets us convey that basis of trust to others and that: can scale; is consistent within different workflows; is flexible to differing sets of hazards and environments; and is applicable to all sectors, domains, and industries. We will also consider the brownfield/greenfield challenges of addressing trustworthiness in legacy and new systems.

Presenters:

  • Bob Martin - MITRE
    Robert A. Martin, Senior Principal Engineer of the MITRE Corporation and member of the Industrial Internet Consortium Steering Committee, has dedicated his career to working on solving some of the world’s most difficult problems in systems and software engineering, including cybersecurity, supply chain risk management, and assured application security. Much of his work has focused on the interplay of risk management, cybersecurity, and quality assessment and assurance. Over the past 19 years, Robert has applied his expertise to international cybersecurity initiatives such as CVE, CWE, CAPEC, sBOMs, and assurance cases, each of which has a large, active vendor and research community. Robert is currently engaged in the Industrial Internet Consortium, helping craft key portions of the Industrial Internet Reference Architecture, the Industrial Internet Security Framework, and the Vertical Taxonomy Landscape documents. He frequently makes presentations on Supply Chain Risk, IIoT, software security, secure development and test, assurance, computer vulnerabilities management, and related topics, and has authored numerous papers and standards on these subjects.
