Visibility & Control: Addressing Supply Chain Challenges to Trustworthy Software-Enabled Things

Robert A. Martin
2020 IEEE Systems Security Symposium (SSS), published 2020-07-01
DOI: 10.1109/SSS47320.2020.9174365 (https://doi.org/10.1109/SSS47320.2020.9174365)
Citations: 7

Abstract

Software is playing a pivotal role in most enterprises, whether they realize it or not, and with the proliferation of Industrial Internet of Things (IoT) and other cyber/physical systems across our society and critical infrastructure and our collective love affair with automation, optimization, and “smart” devices, the role of these types of systems is only going to increase. This talk addresses the myriad of issues that underlie unsafe, insecure, and unreliable software and provides the insights of the Industrial Internet Consortium and other government and industry efforts on how to conquer them and pave the way to a marketplace of trustworthy software-enabled connected things.
As the experience of several sectors has shown, the dependence on connected software needs to be met with a strong understanding of the risks to the overall trustworthiness of our software-based capabilities that we, our enterprises, and our world utilize. In many of these new connected systems, issues of safety, reliability, and resilience rival or dominate concerns for security and privacy, the long-time focus of many in the IT world. Without a scalable and efficient method for managing these risks so our enterprises can continue to benefit from these advancements that power our military, commercial industries, cities, and homes to new levels of efficiency, versatility, and cost effectiveness, we face the potential for harm, death, and destructiveness.
In such a marketplace, creating, exchanging, and integrating components that are trustworthy as well as entering into value-chain relationships with trustworthy partners and service suppliers will be common if we can provide a method for explicitly defining what is meant by the word trustworthy.
The approach being pursued by these groups for applying Software Assurance to these systems and their Supply Chains by leveraging Structured Assurance Cases, Software Bill of Materials (the focus of this paper), and secure development practices applied to the evolving Agile and DevSecOps methodologies, is to explicitly identify the detailed requirements “about what we need to know about something for it to be worthy of our trust” and to do that in a way that we can convey that basis of trust to others that: can scale; is consistent within different workflows; is flexible to differing sets of hazards and environments; and is applicable to all sectors, domains, and industries.