Supply chain security advice and guidelines
Increased digital connectivity can bring manufacturers great rewards, but with a heightened level of sophistication from bad guys, attacks can come from more directions than anyone has ever thought of before.
Protecting a single organization is difficult enough, but what about the supply chain connected to your organization?
According to a report by Crowdstrike, 33% of organizations are concerned about supply chain attacks. Furthermore, 18% say the risk is high and 38% say it is moderate.
On top of that, almost 66% of respondents said they experienced some form of supply chain attack. The biotechnology and pharmaceutical sector takes the lead with 82% of organizations encountering such an incident, including 45% hit in the last year.
“More and more companies are connected where they are generating data and consuming data. How much risk can they take? How can we protect an environment? Rainer Zahner, global head of cybersecurity for governance at Siemens, asked during a cybersecurity meeting at the Siemens campus in Munich, Germany, last week. “We are coming up with baseline requirements for our suppliers along the supply chain,” he said.
Those baseline requirements are what the Charter of Trust are all about.
Charter of trust
Part of growing into the digital economy was the creation of the Charter of Trust, which is a Siemens initiative that has now grown to 16 companies. Each company follows 10 principles to help ensure a trusted and secure environment.
“The Charter of Trust is something everybody needs to follow,” said Eva Schulz-Kamm, global head of government affairs and leading the Charter of Trust initiative during the Munich meeting. “We see trust as an investment into the future.”
The charter’s core ten principles are:
- Ownership of cyber at IT security
- Responsibility through the digital supply chain where there is identity and access management, encryption, and continuous protection
- Security by default
- Innovation and co-creation
- Certification for critical infrastructure and solutions
- Transparency and response
- Regulatory framework
- Joint initiatives.
Jonathan Sage, government and regulatory affairs executive at IBM and global lead at IBM for the Charter of Trust discussed the second principle in the Charter of Trust, which relates to the supply chain, which has the greatest scrutiny for the most significant risks.
The goal, he said, is to establish risk-based rules to ensure adequate protection across all Internet of Things (IoT) layers with clearly defined mandatory requirements.
“There are 17 baseline requirements for the supply chain,” Sage said. “The goal is to make our products and services more secure and introduce a cybersecurity standard for ourselves and our suppliers by committing to 17 baseline requirements.
Baseline supply chain requirements
The baseline cybersecurity supply chain requirements include:
- Products or services will be designed to provide confidentiality, authenticity, integrity and availability of data
- Data will be protected from unauthorized access throughout the data lifecycle
- The design of products and services shall incorporate security as well as privacy where applicable
- Security polices consistent with industry best practices such as ISO 27001, ISO20243, SOC2, IEC 62443 shall be in effect
- Guidelines on secure configuration, operation and usage of products or services shall be available to customers
- Policies and procedures shall be implemented so as not to consent to include back doors, malware and malicious code in products and services
- For confirmed incidents, timely security incident response for products and services shale be provided to customers
- Measures to prevent unauthorized physical access throughout sites shall be in place
- Encryption and key management mechanism shale be available where relevant to protect data
- Appropriate level of identity and access control and monitoring, including third parties, shall be in place and enforced
- Regular security scanning, testing and remediation of products, services and underlying infrastructure shall be performed
- Asset management, vulnerability management and change management policies implemented are capable of mitigating risks to services
- Business continuity and disaster recovery procedures shall be in place and shall incorporate security during disruption where applicable
- A process shall be in place to ensure products and services are authentic and identifiable
- The support timeframe, specifying the intended supported lifetime of the products, services or solutions shall be defined and made available
- Based on risk, and during the timeframe of support, processes shall be in place for contacting support, security advisories, vulnerability management, and cybersecurity related patch delivery and support
- A minimum level of security education and training for employees shall be regularly deployed.