Cyber security for supply chains: as strong as the weakest links

Supply chain vulnerabilities make them targets of choice for attacks

As up to 80% of cyber breaches may originate in supply chains, protecting these is an absolute priority for all organizations. Industrial and critical infrastructure assets are most at risk. The IEC has developed many Standards for these. It works also on conformity assessment (CA) and global certification schemes through Working Groups (WGs) set up by its Conformity Assessment Board (CAB) and by the Certification Management Committee (CMC) of IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components. Both should help better protect supply chains.

Airbus A320 mobile tooling platform (Photo: Airbus Group)

Critical infrastructure matters most

The overall impact and severity of cyber attacks vary according to the target. Cyber attacks on businesses and industry may have disastrous consequences for the companies affected, and sometimes for society. They may ultimately force some businesses or industries to close. However, the most serious cyber threats at country level concern the critical infrastructure, which covers the assets and systems essential to the functioning of a country’s society and economy. The sectors counted as critical are broadly similar in many countries. Damage to any of these can have wide and very serious disruptive implications for societies.

Supply chain, a flexible and yet comprehensive concept

ISO/IEC 27036-1:2014, IT Security techniques — Information security for supplier relationships — Part 1: Overview and concepts, gives a very comprehensive definition of the ICT supply chain. It consists, it says, of a “set of organizations with linked set of resources and processes, each of which acts as an acquirer, supplier, or both to form successive supplier relationships established upon placement of a purchase order, agreement, or other formal sourcing agreement. (…)”

A definition of supply chain for industrial and other physical assets, such as power grids, transportation systems, smart manufacturing, etc., would be more comprehensive and complex, as it would comprise not only ICT but also the operational technology (OT) supply chain. The OT supply chain includes personnel (developers, suppliers, vendors, installers, staff working on OT), processes, and products, i.e. the components and systems central to OT, such as industrial automation and control systems (IACS) and, increasingly, internet of things (IoT) elements. Digitization in all industrial sectors means more vulnerabilities for industrial supply chains.

Different sectors and activities, but facing similar challenges

A recent conference on Managing Cyber Risk in Critical Infrastructure, organized by the Financial Times in London and attended by e-tech, held a panel session on Securing the critical supply chain. Panellists included Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) from the aviation and energy sectors, who explained how they manage their supply chain and suppliers. They gave details of the challenges they face and the solutions they deploy to meet them, bearing in mind that safety is also a major concern for them. Airbus Head of cyber security architecture Dr Kevin Jones explained that Airbus had three main activities: manufacturing commercial aircraft, helicopters and defence equipment.

“This gives Airbus a very large supplier base at a time when it is going, like many other manufacturers, through a huge transformation programme,” he said.

To protect its supply chain, Airbus introduced a number of measures that include secure remote access for suppliers and a certain degree of access segregation, full audit of Airbus’s and suppliers’ production facilities and the identification of vulnerabilities. Suppliers have to review their process and make sure they meet Airbus standards.

As regards coding for safety environments, Airbus has internal teams with experts in code reverse engineering and in reliability assessment. “A lot of money, time and effort are invested in making sure that any code we have is well validated. Like any large organization, we have a very complex and extensive supply chain, and the ways we handle it very much depend on the risks this supply chain poses to our business,” Jones said.

Peter Merker, CISO for Skyguide, which provides air navigation services for Switzerland and certain adjacent parts of neighbouring countries, explained that the entire air traffic control sector was going through a huge technological transformation driven by digitization. This digital transformation means moving away from a monolithic equipment base with a lifecycle of over 20 years to systems coming from the IT environment and “introducing commercial off-the-shelf software when we can, due to cost pressures and flexibility. The entire air navigation control system is managed centrally and increasingly integrated across the continent within Eurocontrol, which means the digital transformation and the way the air traffic control sector uses suppliers are happening everywhere.”

“Skyguide buys software directly so we’re looking at contractual aspects, at source code reviews, which is new for us since we developed the codes ourselves.” Skyguide owns SkySoft, a software development company, which specializes in air traffic control management systems. “We manage what we develop ourselves together with what we buy off-the-shelf,” Merker said.

Dexter Casey, Group CISO for Centrica, a British-based multinational energy and services company, explained that Centrica had two main divisions, the first one, British Gas, for energy [gas and electricity] “has very large equipment, gas platforms and stations, thus facing challenges similar to those mentioned by the previous speakers.” The second Centrica division, he added, is Connected Home, an IoT company, “which has similar problems too with chips and chipsets coming from one place. It is proving extremely difficult contractually to ask suppliers to change configuration or make these components unique,” Casey said, adding that Centrica had 30,000+ suppliers, and a team of some 15 staff reviewing contracts and performing security assessments. “What Centrica has to do is to focus its efforts on the 100-200 suppliers that have a critical impact on delivering its services,” he explained.

Several speakers mentioned the risks posed by “watering hole” attacks, in which malware is planted on certain supplier websites that are likely to be visited by the organizations being targeted. The software supply chain is an attractive target for attackers. A July 2018 report by the US National Counterintelligence and Security Center (NCSC) warns that “software supply chain infiltration already threatens the critical infrastructure sector and is poised to threaten other sectors.”

All panellists agreed that they faced similar challenges: with infrastructures and processes relying more and more on both IT and OT, supply chains are much more complex to manage than they were before, when digitization was less widespread and cyber threats were not an issue.

CA and certification work will have a growing impact on cyber security

The IEC’s very extensive work on cyber security includes Standards, Technical Requirements and Specifications and, increasingly, CA and certification.

In addition to the ISO/IEC 27000 family of Standards for IT service management, and to the IEC 62443 series of horizontal publications for industrial communication networks and IACS, relevant to many domains, a number of IEC Technical Committees (TCs) and Subcommittees (SCs) have developed specific Standards, Technical Specifications and Requirements for certain sectors.

IEC CAB set up WG 17: Cyber security. WG 17’s tasks include investigating the market needs and timeframe for CA services (global certification schemes) for products, services, personnel and integrated systems in the domain of cyber security. However, they exclude the scope of industrial automation applications covered by IECEE CMC WG 31: Cyber security. CAB WG 17 also communicates to other industry sectors the generic cyber security approach taken by IECEE CMC WG 31 and how this may apply to those other sectors.

IECEE CMC WG 31’s main task is to “make a unique approach for CA to the IEC 62443 series.” To do this it prepared OD-2061, a guidance Operational Document published in June 2018, which describes how conformity assessment can be handled and applied to certain Standards in the IEC 62443 series.

Additionally, this OD explains under which conditions IECEE Cyber Certificates of Conformity – Industrial Cyber Security Capability can be delivered. They are valid only when “signed by an approved Certification Body (CB) Testing Laboratory and appended to a Certificate issued by a National CB (NCB).”

These certificates are defined currently for the following assessments: product capability, process capability, product application of capabilities, process application of capabilities and solution application of capabilities, each applying to one or more Standards in the IEC 62443 series.

Together with the IEC’s cyber security-related Standards, the recent introduction of comprehensive CA / certification schemes should ensure that systems which rely on industrial communication networks and IACS, including supply chains, will be better protected against cyber threats.