Supply Chain Security, a Charter Requirement

Wednesday, December 5, 2018 @ 04:12 PM gHale

By Gregory Hale
Increased digital connectivity can bring manufacturers great rewards, but with a heightened level of sophistication from bad guys, attacks can come from more directions than anyone has ever thought of before.

Protecting a single organization is difficult enough, but what about the supply chain connected to your organization?

RELATED STORIES
Siemens Boosting Security Presence
ROK: Security’s ‘Tower of Babel’
USB Drives Loaded with ICS-Based Malware
Russia Behind Triton Attack: Report

Indeed, just looking at a supply chain report by security provider, Crowdstrike, it found 33 percent of organizations are concerned about supply chain attacks, with 18 percent saying the risk is high and 38 percent saying it is moderate.

On top of that, almost 66 percent of respondents said they experienced some form of supply chain attack. The biotechnology and pharmaceutical sector takes the lead with 82 percent of organizations encountering such an incident, including 45 percent hit in the last year.

“More and more companies are connected where they are generating data and consuming data. How much risk can they take? How can we protect an environment? Rainer Zahner, global head of cybersecurity for governance at Siemens, asked during a cybersecurity meeting at the Siemens campus in Munich, Germany, last week. “We are coming up with baseline requirements for our suppliers along the supply chain,” he said.

Those baseline requirements are what the Charter of Trust are all about.

Charter of Trust
Part of growing into the digital economy was the creation of the Charter of Trust, which is a Siemens initiative that has now grown to 16 companies that follow 10 principles to ensure a trusted and secure environment.

“The Charter of Trust is something everybody needs to follow,” said Eva Schulz-Kamm, global head of government affairs and leading the Charter of Trust initiative during the Munich meeting. “We see trust as an investment into the future.”

The ten principles at the core of the Charter include:
1. Ownership of cyber at IT security
2. Responsibility through the digital supply chain where there is identity and access management, encryption, and continuous protection
3. Security by default
4. User-centricity
5. Innovation and co-creation
6. Education
7. Certification for critical infrastructure and solutions
8. Transparency and response
9. Regulatory framework
10. Joint initiatives

Jonathan Sage, government and regulatory affairs executive at IBM and global lead at IBM for the Charter of Trust discussed the second principle in the Charter of Trust, which relates to the supply chain, which has the greatest scrutiny for the most significant risks.

The goal, he said, is to establish risk-based rules that ensure adequate protection across all Internet of Things (IoT) layers with clearly defined mandatory requirements.

“There are 17 baseline requirements for the supply chain,” Sage said. “The goal is to make our products and services more secure and introduce a cybersecurity standard for ourselves and our suppliers by committing to 17 baseline requirements.

Baseline Supply Chain Requirements
The baseline cybersecurity supply chain requirements include:
1. Products or services shall be designed to provide confidentiality, authenticity, integrity and availability of data
2. Data shall be protected from unauthorized access throughout the data lifecycle
3. The design of products and services shall incorporate security as well as privacy where applicable
4. Security polices consistent with industry best practices such as ISO 27001, ISO20243, SOC2, IEC 62443 shall be in effect
5. Guidelines on secure configuration, operation and usage of products or services shall be available to customers
6. Policies and procedures shall be implemented so as not to consent to include back doors, malware and malicious code in products and services
7. For confirmed incidents, timely security incident response for products and services shale be provided to customers
8. Measures to prevent unauthorized physical access throughout sites shall be in place
9. Encryption and key management mechanism shale be available where relevent to protect data
10. Appropriate level of identity and access control and monitoring, including third parties, shall be in place and enforced
11. Regular security scanning, testing and remediation of products, services and underlying infrastructure shall be performed
12. Asset management, vulnerability management and change management policies shall be implemented that are capable of mitigating risks to services
13. Business continuity and disaster recovery procedures shall be in place and shall incorporate security during disruption where applicable
14. A process shall be in place to ensure that products and services are authentic and identifiable
15. The timeframe of support, specifying the intended supported lifetime of the products, services or solutions shall be defined and made available
16. Based on risk, and during the timeframe of support, processes shall be in place for 1) contacting support, 2) security advisories, 3) vulnerability management, 4) cybersecurity related patch delivery and support
17. A minimum level of security education and training for employees shall be regularly deployed

Siemens talked about embedding the security process into each of its development lifecycle stages.

“Before a product is built, we build in security levels and decide what level of security it needs,” said Harry Brian, Siemens U.S. manager for industrial security services team. “We are following those requirements all the way through to deployment or release of the product. We want to make sure the requirements were not overridden by product managers to add in other features. We do a threat and risk analysis on each product before it is developed. We are also looking at the supply chain during development. It is up to the Product Solutions and Security (PSS) organization to publish and train developers on guidelines. We check our suppliers to ensure they are following guidelines.”



Leave a Reply

You must be logged in to post a comment.