UL, Northbrook, Illinois, the global safety certification company, says the novel coronavirus (COVID-19) has increased cybersecurity problems for manufacturers.
SME Media conducted an interview with Laurens van Oijen, UL's cybersecurity solution leader, to discuss the issues involved.
QUESTION: There are reports that during the COVID-19 pandemic cyberattacks against companies and their supply chains have increased. Is there a cause and effect? Why the increase?
VAN OIJEN: Supply chains are generally susceptible to cyberattacks. Half of all cyberattacks are aimed at supply chain partners. Attackers want to gain access to your entire system, including partners and suppliers, and/or exploit partners and suppliers in order to gain entry to your internal systems.
Cyberthreats are one of the biggest issues facing global supply chains in 2020 following the uptake of connected technologies and the subsequent expansion and diversification of supply chains.
COVID-19 has made clear how dependent and vulnerable supply chains are with regards to the availability of partner and supplier organizations. Due to COVID-19, supply chain disruption has meant that organizations have either limited or no access to certain suppliers anymore, have to find new suppliers and vet them, or move supply chain operations to other regions.
The scramble of getting supply chains up and running again, while minimizing further loss of revenue, may come paired with the risk of organizations temporarily underprioritizing their cybersecurity efforts, leaving a possible window of opportunity for attackers.
A second factor that contributes to the uptick in cyberattacks is the fact that a large number of people are now working from home, or at least no longer from the traditional office.
With work-from-home policies, organizations are facing a larger attack surface as essentially each employee is now connected to a different network, rather than an organization’s own IT infrastructure. Similarly, any contractors or vendors are required to work remotely. Moreover, organizations are leveraging additional apps and services to facilitate remote communication and collaboration.
QUESTION: How well prepared are companies for such cyberattacks on their supply chain?
VAN OIJEN: Although effectively all organizations are aware of the fact that they might be at risk through a third party, the majority of them doesn’t yet deem vetting a supplier’s security posture a critical necessity.
That doesn’t necessarily mean that organizations today don’t make an effort to inventory their supply chain’s security posture, but such information may only be minimally consulted for internal decision-making to manage suppliers and/or procure third-party services.
Also, when supply chain security information is consulted, coverage of suppliers may be less than desired, the value of the information and its trustworthiness not ensured, and/or consistency in ranking or deriving supplier decisions lacking.
QUESTION: What should companies do to be better prepared?
VAN OIJEN: It’s paramount for organizations in coming months to assess internal and supply chain security and start internal conversations with affected departments, such as procurement.
Organizations should standardize and align their vendor assessment questionnaires with any chosen risk management framework and use it to establish a common security and risk understanding with suppliers.
This should facilitate the identification of vulnerabilities and supply chain security gaps, and organizations should similarly have a dedicated policy to define the need for, and measure the effectiveness of, any following mitigation.
QUESTION: How is UL involved with cybersecurity issues?
VAN OIJEN: UL is a global leader in payments security, identity management and cybersecurity, with many years of experience working with manufacturers, financial institutions, product designers, standards bodies and industry stakeholders to help drive the increased adoption, security, safety and digitization of electrical and electronic products around the world.
With more than two decades of cybersecurity experience, UL is a recognized leader in markets regulated for cybersecurity, including payments and federal procurement. UL also has a rapidly growing IoT & IIoT (Industrial Internet of Things) security practice, built organically over the last five years based on its cybersecurity expertise.
UL has extensive expertise in creating security frameworks, having co-authored over 25 cybersecurity standards and frameworks, and has nine IoT security labs globally, located in the U.S., Europe and Asia-Pacific.
UL structures cybersecurity programs, advises device manufacturers and ecosystem stakeholders on technology and cybersecurity strategy, develops security test tools and platforms, performs functional security tests, security evaluations and offers compliance and certification to various industry standards and frameworks. This helps companies strengthen and validate their cybersecurity posture, and provide safer and more secure products and ecosystems.
UL’s portfolio of IoT security solutions includes the UL IoT Security Rating, UL Supplier Cyber Trust Level, services for IEC 62443 and the UL 2900 Series of Standards, and security by design training, advisory and testing services that address secure product development, cybersecurity in smart ecosystems and supply chain risk management.
As IoT products are not yet regulated at scale, UL also helps companies understand and navigate the evolving landscape of IoT security regulations and frameworks, including the State of California IoT Security Bill, State of Oregon IoT Security Bill, several pending U.S. state IoT security bills, the U.K. Code of Practice for Consumer IoT Security and many other emerging regional and industry security frameworks.
Earlier this year, UL launched its Supplier Cyber Trust Level solution aimed at supporting OEMs and other purchasing organizations with the strategic vendor security due diligence efforts of their connected technology supply chains.
UL developed a security assessment framework based on leading industry standards such as ISO 27001, IEC 62443-4-1 and Common Criteria (EAL-4) that results in a tiered rating of a supplier’s organizational security maturity. This allows purchasing organizations to make the security posture of their supply chain more transparent and more manageable.
Additionally, UL is recognized by IECEE for IEC 62443-2-4, IEC 62443-3-3, IEC 62443-4-1 and IEC 62443-4-2 certification, which in combination can result in an effective certification solution for industrial and building automation supply chains.
UL offers related advisory and certification solutions to help manufacturing and other industrial organizations meet buyer and/or regulatory requirements and to help them demonstrate their security maturity efforts externally.
QUESTION: How long does it take for a company to improve the security of its supply chain?
VAN OIJEN: Improving the security posture of a supply chain takes time and is effectively a never-ending effort if executed appropriately. As cybersecurity is a dynamically moving target, a well-maintained cybersecurity management system is needed to ensure continued protection of operations and business.
As large manufacturers have several thousand third-party partners, a first step in establishing a supply chain cybersecurity management system is to classify categories of suppliers and identify those which require enhanced security due diligence at the earliest opportunity.
In parallel, organizations are advised to set up an awareness campaign for their suppliers, to inform them of the change in due diligence effort and communicate expectations towards the suppliers as well as the purchasing organization’s motivations and related business objectives. Regardless of what additional due diligence measures are taken, the impact on suppliers must be managed carefully.
UL would therefore recommend a phased approach where, for example, suppliers consider the initial enhancements manageable and reasonable, and the priority lies with onboarding as many suppliers as possible to create a common supply chain “security baseline”. After that, the goal would be to raise the “security bar” step by step, allowing suppliers to catch up in a manageable manner each time.
Supply chain security is a collective effort; if an organization helps its suppliers become more secure, then, in return, the organization itself becomes more secure.