Supply Chain Cybersecurity

Cybersecurity in the supply chain is gaining importance

While cyberattacks in the past were usually directed against individual companies, supply chains have increasingly been the focus of cybercriminals for some time now.

Increasing demands on supply chains

Cybersecurity legal requirements for supply chains are therefore becoming increasingly important.

1. ENISA: Threat landscape for supply chain attacks

ENISA distinguishes between two attack scenarios on supply chains. First, a supplier may become an immediate victim of a cyberattack, such as an encryption Trojan (ransomware), and as a result there may be a production stoppage or disruption at that level of the supplier pyramid or at the next level. In this case, however, the impact on the supply chain is only incidental. On the other hand, there are also targeted attacks on the supply chain. As mature cybersecurity measures make direct attacks against manufacturers and suppliers at higher levels of the supply chain more difficult, attacks shift to the suppliers of the actual target company, opening new entry points for attackers.

2. New Quad Alliance security standards

To counteract these developments, the Quad Alliance, a strategic alliance of the United States, Australia, India and Japan, has already announced its intention to define new IT security standards for supply chains. In particular, the alliance focuses on stabilising the supply chains of key product components, such as chips and rare-earth metals, as well as on a joint defence against state and non-state cyberattacks. The Quad Alliance paper makes explicit reference to the European Union's (EU) strategic positions on IT security and free trade.

3. NIST: Key practices in cyber supply chain risk management

The National Institute of Standards and Technology (NIST) sees the identification, assessment and mitigation of cyber risks in the supply chain as a critical factor in achieving an adequate level of IT security in organisations. This is because globalisation, outsourcing and digitalisation are creating increasing dependencies within complex supply chains. For this purpose, NIST provides organisations with "key practices" to support responsible management of cybersecurity risks.

4. Pass-through of producer obligations (UNECE regulations)

All industries face new cybersecurity legal challenges. One example is the automotive industry. Since the UNECE regulations for automotive cybersecurity management systems and over-the-air (OTA) updates came into force, new cybersecurity and software standards apply to automotive manufacturers. Although the specifications primarily address only OEMs, they pass the new requirements through to suppliers, who must therefore comply with them, at least indirectly, on the basis of contractual arrangements.

Supply chain cybersecurity

SolarWinds and Kaseya highlight the significant risk potential of cyberattacks on supply chains. Due to the increased shift of attacks to supply chains, IT security measures that focus exclusively on a company's own operations are no longer sufficient. In this light, it is clear that the legal requirements for cybersecurity in the supply chain are becoming increasingly important. However, since legal regulations and technical measures cannot yet adequately reflect the required level of protection, companies must (at least for the time being) resort to contractual provisions to avoid unreasonable risks. In this context, requirements can be "passed through" within the supply chain, as is already the case in the automotive industry, and secured by liability and indemnity provisions.
