Supply Chain Cybersecurity

Stefan Hessel

Cybersecurity in the supply chain is gaining importance

While cyberattacks were once usually directed against individual companies, for some time now supply chains have increasingly become the target of cybercriminals.

Increasing demands on supply chains

Legal cybersecurity requirements for supply chains are therefore becoming increasingly important.

1.    ENISA: Threat landscape for supply chain attacks

ENISA distinguishes between two attack scenarios involving supply chains. In the first, a supplier is itself the direct victim of a cyberattack, for example an encryption Trojan (ransomware), and the result is a production stoppage or disruption at that level of the supplier pyramid or at the next level up; here the impact on the supply chain is incidental rather than intended. In the second, the supply chain itself is the target: because mature cybersecurity measures make direct attacks on manufacturers and suppliers at the higher levels of the supply chain harder, attackers shift to the suppliers of the company they actually want to reach, and those suppliers' access to the target opens a new entry point.

2.    New Quad Alliance security standards

To counteract these developments, the Quad Alliance, a strategic alliance of the United States, Australia, India and Japan, has already announced its intention to define new IT security standards for supply chains. In particular, the alliance focuses on stabilising the supply chains of key product components, such as chips (semiconductors) and rare-earth metals, and on joint defence against state and non-state cyberattacks. The Quad Alliance paper makes explicit reference to the European Union's (EU) strategic positions on IT security and free trade.

3.    NIST: Key practices in cyber supply chain risk management

The National Institute of Standards and Technology (NIST) sees the identification, assessment and mitigation of cyber risks in the supply chain as critical to achieving an adequate level of IT security in organisations, because globalisation, outsourcing and digitalisation create growing dependencies within complex supply chains. For this purpose, NIST provides organisations with "key practices" for managing cybersecurity risks in the supply chain responsibly.

4.    Pass-through of producer obligations (UNECE regulations)

All industries face new legal cybersecurity challenges; the automotive industry is one example. Since the UNECE regulations on cybersecurity management systems (CSMS) and on software updates, including over-the-air (OTA) updates (UN Regulations No. 155 and No. 156), came into force, new cybersecurity and software requirements apply to vehicle manufacturers. Although these regulations directly address only the OEMs, the OEMs pass the new requirements through to their suppliers, who must therefore comply with them at least indirectly, on the basis of contractual arrangements.

Supply chain cybersecurity

SolarWinds and Kaseya highlight the significant risk potential of cyberattacks on supply chains. Because attacks are increasingly shifting to supply chains, IT security measures that focus exclusively on a company's own operations are no longer sufficient. In this light, it is clear that legal requirements for cybersecurity in the supply chain are becoming increasingly important. However, since neither the current legal regulations nor technical measures alone can guarantee the required level of protection, companies must (at least for the time being) rely on contractual provisions to avoid unreasonable risks. In this context, requirements can be "passed through" along the supply chain, as is already the case in the automotive industry, and secured by liability and indemnity provisions.

[October 2021]