Supply Chain Cybersecurity

Cybersecurity in the supply chain is gaining importance

While cyberattacks in the past were usually directed against individual companies, supply chains have increasingly been the focus of cybercriminals for some time now.

Increasing demands on supply chains

Cybersecurity legal requirements for supply chains are therefore becoming increasingly important.

1. ENISA: Threat landscape for supply chain attacks

ENISA distinguishes between two attack scenarios on supply chains. First, a supplier may become an immediate victim of a cyberattack, such as an encryption Trojan (ransomware), and as a result there may be a production stoppage or disruption at that level of the supplier pyramid or at the next level. However, in this scenario the impact on the supply chain is more incidental. On the other hand, there are also targeted attacks on the supply chain. As mature cybersecurity measures make direct attacks against manufacturers and suppliers at higher levels of the supply chain more difficult, attacks shift to the suppliers of the actual target company, opening new gateways for attackers.

2. New Quad Alliance security standards

To counteract these developments, the Quad Alliance, a strategic alliance of the United States, Australia, India and Japan, has already announced its intention to define new IT security standards for supply chains. In particular, the alliance focuses on stabilising the supply chains of key product components, such as chips and rare-earth metals, as well as on a joint defence against state and non-state cyberattacks. The Quad Alliance paper makes explicit reference to the European Union's (EU) strategic positions on IT security and free trade.

3. NIST: Key practices in cyber supply chain risk management

The National Institute of Standards and Technology (NIST) sees the identification, assessment and mitigation of cyber risks in the supply chain as a critical factor in achieving an adequate level of IT security in organisations. This is because globalisation, outsourcing and digitalisation are creating increasing dependencies within complex supply chains. For this purpose, NIST provides organisations with "key practices" to teach responsible management of cybersecurity risks.

4. Pass-through of producer obligations (UNECE regulations)

All industries face new cybersecurity legal challenges. One example is the automotive industry. Since the UNECE regulations for automotive cybersecurity management systems and over-the-air (OTA) updates came into force, new cybersecurity and software standards apply to automotive manufacturers. Although the specifications primarily address only OEMs, the OEMs pass the new requirements through to their suppliers, who must therefore comply with them, at least indirectly, on the basis of contractual arrangements.

SolarWinds and Kaseya highlight the significant risk potential of cyberattacks on supply chains. Due to the increased shift of attacks to supply chains, IT security measures that focus exclusively on a company's own operations are no longer sufficient. In this light, it is clear that the legal requirements for cybersecurity in the supply chain are becoming increasingly important. However, since legal regulations and technical measures alone cannot adequately reflect the required level of protection, companies must (at least for the time being) resort to contractual provisions to avoid unreasonable risks. In this context, requirements can be "passed through" within the supply chain, as is already the case in the automotive industry, and secured by liability and indemnity provisions.
