Supply Chain Cybersecurity

Cybersecurity in the supply chain is gaining importance

While cyberattacks were in the past usually directed against individual companies, supply chains have for some time now been an increasing focus of cybercriminals.

Increasing demands on supply chains

Legal cybersecurity requirements for supply chains are therefore becoming increasingly important.

1. ENISA: Threat landscape for supply chain attacks

ENISA distinguishes between two attack scenarios on supply chains. In the first, a supplier becomes the immediate victim of a cyberattack, such as an encryption Trojan (ransomware), and as a result production stops or is disrupted at that level of the supplier pyramid or at the next level. In this case the impact on the supply chain is largely incidental. In the second, the supply chain itself is the target. As mature cybersecurity measures make direct attacks against manufacturers and suppliers at higher levels of the supply chain more difficult, attacks shift to the suppliers of the actual target company, opening new gateways for attackers.

2. New Quad Alliance security standards

To counteract these developments, the Quad Alliance, a strategic alliance of the United States, Australia, India and Japan, has already announced its intention to define new IT security standards for supply chains. In particular, the alliance focuses on stabilising the supply chains of key product components, such as chips and rare-earth metals, as well as on a joint defence against state and non-state cyberattacks. The Quad Alliance paper makes explicit reference to the European Union's (EU) strategic positions on IT security and free trade.

3. NIST: Key practices in cyber supply chain risk management

The National Institute of Standards and Technology (NIST) sees the identification, assessment and mitigation of cyber risks in the supply chain as a critical factor in achieving an adequate level of IT security in organisations. This is because globalisation, outsourcing and digitalisation are creating increasing dependencies within complex supply chains. For this purpose, NIST provides organisations with "key practices" to support the responsible management of cybersecurity risks.

4. Pass-through of producer obligations (UNECE regulations)

All industries face new legal cybersecurity challenges. One example is the automotive industry. Since the UNECE regulations for automotive cybersecurity management systems and over-the-air (OTA) updates came into force, new cybersecurity and software standards apply to automotive manufacturers. Although the specifications primarily address only OEMs, the OEMs pass the new requirements through to their suppliers, who must therefore comply with them, at least indirectly, on the basis of contractual arrangements.

Supply chain cybersecurity

SolarWinds and Kaseya highlight the significant risk potential of cyberattacks on supply chains. Given the increasing shift of attacks to supply chains, IT security measures that focus exclusively on a company's own operations are no longer sufficient. In this light, it is clear that the legal requirements for cybersecurity in the supply chain are becoming increasingly important. However, since legal regulations and technical measures cannot adequately reflect the required level of protection, companies must (at least for the time being) resort to contractual provisions to avoid unreasonable risks. In this context, requirements can be "passed through" within the supply chain, as is already the case in the automotive industry, and secured by liability and indemnity provisions.

