The European Union Agency for Cybersecurity releases its good practices for supply chain cyber security

June 20, 2023 |

The EU is far ahead of Australia in regulating privacy and cyber security, through both the GDPR and its rules and guidance on good cyber security practices. The United States is well served by the publications of the National Institute of Standards and Technology (NIST).

The European Union Agency for Cybersecurity (ENISA) has released Good Practices for Supply Chain Cybersecurity. It is a long and complex document, but particularly relevant given the spate of data breaches in Australia. It is relevant to note that the document makes regular reference to NIST guidance. I regularly post on NIST guidance.

Some of the findings included:
  • between 39 % and 62 % of organisations were affected by a third-party cyber incident;
  • supply chain compromises were the second most prevalent initial infection vector identified in 2021, and accounted for 17 % of intrusions;
  • in 66 % of the supply chain attacks analysed for 2021, the suppliers did not know, or were not transparent about, how they were compromised;
  • around 62 % of the attacks on customers took advantage of their trust in their supplier. In 62 % of the cases, malware was the attack technique employed. When considering targeted assets, in 66 % of the incidents attackers focused on the suppliers’ code in order to further compromise targeted customers;
  • 86 % of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies;
  • 47 % allocate budget for ICT/OT supply chain cybersecurity;
  • 76 % do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity (only 24 % do);
  • 52 % have a rigid patching policy, in which only 0 to 20 % of their assets are not covered. On the other hand, 13.5 % have no visibility over the patching of 50 % or more of their information assets;
  • 46 % patch critical vulnerabilities in less than 1 month, while another 46 % take up to 6 months to patch critical vulnerabilities;
  • 59 % of the surveyed organisations that have third-party risk management (TRM) policies in place also have a dedicated budget or budget line for supply chain security;
  • regarding cybersecurity risk mitigation techniques:
    • 61 % of the surveyed organisations preferred security certificates from suppliers,
    • 43 % preferred security rating services,
    • 37 % used due diligence or risk assessments, and
    • only 9 % did not evaluate their supply chain security risks in any way.
The Report summarised the situation as:
  1. Although organisations understand the significance of supply chain security, they do not allocate the necessary resources for ICT/OT supply chain cybersecurity.
  2. Even when they invest in ICT/OT supply chain cybersecurity projects, the majority do so without clear corporate governance structures, which ideally should take into account the costs and benefits of implementing ICT/OT supply chain cybersecurity practices and controls.
  3. Organisations with formalised ICT/OT supply chain cybersecurity corporate procedures are a minority of the surveyed sample.
  4. Banking is the sector with the most established ICT/OT supply chain cybersecurity policies, dedicated budget and FTEs.
  5. Classifying an incident as a supply chain incident is cumbersome due to the lack of concrete criteria.
  6. Certifications are the most preferred way for organisations to follow suppliers’ cybersecurity practices; however, they come with high costs, especially for vendors whose products are not cybersecurity-specific.
  7. The surveyed organisations agree that common cybersecurity requirements for products and services would be beneficial for the market.
  8. There is room to improve the visibility of the organisations over their information assets.
  9. The majority of surveyed organisations do not have a vulnerability management system which covers all organisational assets.
  10. Vulnerability management and testing of products contribute to better ICT/OT supply chain cybersecurity posture.
The Report notes that the revised Network and Information Security Directive (NIS2) enhances supply chain cybersecurity by:
  • eliminating the distinction between operators of essential services and digital service providers;
  • extending the coverage to a larger portion of the economy and society by adding more sectors with the differentiation of essential and important entities;
  • addressing supply chain cybersecurity and supplier relationship by requiring individual entities to address respective cybersecurity risks;
  • introducing focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing and the effective use of encryption;
  • introducing accountability of each entity’s management for compliance with cybersecurity risk management measures;
  • suggesting that the NIS Cooperation Group may carry out coordinated security risk assessments of specific critical information and communication technology (ICT) services, systems or products.

The Report found that although operators understand the cybersecurity risks stemming from the supply chain and its role in the larger ecosystem, they evaluate those risks on an ad hoc basis, without internal structures to manage cybersecurity risks throughout the supply chain. Organisations commonly do not have the capabilities to engage and share information with entities in the broader ecosystem.

The Report recommends that organisations develop a strategy that ensures that:

  • ICT/OT supply chain cybersecurity practices are established, followed, maintained and documented;
  • up-to-date policies or other organisational directives define the requirements for ICT/OT supply chain cybersecurity activities;
  • adequate resources (people, funding and tools) are committed to support ICT/OT supply chain cybersecurity activities;
  • supply chain risk teams are created that include executives from across the organisation (e.g. cyber, product security, procurement, legal, privacy, enterprise risk management, business units) (NISTIR 8276), and personnel have skills and knowledge relevant to ICT/OT supply chain cybersecurity;
  • responsibility and authority for the performance of activities relevant to ICT/OT supply chain cybersecurity are assigned to personnel, with explicit collaborative roles, structures and processes for the supply chain, cybersecurity, product security and physical security functions (NISTIR 8276);
  • the Executive Board is involved in ICT/OT supply chain cybersecurity through regular risk discussions and the sharing of performance measures (NISTIR 8276).

Once the strategy is defined, the organisation needs to assess the risks related to its cyber supply chain. This requires entities to implement a risk-based approach which ‘shall ensure a level of security of network and information systems appropriate to the risk presented’, and to apply it in a coordinated manner when assessing the security of their cyber supply chains.

ICT/OT supply chain cybersecurity needs to address:

  • supply chain risk management;
  • supplier relationship of essential and important entities with different kinds of suppliers and service providers;
  • vulnerability handling in products and components;
  • quality of products and cybersecurity practices of suppliers and service providers.
  • good practices to also identify dependencies on third-party suppliers of these services and assets, and make sure that:
    • important IT and OT supplier dependencies are identified (i.e. external parties on which the delivery of the function depend, including operating partners);
    • important customer dependencies are identified (i.e. external parties that are dependent on the delivery of the function, including operating partners);
    • critical software dependencies are mapped – down to the level of packages, libraries and modules;
    • single points of failure and other essential dependencies are identified.
  • at the end of the identification process, a list of all suppliers, highlighting those responsible for products or services with security-enforcing functions, privileged access or that handle particularly sensitive information;
  • entities identify and assess supplier risk as an integral component of their risk management approach, taking into account:
    • risk factors and results of coordinated risk assessments,
    • restrictions or exclusions posed by a relevant national authority, e.g. in critical equipment or for high-risk suppliers;
    • information stemming from known incidents or cyber threat intelligence;
    • the characteristics of each supplier, such as the quality of its security practices, the level of transparency
    • an assessment of the risk profile of all relevant potential or existing suppliers of critical ICT/OT services, systems or products. This assessment should be done in collaboration with other entities, if they are part of the same supply chain, or in collaboration with national authorities.
  • managing vulnerabilities in the ICT/OT products used in networks and (critical) infrastructure. Vulnerabilities should be managed by suppliers, which eventually leads to patches that need to be applied to the product user’s network or (critical) infrastructure components. If a vulnerability is reported in a supplied component of a product, the supplier of the product itself needs to analyse the vulnerability and the component’s patch for applicability and incorporation, which can eventually lead to a patch for the affected product.
  • software products that run on standard operating systems such as Windows or Linux require compatibility testing of operating system patches to avoid compatibility issues.
  • planning the deployment of patches in operational infrastructure, taking into account complex roll-out and maintenance schedules. Patch deployment times differ for IT networks.
  • vulnerabilities are typically classified according to their potential impact and exploitability, and the resulting risk rating determines how each vulnerability is treated. Vulnerabilities in products that can be exploited remotely are typically of higher risk and should be treated with higher priority than vulnerabilities that require physical access for exploitation.
  • the handling of vulnerabilities has two aspects:
    • the monitoring of vulnerabilities which leads to an analysis on the vulnerabilities identified up to a patch delivered and deployed; and
    • the publishing of advisories.
  • a vulnerability notification has the objective to warn product users of critical vulnerabilities and might recommend alternative mitigation measures to minimise the likelihood of an exposure.
  • a supplier should manage the infrastructure and organisation relevant to the design, development, manufacturing and delivery of products and components according to the requirements of ISO/IEC 27001, and should implement an ISO 9001 quality management system to continuously improve quality.
  • a system integrator should have processes in place which ensure that cybersecurity requirements for systems are taken into consideration, and should manage the infrastructure and organisation relevant to the design and deployment of a system according to the requirements of ISO/IEC 27001:2022.
