Due to the rising impact of information security incidents on global supply chains, many governments and regulatory bodies have increased the requirements on product vendors that sell into critical infrastructure sectors. Most recently President Joe Biden issued an executive order on improving the US cybersecurity and supply chain resilience.
It is a fact that downstream suppliers remain to be a very sought-after target for threat actors today. They can provide easy access to large enterprise organizations and government agencies - and cause massive disruptions - if critical suppliers are taken down. If we want to ensure the global digital economy is protected, these suppliers must take steps to improve their information security posture.
Vendors should demonstrate the transparency of their information security practices with internationally recognized product validations and business practice certifications. This can help demonstrate transparency of the vendor’s products and business practices.
In the same way we look for “EnergyStar” ratings on appliances, we need to create a “CyberStar” program that provides objective, independent, apolitical third-party validation of technologies and business practices to demonstrate suitability for critical infrastructure supply chains. This could translate into an international compliance passport allowing them to contribute to the critical infrastructure supply chains in all nations.
A program such as this would also support product labelling - all consumers of these products could be protected. This program could be a method of strengthening the resilience of global supply chains while fostering the growth and stability of these vendors. This can be achieved by requiring, requesting, or supporting adoption of a transparency initiative to demonstrate:
Products would need to have code validated based on best practices in information security hardening, respective of the type of product and the sector it supports. Validations would demonstrate the current versions and firmware of the offering and would need to be maintained with future revisions and updates.
Cybersecurity certification is the best way to ensure best practices in cyber resilience are followed within downstream suppliers and contractors. Certification can ensure these agencies and external providers have the basic protections in place to prevent cyber incidents and have a plan on how to respond in the event of an incident.
Certification supports the audit of the supplier’s infrastructure by an accredited third-party auditor. Ensuring the correct implementation for maximizing information security.
Cybersecurity certification could also be the best way for insurers to de-risk cyber insurance policies. With certification, organizations can clearly demonstrate third-party audits are conducted routinely, which in turn should classify them as lower risk to support Cyber Insurance eligibility.
Privacy reviews of the vendors business practices must be factored into supplier transparency. We must ensure the vendors have privacy programs supporting secure collection, storage, transmission, and proper deletion of the personal information of its customers.
A third-party review of the privacy programs currently employed with these vendor organizations will help ensure vendors are following the highest bar in protecting the confidentiality of personal information.
Vendor organization should also be ensuring the implementation of control requirements and privacy programs are secure by routinely testing the perimeter for weaknesses with penetration testing and vulnerability scanning.
If there are any critical or high-risk vulnerabilities detected they should be addressed immediately, and medium to low risks should be corrected when possible.
Openly sharing Transparency
If each jurisdiction creates their own framework and regulations regarding supply chain security and compliance, this can create barriers to trade. Forcing vendors to comply with multiple frameworks based on the location a product is being sold can cause extreme cost and overhead increases to these vendors which in turn will translate to higher prices on products and services.
The recommended path forward would see vendors openly share any validations, business process compliance and/or certification, and perimeter scan regime openly and freely. If these products demonstrate clear compliance with internationally recognized frameworks, it should act as a passport for the sale of their products internationally.
Author: Brendan Dunphy
Director, Trust and Compliance | Directeur, Confiance et de Conformité