Secure Your Plant’s Supply Chain
EP Editorial Staff | March 1, 2021
Management support is a key component to establishing a system that effectively evaluates risks and sustains security at all levels.
By Andrew Jamieson, UL
In the race to manufacture systems and produce raw materials with less cost, in less time, with fewer resources, it’s often easy to let things slide into being less secure. This is especially true in today’s interconnected world, where software is not so much written as assembled from various sources, with a thin veneer of customization across the top of a vast and unseen iceberg of open-source software, board-support package code, and third-party modules. In factories, increased focus on automation adds complexity to the manufacturing process, increasing the security risk to the assembly process.
In a world of razor-thin margins, how do we manage this level of complexity without destroying the efficiency gains we’ve made along the way? Supply-chain risk does not need to be an intractable problem, but it is a problem that must be confronted and addressed. It cannot be ignored or wished away, and only those companies that properly address this risk will continue to be successful into the future.
Although the obvious first step in ensuring you have sufficient control over the security of your supply chain is understanding your supply chain, there is perhaps a “step 0” that’s even more important: Getting buy-in from the highest levels of your management. Without everyone on board for the process, it’s very unlikely that you will achieve success. The only way to get everyone on board is to have a mandate from management. This will ensure that everyone is pulling in the same direction.
Having management buy-in also helps ensure that, when systems-procurement decisions are made, security is considered. Note that it’s not as simple as having “must be secure” as an item to check off when validating a new supplier, subcomponent, or supervisory control and data acquisition (SCADA) system. Security is not a binary factor and “secure” can mean different things to different people or companies. If you ask any supplier if their systems are secure, the answer is almost always going to be yes, but how much faith can you put in that answer?
The flip side is, if security decisions are not made, there may be more long-term costs to bear. Security can easily be seen as a blocking factor, but it can also be an enabler if managed correctly. That management aspect cannot be overstated.
You need to have a clear understanding of what “secure” means to you. This answer will depend on your industry and vertical market, your target customers, and the way that you market your products. Obviously, a company producing systems or materials for the military will have a different concept of secure than a company making consumer goods.
The other aspect of this question is what everyone else thinks “secure” means. This is perhaps a much more difficult question, as it speaks to not only the opinions of your suppliers, but also the ability to validate that opinion.
The concept of secure cannot be measured in a single dimension. It has technical and subjective aspects—how much risk are you willing to accept and how much time and cost do you want to spend qualifying systems to that level? Many security-assessment programs, including those that assess the security of supply chains, account for this by having a security level and a level of assurance. For example, an assessment that returns a low level of risk based on a supplier answering a questionnaire on their own provides a different and less-rigorous level of assurance than one that provides a low level of risk through a third-party audit.
In plant and facilities management, it’s important that you understand what level of risk is appropriate for your systems and to what level you want to qualify the risk. It may be that the answer to this is different depending on the supplier, i.e., a supplier of boxes may be assessed differently than a company that supplies the operating system that controls all of your operational technology (OT) or SCADA systems.
Finding a Level
This nuance of security level, along with assurance level, speaks to another need when assessing the risk of your supply chain—that of ensuring comparability. Most companies will have many, many different suppliers and it’s reasonable to consider the security risk for each differently. However, this is only possible when there is a sufficiently similar method of assessment used, so that comparisons can actually be made.
Trying to compare the output of different supply-chain assessment programs, or even the same program/standard assessed by different people, introduces additional complexity into the process.
To this end, a standard process should be determined and established for all suppliers. This may include a determination that no assessment is necessary or that the cost of risk assessment is higher than any expected value in determining the actual level. As long as an assessment is consistently applied, you can have confidence in an apples-to-apples comparison.
The difficulty is, of course, knowing how to establish this process and what levels and decisions are appropriate for your company. Several standards exist for security assessment, including the NIST Cybersecurity Framework, ISO 27001, and IEC 62443. Aligning with these makes a lot of sense. There remain, however, subjective aspects to these programs, as many of the controls are risk based and that risk is determined by the individual companies, which brings us back to differing interpretations of secure. Seeking independent, third-party, expert help to filter this into something that makes sense for your organization is strongly encouraged.
Time Heals All Wounds
How long should all of this take? The “step 0” should probably give you some indication of that; management buy-in is required for a reason, and that reason is seldom that the process is quick and easy. We’re slowly moving toward a world where legislation and industry requirements are mandating levels of security that are appropriate for various manufacturing verticals. Although familiar with safety standards, much of the industrial sector has not had to deal with this type of mandate until now, and working through the complexity of supply chains to determine the specific aspects of risk that are involved in any individual product is going to take time.
This is exacerbated by the cascading nature of today’s supply chains. A single subassembly, automation system, or SCADA point of presence on any network segment may introduce a whole new supply chain itself, for the software and subcomponents that it uses, the remote connections it may have, and the other systems to which it interfaces. It may not be an intractable problem, but the complexity cannot be overstated. Unfortunately, we are unable to simply cut through this Gordian knot and start again, so we have to patiently unpick the individual strands one at a time.
But the knot can be untied. We can provide more transparency into our supply chains and, with that transparency, more understanding of the risk. It’s likely that a new program started today will take years to come to full fruition, but value can be harvested much sooner than that. Building out a program that is not only effective but also designed to deliver a range of results that can be used as soon as possible is definitely the best practice.
Andrew Jamieson is Director of Security and Technology at UL, Northbrook, IL (ul.com). He has worked with the security of embedded systems for more than 25 years and helped create the UL IoT Top 20 Design Principles to inform manufacturers about best practices that secure their devices from attack.