Manufacturing supply chains are vital to the development and fulfillment of any modern technology—they change rapidly as sectors overlap, products evolve, and global locations of suppliers change. This dynamic nature of the supply chain exposes enterprises to a wide variety of risks.
Traditionally, industries as diverse as automotive, pharmaceuticals, oil & gas, and food & beverage have invested heavily in documenting traceability in their supply chains. This has helped significantly for product recalls, identification of tampered or counterfeit components, and in projecting potential problems along the supply spectrum. More recently, industrial control vendors and their customers have been bringing similar discipline to cyber security in their supply chains.
The Shamoon malware attack, which affected some 30,000 workstations at one oil producer in 2012, highlighted how risk in the supply chain of a system can translate into significant exposure for the operator.
Supply chain cyber security risks
Strategic consulting firm Booz Allen Hamilton first coined the term Supply Chain Management in the 1980s. The firm is widely respected for its engagements in the field and recently studied supply chain security risks in what the U.S. Department of Homeland Security calls the “critical manufacturing” sector. Critical manufacturing includes companies like GE, Siemens, ABB, Schneider Electric and others that make industrial automation systems.
Homeland Security has also highlighted the importance of risk management for the “critical infrastructure” – which it defines as “the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.”
Booz Allen has provided a broad assessment of risks across the supply chain including:
• Lack of visibility into the sourcing and tracking of cyber sensitive components throughout the supply chain lifecycle
• Lack of integrated processes, leaving cyber security and accountability gaps between large critical manufacturers and their suppliers
• Limited controls to protect sensitive data and critical transactions between large critical manufacturers and suppliers
Nadya Bartol, Senior Cyber Security Strategist at the Utilities Telecom Council (UTC), works closely on supply chain risk in the infrastructure sector. She was a principal contributor to ISO/IEC 27036-3, which provides guidelines for information and communication technology supply chain security and applies directly to industrial automation supply chains as well.
She worries, especially as supply chains become more global, about the intentional insertion of malicious functionality (backdoors, viruses and extra, unrequested features), about counterfeit electronics, and about poor software code quality, and about the impact of each on cyber security, as her graph below summarizes.
The emergence of standards
The good news: as awareness of these risks grows, industry and regional cyber security standards have been evolving. The American Petroleum Institute’s API 1164 guideline addresses security of oil and gas pipeline SCADA operations. In the U.K., CPNI has published a “good practice” guide for industrial control systems. In Germany, the NAMUR NA 115 guidance document focuses on security issues in process industries such as chemicals and energy. In addition, the ISA/IEC 62443 series of standards continues to make headway in defining an integrated set of security standards that span the lifecycle of industrial automation systems.
From a supply chain perspective, the IEC 62443-2-4 standard (security program requirements for industrial automation and control system service providers) is particularly promising.
The pioneering work for this standard came from the WIB, a group of end users founded in 1962 in the Netherlands to explore manufacturing challenges at large energy and chemical companies like Royal Dutch Shell, BP and Dow. In 2010, the WIB Plant Security Working Group issued a supplier security standard that evolved into the IEC 62443-2-4 standard.
The WIB also established a certification program for its standard that became known as the Achilles Practices Certification (APC). A number of large utilities and oil and gas companies now require key suppliers to become APC certified, both to strengthen the suppliers’ own security posture and to reduce risk in their supply chains.
A growing list of major control systems vendors, including Emerson, GE, Honeywell, Siemens and Yokogawa, have undergone APC certification. This has started a ripple effect from these major suppliers, also referred to as Tier 1 suppliers, to their Tier 2 and subsequent suppliers.
These certifications, with regular re-certification, together with the emerging standards are raising confidence that cyber security risks in the supply chain can actually be reduced. Given the challenges facing the supply chain, following standards such as IEC 62443-2-4 will leave vendors and their suppliers better equipped to protect critical manufacturing and infrastructure assets.