Cybersecurity Risk Management – Blog Series Part 2
Innovative technology and new products mean nothing without cybersecurity protections
The constant influx of news stories about hacking and internet security issues has the general public anxious: anxious about protecting their legacy assets, and anxious that investments in new products can be undermined by a lack of cyber preparedness. In Part 1 of this series I talked about the need for a Cybersecurity Risk Management Plan. In this article we will take a look at how to manage risks from your supply chain.
Continuous innovation is probably one of the more important, if not the most important, aspects of a successful company. Our desire to leverage innovative ideas can bring us into risky territory. Understanding the processes that produced that new, innovative product will tell a meaningful story about how well that product, your potential new asset, is prepared for today’s cybersecurity-sensitive world.
Do not be afraid to ask your supplier pointedly about their cybersecurity practices. Look for the following:
- Do they follow an industry standard that includes cybersecurity practices? Standards can provide a common reference point on language, practices, and processes. If you find a standard that meets your specific needs, ask your supplier about their conformance to this standard. Here at Schneider Electric, for the industrial control systems products we make, we recommend looking to the IEC 62443 family of cybersecurity standards. We use these standards daily.
- Look for supplier certifications. If you have a standard that meets your needs (e.g. IEC 62443) and the vendor can demonstrate an independent audit and certification against the standard(s), then you have made significant progress towards gaining confidence that this particular supplier understands your cybersecurity risk management needs.
- Ask about their own vendor qualification program. The chain of components that makes up a new product can frequently touch many vendors.
- The threat landscape is constantly evolving. What is not a known vulnerability today can become tomorrow’s zero-day. Ask your supplier about their vulnerability management program. Understand their escalation and communication processes, so you are notified when a situation arises.
- Ask about your supplier’s R&D secure development lifecycle (SDL). An SDL describes the processes and practices used during the development of a new product. These practices should include a cybersecurity certification program when appropriate, typically for all products with communications capabilities.
- Advanced topic – look for your supplier’s involvement in the evolution of cybersecurity standards. Participation in standards indicates that your supplier is at the forefront of the complex and rapidly evolving security field. Yes, Schneider Electric contributes to many standards.
Finally, be patient. Security practices, processes, and technologies are now expanding into all aspects of the supply chain. Be ready to work with your vendors to help them better understand what cybersecurity risks are important to you. Here at Schneider Electric, you will find that we take cybersecurity seriously. We want to hear what is important to you so that we can improve our cybersecurity program.