The second webinar in the autumn TDL programme which took place on 10 October 2024 was a discussion on supply chain cybersecurity best practices amongst a group of experts with considerable experience from a range of different backgrounds. They were:
Ian Oliver, Professor of Cybersecurity, University of Oulu
Paul Dorey, Director and CEO, CSO Confidential and Visiting Professor at Royal Holloway, University of London
The session was moderated by Steve Purser, the former Head of Operations at ENISA and a TDL Strategic Advisor.
1. Introduction
Steve opened the webinar by explaining the EU's legislative and regulatory framework, which he divided into three streams: resilience and critical information infrastructure protection, data protection, and targeted policies. He highlighted the importance of resilience and critical infrastructure protection, mentioning the NIS directive and its origins in a 2009 communication from the European Commission. Steve also mentioned the cyber attack on Estonia in 2007 as a significant event that led to increased focus on cybersecurity.
2. Supply chain security evolution in the EU
Steve discussed the evolution of supply chain security in the EU, starting with the publication of the first paper on the topic in 2015, which went largely unnoticed. He highlighted the development of the Network Information Systems (NIS) 2.0 Directive, which came into force in January 2023, and its key role in dictating the approach to supply chain security. Steve also mentioned the Cyber Resilience Act (CRA), which addresses secure products and supply chain security, and the possibility of certification against supply chain requirements becoming obligatory. He noted that the maturity of supply chain security implementation is low, with only 47% of surveyed organisations allocating budget to the issue and 76% lacking dedicated roles and responsibilities for supply chain security.
3. Supply chain challenges and opportunities
Steve initiated a discussion on key challenges and opportunities in the supply chain area. Paul, who works predominantly in sectors like financial services, aviation, and energy, highlighted three main challenges: the asymmetrical relationships between suppliers and consumers, the lack of understanding of the impact of a cyber problem on a service, and the difficulty in sharing sensitive information. He also pointed out the complexity of sharing security state and the inefficiency of the current processes for supply chain assurance. Ian, who has a technical background, agreed with Paul's points and added that there is a need for better attestation mechanisms and a shift from process-based solutions to engineering-based solutions. Both Paul and Ian emphasised the importance of understanding the technical aspects of supply chain management.
4. Supply chain security challenges and solutions
Ian, Steve and Paul discussed the challenges and potential solutions in supply chain security. They agreed that certification, while useful, can be misleading and that people often focus on easy solutions rather than understanding the problem. They also discussed the need for testing and prioritising suppliers, with Paul suggesting that the aviation industry's approach to supply chain management could be a good model to follow. Ian highlighted the importance of risk management and the need for a more nuanced approach to auditing suppliers, rather than a checkbox exercise. The team concluded that there is a need for better criteria for evaluating suppliers and a shift from compliance to risk management.
5. Discussing aviation principles in the software industry
Paul and Steve discussed the challenges of applying aviation principles to the fast-paced software industry. They agreed that the aviation model, which emphasises common understanding and strict processes, may not be directly applicable to software development due to its chaotic nature. Ian added that the aviation model works well in industries with fixed processes, aviation itself being the prime example, but not in software engineering. They concluded that the software industry needs to simplify processes and focus on mutual trust and understanding among stakeholders. Steve suggested that a clear understanding of client needs, a stable process environment, and prevalent standards, methodologies, and techniques are necessary for success.
6. Discussing identity tracking and SBOM potential
Ian discussed the importance of having identities for hardware, software or components to enable referencing and tracking. He noted that some manufacturers may not see a need for this due to lack of reported problems. Steve suggested the concept of 'proof of origin' and the potential for the software bill of materials (SBOM) to solve this issue. Paul agreed, highlighting the need for curation and the potential for improved code quality. Ian emphasised the importance of customer trust and the potential for customers to ask for more information if they receive a bill of materials. The team agreed on the need for further discussion and exploration of these ideas.
7. Discussing SBOM complexity and supply chain security
Steve expressed concerns about the complexity of the SBOM and suggested a simpler declarative language for it. Paul agreed with the need for completeness in SBOM and suggested simpler tools like the ETSI standards for IoT. Steve also highlighted the importance of secure software coding cycles and coding standards. The discussion then shifted to the topic of supply chain security, with Ian mentioning the use of Sigstore for container technologies and the potential for attaching SBOM to it.
8. Exploring standards and automation in domains
Ian, Steve, and Paul discussed the need for practical standards in their respective domains. They agreed that there are numerous standards available, but the choice of which ones to use could be problematic. Paul suggested that the IEC 62443 standard, which came from an engineering background, could be a good starting point. Ian mentioned the work being done in the IETF for supply chain attestation and the use of TCG (Trusted Computing Group) specifications for things like the TPM (trusted platform module). Steve proposed a sectorial approach, suggesting that different standards might be needed for different industries. The team also discussed the potential of automation tools like SPDX (Software Package Data Exchange) plugins for software development. They concluded that there is still work to be done in this area, and the Commission's right to ask for certification against supply chain requirements could be an interesting development.
9. Supply chain implementation strategies discussed
Steve asked each participant for their most fundamental advice for a company starting to implement a supply chain approach. Paul suggested starting with a supplier review, identifying dependencies, and then forming relationships with the most important suppliers. He also emphasised the importance of discovering all suppliers, even if it means going deeper than initially planned. Ian, on the other hand, proposed a more organic approach, suggesting that companies should provide their customers with information about the materials they are shipping, such as the endorsement key and PCR (platform configuration register) values for hardware, or the software bill of materials in the SPDX format for software. Both Paul and Ian agreed that a combination of their approaches could be effective.
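To make Ian's suggestion concrete, here is an added example (not from the webinar or from any TDL material) of what a customer could do with such a shipment: compare the vendor's golden PCR values and SPDX-style package checksums against what the platform actually reports. The manifest, file contents and PCR values are all constructed placeholders, and the SPDX fields used (`SPDXID`, `name`, `versionInfo`, `checksums`) are the standard ones from the SPDX JSON format.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "artifacts" standing in for the shipped software files.
SHIPPED_FILES = {"libfoo": b"libfoo build 1.2.3", "agent": b"agent build 4.0.1"}

# Constructed vendor manifest: a subset of golden PCR values (SHA-256 bank)
# plus an SPDX-style package list with a checksum per package.
VENDOR_MANIFEST = {
    "pcrs": {0: "11" * 32, 7: "22" * 32},  # made-up golden measurements
    "packages": [
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "1.2.3",
         "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_hex(SHIPPED_FILES["libfoo"])}]},
        {"SPDXID": "SPDXRef-agent", "name": "agent", "versionInfo": "4.0.1",
         "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_hex(SHIPPED_FILES["agent"])}]},
    ],
}


def verify_shipment(manifest, observed_pcrs, observed_files):
    """Return a list of findings; an empty list means hardware and software matched the manifest."""
    findings = []
    # Hardware side: every golden PCR the vendor published must be reported and equal.
    for idx, golden in manifest["pcrs"].items():
        seen = observed_pcrs.get(idx)
        if seen is None:
            findings.append(f"PCR{idx}: not reported by platform")
        elif seen.lower() != golden.lower():
            findings.append(f"PCR{idx}: expected {golden[:8]}.., got {seen[:8]}..")
    # Software side: every SBOM package must be present with a matching SHA-256.
    for pkg in manifest["packages"]:
        data = observed_files.get(pkg["name"])
        if data is None:
            findings.append(f"{pkg['name']}: listed in SBOM but not present")
            continue
        expected = {c["checksumValue"] for c in pkg["checksums"] if c["algorithm"] == "SHA256"}
        if sha256_hex(data) not in expected:
            findings.append(f"{pkg['name']} {pkg['versionInfo']}: checksum mismatch")
    # Anything installed that the SBOM never declared is worth a question to the supplier.
    for name in sorted(set(observed_files) - {p["name"] for p in manifest["packages"]}):
        findings.append(f"{name}: present but not declared in SBOM")
    return findings


if __name__ == "__main__":
    print(verify_shipment(VENDOR_MANIFEST, {0: "11" * 32, 7: "22" * 32}, SHIPPED_FILES))
    tampered = dict(SHIPPED_FILES, agent=b"agent build 4.0.1 plus an unexpected change")
    print(verify_shipment(VENDOR_MANIFEST, {0: "11" * 32, 7: "ff" * 32}, tampered))
```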
10. Automated software updates risks and challenges
Steve, Paul, and Ian discussed the risks and challenges associated with automated software updates, particularly in the context of a recent outage. They emphasised the importance of thorough testing and understanding the complexity of environments where the software is deployed. They also highlighted the need for a systems view when updating software and the importance of having a suitable business continuity plan in place. The conversation underscored the importance of not being overly reliant on automated processes and the need for more cautious and controlled approaches to software updates.
11. Supply chain security: practical approach and governance
Steve, Paul and Ian discussed the need for a more practical approach to supply chain security, emphasising the importance of understanding and communication over formal procedures. They agreed on the need for collective conversations and sector-specific approaches, with universities playing a crucial role in testing and experimentation. The group also stressed the importance of governance, simplicity and flexibility in supply chain security. They ended the conversation with a call to action for companies to start preparing their approach immediately and to keep the discussions going.
To listen to the discussion itself and deep-dive into all the detail,