Securing the supply chain
Today's supply chain is reliant on a complex network involving the movement of goods, services, funds and information across a range of parties worldwide. This makes the supply chain vulnerable to not only cyber attacks and disruptions, but also cyber espionage.
These were the words of Edna Conway, chief security strategist at Cisco, speaking at the Microsoft Security Development Conference, in San Francisco, on Wednesday.
She said the supply chain is a critical competitive differentiator, and faces many challenges. According to Conway, Cisco has a controlled product model that is 100% outsourced. Other challenges include its wide range of products - most of which are configured to order - the breadth of its customers, and acquisition integration, considering Cisco has so far acquired 180 companies.
The challenge is doing the right thing in the supply chain at the right time. "We have to get security right, and apply it across the supply chain. We need to think end-to-end. Introduce a security model that moves away from the endpoint. We need to capture failures within the supply chain, so the customer is never affected."
She said supply chain security has several key focus areas: malicious notifications and substitution of technology; counterfeit products, both raw and finished; security in times of supply chain disruption; and finally, misuse of intellectual property.
Speaking of areas of supply chain security discipline, she said security must be built into development, otherwise the methodology will fail. "A lot is needed: information exchange and access control, physical plant security, talent security and integrity. After all, background checks can be unreliable - drive this yourself; target the integrity and behaviour you want at your organisation."
Next, she said to consider the protection of high-value intellectual property of both components and finished goods. "Logistics security comes next, followed by fabrication security - implement a set of traceability components. Finally, scrap management, as well as service and end-of-life security management."
Conway added that we are starting to see regulation and legislation, and there are several international standards for supply chain security in place, such as ISO 27036, NIST IR 7622, iNEMI Counterfeit Metric Development, O-TTPS COTS ICT Org Level Trust, C-TPAT - AEO PIP Reciprocity, and Common Criteria SC supp. doc.
She explained that all partners across the supply chain - suppliers, providers, integrators and suchlike - can benefit from the implementation of these practices, which span the product life cycle and supply chain stages, from design and planning, to ordering, sourcing and building, through to disposal and end-of-life management.
"Adopting limited and integrated international standards will prevent 'balkanised' efforts."
Ultimately, she said, it's about the right people, the right place, the right practice and the right time. "Set and communicate goals. Define security practices. Scan your macro environment."