Supply chain security and resilience remain key challenges of our globally connected economy. Two years after the attack on SolarWinds, little progress has been made in addressing the fundamental issues that enable this type of exploit. That is not to say that nothing is being done. In this month’s newsletter, we take a look at the latest developments in supply chain security.
Quad to collaborate on information security
At the end of May, leaders of the Quad countries —Australia, India, Japan, and the United States— met in Tokyo to discuss the strategic initiatives of their collaboration. Among these are information security and supply chain resilience, on which the four will cooperate, for example by setting a standard for government software procurement.
Industry knows it has a problem
Supply chain security is by no means a novel problem. In fact, a recent survey of 1000 CIOs found that 82% believe their organization to be vulnerable to cyberattacks on its software supply chain. The report identifies internal bureaucracy and a lack of enforcement as some of the causes of this bleak outlook.
Structured guidance from MITRE
To support organizations tackling the supply chain security challenge, MITRE has developed the System of Trust (SoT) prototype framework. A structured methodology for evaluating suppliers and service providers, the framework is aimed not only at infosec teams but may also support supplier selection processes across the organization.
Jointly improving open-source security
One particular concern with regard to software supply chains is open-source software. To improve the security of OSS components —estimated to be part of 70-90% of all software stacks— the Linux Foundation and the Open Source Security Foundation introduced the Open Source Software Security Mobilization Plan.
Individual efforts to tackle the OSS security challenge
Another approach to securing software supply chains is Google’s Assured Open Source Software service. Rather than addressing the issue during the development of open-source components, this service provides Google Cloud customers with regularly scanned and analyzed software packages.
Cybersecurity Magazine Editorial Team
IEC 62443 is a series of standards that provides power grid operators with a robust framework for managing and mitigating security vulnerabilities in their industrial control systems. Implementing IEC 62443 is now everyone’s responsibility and must be fully understood and embraced by power grid operators, technology suppliers and system integrators alike to realise its full benefits.
This week-long event provides a thorough exploration of IEC 62443 concepts, frameworks and controls, with an accurate representation of the cybersecurity risk to operations.
By the end of this week-long event, power grid cybersecurity leaders will be equipped and prepared to adopt IEC 62443 as part of their broader security management system, to work more systematically and cost efficiently to minimise their security risks, and to more easily achieve their security goals.
For our latest video discussion on security and production systems, please see the River Publishers YouTube channel.
The latest journal articles from River Publishers in all areas of cyber security can be found on the River Publishers website.