When we think about supply chains, we might picture fleets of trucks crossing our countries and container ships sailing the seas. Yet the reality of supply chain networks is far more complex.

They comprise multiple tiers of public and private stakeholders (e.g., manufacturers, suppliers, integrators, end consumers, supervisory agencies) engaged in the production, integration, and distribution of products – which can be physical (e.g., a photovoltaic panel), digital (e.g., a smart grid software component), or a combination of both.

Such a complex global ecosystem requires multiple information technologies (IT) and operational technologies (OT) to manage and coordinate the cooperation between all stakeholders. However, this growing complexity makes protecting every element of a supply chain extremely difficult. In fact, the number and impact of attacks that specifically target supply chains (e.g., data breaches, service disruptions, and manipulation of products) is on the rise.

For this very reason, one of the goals of the CyberSec4Europe project is to create a security-oriented roadmap that not only outlines the most important challenges related to the security of supply chains, but also describes the methods, mechanisms and tools that should be researched and developed.

Challenges and opportunities

Although it is impossible to achieve perfect cybersecurity resilience against supply chain threats, we must strive to create an environment where operations are performed in a secure and private way, where vulnerabilities are minimised, and where attacks are promptly discovered and managed. In order to achieve this goal, we must address the following major challenges:

  • Detection and management of supply chain security risks

Existing supply chain risk management (SCRM) strategies could be enhanced with automated, context-based risk assessment approaches, which could make more accurate decisions and provide better protection against unforeseen situations and new threat vectors.

  • Security hardening of supply chain infrastructures, including cyber and physical systems

Beyond integrating traditional security mechanisms within IT / OT networks, it is necessary to implement distributed detection, continuous monitoring and incident management systems, in which multiple stakeholders can exchange sanitised threat intelligence and so react adequately to global events.
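What "sanitised" threat intelligence means in practice is easier to see on a concrete record. The following Python snippet is an added example (not code from the CyberSec4Europe project): one stakeholder's internal incident record is reduced to a view that can be handed to other partners, keeping the external indicators (attacker address, malware hash) while dropping internal addresses and hostnames, redacting e-mail addresses from free text, replacing the reporter's name with a keyed pseudonym, and refusing to share anything marked TLP red. The field names, the `.internal` hostname suffix, the list of internal address ranges and the sample record are all assumptions made for the example.

```python
"""Sanitise a stakeholder's incident record before sharing it with other
supply chain partners.  Added example; the field names, the `.internal`
hostname convention and the internal ranges below are assumptions."""
import hashlib
import hmac
import ipaddress
import re
from typing import Optional

# Constructed sample record, as one stakeholder (say, an integrator) might hold it.
# 198.51.100.23 is a documentation-range address, used here as a stand-in attacker IP.
INTERNAL_REPORT = {
    "reporter": "integrator-a",
    "internal_host": "scada-gw01.plant.example.internal",
    "internal_ip": "10.20.30.40",
    "attacker_ip": "198.51.100.23",
    "malware_sha256": hashlib.sha256(b"constructed sample").hexdigest(),
    "description": ("Beacon from scada-gw01.plant.example.internal (10.20.30.40) "
                    "to 198.51.100.23, reported by j.doe@example.internal"),
    "tlp": "amber",
}

# Fields shared verbatim; everything else is dropped unless handled explicitly below.
SHAREABLE_FIELDS = ("attacker_ip", "malware_sha256", "tlp")
SHARE_ALLOWED_TLP = {"amber", "green", "clear"}      # "red" never leaves the organisation

# Ranges this stakeholder treats as internal (assumed policy: RFC 1918, loopback, link-local).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w.-]+\.\w+\b")
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.internal\b")   # assumed naming convention


def is_internal_ip(value: str) -> bool:
    """True if `value` parses as an address inside one of INTERNAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: the same stakeholder always maps to the same token, but the
    token cannot be reversed to the name without the consortium's key."""
    return "anon-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def scrub_text(text: str) -> str:
    """Redact e-mail addresses, internal hostnames and internal IPs in free text.
    External addresses are kept: they are the indicator being shared."""
    text = EMAIL_RE.sub("[email]", text)
    text = INTERNAL_HOST_RE.sub("[internal-host]", text)
    return IPV4_RE.sub(
        lambda m: "[internal-ip]" if is_internal_ip(m.group()) else m.group(), text)


def sanitise_report(report: dict, key: bytes) -> Optional[dict]:
    """Return the shareable view of `report`, or None if its TLP forbids sharing."""
    if report.get("tlp") not in SHARE_ALLOWED_TLP:
        return None
    shared = {k: report[k] for k in SHAREABLE_FIELDS if k in report}
    # Defence in depth: never ship an internal address even if it landed in a shareable field.
    if is_internal_ip(shared.get("attacker_ip", "")):
        del shared["attacker_ip"]
    shared["reporter"] = pseudonymise(report["reporter"], key)
    shared["description"] = scrub_text(report.get("description", ""))
    return shared


if __name__ == "__main__":
    consortium_key = b"shared secret agreed among partners (assumed)"
    print(sanitise_report(INTERNAL_REPORT, consortium_key))
```

The allow-list of shareable fields is deliberate: a deny-list of sensitive fields fails silently whenever a stakeholder adds a new field to its records, whereas an allow-list fails safe. The free-text scrub is the weakest part of any such scheme, which is why the example also keeps the structured internal fields out of the shared view instead of relying on regular expressions alone.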

  • Security and privacy of supply chain information assets and goods

All stakeholders must access and exchange multiple types of information assets and goods. It is therefore necessary to deploy secure and privacy-preserving systems that not only provide a digital profile for every actor and product, but also automatically register and share supply chain events while streamlining compliance requirements and clearance processes.

  • Management of the certification of supply partners

Certification processes improve trust between supply chain partners, as they ensure that all services work as intended and that all products have their advertised features. To improve such processes, it is necessary to provide automated mechanisms that not only analyse standard requirements and partner infrastructures, but also continuously monitor compliance with standards and recommendations.

In addition, the recent pandemic has reminded us that the security of the supply chain is of paramount importance for both Europe and the world: fake medicines, unavailable services, and buggy or tampered software are only the tip of the iceberg that could cripple the delicate web of the global supply chain. We see here a clear opportunity for Europe to step in, promoting a global approach and a supply chain security standardisation effort.

More information on the research and development roadmap where not only supply chain but also other verticals are discussed can be found here.

Rodrigo Roman and Cristina Alcaraz, University of Malaga