Businesses face various risks when deploying external products and services. Among them is the possibility of cyber intrusion which can pose a major challenge to the company’s infrastructure and require a re-think of cybersecurity strategy. A well thought-out and properly structured management of a supplier base classified as trustworthy is just as much a part of this discipline as the use of standardized certification procedures for such products. In this panel we will discuss the importance of cyber supply chain risk management (C-SCRM) and its effect on resilience of a digital business.
Thank you, Matthias. So my name is Vanel. I work for Hui I'm chief architect for I UT security. What does that mean? So responsible for the technology roadmap when it comes to the common security parts of IOT systems and services and products, so across the solution portfolio. So that goes from devices to gateways, to IOT cloud platforms. And I also involved in that capacity into standardization and expert groups like the IOT security expert group.
Okay, great. Thank you. And the same question of course to you. McKinna
Hi. Thanks. Thanks everybody for having me here. My name ISTI. I work with ATA foundation. I'm mainly work as a technical architect for theta foundation. ATA foundation is my for-profit organization that develop and implement the distributor ledger that is behind our technology. And my main role is to bring that security that the distributor ledger technology can provide to supply chain mainly, and the orders smart cities scenario. So in that capacity, I work with different partners in try to understand how their business can be announced by using visibility, electric technology like ours.
Great. That sounds interesting. So we, we are, we are getting to the topic from two different angles and that's perfect. So maybe my first questions to, to ALS as, as the number of IOT devices is increasing, of course also the amount of, of data collected is, is exploding. So what steps do you, and does technology provide in general need to make sure to ensure the resistance of, of its products to cyber attack? So what do you actually implement and maybe also from the process point of view, how do you work towards more security for your devices?
Thank you, Matthias. That's an excellent question. Well, first of all, I would like to point out that in IOT, when we talk about IOT, the security does not end at the devices. So it goes also to possibly supporting gateways. And when it comes to the data which are possibly shared to a cloud platform, an IOT platform, then there's also the security of the cloud infrastructure itself and of the IOT platform typically hosted on there now in terms of what Huawei does and the way we approach it, we follow principles based standard based approach. So in case you're not familiar, there have been activities lately in the standardization, which are addressing explicitly the improvement of the security of IOT devices. They have been activities for instance, which have started actually in the UK under the DCMS support to improve, let's say the practice of IOT security and that's span off the, a code of practice for IOT security with 13 principles that later on, that was adopted in the European telecommunication standards Institute BTSI and it became a technical specification, which reflected those 13 practices.
And quite recently, since 2019, actually July, 2019, there has been a joint standardization effort between your U E TSI, which I mentioned, and since Senec, so these are the three main standardization organization to take these 13 principles and produce a European standard, the em, three or three, six for five, which will be, is being developed and is now in the process of being finalized to provide security requirements, Fort devices that will be applied across the entire European market. So these standard of course is voluntary, but it has in there in security requirements that apply for instance, to the kind of passwords and how passwords are treated. If they are applicable in IOT devices, to the security of the data that are being handled by IOT devices, what kind of data should be handled more securely than others? For instance, sensitive security parameters should be handled by devices in a more secure manner than typical configuration settings. And so on. It covers a wide range of concerns. And the idea is that this standard is going to uplift the entire level of I IOT security across the market in Europe.
Okay. And so, so that also aims at certification afterwards, once the standard is approved, that would be basis for an in depend certification of products. Is that the way to go forward then,
Although this, the scope of certification is not included in the standard itself. There has been a report from Anisa where it is acknowledged that this standard is considered as the baseline for a possible cyber security certifications came in the context of the sales best security act that Anissa has been mandated to pro to pro to provide the certification schemes. So already it has been acknowledged at least by the European network information security agency as a strong candidate for that role
In the, the IOT space. Okay, great. Thank you very much. Thank you. First of all, for, for that first part, then I would like to hand over to Mikayla. You mentioned you work for Iotta. How, what is IOT? How does it work and what role can it play when it comes to implementing this cyber supply chain risk management thing?
Yeah. Thank you for the question. Yeah, indeed. ATA is not a, a producer of I IOT device, but it can provide infrastructure where this I IOT device can talk each other and share data in order to make supply chain more, more secure in particular, a distributed ledger technology, not a blockchain in the sense of the blockchain world. So it doesn't use cryptocurrency and minor inside this protocol, but it provide the same, the same functionality, basically a distributed ledger that can guarantee security. The, of the data that are shared to this distributed lecture, we don't provide IOT device itself, but the technology is lightweight enough to be able to, from the one side receive data that are generated by IOT device. So you don't need complex protocol to generate this data and share to, to the ledger. And it's also lightweight enough to support the volume of data that IOT data IOT scenario can, can generate.
There are few ways in which a distributed ledger can play a role in make supply chain more secure. First of all, it's about data integrity and Providence. So by having a distributed ledger across the supply chain, you can know the source of the data where the data actually create and generator who actually is injecting data into the ledger in a way that this data will be seen from there, immutable and won't change anymore. So for instance, we are implementing some scenario working with some brand across the supply chain that use this kind of technology to share data about the product they inject in the supply chain to allow consumer to always be sure that they get the right authentic product in their end. So there is not no fake product in the supply chain. That's that's one way on which a dis be ledger can guarantee disability, integrity of data.
The other ways, basically coming back to IOT device, one of the problem we know about IOT device, especially in the supply chain, the manufacturing, if you think about industry 4.0 scenarios, one of the issues that this device might be not updated, the F might be not updated. So lack of the full visibility in the supply chain from you as a user of this supply chain, it's about what the other are doing, what actually your manufacturer are doing in terms of their equipment is up to date can suppose flow back doors and things like this. So a distributed ledger can become a platform where everybody share information about how data are their IOT device in terms of security feature security patch. So that flows in the supply chain can always be visible to everybody in the supply chain. So for instance, we have done something similar working with Volkswagen back in 2018.
So where all the film for their connected car was actually show and maintaining a distributed ledger. So every manufacturer that was operating on that car can know what is the latest filmer on the car. If there are ratio can call for a recall of that current on and so forth to make all that, for instance, supply chain more secure, and the last element where a distributed ledger can, can play a role, especially in the context of IOT is giving an identity to this IOT device. So, you know, that IOT device generating information is actually the authentic one, Delta authorized one to generate information and using this edge of technology, we can move toward the centralized identity system where every party that is part of the supply chain can, you know, the centralized way, verify identity using cryptographic technique of a device that is generating data for the supply chain. So this prevent the risk of having fake device or compromising the security of supply chain by replacing device that actually have to monitor the supply chain and they don't compare to standards and things like this. So that's few of the way we are working with this different partners, a different scenario in order to test the value of distributor ledger that is said shared platform that provide integrity of data, motor bit of data on how this can play a role in making more secure supply chains.
Okay, great. Thank you. So when I understand it correctly, on the one hand, it's something like a, a growing immutable reference database of devices and software patch levels, for example, and on the other hand, it's really a ledger where you can register your device to, to, for later purposes to understand what it is. So the threats that the, that are when we look from the other side would be on the one hand, as you said, fake devices, not well patched devices and just unknown devices. If we think of, of other threats, what are weak spots of a cyber supply chain and what can an organization do to prevent that on that basis? Maybe again, starting with Bangals.
Yes. Thank you. So looking beyond the, let's say the, the scope of a device, one concern that a lot of stakeholders have in, in software supply chain, particularly, and it's not just the security, the concern it has to do with the overall consistency of the product is the management of third party components, open source components, an increasing part of the software these days is being reliant upon use of open source components and the ability to consistently manage and maintain the configuration of the software, the kind of libraries that you use in its version, the version of those libraries, the particular software artifacts that you include in your packages and so on and so forth. That's one of, let's say the main concerns for security. And I say that because that's what the data shows. If we look at are the most known, let's say reports on data breaches or security incidents among the top three reasons for the incident has been poor configuration management.
So this applies to good software configuration applies to software packages, configuration, and it's in most cases, it boils down to the involvement of humans in the process rather than having completely automated operations. So it's no surprise that in my mind, I would put that as the number one concern, and it has to do then also from the perspective of the customer of the consumer of the software, not just from the side of the pro of the producer of the software, but also from the customer side, there are requirements that relate to the ability to be able to get a software bill of materials, to understand and have transparency about what is included in the software that is being provided at its version of the product or the service, and then to have also, you know, consistency guarantees and assurances attached to that, which has to do with, for instance, a com community effort, which is known and goes around reproducible bills.
Reproducible bills is the ability to be able to have a bit for bit proof of equivalent between the software that you get and the source code from which that software is a tested to have originate. So these are some of the, the main concerns that I would see right now be beyond the device space. And the reason is that I see this as our main concerns is because first of all, the, the development of the automation infrastructure that is required to actually be able to provide those kind of assurances, those kind of guarantees has a cost takes time, takes effort, and in a market where, you know, the first mover advantage exists like in the ICT market, this is a counter incentive actually to the development on those automation infrastructures, because when it comes to automation, you either have it, or you don't, you, you don't have like 95% automation, you need to have a hundred percent automation in order to be able to provide reliable proofs and guarantees and so on. And it of course that when we look at on the cloud's service side, that goes and reflects upon the whole infrastructure code, builder code and so on, you know, practices and principles, right? So it's really about that's
Well done software engineering in the end. So it's really to apply well, well defined processes to the overall chain also when, when, when getting to the final product, which is, which is software that you, that you verify that you, you assess the software at each step and make sure that you're using only assessed once. Yeah.
And maybe, do you want to, to that as well?
Yeah. I just want to build on what van said and what I said already before as well. Yes, absolutely. The security in the supply chain and a connected supply chain is start from the security of the device of the single device. And that's been proved already in the past that most of these device, if you're not patch, or even when they use the standard password, they become also a risk, not only for that supply chain, but also for other supply chain. So has been known that some of IOT device been used for providing the denial of service attack as for the poor maintenance of this device that were able to expose back doors to, to attacker to so just want to build on that and explain why this ledger can play this role. We said before that yes can be a ledger of full device, film or patch and things like this, which is good because in the end, I think in this kind of scenario, there is also some kind of confidentiality that the different part in the supply chain want to maintain and managing all this kind of information to a centralized system might create some reluctance from the different part.
So when we start to share this information on this ledger, it doesn't mean that it's visible to everybody, but it's that and becomes immutable. This course also best practice, better management of device on the, on the, on the, on, on the inside of the supply chain of the provider side. So provider knows that at some point, when a risk is exposed, they can be always traced back and information can be founded, was in the distributor, ledger was immutable. So this somehow exposed their reputation. So having this information still in a way that is mutable doesn't change, but still in encount of who actually is responsible of this information, the, the device manufacturer create a bit of more responsibility from that and, and the possibility to need this, this information always up to date. So I think this that's what distributed leisure we can play at all and increasing somehow the reputation and the best practice to be followed by the different part in the supply chain.
Okay, great. Thank you. Time flies. Maybe one, one question, very quick answer to the, both of you. We've heard Christopher give his presentation on cyber secure cyber supply chain, risk management. What would you recommend with just one or two sentences for an organization who has not yet started on their journey towards implementing such a set of processes and, and measures? What would you recommend to start with? What would be the first recommendation, maybe starting with you? Just a quick answer. We are almost out of time already.
I would say that know your system, but also know your party system, because supply chain is done of many parties and your flow can post flow for somebody else, or somebody else can be a flow for you. So know your, yeah, let's say, know your customer very well. So know all the security practice that are in place. So having that again, a distributed repository where what every part is doing in the supply chain, you want to connect is a good starting point for knowing the other. So I dispose the other to the same risk, the same reputation, risk that according to be the best in class. So not only look at you, but look at the other, you are connecting to.
Okay, great. Final words. Bangals from your side, what would you recommend?
Yeah, I, instead of the technology, I would recommend that for an organization that wants to address cyber supply risk, that they would focus on the framework through which they, they do that. So usually there are five, let's say avenues where that are parts of that framework that organizations can do work to improve their awareness of cyber supply chain risk. First one is, would be the risking form to procurement requirements so that they understand what is the risk in their procurements. The other one would be buyer led security requirements for ICT vendors, so that they can understand, for instance, things like software, bill of materials, vulnerability, remediation, and so on. And then they would be vendor led assurance and transparency requirements. Another area of activities has to do with the transparency centers, which actually provide a venue and an instrument to improve transparency among all the stakeholders. And then of course there is the instrument of conformance programs where our stakeholders come together and agree to a particular set of conformance to be mutually respected.
Okay, great. Thank you very much to the both of you. We're already out of time that wasn't, I would love to continue this, but I'm, I'm already pressed to stop. Thank you very much for the, for your time and thank you very much for your insights. Have a great day. Thank you. Thank
You very much.
Have a good continuation. Thank you. Bye
How can we help you