供应链网络安全最佳实践

0

GOODPRACTICESFORSUPPLYCHAINCYBERSECURITY

JUNE2023

GOODPRACTICESFORSUPPLYCHAINCYBERSECURITY

June2023

1

ABOUTENISA

TheEuropeanUnionAgencyforCybersecurity(ENISA)istheEU’sagencydedicatedtoachievingahighcommonlevelofcybersecurityacrossEurope.Establishedin2004andstrengthenedbytheEUCybersecurityAct,ENISAcontributestoEUcyberpolicy,enhancesthetrustworthinessofICTproducts,servicesandprocesseswithcybersecuritycertificationschemes,cooperateswithMemberStatesandEUbodies,andhelpsEuropeprepareforthecyberchallengesoftomorrow.Throughknowledgesharing,capacitybuildingandawarenessraising,theAgencyworkstogetherwithitskeystakeholderstostrengthentrustintheconnectedeconomy,toboosttheresilienceoftheEU’sinfrastructureand,ultimately,tokeepEurope’ssocietyandpeopledigitallysecure.Moreinformationabout

ENISAanditsworkcanbefoundhere:

www.enisa.europa.eu.

CONTACT

Forcontactingtheauthors,pleaseuse

resilience@enisa.europa.eu

Formediaenquiriesaboutthispaper,pleaseuse

press@enisa.europa.eu

AUTHORS

MariaPapaphilippou,KonstantinosMoulinos,MarianthiTheocharidou

ACKNOWLEDGEMENTS

VolkerDistelrath,Siemens

LEGALNOTICE

ThispublicationrepresentstheviewsandinterpretationsofENISA,unlessstatedotherwise.ItdoesnotendorsearegulatoryobligationofENISAorofENISAbodiespursuanttoRegulation(EU)2019/881.

ENISAhastherighttoalter,updateorremovethepublicationoranyofitscontents.Itisintendedforinformationpurposesonlyanditmustbeaccessiblefreeofcharge.AllreferencestoitoritsuseasawholeorpartiallymustcontainENISAasitssource.

Third-partysourcesarequotedasappropriate.ENISAisnotresponsibleorliableforthecontentoftheexternalsourcesincludingexternalwebsitesreferencedinthispublication.

NeitherENISAnoranypersonactingonitsbehalfisresponsiblefortheusethatmightbemadeoftheinformationcontainedinthispublication.

ENISAmaintainsitsintellectualpropertyrightsinrelationtothispublication.

COPYRIGHTNOTICE

©EuropeanUnionAgencyforCybersecurity(ENISA),2023

Unlessotherwisenoted,thereuseofthisdocumentisauthorisedundertheCreativeCommonsAttribution4.0International(CCBY4.0)licence

(/licenses/by/4.0/)

.Thismeansthatreuseisallowedprovidedappropriatecreditisgivenandanychangesareindicated.

ForanyuseorreproductionofphotosorothermaterialthatarenotownedbyENISA,permissionmayneedtobesoughtdirectlyfromtherespectiverightholders.

ISBN978-92-9204-636-1doi:10.2824/805268TP-03-23-145-EN-N

2

TABLEOFCONTENTS

1.INTRODUCTION4

1.1SUPPLYCHAININTHENIS2DIRECTIVE4

1.2AIMANDAUDIENCE5

1.3METHODOLOGYANDSTRUCTURE6

2.CURRENTPRACTICES8

2.1FINDINGS8

2.2SUMMARY17

3.SUPPLYCHAINCYBERSECURITYGOODPRACTICES19

3.1STRATEGICCORPORATEAPPROACH19

3.2SUPPLYCHAINRISKMANAGEMENT21

3.3SUPPLIERRELATIONSHIPMANAGEMENT22

3.4VULNERABILITYHANDLING24

3.5QUALITYOFPRODUCTSANDPRACTICESFORSUPPLIERSANDSERVICEPROVIDERS26

4.CHALLENGES32

REFERENCES33

ANNEXA:RECENTSUPPLYCHAINATTACKS36

ANNEXB:STANDARDSANDGOODPRACTICES38

ANNEXC:TERMINOLOGY39

3

EXECUTIVESUMMARY

Directive(EU)2022/2555(theNIS2directive)

1

requiresMemberStatestoensurethatessentialandimportantentitiestakeappropriateandproportionatetechnical,operationalandorganisationalmeasurestomanagetherisksposedtothesecurityofnetworkandinformationsystems,whichthoseentitiesuseintheprovisionoftheirservices.SupplychaincybersecurityisconsideredanintegralpartofthecybersecurityriskmanagementmeasuresunderArticle21(2)oftheNIS2directive.

ThereportprovidesanoverviewofthecurrentsupplychaincybersecuritypracticesfollowedbyessentialandimportantentitiesintheEU,basedontheresultsofa2022ENISAstudywhichfocusedoninvestmentsofcybersecuritybudgetsamongorganisationsintheEU.

Amongthefindingsthefollowingpointsareobserved.

•86%ofthesurveyedorganisationsimplementinformationandcommunicationtechnology/operationaltechnology(ICT/OT)supplychaincybersecuritypolicies.

•47%allocatebudgetforICT/OTsupplychaincybersecurity.

•76%donothavededicatedrolesandresponsibilitiesforICT/OTsupplychaincybersecurity.

•61%requiresecuritycertificationfromsuppliers,43%usesecurityratingservicesand37%demonstrateduediligenceorriskassessments.Only9%ofthesurveyedorganisationsindicatethattheydonotevaluatetheirsupplychainsecurityrisksinanyway.

•52%havearigidpatchingpolicy,inwhichonly0to20%oftheirassetsarenotcovered.Ontheotherhand,13.5%havenovisibilityoverthepatchingof50%ormoreoftheirinformationassets.

•46%patchcriticalvulnerabilitieswithinlessthan1month,whileanother46%patchcriticalvulnerabilitieswithin6monthsorless.

ThereportalsogathersgoodpracticesonsupplychaincybersecurityderivedfromEuropeanandinternationalstandards.ItfocusesprimarilyonthesupplychainsofICTorOT.Goodpracticesareprovidedandcanbeimplementedbycustomers(suchasorganisationsidentifiedasessentialandimportantentitiesundertheNIS2directive)ortheirrespectivesuppliersandproviders.Thegoodpracticescoverfiveareas,namely:

•strategiccorporateapproach;

•supplychainriskmanagement;

•supplierrelationshipmanagement;

•vulnerabilityhandling;

•qualityofproductsandpracticesforsuppliersandserviceproviders.

Finally,thereportconcludesthefollowing.

•ThereisconfusionwithrespecttoterminologyaroundtheICT/OTsupplychain.

•Organisationsshouldestablishacorporate-widesupplychainmanagementsystembasedonthirdpartyriskmanagement(TRM)andcoveringriskassessment,supplierrelationshipmanagement,vulnerabilitymanagementandqualityofproducts.

•GoodpracticesshouldcoverallvariousentitieswhichplayaroleinthesupplychainofICT/OTproductsandservices,fromproductiontoconsumption.

•NotallsectorsdemonstratethesamecapabilitiesconcerningICT/OTsupplychainmanagement.

•TheinterplaybetweentheNIS2directiveandtheproposalforacyberresilienceactorotherlegislation,sectorialornot,whichprovidescybersecurityrequirementsforproductsandservices,shouldbefurther

examined.

1Directive(EU)2022/2555oftheEuropeanParliamentandoftheCouncilof14December2022onmeasuresforahighcommonlevelofcybersecurityacrosstheUnion,amendingRegulation(EU)No910/2014andDirective(EU)2018/1972,andrepealingDirective(EU)2016/1148(NIS2Directive)(OJL333,27.12.2022,p.80)

.https://eur-lex.europa.eu/eli/dir/2022/2555

4

1.INTRODUCTION

SurveysfromtheWorldEconomicForum(WEF)andAnchorereportthatbetween39%

2

and62%

3

oforganisationswereaffectedbyathird-partycyberincident.Moreover,accordingtoMandiant

4

,supplychaincompromiseswerethesecondmostprevalentinitialinfectionvectoridentifiedin2021.Theyalsoaccountfor17%oftheintrusionsin2021comparedtolessthan1%in2020.

In2021,ENISA’sThreatlandscapeforsupplychainattacksshowsthatin66%ofthesupplychainattacksanalysed,suppliersdidnotknow,orwerenottransparentabout,howtheywerecompromised.Incontrast,lessthan9%ofthecustomerscompromisedthroughsupplychainattacksdidnotknowhowtheattackshappened.Thishighlightsthegapintermsofmaturityincybersecurityincidentreportingbetweensuppliersandend-userfacingcompanies.Around62%oftheattacksoncustomerstookadvantageoftheirtrustintheirsupplier.In62%ofthecases,malwarewastheattacktechniqueemployed.Whenconsideringtargetedassets,in66%oftheincidents,attackersfocusedonthesuppliers’codeinordertofurthercompromisetargetedcustomers.

ThelatestENISAthreatlandscapereport(2022)alsoobservesanincreasedinterestofthreatgroupsinsupplychainattacksandattacksagainstmanagedserviceproviders(MSPs)

5

.Moreover,thereportconsidersitlikelythatwewillseeanincreasedinvestment

6

ofresourcesintovulnerabilityresearchinthesesupplychainsinthenearfuture.Thisisoneofthereasonswhythreatgroupshavebeentargetingsecurityresearchersdirectly.Anothertargetiscommonandpopularopen-sourcerepositorieslikeNPM,Python,andRubyGems,whichareeitherclonedoninfectedwithmalware,withthegoalofinfectinganyonewhoimplementstheseastoolsorpackageswithintheirproject.Asanyonecanpublishpackagestoopen-sourceplatforms,malwareinjectionoftenremainsundertheradarforalongtime.

Itis,therefore,evidentthatcyberrisksarisingfrompartners,suppliersandvendorscouldhavesystemicimplications.ThisisalsoconfirmedbytheresultsofarecentsurveyamongcyberleadersandCEOs

7

–almost40%ofrespondentssaidtheywerenegativelyaffectedbyacybersecurityincidentrelatingtotheirthird-partyvendors/supplychain.TheriseinincidentshasconcernedthemajorityofthesurveyedCEOs(58%),whoindicatedthattheyfeeltheirpartnersandsuppliersarelessresilientthantheirownorganisation.Thiswillresultinthegreatestinfluenceontheirorganisations’approachtocybersecurityinthefuture.

1.1SUPPLYCHAININTHENIS2DIRECTIVE

Inthiscomplexenvironmentofsupplychains,establishinggoodpracticesforsupplychaincybersecurityattheEUlevel

isnowmoreimportantthanever.TheNIS2directiv

e1

enhancessupplychaincybersecurityby:

•eliminatingthedistinctionbetweenoperatorsofessentialservicesanddigitalserviceproviders;

•extendingthecoveragetoalargerportionoftheeconomyandsocietybyaddingmoresectorswiththedifferentiationofessentialandimportantentities;

•addressingsupplychaincybersecurityandsupplierrelationshipbyrequiringindividualentitiestoaddressrespectivecybersecurityrisks;

•introducingfocusedmeasuresincludingincidentresponseandcrisismanagement,vulnerabilityhandlinganddisclosure,cybersecuritytestingandtheeffectiveuseofencryption;

•introducingaccountabilityofeachentity’smanagementforcompliancewithcybersecurityriskmanagementmeasures;

•suggestingthattheNISCooperationGroupmaycarryoutcoordinatedsecurityriskassessmentsofspecificcriticalinformationandcommunicationtechnology(ICT)services,systemsorproducts.

2

3

4

5

6

7

WEF,GlobalCybersecurityOutlook2022

./reports/global-cybersecurity-outlook-2022/

Anchore,‘2022securitytrends:Softwaresupplychainsurvey

./blog/2022-security-trends-software-supply-chain-survey/

Kutscher,J.,‘M-TRENDS2022’,Mandiant

./resources/m-trends-2022

ENISAThreatLandscape2022report.

PWC2022GlobalDigitalTrustInsightsSurvey

./gx/en/issues/cybersecurity/global-digital-trust-insights.html

WEF,GlobalCybersecurityOutlook2022

./reports/global-cybersecurity-outlook-2022/

5

TheNIS2directiverequiresessentialandimportantentitiestoaddresscybersecurityrisksinsupplychainsandsupplierrelationships.ItdoessobyrequestinginArticle21essentialandimportantentitiestotakeappropriateandproportionatetechnical,operationalandorganisationalcybersecurityriskmanagementmeasuresandtofollowanall-hazardsapproach.Thesemeasuresshouldaddress,amongstotherareas,supplychainsecurityincludingsecurity-relatedaspectsconcerningtherelationshipsbetweeneachentityanditsdirectsuppliersorserviceproviders.Moreover,entitiesshouldtakeintoaccountthevulnerabilitiesspecifictoeachdirectsupplierandserviceproviderandtheoverallqualityofproductsandcybersecuritypracticesoftheirsuppliersandserviceproviders,includingtheirsecuredevelopmentprocedures.

MemberStatesshallalsoensurethat,whendefiningappropriatemeasures,entitiesarerequiredtotakeintoaccounttheresultsofthecoordinatedriskassessmentscarriedoutinaccordancewithArticle22(1)

8

.

1.2AIMANDAUDIENCE

TheaimofthisreportistoprovideanoverviewofthecurrentICT/operationaltechnology(ICT/OT)supplychaincybersecuritypracticesfollowedbytheoperatorsintheEUaswellastoidentifygoodpracticesonICT/OTsupplychaincybersecurity.Thereportfocusesprimarilyontherelationshipofessentialandimportantentitieswithdifferentkindsofdirectsuppliersandserviceproviders

9

,e.g.manufacturers,distributors,integrators,MSPs,managedsecurityserviceproviders(MSSPs)orcloudcomputingserviceproviders.Itthusidentifiesgoodpracticesforessentialandimportantentities,andfordifferenttypesofsuppliersandproviders.

Essentialandimportantentitiestypicallyoperatecriticalinfrastructureanduseproducts,systemsandsolutionsfrommanufacturers,distributionchannelproviders,systemintegratorsanddigitalserviceproviders.Someentitiesdomanufacturetheirownproducts(hardwareandsoftware)andcaninthiscasebeconsideredasimportantentitiestoo.Recommendedgoodpracticesformanufacturingcanbeappliedforsuchorganisationsaswell.

Anentitytypicallyhasacontractualrelationwithitsdirectsuppliersandserviceproviderswhereorganisational,processandtechnicalmeasurescanbedefinedforrespectivedeliveryorserviceacquired.Therangeofcontractualagreeablemeasuresislimitedtotheprocurementpowerofanorganisationandthecapabilitiesofasupplierorserviceprovider.Somemeasurescascadealongthesupplychain,buttheoverallcontrolofimplementationbyarespectiveorganisationistypicallynotpossible,asthereisnogeneralcontractualrelationinplacewhichcouldforexampleprovideanauditrightortherighttorequestdetailedinformationonsecuritymeasuresfromallsuppliersalongthesupplychain.Onetypicalexampleofthislackofcontrolinthesupplychainofproductsandcomponentsistheopen-sourcesoftware,whichispubliclyavailableandtherulesofuseofwhicharedeterminedinnon-negotiablelicenseagreements.Anotherexampleoftheneedtomaintaincontroliswhenprocuringservicesfromacloudcomputingserviceprovider,asthisrequiresadditionalefforttoensurethattherequirementsoftheGeneralDataProtectionRegulationaremet.

Table1includesabriefdescriptionoftheroleofthevarioustypesofsuppliersandprovidersintheICT/OTsupplychain.

Table1:Suppliersandproviders

Typeofsupplierandprovider

Function

Manufacturers

10

•Design,develop,manufacture,anddeliverproductsandcomponentstotheircustomers.

•Sourcehardwareandsoftwarecomponentsintheirsupplychain.

•Deliverproductswhichcanservemultiplepurposes;i.e.similarproductsaresoldtodifferentproductuserswithdifferentusescenarios.

•Liablefortheirpartofdeliveryandserviceprovided.

Systemintegrators(serviceproviders

•Engineersystemsthatareusedinproductionenvironments.

•Designanddeploysystems,suchasautomationsolutionsusedinindustriesandcriticalinfrastructure.

8EUcoordinatedriskassessmentsofcriticalsupplychains.

9NIS2directive,Article21(2),point(d).

10Importantentities(NIS2directive,AnnexII).

6

forengineering

services)

•Canincludecivilworksuchasdeploymentofnetworkinfrastructureorpipelinesforexampleinturnkeysolutions.

•Playanessentialpartincybersecuritydesignandimplementationin(critical)infrastructure.

ICTservice

management

ManagedServiceProviders(MSPs)

•Provideservicesrelatedtotheinstallation,management,operationormaintenanceofICTproducts,networks,infrastructure,applicationsoranyothernetworkandinformationsystems,viaassistanceoractiveadministrationcarriedouteitheroncustomers’premisesorremotely.

MSSP

•Assistsentitiesinareassuchasincidentresponse,penetrationtesting,securityauditsandconsultancy(NIS2directive,Article6(40)).

•Offersservices,suchas:

•assessment–e.g.penetrationtesting,orconformancetospecificsecurityrequirementsorstandards;

•implementation–e.g.implementationofsecuritycontrolssuchasmalwaredetectioninaninfrastructure;

•management–e.g.securityoperatingcentre(SOC)servicesforincidentresponse.

Providersofdigitalservices

11

12

Cloudcomputingservices,include:

•infrastructureasaservice,

•platformasaservice,

•softwareasaservice(SaaS),and

•networkasaservice.

Inthisreport,supplychaincybersecuritymeasureswillberecommendedforprovidersofdigitalservicesthatfallintothecategoryofSaaS.Examplesofsuchaservicearedigitaltax-accountingservices

13

,multi-tenantassetmonitoringservices

14

,securityoperatingcentreservices

15

orevensupplychainservices

16

.

Addressingsupplychaincyberrisksrequiresarisk-basedapproachfromorganisationsinthesupplychain.Thisreportwilladdresscybersecurityrisksforthesupplychain,butwillnottouchothersupplychainrisks,suchasgeopoliticalriskslikedependenciesonnon-EUcountryshipments,e.g.photovoltaic(PV)inverterorchipsetforelectronicdeviceswhicharenearlyentirelysourcedinAsia

17

.

1.3METHODOLOGYANDSTRUCTURE

InanefforttoidentifyhowMemberStatesimplementedtheNISdirective’srequirements,andwhethertheyinvestincybersecurity,ENISAsurveyed1081organisationsinall27MemberStates(andtoensurearepresentativeaccount,

11AdigitalserviceisdefinedbyNIS2directive,Article6.

Clause(23):‘digitalservice’meansaservicewithinthemeaningofArticle1(1)(b)ofDirective(EU)2015/1535oftheEuropeanParliamentandofthe

Council.

Clause(28):‘onlinemarketplace’meansadigitalservicewithinthemeaningofArticle2point(n)ofDirective2005/29/ECoftheEuropeanParliamentandoftheCouncil.

Clause(29):‘onlinesearchengine’meansadigitalservicewithinthemeaningofArticle2(5)ofRegulation(EU)2019/1150oftheEuropeanParliamentandoftheCouncil.

Clause(30):‘cloudcomputingservice’meansadigitalservicethatenableson-demandadministrationandbroadremoteaccesstoascalableandelasticpoolofshareablecomputingresources,includingwhenthosearedistributedoverseverallocations.

12Essentialentities(NIS2directive,AnnexI,‘DigitalInfrastructure’).

13Digitaltax-accountingservicesofferingcloud-basedsolutionsforthehandlingoftax,e.g.theEUminiOneStopShopforvalue-added-taxdeclarationissuchanexample.

14Multi-tenantassetmonitoringservicesoffercustomersforexampleahealthstatusserviceforassetsusedintheirrespectiveinfrastructure(e.g.turbines)thatcanoptimisemaintenanceschedulesandreplacements.

15SOCisamanagedsecurityservice;theofferingistypicallyrealisedbyadigitalcloudservicewherecustomersareprovidedwithadashboardonfindingsthatarederivedfromanalyticsonsecurityinformationdeliveredfromthenetworkbyutilisingacloud-basedsecurityinformationeventmanagementsystem.Consequently,aSOCservicebelongsinthecategoryofadigitalserviceprovideraswellasinthecategoryofanMSSP.

16Digitalsupplychainasaserviceofferscustomerstrackingandcontroloptionsviaacloud-basedsolutiontomanagetheirsupplychain.Thisincludestrackingofgoodsthatareenrouteandthemanagementofgoodsinwarehouses.

17China’ssanctionsagainstTaiwanareareminderfortheEuropeanUnionofitsdependencyontheisland,andinparticularontheelectronicchipsproducedbytheworld’sbiggestsemiconductorcompany:TaiwanSemiconductorManufacturingCo.

7

aminimumof40organisationsweresurveyedperMemberState)

18

.Amongotherthings,datawascollectedconcerningICT/OTsupplychaincybersecurity.Organisationswererequestedtoprovideinformationrelatingtotheirimplementedsupplychainriskmanagementpoliciesandwhethertheyallocatebudgetspecifictotheseissues.Theywerealsosurveyedregardingtheirassignedsupplychainriskmanagementrolesandresponsibilities,theimplementedriskmitigationmethodologiesandwhethertheEUcybersecurityrequirementsaffectdigitalproducts.

Chapter2presentstheresultsofthissurveyandprovidesanoverviewofthecurrentpracticesofessentialandimportantentitiesrelatingtosupplychaincybersecurity.ThisallowsforabetterunderstandingofthecurrentsituationintheEU.

Forthisreport,goodpracticeswerecollectedfromrelevantstandardsandguidancethatwouldbeappropriatefortheimplementationoftheNIS2directive’srequirementsbyessentialandimportantentities

19

.Inordertoidentifythesegoodpractices,anextensivedesktopresearchwasperformedonexistingsupplychainnationalstrategies,regulatoryframeworks,standardsandgoodpractices.Asaresult,19relevantdocumentsthataddresssupplychaincybersecuritywereidentifiedandanalysed.TheanalysisreflectsonexistingEuropean,nationalandinternationalframeworksaswellasontheidentifiedmaterial.Thepractices,identifiedduringthedesktopresearch,mostlyfocusontheMemberStatesideandsupplementtheproposedmethodology.Referencestothesedocumentsareavailableattheendofthisreport.

InChapter3,asystematicapproachisprovided,comprisedoffivesteps,forthecybersecuritysupplychainproblemtogetherwithrecommendedsecuritypracticesforeachmethodologicalstep.Itcovers:

•organisationalwideICT/OTsupplychainstrategy;

•technical,operationalandorganisationalmeasuresinsupplychain,consideringarisk-basedapproach

20

;

•thehandlingofvulnerabilities

21

;and

•theoverallqualityofproductsandcybersecuritypractices(includingsecuredevelopmentprocedures)

22

.Movingforward,thisreportconcludesbyprovidinginformationforfurtherconsiderationsonICT/OTsupplychain.

Itwasidentifiedthatdifferenttermsordefinitionsareusedintheinternationalbibliographyforsimilarconcepts,e.g.ICT/OTsupply,digitalchain,thirdpartyriskmanagement(TRM),orcybersupplychainriskmanagement.Inthisreport,thetermICT/OTsupplychaincybersecurityisused,whileaselectionofdefinitionsfrompolicydocumentsisavailableinAnnexC.

18ENISA,NISInvestments:November2022

.https://www.enisa.europa.eu/publications/nis-investments-2022

19Essentialandimportantentitiesaretypicallyoperatorsthatprovideservicesthatareconsideredcriticaltotheeconomyandsociety.EssentialandimportantentitiesareanyentitiesofatypereferredtoinAnnexIandAnnexIIrespectivelyofNIS2directive.

20NIS2directive,Article21(1).