August 24, 2021
By Steve Griffith, Industry Director, NEMA
Managing cybersecurity supply chain risk requires a collaborative effort and open lines of communication across electrical equipment owners and operators, the manufacturers themselves, and relevant government entities. NEMA Member companies play an indispensable role in strengthening the cybersecurity supply chain across all critical and non-critical infrastructure sectors. They understand that cybersecurity aspects are built into—not bolted onto—their equipment.
NEMA CPSP 1-2021 Supply Chain Best Practices identifies a recommended set of best practices and guidelines that electrical equipment manufacturers can implement during product development to minimize the possibility that bugs, malware, viruses ,or other exploits can be used to negatively impact product operation.
The document addresses U.S. supply chain integrity through four phases of a product’s life cycle:
1) An analysis of the manufacturing and design process to detect and eliminate any anomalies in the embedded components of a product’s supply chain
2) Tamper-proofing products to ensure that their manufactured configuration has not been altered between the production line and the ultimate operating environment (another term used in the same context is tamper resistance.)
3) Ways that the manufactured device enables asset owners to comply with the security requirements and necessities of the regulated environment
4) A decommissioning and revocation process designed to prevent compromised or obsolete devices from being used to penetrate active security networks
Key additions to the latest version of the document are the following new Sections.
Cyber insurance is a type of insurance designed to cover expenses, business losses, business interruption, and fines and penalties should a data breach happen to a company.
Market expectations describe how trends such as digitalization, machine learning, artificial intelligence, and the Internet of Things (IoT) are restructuring manufacturers’ supply chains. Devices and systems that are manufactured and subsequently deployed are dynamic, capable of evolving, even into unanticipated use cases. There is also a movement in the broader marketplace toward the concept of “trust but verify” concerning supply chain cybersecurity compliance. Ideally, this should be market-driven with some degree of regulatory oversight; however, manufacturers need to be aware of the increasing legislation and regulations targeting the supply chain.
Vendor dependencies describe how manufacturers should work with their suppliers to assess, mitigate, respond, and remediate associated risks in the supply chain. Manufacturers utilize several techniques to manage dependencies in their supply chain. It starts with gathering information and establishing trusted communication with suppliers. This can be done via the following: classifying supplier types/categories, a vetting process that includes a questionnaire, continuous monitoring using tools such as security ratings that dynamically measure an organization’s security performance, and Statements of Work (SOW) and Service Level Agreement with suppliers.