
Embracing Zero Trust (Part 4 of 7): Continuous Supply-Chain Risk Awareness

By: Schneider Electric, Cassie Crossley
03 July, 2023
3 min read
This feature focuses on the fourth principle in Schneider Electric’s Zero Trust Model: Continuous Supply Chain Risk Awareness.

As part of an ongoing series on applying zero trust best practices, this feature focuses on the fourth principle in Schneider Electric’s Zero Trust Model, Continuous Supply Chain Risk Awareness, and how we apply it within our company. Schneider Electric understands that cybersecurity vulnerabilities in our large and complex supply chain may affect not only the products or services we use internally, but also the offers we sell to our customers. Cyber risks and threats can come from anywhere in our supply chain, and we believe that the companies we interact with must take responsibility for cybersecurity as they partner with us.

Thus, we collaborate with our upstream suppliers and downstream customers to create awareness of any potential supply chain risks so we can proactively take steps to eliminate or minimize those risks. Here is a quick overview of some of the cohesively integrated security policies, processes and controls that help us achieve a more secure supply chain.

Supplier verification

A key tenet of zero trust is “never trust, always verify.” One of the ways we apply this tenet to our supply chain is through a supplier qualification process that uses an evidence-based product security assessment.

This assessment aligns with IEC 62443-4-1, an industry standard from the International Electrotechnical Commission (IEC) that provides guidance for a secure development lifecycle (SDL) for industrial automation and control systems. Wherever applicable, Schneider Electric follows the requirements of this industry standard for our SDL processes—security requirements definition, secure design, secure implementation, verification and validation, defect management, patch management and product end-of-life. By using this standard as a measure of our vendors’ security practices, we can better identify potential cyber vulnerabilities and risks that may arise from a supplier’s product or service offering.

For instance, if a third-party application we want to use internally wasn’t developed in line with the IEC 62443-4-1 standard, it could contain weaknesses that may lead to a threat for our company and potentially create a risk to our customers. For applications like this, we may proactively identify weaknesses by conducting some of our own rigorous scanning and testing processes. We then partner with the supplier to strengthen its security so that Schneider Electric and our customers are not put at risk.

Customer-facing security

Schneider Electric employees who work directly with customers are required to complete a Cyber Badge certification and additional security-related training.

We also require these same measures for customer-facing third parties, which increases our awareness of supply chain risk at customer sites at the point of delivery and throughout the ongoing management of our offers. As an example, through the Cyber Badge program, we ensure the security of any USB tokens or other devices used by third parties at customer sites to avoid any potential compromises.

Provenance tracing

Because of our international reach, we comply with the regulations and laws of the countries we work and sell in, and we respect any requirements individual customers may have regarding certain countries. Provenance is becoming more important in this regard since our products and services are sourced globally.


We are continually increasing our traceability capabilities and data collection on where components are sourced and who made them, which helps us honor sanctions, embargoes and other origin-of-product risks that impact our supply chain and customer offers.

Monitoring tools

Like any cybersecurity measure, there are tools we can use to provide insight into and awareness of potential risks in the supply chain. For instance, threat intelligence can make us aware of a potential vulnerability, such as a data breach, in a particular supplier’s product. Intelligence could also provide insight into suppliers that have been sanctioned and are not allowed for use in certain countries.

Automation and technologies like AI and machine learning can contribute to supply chain awareness and potentially help us mitigate risks more quickly in the future. As an example, a good application of machine learning would be an automated identification and mitigation process that fixes vulnerabilities as soon as they are detected.
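The provenance-tracing, monitoring-tools and automation passages above describe the same recurring check: take what you know about each supplied component (who made it, where, which version, whether the supplier passed an SDL assessment) and re-evaluate it against the latest threat intelligence and origin restrictions. The following Python script is an added example of that check, written for this page; it is not Schneider Electric’s tooling. Every component name, supplier, advisory identifier and country code in it is a constructed placeholder, and the `sdl_assessed` flag is an assumed stand-in for the outcome of an IEC 62443-4-1-aligned supplier assessment.

```python
"""Continuous supply-chain risk check over a component inventory.

Added example, not the article's or Schneider Electric's own code. All data
below is constructed for illustration: there are no real products, suppliers,
advisories or sanctioned country codes in it.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str
    origin_country: str  # provenance data: where the component was made
    sdl_assessed: bool   # assumed flag: supplier passed an IEC 62443-4-1-aligned assessment


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str      # vulnerability | restricted_supplier | restricted_origin | unassessed_supplier
    severity: str  # high | medium
    detail: str


# --- constructed sample data (placeholders) --------------------------------
INVENTORY = [
    Component("net-stack", "1.2.1", "ExampleVendorA", "DE", True),
    Component("hmi-runtime", "4.0.0", "ExampleVendorB", "US", False),
    Component("power-module", "2.3.5", "ExampleVendorC", "XX", True),
    Component("logger", "0.9.0", "ExampleVendorA", "DE", True),
]

# A threat-intelligence feed entry: versions below fixed_version are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "supplier": "ExampleVendorA", "product": "net-stack",
     "fixed_version": "1.2.2", "summary": "memory-safety defect in packet parser"},
]

RESTRICTED_SUPPLIERS = {"ExampleVendorC"}  # e.g. sanctioned supplier (placeholder)
RESTRICTED_ORIGINS = {"XX"}                # e.g. embargoed origin (placeholder code)


def version_tuple(v: str) -> tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple (1.2.1 -> (1, 2, 1))."""
    return tuple(int(p) for p in v.split("."))


def assess(inventory: list[Component], advisories: list[dict],
           restricted_suppliers: set[str], restricted_origins: set[str]) -> list[Finding]:
    """Re-evaluate every component against current intelligence and restrictions."""
    findings: list[Finding] = []
    for c in inventory:
        if c.supplier in restricted_suppliers:
            findings.append(Finding(c.name, "restricted_supplier", "high",
                                    f"supplier {c.supplier} is on the restricted list"))
        if c.origin_country in restricted_origins:
            findings.append(Finding(c.name, "restricted_origin", "high",
                                    f"origin {c.origin_country} is restricted for this offer"))
        if not c.sdl_assessed:
            findings.append(Finding(c.name, "unassessed_supplier", "medium",
                                    "supplier not yet assessed against IEC 62443-4-1; "
                                    "schedule own scanning and testing"))
        for adv in advisories:
            affected = (adv["supplier"] == c.supplier and adv["product"] == c.name
                        and version_tuple(c.version) < version_tuple(adv["fixed_version"]))
            if affected:
                findings.append(Finding(c.name, "vulnerability", "high",
                                        f"{adv['id']}: {adv['summary']}; "
                                        f"upgrade to {adv['fixed_version']}"))
    # Highest severity first, then by component name; stable sort keeps insertion order otherwise.
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f.severity], f.component))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity for a quick dashboard line."""
    return dict(Counter(f.severity for f in findings))


def run_check() -> list[Finding]:
    """Run the check over the constructed inventory (this is what a scheduler would call)."""
    return assess(INVENTORY, ADVISORIES, RESTRICTED_SUPPLIERS, RESTRICTED_ORIGINS)


if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.severity.upper():6}] {f.component}: {f.kind} - {f.detail}")
    print(summarize(run_check()))
```

The point of the design is that the inventory is static but the three inputs on the right-hand side (advisories, restricted suppliers, restricted origins) change daily, so the same `assess` call is meant to be re-run on every feed update rather than once at supplier onboarding; that is what makes the awareness continuous.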

The key to awareness: It must be continuous

Like all aspects of cybersecurity, the risks to Schneider Electric’s supply chain are always changing and evolving, and our approach to detecting and mitigating these potential threats and incidents must continually change as well. Practices like zero trust are a great way to continually stay ahead of the risks and ensure that the delivery of our products and services is as secure as possible. You can also read parts one, two and three of this series.
