Industrial Internet supply chain security risk identification
From the perspective of an enterprise, the risks facing the industrial Internet supply chain arise in three areas: the life cycle of products and services, procurement, and operation.
Life cycle risk of products and services refers to the network security risk an enterprise introduces while designing, developing, testing, using, operating and decommissioning software or systems, and while connecting to platforms. In December 2021, a remote code execution vulnerability (CVE-2021-44228, commonly called Log4Shell) was disclosed in Apache Log4j. Because Log4j is an open source logging component embedded in many Java frameworks and applications, every piece of software that bundled a vulnerable version was exposed, often without its operator knowing that the component was present at all.
Procurement risk means that a company purchases products or services that contain vulnerabilities, malicious code or "backdoors", and attackers use the product or service as a springboard for cyberattacks or data theft, putting the whole industrial Internet supply chain at risk. In 2018, a TSMC production line was infected with a variant of the WannaCry ransomware worm. The cause was a batch of newly connected computers that arrived already infected: the upstream equipment supplier had not performed strict security checks and virus scans before delivery, and TSMC had not performed them before bringing the equipment online. The resulting outage caused significant losses to TSMC's production and reputation.
Operational risk refers to risk caused by a missing or immature management mechanism in the enterprise's day-to-day operation, so that risks are not identified, handled or prevented. In March 2022, the identity and security company Okta disclosed that one of its vendors, Sitel, had been attacked and that some of Okta's data had been stolen. The subsequent investigation found that an employee of this supplier had been providing services to customers from his personal laptop; this lax management of personnel and equipment had a significant impact on supply chain security.
Industrial Internet supply chain security protection system
At present there is a great deal of research on software supply chain security and on ICT (information and communication technology) supply chain security. Compared with the software supply chain, the industrial Internet supply chain has more kinds of assets and a wider range of industry application scenarios. Compared with the ICT supply chain, its day-to-day operation is more complex, and the network security management capability of its suppliers is often weak. Therefore, building on software and ICT supply chain security practice, enterprises should anchor their risk points and strengthen an industrial Internet supply chain security protection system along three lines: life cycle security protection of the industrial Internet supply chain, management of suppliers and service providers, and system construction together with personnel management.
Industrial Internet supply chain life cycle security
To address the life cycle risks of products and services, enterprises should apply security measures appropriate to each stage of self-developed products, to each source of the code they use, and to the services they connect to.
For self-developed software and systems, protection follows the life cycle stage by stage.
In the design stage, the enterprise analyzes security requirements according to typical industry scenarios and its own operational needs, adopts a secure architecture and secure design patterns, and decides the identity authentication and access control mechanisms.
In the development stage, code is written to a secure coding standard, built in a hardened compilation environment, and checked with secure coding tools, so that defective code that would lead to vulnerabilities, malicious code or "backdoors" is not produced in the first place.
In the test stage, secure code audit tools, vulnerability scanners and penetration testing tools are used for code analysis and vulnerability scanning, so that code defects, logic flaws and vulnerabilities are found early.
In the use stage, the system is configured according to the security design; the identity authentication and access control mechanism is confirmed against business roles and permissions; malware scanning and vulnerability scanning are run periodically and after any information security event; and any security risk found is remediated promptly.
In the operation and maintenance stage, product upgrades, vulnerability fixes and security hardening are carried out as needed, in a controlled and secure manner, followed by the corresponding security testing and integrity verification.
In the decommissioning stage, data is disposed of, software is removed and the system is retired according to a defined decommissioning process, with the code and data involved handled and protected securely.
For open source components, software and systems, the enterprise must review their origin and establish that they are safe and reliable before adopting them. Since the enterprise did not design or develop the code itself, the design security and development security stages do not apply; the remaining life cycle protections are the same as for self-developed software and systems.
For purchased components, software and systems, the enterprise should bind the supplier by contract or agreement to deliver product upgrades, security exception alerts and security maintenance in a timely manner. If the supplier has discontinued maintenance, the enterprise should proactively and regularly run vulnerability scanning and penetration testing, monitor security events and vulnerability disclosures affecting the components, software and systems in use, and upgrade, patch and harden the products itself or through a third-party service provider as soon as a vulnerability is found.
For firmware in purchased hardware, the enterprise should likewise bind suppliers by contract or agreement to give prompt notice of security exceptions and to maintain the firmware. If the supplier has discontinued maintenance, the enterprise should proactively and regularly run vulnerability scans, monitor security events and disclosures affecting that firmware, and, where necessary, fix firmware vulnerabilities or improve the firmware's security capabilities itself or through a third-party service provider.
For platforms the enterprise connects to, it must verify through configuration checks that identity authentication, access control, transport security and interface protection meet its own security requirements.
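The two preceding paragraphs both require the enterprise to keep its own inventory of purchased software and firmware, match it against vulnerability disclosures (the Log4j case above is the canonical instance), and notice when a supplier has stopped maintaining a product. The following Python script is an added example of that check; it is not code from the original article or from any vendor. It assumes a CycloneDX-style SBOM listing each component with a name and version, advisories expressed as [introduced, fixed) version ranges, and a per-component end-of-support date. The SBOM, the firmware advisory and its identifier, and the support dates are all constructed for the example; the log4j-core range is a simplified rendering of the December 2021 issue (fixed in 2.15.0).

```python
"""Check an SBOM against vulnerability advisories and vendor support status.

Added example for this page, not code from the original article or from any
vendor. Assumes a CycloneDX-style SBOM (components with name and version),
advisories as [introduced, fixed) version ranges, and an end-of-support date
per component. All inputs below are constructed.
"""
import json
import re
from datetime import date

# Constructed CycloneDX-style SBOM for a hypothetical industrial platform.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library",  "name": "log4j-core",     "version": "2.14.1"},
    {"type": "library",  "name": "log4j-core",     "version": "2.17.1"},
    {"type": "firmware", "name": "plc-gateway-fw", "version": "3.2.0"},
    {"type": "library",  "name": "libfoo",         "version": "1.0.0-rc1"}
  ]
}
"""

# Constructed advisories. The log4j-core range is a simplification of the
# December 2021 remote code execution issue (fixed in 2.15.0); the firmware
# advisory and its identifier are hypothetical.
ADVISORIES = [
    {"id": "CVE-2021-44228", "name": "log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "VENDOR-ADV-0001", "name": "plc-gateway-fw",
     "introduced": "3.0.0", "fixed": "3.2.4"},
]

# Hypothetical vendor end-of-support dates (ISO format). Components absent
# from this table have no known support commitment at all.
END_OF_SUPPORT = {"plc-gateway-fw": "2023-06-30", "log4j-core": "2099-12-31"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?$")


def parse_version(text):
    """Turn '2.14.1', '2.0-beta9' or '1.0.0-rc1' into a comparable tuple.

    A pre-release tag sorts below the release with the same numeric part,
    so '1.0.0-rc1' < '1.0.0'. Unsupported strings raise rather than silently
    comparing wrong, which would hide a vulnerable component.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))        # '2.0' -> (2, 0, 0)
    pre = m.group(2)
    return (nums, 0 if pre else 1, pre or "")


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, the usual advisory range."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(sbom_json, advisories):
    """Return (component, version, advisory id) for every range that matches."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def unsupported_components(sbom_json, end_of_support, today_iso):
    """Names of components whose vendor maintenance has ended by today_iso,
    or which have no recorded support status; these are the ones the
    enterprise must scan and patch itself."""
    today = date.fromisoformat(today_iso)
    sbom = json.loads(sbom_json)
    out = []
    for comp in sbom.get("components", []):
        eos = end_of_support.get(comp["name"])
        if (eos is None or date.fromisoformat(eos) < today) \
                and comp["name"] not in out:
            out.append(comp["name"])
    return out


if __name__ == "__main__":
    for name, ver, adv in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"VULNERABLE  {name} {ver}  ({adv})")
    for name in unsupported_components(SBOM_JSON, END_OF_SUPPORT, "2024-01-15"):
        print(f"UNSUPPORTED {name}: scan and patch in-house")
```

Running the script flags log4j-core 2.14.1 (but not 2.17.1) and the hypothetical gateway firmware, and lists the firmware and libfoo as components the enterprise must maintain itself. In a real deployment the SBOM would come from the build or from the supplier, and the advisory list from an OSV or NVD feed keyed by package URL rather than bare name; the version-range logic stays the same.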