UL helps mitigate supply chain cyber-security risks
May 20, 2020
Underwriters Laboratories (UL) has announced a way to help organisations mitigate supply chain cyber-security risk.
The Illinois-based safety science organisation has announced the Supplier Cyber Trust Level, which helps organisations reduce supply chain cyber-security risk by focusing on the trustworthiness of suppliers' security practices.
It analyses a supplier's security practices across multiple trust categories, resulting in a documented supplier trust-level rating. This rating demonstrates the trustworthiness of a supplier's security practices across the software and hardware development lifecycle, hosted systems, information management systems, and their third-party management.
There is currently no single certification or framework on the market that adequately addresses the complexities of securing an enterprise-wide supply chain. Individual, separate security industry standards and certifications often address only a portion of the overall cyber-security posture, which means they do not address other security aspects that are often critical for the supply chain.
The UL assessment enables a holistic view of a supplier's security posture, while giving organisations a fair and consistent evaluation of cyber-security posture from supplier to supplier.
"Cyber security for connected technologies is a major risk that impacts manufacturers, service providers, suppliers and end product ecosystems," said Isabelle Noblanc, global vice president at UL. "A supplier's security-oriented culture, security processes and practices, and secure R&D environments are all critical when validating supplier security. UL understands this significance and continues to help organisations with IoT cyber-security offerings that address end products, ecosystems and now – with the launch of our Supplier Cyber Trust Level – supply chains."
The offering leverages security controls from many well-known industry best practices, standards and frameworks, including National Institute of Standards & Technology (Nist) cyber supply chain risk management, European Union Agency for Cybersecurity (Enisa) supply chain attacks, North American Electric Reliability Corporation (Nerc) CIP-013-1 critical infrastructure protection standard, IEC 20243-1, 62443-4-1 and 62443-2-4 standards, and ISO 27001.
Helping suppliers to understand gaps in their security posture, the offering also lets them implement and strengthen continuous improvement plans and demonstrate and differentiate security strengths to multiple customers and groups of stakeholders. This approach of working with both organisations and suppliers helps holistically strengthen the security of supply chains and the digital economy.
It joins a growing list of UL IoT security offerings, including the UL IoT Security Rating, services for IEC 62443 and UL 2900 standards, and security by design training, advisory and testing services, that address secure product development, cyber security in smart ecosystems and supply chain risk management.
"The Covid-19 outbreak has made it clear how vulnerable supply chains can be," Noblanc said. "Although the Covid-19 situation has exposed vulnerability related to the availability of supply chains, it has also raised further awareness that cyber security is another prominent threat to supply chains worldwide. The UL Supplier Cyber Trust Level will help companies globally to better secure their supply chains and help bring safer products to the market."