Security Requirements for Supply Chain Services
Supply Chain Services (SCS) are used every day by many sectors, but also by critical sectors (e.g., transport, energy, health, economy). The systems of an SCS Business Partner (BP) or even the goods themselves can be targeted, jeopardizing their delivery to the end consumer. Especially in the maritime sector, there are many examples of well-known cybersecurity incidents in large companies or ports (e.g., Maersk, COSCO, Ports of Antwerp, Barcelona, San Diego). Small and medium-sized ports (SMPs) are no different, as they may use similar types of systems, and software, and even share the same SCS as the larger ones.
In order to avoid such incidents, special regulations and directives are created, which define legal requirements to be applied also by SCS providers and BPs:
- General Data Protection Regulation (GDPR): a European Union (EU) regulation (not a directive) adopted in April 2016 and came into force in May 2018. It addresses issues of privacy and human rights law both inside and outside the EU as well as European Economic Areas (EEA).
- Directive on Security of Network and Information Systems (NIS Directive): joined policy in July 2016 with the aim of raising the level of cyber security in the EU, leading digital service providers (DSPs) and operators of essential services (OES) to create and maintain Computer Security Incident Response Teams (CSIRTs).
- NIS 2.0 Directive: proposed in June 2022 with the aim of extending security requirements and making EU Member States consistent and compatible with incident notifications and information sharing.
In addition, relevant standards and frameworks are being developed, which SCS providers and BPs should consider:
- Risk Management standards and frameworks:
- ISO/IEC 27000:2018, which mainly provides the overview of information security management systems (ISMS)
- ISO 31000-series, which provides a framework for risk management and treatment
- NIST SP 800-37 Rev.2, a framework, which provides a process for managing security and privacy risk
- SCS Security standards:
- ISO 28000-series, which sets out the requirements for a security management system, also addressing aspects related to the supply chain
- IT Security Evaluation standards:
- ISO/IEC 15408 (Common Criteria), which designates the general principles and model for evaluating the security properties of IT products
- ISO/IEC 18045:2008, which is a companion standard of the previous one that can help an IT security evaluator to conduct a CC evaluation by defining the minimum actions to be performed according to the provided methodology
More details on this topic are shared in the CYSMET paper entitled “Cybersecurity Certification Requirements for Supply Chain Services” (Zenodo link).
Additionally, CYSMET deliverable 2.1 (Deliverable link) further analyzes the current state and shortcomings of existing regulations, directives, standards, frameworks, etc.