Analysts estimate that up to 80% of cyber breaches may originate in supply chains—attacks where hackers sabotage software or hardware before it’s sent to the customer. Protecting supply chains is therefore an absolute priority for all organizations.
Cyber attacks on businesses and industry may have disastrous consequences for the companies affected. Ultimately, they may even force some businesses or industries to close.
However, the most serious cyber threats at national level concern critical infrastructure, which covers assets and systems that are essential to the functioning of a country’s society and economy. Damage to power utilities, transport, health, and telecommunications systems, for example, could have wide and disruptive implications for societies.
The IT supply chain consists of a set of organizations with linked resources and processes, each of which acts as an acquirer, a supplier, or both. Successive supplier relationships are formed when a purchase order, agreement, or other formal sourcing agreement is placed.
The supply chain for industrial and other physical assets, such as power grids, transportation systems and smart manufacturing, is more complex to define, because it comprises not only IT but also the operational technology (OT) supply chain. This includes personnel (developers, suppliers, vendors and staff working on OT) and processes, as well as products: the components and systems central to OT, such as industrial automation and control systems (IACS) and, increasingly, internet of things (IoT) elements.
The IEC’s very extensive work on cyber security includes Standards, Technical Requirements and Specifications and, increasingly, conformity assessment (CA) and certification.
In addition to the ISO/IEC 27000 family of Standards for IT service management, and to the IEC 62443 series of horizontal publications for industrial communication networks and IACS, relevant to many domains, a number of IEC Technical Committees (TCs) and Subcommittees (SCs) have developed specific Standards, Technical Specifications and Requirements for certain sectors.
The IEC Standardization Management Board (SMB) has set up an Advisory Committee on Security (ACSEC). Its scope includes:
- Dealing with information security and data privacy matters which are not specific to a single IEC Technical Committee (TC);
- Coordinating activities related to information security and data privacy;
- Providing guidance to TCs and subcommittees (SCs) for the implementation of information security and data privacy in a general perspective and for specific sectors.
In parallel, the IEC works on CA and global certification schemes through Working Groups (WGs) set up by the Conformity Assessment Board (CAB) and by the Certification Management Committee (CMC) of IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components.
The tasks of CAB WG 17 include investigating the market needs and timeframe for CA services (global certification schemes) for products, services, personnel and integrated systems in the domain of cyber security. They exclude the scope of industrial automation applications, which is covered by IECEE CMC WG 31. CAB WG 17 also communicates to other industry sectors the generic cyber security approach taken by IECEE CMC WG 31 and how it may apply to their sectors.
The IEC is also working with the United Nations Economic Commission for Europe (UNECE) to create a common regulatory objectives document focusing on conformity assessment and cyber security.