Senior information security experts from the aviation and energy sectors recently took part in a panel discussion about the challenges of securing the critical supply chain. They were taking part in a Financial Times cyber security conference in London.
The speakers gave details of the challenges they face and the solutions they deploy to meet them, bearing in mind that safety is also a major concern for them. Airbus Head of cyber security architecture Dr Kevin Jones explained that Airbus had three main activities: manufacturing commercial aircraft, helicopters and defence equipment.
“This gives Airbus a very large supplier base at a time when it is going, like many other manufacturers through a huge transformation programme,” he said.
To protect its supply chain, Airbus introduced a number of measures that include secure remote access for suppliers and a certain degree of access segregation, full audit of Airbus’s and suppliers’ production facilities and the identification of vulnerabilities. Suppliers have to review their process and make sure they meet Airbus standards.
As regards coding for safety environments, Airbus has internal teams with experts in code reverse engineering and in reliability assessment. “A lot of money, time and efforts are invested in making sure that any code we have is well validated. As any large organization, we have a very complex and extensive supply chain and the ways we handle it very much depend on the risks this supply chain poses to our business,” Jones said.
Peter Merker, CISO for Skyguide, which provides air navigation services for Switzerland and certain adjacent parts of neighbouring countries, explained that the entire air traffic control sector was going through a huge technological transformation driven by digitization. This digital transformation means moving away from a monolithic equipment base with a lifecycle of over 20 years to systems coming from the IT environment and “introducing commercial off-the-shelf software when we can, due to cost pressures and flexibility.
The entire air navigation control system is managed centrally and increasingly integrated across the continent within Eurocontrol, which means the digital transformation and the way the air traffic control sector uses suppliers are happening everywhere.”
“Skyguide buys software directly so we’re looking at contractual aspects, at source code reviews, which is new for us since we developed the codes ourselves.” Skyguide owns SkySoft, a software development company, which specializes in air traffic control management systems. “We manage what we develop ourselves together with what we buy off-the-shelf,” Merker said.
Dexter Casey, Group CISO for Centrica, a British-based multinational energy and services company, explained that Centrica had two main divisions, the first one, British Gas, for energy [gas and electricity] “has very large equipment, gas platforms and stations, thus facing challenges similar to those mentioned by the previous speakers.” The second Centrica division, he added, is Connected Home, an IoT company, “which has similar problems too with chips and chipsets coming from one place.
It is proving extremely difficult contractually to ask suppliers to change configuration or make these components unique,” Casey said, adding that Centrica had 30,000+ suppliers, and a team of some 15 staff reviewing contracts and performing security assessments. “What Centrica has to do is to focus its efforts on the 100-200 suppliers that have a critical impact on delivering its services,” he explained.
Several speakers mentioned the risks posed by “watering hole” attacks, in which malware is planted in certain websites of suppliers that are likely to be visited by the organizations being targeted. Software supply chain is an attractive target for attackers.
A July 2018 report by the US National Counterintelligence and Security Center (NCSC) warns that “software supply chain infiltration already threatens the critical infrastructure sector and is poised to threaten other sectors.” All panellists agreed that they faced similar challenges with infrastructures and processes relying more and more on both information and communication technology (IT) and operational technology (OT), making it much more complex than before to manage supply chains when digitization was less widespread and cyber threats were not an issue.