April 2022 / Vol. 27 No. 4

By Steve Griffith, PMP, Senior Industry Director, Transportation Systems and Cybersecurity, NEMA

The supply chain ecosystem is transforming. Trends such as digitalization, machine learning, artificial intelligence, and the Internet of Things (IoT) allow manufacturers to restructure supply chains within their respective organizations. Devices and systems that are manufactured and subsequently deployed are dynamic and capable of evolving, even into unanticipated use cases. In addition, threats from external malicious actors explicitly target the supply chain of critical infrastructure providers and medical imaging manufacturers.

The electroindustry is serious about its role in strengthening the cybersecurity of the products it produces. NEMA manufacturers have developed and implemented industry best practices to secure their supply chains, operations, and products by minimizing cybersecurity risks. One such document is the recently revised NEMA Supply Chain Best Practices document (NEMA CPSP 1-2021). This document identifies a recommended set of best practices and guidelines that electrical equipment manufacturers can implement during product development to minimize the possibility that bugs, malware, viruses, or other exploits can be used to impact product operation negatively.

A key addition in the latest revision of the document is a new section describing how manufacturers work with their suppliers to assess, mitigate, respond, and remediate associated risks in the supply chain. Manufacturers utilize several techniques to manage dependencies in their supply chain. It starts with gathering information and establishing trusted communication with suppliers. This can be done via the following methods: classifying supplier types/categories, a vetting questionnaire, continuous monitoring using security ratings that dynamically measure an organization’s security performance, and Statements of Work (SOW) and Service Level Agreement with suppliers. Manufacturers also have continuous monitoring and vulnerability response programs for their supplier’s products.

The cybersecurity supply chain risk management topic is something that the National Institute of Standards and Technology (NIST) is considering in the update of its NIST Cybersecurity Framework (CSF). Specifically, NIST is asking for the following:

• Approaches, tools, standards, guidelines, or other resources necessary for managing cybersecurity-related risks in the supply chain in narrowly defined areas or sectors that can be used more broadly across diverse disciplines
• Gaps in existing supply chain risk management guidance, including how they apply to information and communications technology, operational technology, IoT, Industrial IoT, and open-source software
• Integration of the CSF and Cybersecurity Supply Chain Risk Management Guidance. Should this guidance be integrated into the CSF, or would it be better in a separate framework?

NEMA will provide comments on the Request for Information by the April 25, 2022, closing date. A public workshop on the CSF is being planned for later this year. ei