What's next for industrial supply chain security?

By Patrick Miller

Critical infrastructure needs to focus on supply chain security. Watch this interview with Ampere's Patrick C. Miller about what is next and how to prepare.

Keysight Sr. Industrial Solutions Manager Gail Ow interviews Ampere CEO Patrick Miller about supply chain security. Interview edited for length and clarity.

GAIL:

There's been an awful lot of talk about industrial cybersecurity lately, and one of the things that I keep hearing an awful lot about is supply chain security. What supply chain are we talking about?

PATRICK:

We are talking about the supply chain for critical infrastructure. These are the important machines that keep our world running, our electricity, water, gas, chemical, those kinds of things. Supply chain for those is really the hardware and software components in those. We're worried about how the hardware is going to work. And we're worried about how the software is going to work. And did anybody in the process insert anything into that that could cause really bad problems? That's really what we're looking for.

GAIL:

What's wrong with the supply chain now and why do we care?

PATRICK:

It's not that there's anything really wrong with it. It's gone a long time without a lot of checks and balances is what's happened.

We've gone a long time where everything in the critical infrastructure space was really physical. It operated based on physics, like pneumatics, or electromechanical. We've recently, in the last ten to twenty years, made all that stuff transition from the physical world into the digital world.

We're still using some of the physical components. But as we insert more and more of that digital stuff, it's good. It does an even better job in a lot of cases than the original physical stuff. But it's also connected now because it is digital.

And we want the data out of it. So now that we've kind of built all these new digital things, and got them all for all of our infrastructures, we're coming back at this, as usual with security, after the fact and saying, 'Whoa, what about securing all these things, by the way?' That is where we are at this point.

At the same time, we've gone into less of a localized manufacturing perspective to a global perspective. It's really difficult to buy any digital components today that are really made in one place. 'Made in' usually means 'assembled in' whatever country or location that might be. Because the parts that go to make all that up came from all over the world, in almost every case.

GAIL:

Coming from product management, I sure know that situation very, very well. What can we do to limit our risk?

PATRICK:

Limiting the risk is difficult. If this were an easy problem to solve, it would have been done already, right? We're in the situation we're in because it's hard to solve. We're coming at it in a reverse perspective.

I think the best way to limit the risk on this is, we found the sweet spot: given all the challenges we've seen trying to get where we are now, the 'bill of materials' is probably the best.

A hardware bill of materials, a software bill of materials. And this just tells you basically what's inside, so you can check to make sure. The best analogy is the can of soup. There's a list of ingredients on the outside. And that had better be what's inside that can of soup.

With that we can see: did the manufacturer give us exactly what we expected? And then we can check to see if that's what we have. At that point, we at least know what our risks are. We can decide based on what's in there where to put it from an architecture perspective, how isolated it has to be, how to manage it, how to do incident response, those kinds of things as well.

Right now, that's probably our best approach, given our current situation.

GAIL:

That makes a lot of sense. It also sounds like an awful lot of work. Is anyone requiring us to take action right now?

PATRICK:

Yes and no. It depends on what infrastructure you're in. In the electric sector, there's NERC CIP and there are some supply chain regulations there. There are some newer supply chain components built into the TSA pipeline safety and security elements as well, the guidelines and the directives. And in chemical and in water. We're seeing it at least in those infrastructures.

It's in other places as well, but not so much as a mandate or a directive, or even built into what would be a standard, for example. It's getting more and more and more attention. It's in every executive order. It's in the National Security Memorandum. It's in everything right now.

Being required to do it is one thing, but also knowing that it's the right thing to do is the other thing.

So, yes, there are some that are required. I think more and more over time are going to get requirements to do this as well.

GAIL:

How far do we have to go to get to where we want to be?

PATRICK:

I think it's going to happen pretty quick. We've hit an inflection point. It was in NERC CIP and it's been seen in other areas, and it's getting that standardization. It's normalizing a little bit. But with the Executive Order 14028, it was actually mandated in order to sell to the federal government. So the federal acquisition regulations, basically the FARS and the DFARS for defense as well. If you want to sell products to the federal government, you have to have some supply chain component like an SBOM [software bill of materials] and some other things as well.

That's a pretty large amount of organizations. A lot of companies sell to the federal government. If they sell in the electric sector, they're required to for NERC CIP in a similar way. More and more manufacturers are really being forced into this one way or another. Not the least of which is if you want cyber insurance, this is likely going to get asked of you as well.

And PR, front page. There's other motivators or business drivers that would get people on board for this as well. This is not easy, and it's going to take some work, but I think there are some pretty strong motivators to get everyone in line.

GAIL:

What risks are we going to be taking if we choose not to or if we don't have time to do this right now?

PATRICK:

I don't think there's much of an option. Your risks are pretty big. We're talking about critical infrastructure. If we don't do this, we end up with probably things going 'boom' and possible loss of life. That's the extreme case, of course. We could have everything from large scale equipment damage and long term outages, for example. If we do have somebody --- some determined party, adversary, whatever that might be --- that is able to insert bad things into our supply chain, and those bad things make it into the critical infrastructure, that's a problem.

So, not doing it isn't just a matter of having some sort of PR nightmare on your hands. It would likely be lawsuits and loss of insurance and credit rating and dragged in front of the federal government, and many other kinds of really bad problems you don't want to have. In addition to whatever issue you caused. I think it's a pretty strong motivator.
GAIL:

That is a strong motivator. I sure appreciate your time today, Patrick. This was informative. I sure hope our audience appreciates it as well. Thank you very much.
PATRICK:

Thank you.
