UL announced the debut of its Supplier Cyber Trust Level solution, which the organization says helps organizations minimize supply chain cybersecurity risk by focusing on the trustworthiness of suppliers' security practices.
Suppliers’ security practices are analyzed across multiple trust categories, resulting in a "documented supplier Trust Level rating." This rating is intended to demonstrate the trustworthiness of a supplier's security practices across the software and hardware development lifecycle, hosted systems, information management systems, and their third-party management.
There is currently no single certification or framework on the market that adequately addresses the complexities of securing an enterprise-wide supply chain, reports the company. Individual security industry standards and certifications often address only a portion of the overall cybersecurity posture, leaving out other security aspects that are often critical for the supply chain. The goal of the assessment is to give organizations a holistic view of a supplier's security posture, along with a "fair and consistent" evaluation of cybersecurity posture from supplier to supplier.
"Cybersecurity for connected technologies is a major risk that impacts manufacturers, service providers, suppliers, and end product ecosystems," said Isabelle Noblanc, Global Vice President and General Manager of the Identity Management and Security division at UL. "A supplier's security-oriented culture, security processes and practices, and secure R&D environments are all critical when validating supplier security. UL understands this significance and continues to help organizations with IoT cybersecurity offerings that address end products, ecosystems, and now—with the launch of our Supplier Cyber Trust Level—supply chains."
The rating uses security controls from various industry best practices, standards, and frameworks, including National Institute of Standards and Technology (NIST) cyber supply chain risk management, European Union Agency for Cybersecurity (ENISA) supply chain attacks, North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)-013-1 standard, International Electrotechnical Commission (IEC) 20243-1, 62443-4-1, and 62443-2-4 standards, and International Organization for Standardization (ISO) 27001 standard, among others.
Another goal of the endeavor is to help suppliers "implement and strengthen" continuous improvement plans and demonstrate and differentiate security strengths to multiple customers and groups of stakeholders. According to the company, this approach in working with both organizations and suppliers helps holistically strengthen the security of supply chains and the digital economy. For automotive and mobility applications, the solution aims to provide a way for manufacturers to require suppliers to test the parts being provided to the OEM for cybersecurity protocols.
The UL Supplier Cyber Trust Level joins a growing list of IoT security solutions, including the UL IoT Security Rating, services for IEC 62443 and UL 2900 Series of Standards, and security by design training, advisory, and testing services that address secure product development, cybersecurity in smart ecosystems, and supply chain risk management.
"The COVID-19 outbreak has made it clear how vulnerable supply chains can be," said Noblanc. "Although the COVID-19 situation has exposed vulnerability related to the availability of supply chains, it has also raised further awareness that cybersecurity is another prominent threat to supply chains worldwide. The UL Supplier Cyber Trust Level solution will help companies globally to better secure their supply chains and help bring safer products to the market."
For more information, visit UL.com.