Governments and Industry Must Collaborate to Address Third-Party Security Threats

By Christophe Blassiau, Senior Vice President, Cybersecurity & Global CISO at Schneider Electric

Schneider Electric joined the Cybersecurity Tech Accord in February 2020 because we believe that collaboration between customers, businesses and governments is necessary to address cyberthreats. The commitment to greater collaboration within the technology industry and with other stakeholders on cybersecurity issues is one of the group’s four foundational principles. Such commitment is especially important in the area of supply chain security, where digital connections to external third parties can increase your own enterprise risk. At Schneider Electric we operate in over 100 countries, source goods and services from five continents and manage more than 50,000 unique suppliers. All of this increases the cyber complexity under which we all operate.

These risks have pushed us to consider new solutions to address dynamic threats. In August 2020, we issued our own Third-Party Security Principles, which govern how we engage suppliers on their cybersecurity posture. These core principles include:

  1. Embed security and privacy in the procurement process and life cycle to ensure clear cybersecurity requirements for all relevant suppliers.
  2. Take a risk-based approach in assessing third parties to ensure an accurate appreciation of risk and require an appropriate set of controls based upon this level of risk.
  3. Implement a source code policy and secure-by-design development approach that emphasizes security, quality and trust in our products and systems.

Governments, like companies, play a critical role in ensuring the global digital economy is safe and secure for everyone. Governmental activity to address supply chain security threats has increased in recent years. Policies ranging from the European Union’s proposed update to the Network and Information Security (NIS2) Directive, to the United States Executive Order on Improving the Nation’s Cybersecurity, to the China Cybersecurity Review Measures all aim to address these threats in their own way.

At Schneider Electric, we urge our government partners around the world to address supply chain security threats in the same spirit of collaboration that drives Cybersecurity Tech Accord signatories. It is through collaboration that we will establish mutual trust and understanding. Specifically, we strongly recommend governments consider the following efforts when crafting new policy in the supply chain security space:

  1. Ensure industry and private society groups have formal mechanisms to provide thoughtful feedback and recommendations to governments on proposed policies.
  2. Incentivize improved cybersecurity practices by rewarding vendors for voluntary adherence to existing international cybersecurity standards (e.g., IEC 62443 and ISO 27000).
  3. Establish and enhance programs that rely on objective analysis and technical rigor to establish trust in vendor products and systems. An example of such an approach is the U.S. Department of Energy Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program. Schneider Electric was the first equipment manufacturer to participate in this program, which relies on independent cybersecurity testing of products to build trust between government agencies and key suppliers.

It is through these principles, efforts and constructive collaboration that we will address this constantly evolving threat landscape.