Software Supply Chain Security
23.Sep.2024

How to Effectively Manage ICT Supply Chain Security: Onward Security Reveals Critical Cybersecurity Strategies

The notorious SolarWinds attack in 2020 triggered global concern about supply chain security. SolarWinds, a key provider of network, systems, and IT infrastructure management solutions, was widely used by 425 Fortune 500 companies at the time, underscoring the breadth of the impact. The attackers' systematic breach of SolarWinds ultimately compromised over 10,000 corporate clients, making it one of the most significant supply chain cyber attacks in recent history.
 
Since the SolarWinds breach, supply chain attacks, which exploit the inherent trust between the parties in a supply chain, have become increasingly prevalent. In the highly specialized modern economy, it is difficult for a company to independently manage the full cycle of product or service delivery. Companies must rely on upstream and downstream partners, outsourced manufacturers, and even open-source software and components, and each of these dependencies creates an avenue that malicious actors can exploit. This has heightened global attention on supply chain cybersecurity.

Jasper Liu, Chief RD Officer and Director of Cybersecurity Compliance at Onward Security, noted that concerns about supply chain security are not new; they first emerged in the public eye at the beginning of the century. However, the primary focus back then was not cybersecurity but mitigating disruptions in the wake of the 9/11 attack. That attack made industries around the world acutely aware that a single incident could severely disrupt business operations globally, and it led to the development of the ISO 28000 supply chain security management system standard. Cybersecurity, however, was not yet a focal point of these discussions.

As businesses increasingly rely on information technology (IT) and geopolitical risks continue to rise, the scope of supply chain security has significantly evolved. In response, the Biden administration in the United States has issued executive orders including EO 14017 and EO 14018, aimed at gradually driving the standardization and regulation of software supply chain security.
 

Referencing the CMMC Framework and Assessing Partner Cybersecurity Maturity

As a compliance service provider under DEKRA, Onward Security understands that the first step in conducting a corporate cybersecurity risk assessment is to define the scope and identify potential risks. The scope of cybersecurity protection can be categorized into three aspects: the internal ICT environment of the company, the environment provided by service providers, and the security of supply chain partners.

Liu emphasized that the first step in securing the supply chain is to review data flows based on key indicators including sensitivity, integrity, and availability, to identify potential risks. A critical focus here is understanding what sensitive data is involved, where it flows to, and subsequently defining appropriate management policies and processes. At this stage, businesses can look to management systems established by leading national organizations. For example, guidelines issued by the US National Institute of Standards and Technology (NIST) often serve as the foundation for international standards. Relevant examples include NIST SP 800-171, NIST SP 800-172, and the Cybersecurity Maturity Model Certification (CMMC), which addresses cybersecurity concerns from the U.S. military-industrial complex supply chain. These frameworks provide valuable standards for companies to follow.
 

The Core Issue of Supply Chain Cybersecurity: Ensuring a Secure Development Lifecycle

In summary, while supply chain security initially focused on "cargo security," only in recent years has the emphasis shifted toward "software security." Liu highlighted that although discussions of supply chain cybersecurity often start at the application layer, the root cause of all ICT security issues lies in the security of software and firmware. As a result, it is imperative for companies to strengthen the security of their software development supply chain. To address this trend, organizations should prioritize compliance with NIST SP 800-218, which evaluates how businesses implement secure development practices through the Secure Software Development Framework (SSDF). This involves ensuring that companies allocate the necessary resources, personnel, and policies to promote secure development while establishing mechanisms to protect the software, ultimately ensuring the security of the final product.

When implementing NIST SP 800-218, Liu recommended referencing the CIS Software Supply Chain Security Guide for the key areas of focus. First, environment control: companies must properly control their development environments, including the environments used for source code storage, compilation, and packaging. Second, automation: as the Software Bill of Materials (SBOM) becomes increasingly important for secure software development, companies must use automation tools to enumerate software components, as manual processes are no longer sufficient. Third, integrity: it is essential to verify that downloaded packages and libraries are what they claim to be before they are used. Fourth, accountability: organizations must maintain immutable records of who committed, reviewed, and is responsible for the source code, to ensure transparency and security.
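As an added illustration of the "integrity" and "automation" items above (example code written for this page, not code from Onward Security or from the CIS guide), the following script parses a pip-style lock file with pinned SHA-256 hashes, refuses a downloaded artifact that does not match its pin or has no pin at all, and emits a CycloneDX-shaped component list of the kind an SBOM tool would consume. The package names, versions, lock file, and artifact bytes are all constructed for the example; the pinned digest is derived from the constructed "trusted" bytes to stand in for the hash a reviewer recorded when the dependency was first vetted.

```python
"""Added example: hash-pinned dependency verification plus an SBOM-style
component list. Not code from the original article; all inputs are constructed."""
import hashlib
import hmac
import json
import re

# Constructed "trusted" artifact bytes, standing in for the wheel the publisher shipped.
TRUSTED_ARTIFACT = b"example-pkg-1.2.0 wheel contents (constructed)"
# The pin a reviewer would record in the lock file when the dependency was vetted.
PINNED_DIGEST = hashlib.sha256(TRUSTED_ARTIFACT).hexdigest()

# Constructed lock file in the `pkg==ver --hash=sha256:<hex>` form pip accepts.
# The second entry deliberately has no hash, to show how an unpinned dependency is treated.
LOCKFILE = f"""
# constructed lock file
example-pkg==1.2.0 --hash=sha256:{PINNED_DIGEST}
unpinned-pkg==0.9.1
"""

LOCK_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)")


def parse_lockfile(text):
    """Return {name: {"version": str, "hashes": {alg: hex}}} for each pinned line."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable lock line: {line!r}")
        hashes = {h.group("alg"): h.group("hex").lower()
                  for h in HASH_OPT.finditer(m.group("rest"))}
        deps[m.group("name")] = {"version": m.group("version"), "hashes": hashes}
    return deps


def verify_artifact(data, pin):
    """Accept a downloaded artifact only if it matches every recorded hash.

    A dependency with no hash at all is rejected: an unpinned download cannot be
    tied back to the bytes that were reviewed, so it fails the integrity check."""
    if not pin["hashes"]:
        return False, "no hash pinned"
    for alg, expected in pin["hashes"].items():
        if alg not in hashlib.algorithms_available:
            return False, f"unsupported algorithm {alg}"
        actual = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, f"{alg} mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "ok"


def sbom_components(deps):
    """CycloneDX-style component entries (only the fields this example fills in)."""
    comps = []
    for name, pin in sorted(deps.items()):
        comps.append({
            "type": "library",
            "name": name,
            "version": pin["version"],
            "purl": f"pkg:pypi/{name}@{pin['version']}",
            # CycloneDX spells the algorithm "SHA-256"; the lock file uses "sha256".
            "hashes": [{"alg": alg.upper().replace("SHA", "SHA-"), "content": h}
                       for alg, h in pin["hashes"].items()],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": comps}


if __name__ == "__main__":
    deps = parse_lockfile(LOCKFILE)
    print(verify_artifact(TRUSTED_ARTIFACT, deps["example-pkg"]))            # genuine artifact
    print(verify_artifact(TRUSTED_ARTIFACT + b"\x00", deps["example-pkg"]))  # tampered artifact
    print(verify_artifact(b"anything", deps["unpinned-pkg"]))                # unpinned dependency
    print(json.dumps(sbom_components(deps), indent=2))
```

The point of the unpinned entry is that an SBOM listing by itself is not an integrity control: a component with no recorded hash can be inventoried but not verified, so the component list should flag such entries for the accountability review rather than silently passing them.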
 

Building a Strong Cybersecurity Team Through Effective Authentication Mechanisms

In Taiwan, two key industries have been actively advancing supply chain cybersecurity efforts. The first is industrial control systems (ICS), which encompass critical infrastructure and cannot tolerate any security vulnerability, since a compromise can have a significant impact on public welfare. Consequently, the ICS industry adheres to the IEC 62443 standard, which provides comprehensive cybersecurity guidelines tailored to asset owners, service providers, system integrators, and component suppliers. The IEC 62443 framework is designed to integrate all of these functions and entities into a secure supply chain.

The second is the auto industry. Although people joke about how small the Taiwanese auto industry is, many Taiwanese ICT companies are keen to obtain verification so they can promote their products for automotive applications, which requires them to meet the security standards of the auto supply chain; Onward Security promotes automotive cybersecurity compliance services for this purpose. There is a complex web of related regulations and standards, but the key ones are the UN R155 regulation on vehicle cybersecurity, R156 on software update security, and the corresponding extensive ISO/SAE 21434 and ISO 24089 standards. All vehicles must comply with these regulations before receiving type approval and entering the market, which prompts automakers to demand secure products from their suppliers and thereby fosters a comprehensive secure supply chain.
 