In recent years, several vulnerabilities in smart vehicles have been exposed by ethical hackers. Tesla stood out among the affected manufacturers for responding relatively quickly, fixing its cars through software patches installed remotely (over-the-air updates). One likely reason for this agility, compared with its competitors, is its approach to supply chain management (SCM).
In the world of connected cars, many parts of a system, including software code, are developed by third parties. Tesla, however, has its own supply chain strategy and takes ownership of many aspects of its manufacturing process. It develops its own technology, including artificial intelligence, and when it does rely on suppliers, it picks them extremely carefully. Forbes called this "the 21st century supply chain".
Third-party involvement brings its own challenges. Even Tesla recently had a setback in the market, caused by a delay in the release of the Model 3 because a supplier "dropped the ball". Other risks relate to quality, know-how, ownership, or losing control over critical issues. Cyber security is one of those issues.
In today's economy, most businesses need suppliers to function. Vehicles comprise complex systems of systems that require different sorts of expertise. A similar principle applies to IoT consumer devices, where many manufacturers are medium or small companies with a limited number of employees and capabilities. While it is important to have a methodology to assess third-party risks, it is just as relevant to focus on how relationships with suppliers are managed. A recommended approach is to use an SCM (Supply Chain Management) model as a reference. It can be argued that this kind of model will not usually include direct guidelines related to security, and that is fine, because that is not its purpose. What it provides is a backbone for managing relationships with suppliers through defined processes.
If security is a priority for a company, it will be natural to reflect this in its SCM processes. For example, an SCM model will establish that suppliers should be selected through a systematic decision-making procedure; cyber security certifications and expertise should then be one of the selection criteria in that procedure. Likewise, if security features are part of the technical and business requirements, this will be reflected in the requirements development and requirements management processes, and the verification and validation processes should in turn include security tests that check those requirements. Agreements management and the definition of service levels can additionally help to reduce security risks: fines or penalties for non-compliance with agreements can be established to show that security is taken seriously.
SCM best practices allow the establishment of rules of engagement and set clear goals and expectations with third parties. Furthermore, it is valuable to team up with suppliers, wherever possible, to make sure that security is a shared objective. Another option would be to just get rid of all suppliers. But let's be real: not every company can be Tesla.
By: Carolina Adaros Boye, Cyber Security PhD Researcher, Birmingham City University
Source: IISP Pulse Magazine Spring Edition