The UL Supplier Cyber Trust Level analyzes suppliers' security practices across multiple trust categories, resulting in a documented supplier Trust Level rating. This rating, says the organization, demonstrates the trustworthiness of a supplier's security practices across the software and hardware development lifecycle, hosted systems, information management systems, and third-party management.
"Cybersecurity for connected technologies is a major risk that impacts manufacturers, service providers, suppliers and end product ecosystems," says Isabelle Noblanc, global vice president and general manager of the Identity Management and Security division at UL. "A supplier's security-oriented culture, security processes and practices and secure R&D environments are all critical when validating supplier security. UL understands this significance and continues to help organizations with IoT cybersecurity offerings that address end products, ecosystems and now — with the launch of our Supplier Cyber Trust Level — supply chains."
Currently, says the organization, there is no single certification or framework on the market that adequately addresses the complexities of securing an enterprise-wide supply chain. Individual, separate security industry standards and certifications often address only a portion of the overall cybersecurity posture, which means they leave out other security aspects that are often critical for the supply chain.
Leveraging security controls from many well-known industry best practices, standards, and frameworks, the UL Supplier Cyber Trust Level assessment is offered as providing a holistic view of a supplier's security posture, and as giving organizations a fair and consistent way to compare the cybersecurity posture of one supplier against another. It also helps suppliers implement and strengthen continuous improvement plans and demonstrate and differentiate their security strengths to multiple customers and groups of stakeholders.
The solution leverages industry standards and frameworks including the following:
- NIST cyber supply chain risk management
- ENISA supply chain attacks
- METI Society 5.0
- NERC CIP-013-1
- UK Supplier Assurance
- ISO/IEC 20243-1
- IEC 62443-4-1 & 62443-2-4
- ISO 27001
This comprehensive approach in working with both organizations and suppliers, says the organization, helps holistically