Secure supply chains for ICS


  • Erik Zouave
  • Margarita Jaitner

Publish date: 2019-10-02

Report number: FOI-R--4759--SE

Pages: 52

Written in: Swedish


  • ICS
  • supply chain security
  • cyber security


Examining the recent trends in industrial control systems (ICS) sourcing and maintenance, a trend towards complex supply chains is detectable. Complex supply chains can pose a number of risks to operators of ICS and their ventures. Further, recently surfaced incidents that involve suppliers, further put supply chain security in focus within the area of cyber security. Based on a number of legal stipulations, norms, and industry best practices and advisory documents, such as standards and guidelines, this report compiles and categorizes activities aimed at securing supply chains for ICS. The report also establishes a generic model representing a typical lifecycle for an ICS. The model presents the phases in which the various activities for securing the supply chain should take place. Many of the activities are to be carried out prior to acquisition of an ICS, whilst others are in focus at different stages throughout the lifetime of an ICS. The report suggests that the chosen legal stipulations and best practices include four main areas of measures that can be carried out in order to secure supply chains. These areas are: defining of the relationship between the operator and the supplier; carrying out required analyses; establishing policy and action plans; and specifying security requirements.