Cybersecurity Compliance in Product Value Chains

CPS security is now being treated as a national resilience issue, not a technical one. When an IT system fails, you lose data. When a CPS system fails, you lose operations, revenue, safety, and in some sectors, human life. That distinction is finally shaping policy. Across regions and industries, new rules are converging around a shared reality: A few examples: ↳ NIS2 (EU) Expands cybersecurity obligations to industries that operate physical-world systems: transport, healthcare, energy, manufacturing, water, and more. Boards are now personally accountable for CPS risk. ↳ FDA 21 CFR (Healthcare) Mandates software bill of materials (SBOM), vulnerability management, and lifecycle monitoring for connected medical devices treating them as safety-critical. ↳ TSA Pipeline & Rail Directives (US) Requires operators of physical infrastructure to implement continuous monitoring, segmentation, and incident response for CPS environments. ↳ IEC 62443 (Global Standard) Increasingly required by regulators, insurance providers, and large industrial OEMs. The standard recognizes that CPS risk is a function of configuration, exposure, and physical consequence not IT-style vulnerability counts. ↳ Sector-Specific Rules (Energy, Pharma, Utilities) Each new framework shares the same message: Organizations must prove that they understand their CPS risk and can reduce it. Three structural changes are increasing urgency: 1. CPS Attacks Have Real-World Consequences Power outages, halted manufacturing lines, delayed patient care, and compromised transportation systems. You cannot “restore from backup” when factories or hospitals go offline. 2. Global Supply Chains Depend on CPS Compromised PLC can stall a pharmaceutical plant, and vulnerable sensor can shut down logistics operations. Regulators now see CPS security as an economic stability issue. 3. Air-Gapped Systems No Longer Exist Even industries that believe they are isolated now rely on: Cloud analytics, remote maintenance, IoT sensors, vendor access and wireless mesh networks. The boundaries have dissolved. Regulators are effectively asking: → What CPS assets do you have? → How are they connected? → How do you mitigate without disrupting operations? → Can you demonstrate risk reduction over time? These are safety engineering, operations management, and national resilience questions. And they are now mandatory. CPS protection can no longer sit on the sidelines of cybersecurity strategy. It requires: → unified asset intelligence → vulnerability and risk scoring tailored to CPS → environmental context → governance models that bridge IT, OT, IoT, and safety teams Regulators are responding to a world where the systems we defend are no longer digital abstractions, they are physical dependencies that keep economies running. CPS security is becoming one of the defining resilience challenges of the next decade.

FTC Highlights Key Practices to Mitigate Cybersecurity Risks in Product Development As technology evolves, so do digital threats. The Federal Trade Commission (FTC) recently released vital recommendations to address cybersecurity risks linked to the development of AI, targeted advertising, and other data-intensive products. These risks stem from companies creating "valuable pools" of personal information that bad actors can exploit. Core Recommendations: Data Management - Enforce data retention schedules to limit unnecessary data storage. - Mandate deletion of improperly collected or retained data, including algorithms trained on such data. - Encrypt sensitive data to prevent unauthorized access. Secure Software Development: - Adopt “secure by design” principles, such as using memory-safe programming languages. - Conduct rigorous pre-release testing to identify vulnerabilities early. - Secure external product access with monitoring and intrusion detection systems. Human-Centric Product Design: - Implement phishing-resistant multi-factor authentication (MFA). - Enforce least-privilege access controls for employees handling sensitive data. - Avoid deceptive design patterns (e.g., "dark patterns") that compromise user privacy. The FTC underscores the importance of addressing systemic vulnerabilities and safeguarding consumers from digital security threats. With these actionable steps, companies can better protect data, ensure privacy, and enhance trust. Read the full details and explore related enforcement actions here: https://buff.ly/3PpuavB

🚀 𝐍𝐞𝐰 𝐏𝐮𝐛𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧! 𝐈𝐧𝐭𝐞𝐠𝐫𝐚𝐭𝐢𝐧𝐠 𝐭𝐡𝐞 𝐂𝐑𝐀 𝐢𝐧𝐭𝐨 𝐭𝐡𝐞 𝐈𝐨𝐓 𝐋𝐢𝐟𝐞𝐜𝐲𝐜𝐥𝐞: 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞𝐬, 𝐒𝐭𝐫𝐚𝐭𝐞𝐠𝐢𝐞𝐬, 𝐚𝐧𝐝 𝐁𝐞𝐬𝐭 𝐏𝐫𝐚𝐜𝐭𝐢𝐜𝐞𝐬 Proud to share our newest peer-reviewed article in Information (MDPI), co-authored with Miguel Ángel Ortega Velázquez, Iris Cuevas Martinez, and Dr. Antonio J. Jara (myself as ISACA CISM/CISA/AAIA). 𝘛𝘩𝘪𝘴 𝘸𝘰𝘳𝘬 𝘢𝘳𝘳𝘪𝘷𝘦𝘴 𝘢𝘵 𝘢 𝘤𝘳𝘶𝘤𝘪𝘢𝘭 𝘮𝘰𝘮𝘦𝘯𝘵, 𝘢𝘴 𝘵𝘩𝘦 𝘌𝘜 𝘊𝘺𝘣𝘦𝘳 𝘙𝘦𝘴𝘪𝘭𝘪𝘦𝘯𝘤𝘦 𝘈𝘤𝘵 (𝘊𝘙𝘈) 𝘣𝘦𝘤𝘰𝘮𝘦𝘴 𝘵𝘩𝘦 𝘮𝘰𝘴𝘵 𝘪𝘮𝘱𝘢𝘤𝘵𝘧𝘶𝘭 𝘳𝘦𝘨𝘶𝘭𝘢𝘵𝘪𝘰𝘯 𝘧𝘰𝘳 𝘐𝘰𝘛 𝘮𝘢𝘯𝘶𝘧𝘢𝘤𝘵𝘶𝘳𝘦𝘳𝘴 𝘪𝘯 𝘵𝘩𝘦 𝘤𝘰𝘮𝘪𝘯𝘨 𝘺𝘦𝘢𝘳𝘴. 🔥 𝐓𝐨𝐩 𝐓𝐚𝐤𝐞𝐚𝐰𝐚𝐲𝐬 1️⃣ 𝐀 𝐜𝐨𝐦𝐩𝐥𝐞𝐭𝐞 𝐦𝐞𝐭𝐡𝐨𝐝𝐨𝐥𝐨𝐠𝐲 𝐭𝐨 𝐜𝐨𝐧𝐯𝐞𝐫𝐭 𝐥𝐞𝐠𝐚𝐥 𝐂𝐑𝐀 𝐭𝐞𝐱𝐭 𝐢𝐧𝐭𝐨 𝐞𝐧𝐠𝐢𝐧𝐞𝐞𝐫𝐢𝐧𝐠 𝐫𝐞𝐚𝐥𝐢𝐭𝐲: We introduce a two-phase framework: • Phase 1: Systematically transform CRA Articles 13–14 and Annexes into atomic, testable engineering requirements. • Phase 2: Apply Analytic Hierarchy Process (AHP) quantitative scoring to produce a defensible readiness metric. 2️⃣ 𝐀 𝐟𝐮𝐥𝐥 𝐥𝐢𝐟𝐞𝐜𝐲𝐜𝐥𝐞-𝐛𝐚𝐬𝐞𝐝 𝐂𝐑𝐀 𝐜𝐡𝐞𝐜𝐤𝐥𝐢𝐬𝐭 𝐟𝐨𝐫 𝐈𝐨𝐓 𝐩𝐫𝐨𝐝𝐮𝐜𝐭𝐬: From secure design to post-market obligations, the paper provides an actionable DevSecOps-aligned checklist. 3️⃣ 𝐀 𝐝𝐞𝐟𝐞𝐧𝐬𝐢𝐛𝐥𝐞 𝐫𝐢𝐬𝐤-𝐛𝐚𝐬𝐞𝐝 𝐰𝐞𝐢𝐠𝐡𝐭𝐢𝐧𝐠 𝐦𝐨𝐝𝐞𝐥 𝐮𝐬𝐢𝐧𝐠 𝐭𝐡𝐞 𝐀𝐧𝐚𝐥𝐲𝐭𝐢𝐜 𝐇𝐢𝐞𝐫𝐚𝐫𝐜𝐡𝐲 𝐏𝐫𝐨𝐜𝐞𝐬𝐬 (𝐀𝐇𝐏): We derive consistent domain weights, ensuring mathematically validated prioritization of CRA domains. 4️⃣ 𝐑𝐞𝐚𝐥-𝐰𝐨𝐫𝐥𝐝 𝐯𝐚𝐥𝐢𝐝𝐚𝐭𝐢𝐨𝐧 through the TRUEDATA project funded by INCIBE - Instituto Nacional de Ciberseguridad: We applied the full model to a large industrial OT cybersecurity project (water infrastructure) with Neoradix Solutions AirTrace Bersey UCAM Universidad Católica San Antonio de Murcia at the pilots with the support of the Confederación Hidrográfica del Segura, O.A., Mancomunidad De Los Canales De Taibilla, and FRANCISCO ARAGÓN. 5️⃣ 𝐂𝐥𝐞𝐚𝐫 𝐨𝐩𝐞𝐫𝐚𝐭𝐢𝐨𝐧𝐚𝐥 𝐠𝐮𝐢𝐝𝐚𝐧𝐜𝐞. The paper provides best practices for SBOM automation, PSIRT & CVD setup, Secure-by-design, OTA, monitoring, attestation, documentation and conformity assessment Our aim from Libelium with this paper is to give the industry a practical, structured, and evidence-based way to operationalize compliance and strengthen cybersecurity by design. 𝐓𝐑𝐔𝐄𝐃𝐀𝐓𝐀 𝐝𝐞𝐦𝐨𝐧𝐬𝐭𝐫𝐚𝐭𝐞𝐬 𝐡𝐨𝐰 𝐭𝐡𝐞 𝐦𝐞𝐭𝐡𝐨𝐝𝐨𝐥𝐨𝐠𝐲 𝐚𝐩𝐩𝐥𝐢𝐞𝐬 𝐭𝐨 𝐡𝐢𝐠𝐡-𝐬𝐭𝐚𝐤𝐞𝐬 𝐢𝐧𝐝𝐮𝐬𝐭𝐫𝐢𝐚𝐥 𝐬𝐲𝐬𝐭𝐞𝐦𝐬. 𝐓𝐡𝐞 𝐂𝐑𝐀 𝐢𝐬 𝐧𝐨𝐭 “𝐣𝐮𝐬𝐭 𝐚𝐧𝐨𝐭𝐡𝐞𝐫 𝐫𝐞𝐠𝐮𝐥𝐚𝐭𝐢𝐨𝐧”, 𝐢𝐭 𝐢𝐬 𝐭𝐡𝐞 𝐧𝐞𝐰 𝐛𝐚𝐬𝐞𝐥𝐢𝐧𝐞 𝐟𝐨𝐫 𝐈𝐨𝐓 𝐭𝐫𝐮𝐬𝐭 𝐢𝐧 𝐄𝐮𝐫𝐨𝐩𝐞. 👉 Download here: https://lnkd.in/dQu54qE2 European Union Agency for Cybersecurity (ENISA) Felix A. Barrio (PhD, CISM) Global Cybersecurity Forum SITE سايت Betania Allo Axon Partners Group ISACA ISACA VALENCIA

📢 Cybersecurity in Medical Devices: A Regulatory Perspective 🔐 As #medicaldevices become increasingly connected, #cybersecurity is now a key focus for regulatory bodies worldwide. The #EUMDR and #FDA both emphasize cybersecurity requirements to ensure patient safety and data protection. This week’s infographic provides a comprehensive analysis of cybersecurity requirements under both frameworks. 💠 Pathway for Cybersecurity Compliance per EU MDR ⚡ Design Phase: Incorporate cybersecurity into risk management activities and align with General Safety and Performance Requirements (#GSPRs) ⚡ Development & Manufacturing: Implement secure-by-design principles, conduct verification/validation, and document residual risks ⚡ Conformity Assessment: Engage a Notified Body to review and certify cybersecurity compliance ⚡ Pre-Market Submission: Include cybersecurity measures in technical documentation, such as risk files, validation reports, and user instructions ⚡ Post-Market Activities: Monitor risks, address vulnerabilities through timely updates, and incorporate cybersecurity findings into post-market surveillance (PMS) and clinical follow-up (PMCF) 💠 Pathway for Cybersecurity Compliance per FDA ⚡ Pre-Market Development: Follow the Security Product Development Framework (SPDF), integrating secure design and risk management ⚡ Risk Management: Conduct risk assessments to identify and mitigate vulnerabilities ⚡ Documentation: Prepare cybersecurity management plans, testing reports, architecture details, and labeling ⚡ Submission: Provide this documentation in 510(k), De Novo, or PMA submissions ⚡ Post-Market Monitoring: Evaluate cybersecurity risks from device use, incidents, and vulnerability sources; deploy patches and updates as necessary 🎇 Additional EU Regulations Supporting Cybersecurity ✔️ #GDPR: Protects patient data collected or processed by medical devices. ✔️ NIS 2 Directive: Strengthens cybersecurity for critical infrastructure, including healthcare. ✔️ EU Cybersecurity Act: Establishes a European certification framework for digital products. ✔️ #CyberResilience Act: Focuses on secure-by-design principles for connected devices. 📌 High-Level Comparison of Cybersecurity Requirements for EU MDR and FDA ✳️ Approach: 🏹 EU MDR: Prioritizes pre-market compliance with rigorous assessments. 🏹 FDA: Focuses more on post-market monitoring and risk mitigation. ✳️ Compliance Requirements: 🏹 EU MDR: Imposes stringent obligations, emphasizing transparency, detailed documentation, and adherence to best practices. 🏹 FDA: Ensures device safety with flexibility, allowing manufacturers to determine how to meet cybersecurity requirements. 📢 Engage with This Post 👉 Let’s discuss: How is your organization navigating cybersecurity challenges in medical devices? 👉 Share your strategies for compliance or ask questions in the comments!

European Parliamentary Research Service: EU Cyber Resilience Act (#CRA) New technologies come with new risks, and the impact of cyber-attacks through digital products has increased dramatically in recent years. Consumers are increasingly falling victim to security flaws linked to digital products such as baby monitors, robo-vacuum cleaners, Wi-Fi routers and alarm systems. For businesses, the importance of ensuring that digital products in the supply chain are secure has become pivotal, considering three in five vendors have already lost money as a result of product security gaps. The European Union's lawmakers signed the 'cyber-resilience act' in October 2024. The regulation imposes cybersecurity obligations on all products with digital elements whose intended and foreseeable use includes direct or indirect data connection to a device or network. The regulation introduces cybersecurity by design and by default principles and imposes a duty of care for the lifecycle of products. The Cyber Resilience Act was published in the EU's Official Journal on 20 November 2024. It entered into force in December 2024 and will apply in full as of 11 December 2027.

Powered by Technology, Driven by Regulation: The Evolution of Software Supply Chain Security ! The software supply chain has become a critical area of focus for organizations and governments alike. The increasing use of software and third-party vendors has brought about new risks and vulnerabilities that need to be managed. Over the past year, we've seen a surge in cybersecurity threats, and the software supply chain is a prime target for attackers seeking to exploit vulnerabilities. Regulatory requirements have become an important driver of increased focus on software supply chain security. Governments around the world have introduced new regulations and standards to enforce stronger cybersecurity measures for software supply chains. For example, self-attestation requirements in the United States and Canada require organizations to implement appropriate cybersecurity measures and report on their compliance. The US Food and Drug Administration (FDA) has also introduced new guidelines for the management of cybersecurity risks in medical devices, which includes software supply chain management. In the UK, the Financial Conduct Authority’s (FCA) Cyber and Technology Resilience (CTR) regulatory framework for financial services includes software supply chain management. Meanwhile, technology is playing an increasingly important role in assessing and managing software supply chain risk. DevOps teams are increasingly implementing automation and other measures, such as secure coding practices, testing automation, SBOM, and artifact management, to reduce the risk of vulnerabilities. SBOM provides an understanding of the complete software component supply chain including open source assets. Artifact management provides the ability to maintain a secure software assembly line from code commits to production deployment. Together, the combination of secure coding practices, testing automation, SBOM, artifact management and integrated risk management platforms offer an end-to-end supply chain security during software development, maintenance, and distribution. By adopting these technologies, organizations can proactively identify and mitigate risks in their software supply chain, improve their software development practices and enhance cybersecurity posture. In conclusion, organizations need to assess their own risks and ensure they are compliant with relevant regulations and standards such as self-attestation requirements, FDA requirements, CRA, and NIS 2 directive regulatory requirements in Europe. Also, this requires a culture of ongoing vigilance and investment in appropriate security measures. Self-assessment, periodic third-party audits or automated monitoring can be invaluable to provide an early warning system for potential software supply chain risk. By adopting such a comprehensive approach, organizations can build and maintain more secure software products and associate supply chain environment.

A cybersecurity program should be well rounded and needs strong components, one of which is a Third-Party Vendor Cyber Risk Assessment program. I believe there will be regulatory push for this moving forward so adopting this practice is beneficial sooner rather than later. Organizations within critical infrastructure—such as energy, healthcare, finance, and transportation—are increasingly vulnerable to cyber threats due to the interconnected nature of modern supply chains. Third-party vendors often have direct access to sensitive data and critical systems, making them a significant cybersecurity risk. A single breach through a compromised vendor can lead to operational disruptions, data theft, regulatory penalties, and even national security threats. To mitigate these risks, organizations must implement rigorous third-party vendor cyber risk assessments as part of their cybersecurity strategy. These assessments help ensure compliance with regulatory frameworks (such as NIST, ISO 27001, CIS and CISA guidelines), protect sensitive data, and strengthen operational resilience against supply chain attacks. Key components of a robust vendor risk assessment include: Vendor Risk Profiling: Identifying vendors with access to critical systems. Security Policy & Compliance Review: Ensuring adherence to cybersecurity standards. Access Controls & Data Protection: Enforcing least privilege access and encryption. Incident Response & Recovery Readiness: Evaluating vendors’ breach response capabilities. Continuous Monitoring & Penetration Testing: Regularly assessing vulnerabilities and security posture. Contractual Security Requirements: Embedding cybersecurity obligations in vendor agreements. To strengthen third-party risk management, organizations should adopt a risk-based approach, enforce Zero Trust principles, require real-time security monitoring, and conduct regular cybersecurity exercises. Cyber threats are escalating, and organizations can no longer afford to overlook vendor risks. A proactive cybersecurity strategy that includes thorough third-party risk assessments is essential for safeguarding critical infrastructure, ensuring regulatory compliance, and maintaining national security.

Your Vendor's Breach is Your Problem: The Supply Chain Security Wake-Up Call. The recent NYT report on the bank data hack via a third-party vendor confirms a critical truth: https://lnkd.in/eqTaNTX2 In today's interconnected world, your security perimeter is only as strong as your weakest link. This is not just a "big bank" problem. If major financial institutions can be exposed by vendors, smaller firms who often share those same suppliers, or rely on vendors with less mature controls, are equally (if not more) vulnerable. Data confidentiality and system access are non-negotiable privileges that must be earned and constantly re-verified. To the question, "Is there nothing that can be done?"—the answer is a definitive NO. We must move past reactive audits and embrace a proactive posture. 4 Essential Steps to Protect Your Confidential Data: 1. Shift to Continuous Monitoring: Annual questionnaires are insufficient. Implement tools for real-time risk scoring and continuous assessment of vendor security posture. 2. Zero Trust for Third Parties: Apply the principle of least privilege. Vendors should only have access to the bare minimum data and systems absolutely required for their service, and no more. 3. Mandate Cyber Contractual Clauses: Ensure contracts legally enforce strong security controls, prompt breach notification, and right-to-audit clauses. 4. Data Minimization: Review every vendor relationship. If a third party doesn't truly need access to confidential data, remove it. Reduce the attack surface immediately. The fallout from a breach is astronomical. The investment in robust TPRM and cyber oversight is a strategic necessity, not a compliance burden. Leaders, the time to vet and monitor is now.

#ZeroTrust or #ZeroMargin: Cyber attacks against food and consumer product manufacturers are no longer about stealing data—they are about stopping production. Highly automated plants, globally connected supply chains, and third-party dependencies mean a single breach can disrupt operations and impact revenue within hours. Two Incidents Every Executive Should Understand 1. Global Food Producer Ransomware Shutdown A major food manufacturer was forced to halt production across multiple plants following a ransomware attack—creating immediate supply disruption and financial impact. Failure point: Flat networks and implicit trust between IT and OT environments. 2. Beverage Manufacturer Supply Chain Breach Attackers entered through a third-party vendor connection, disrupting logistics and internal systems. Failure point: Over-permissioned vendor access with no continuous verification. The Pattern: Trust Is the Vulnerability * Users are trusted after login * Vendors are trusted once connected * Networks are trusted by default That model no longer holds. Where #ZeroTrust Changes the Outcome * #ContinuousVerification – Every user, device, and session is validated in real time * #MicroSegmentation – Prevents lateral movement into production systems * #SecureRemoteAccess – Eliminates broad network exposure for vendors and remote users * #Enforcement Points Everywhere – Access is controlled at identity, network, application, and data layers Bottom Line: In manufacturing, cybersecurity is operational resilience. If an attacker can move freely, they can stop production. If they can’t move, the impact is contained. Zero Trust isn’t about preventing every breach—it’s about ensuring one breach doesn’t become a shutdown. #ZeroTrust #CyberSecurity #Manufacturing #FoodIndustry #OTSecurity #SupplyChainSecurity #Ransomware #CISO

Integrating ISA/IEC 62443 Cybersecurity throughout Project Lifecycle How to integrate cybersecurity in project phases is a million dollar question, let's explore together! >> integrating Cybersecurity in the project life cycle provides many benefits: > Proactive risk mitigation to prevent vulnerabilities. > Compliance with industry standards and regulations. > Cost savings by addressing security early. > Ensures operational reliability and safety. >> The IEC 62443 framework provides a structured approach to secure systems throughout their lifecycle—from conceptualization to ongoing operation. >> Relevant Standards: > ISA/IEC 62443-2-1, > ISA/IEC 62443-2-4, > ISA/IEC62443-3-2, and > ISA/IEC62443-3-3, >>These standards cover > cyber security management, > risk assessment, and > technical requirements. 1. Concept Phase: Define project goals, scope, and requirements. >> Key Activities: > Define scope of work and requirements. > Develop strategy and methodology. > Assign roles and responsibilities. >> Relevant Standards: IEC 62443-2-1 and IEC 62443-2-2. 2. FEED Phase: Front-End Engineering Design >> Key Activities: > Identify Systems under Consideration (SuC). > Conduct a high-level risk assessment. > Partition zones and conduits. > Perform detailed risk assessments. > Specify cybersecurity requirements. >> Relevant Standards: IEC 62443-3-2. 3. Project Phase: Execute the design, build, and testing activities. >> Key Activities: > Conduct detailed engineering. > Perform Factory Acceptance Testing (FAT). > Commission systems. > Hand over systems to operations. >> Relevant Standards: IEC 62443-3-3 and IEC 62443-2-4. 4. Operation Phase: operations and Maintenance >> Key Activities: > Maintain systems. > Monitor cybersecurity performance. > Manage change. > Respond to and recover from incidents. >>Relevant Standards: IEC 62443-3-3 and IEC 62443-2-4. #icssecurity #otsecurity