A blog that informs about security topics in the small intersection between IT and OT.

As shown in the movie Victoria & Abdul from 2017, Victoria, being a queen, wanted what Abdul referred to as the “queen of fruits”, the mango, brought to her in London for her golden jubilee in 1887.

This request would obviously push the supply chain from India to England to the limit. She had a few things going for her. First, she was the queen of the largest empire on earth, so everyone would jump when she said jump; secondly, the Suez Canal had opened for traffic in 1869, cutting the journey between India and Europe by some 7000 km. Measured in travel time in the late 1800s, that was huge.

But let's return to the present day, about 150 years after Victoria's request, and discuss security and supply chains and the impact they can have on critical infrastructure. The thing is that when people think about supply chains today they still think about them in the same way. The Suez Canal is still in the news: as this is written, transport is being disrupted by Houthi rebels, forcing the navies of many countries to patrol the area.

Biggest Security Implications on the Supply Chain

We talked mainly about physical transport, whether it be by ship, train, truck or plane. It is still the moving of physical things from one place to another. Obviously, this can have security implications (e.g., the NSA hack), but I would like to broaden the question beyond the physical transport of goods and raise two other questions regarding the supply chain that might actually be more important.
  • The Supplier. Where do they manufacture? Do they have sub-suppliers (such as EMS providers)? How do they source their components?
  • The Software. How can you control the firmware you get? Updates? Secure boot?
The main reason to raise these two is that when it comes to security it is all about time and your posture. Are you able to uphold your security posture over the lifetime of your system, which in an OT setting can span decades? This depends far more on your relationship with your supplier and your capability to update than on how you got the product in the first place.

The Supplier

Why is the supplier important? In security, trust is key. When auditing a supplier you should look at a couple of things.
  • Do they actively work with information security? If they have certifications (e.g., ISO 27001, IEC 62443), look at the implementation. What does the scope cover? What controls do they have? How do they manage threat modelling?
  • How and where is the product manufactured? Do they have their own factory? How do they perform audits on sub-suppliers? A short supply chain means less risk of errors and successful attacks.

The Software

Probably the most important point. It is through the software that most successful attacks will take place. In all likelihood the attack will exploit a vulnerability that is unknown at the time of commissioning. This is what you should consider regarding the software of your product.

  • Can you rely on them to provide continuous and consistent software updates? This is probably the most important topic: how will you and they manage vulnerabilities together? It is a team effort after all, especially if you throw Open Source into the mix.
  • How do they manage the signing process? Key management and secure boot. Do look into this. They can claim that they have secure boot, but if that trust chain can be compromised it is not worth much. How do they handle the private keys? How hardened is the firmware? Is there a link in the trust chain that might be weak?
  • If Open Source is in play, do they use known and maintained libraries? Some recent attacks (e.g., Log4j) have shown that it is not enough that a library is common and widely used; it also needs a vibrant maintainer community, people who are actually looking at and evaluating the code.
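To make the signing and trust-chain questions above concrete, here is an added example (not code from this blog or from any vendor) of the check a device should run before it accepts a firmware update. It assumes a made-up manifest format (version number plus SHA-256 of the image, signed with Ed25519) and a vendor public key that was burned into the device as its root of trust; all inputs are constructed inline. The point it demonstrates is that three separate things have to hold at once: the manifest signature verifies against the trusted key, the delivered image matches the signed hash, and the version is newer than what is installed (so an attacker cannot push a genuinely signed but old, vulnerable image back onto the device).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: the signature covers
// Version and ImageHash, so neither can be changed without the vendor key.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// manifestBytes serializes the signed fields in a fixed layout so that
// signer and verifier hash exactly the same bytes.
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignManifest is the vendor side. In practice the private key lives in an
// HSM or signing service; here it is generated in memory for the example.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, manifestBytes(version, h)),
	}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the trusted vendor key")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
)

// VerifyUpdate is the device side. trusted is the vendor public key held in
// immutable storage; installed is the version currently running.
func VerifyUpdate(trusted ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	// 1. Only a manifest signed by the trusted key is considered at all.
	if !ed25519.Verify(trusted, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	// 2. The image actually delivered must be the one the vendor signed.
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	// 3. Anti-rollback: a valid but older image is still rejected.
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// RunScenarios exercises VerifyUpdate with constructed inputs and returns the
// outcome of each case: a genuine update, a tampered image, a manifest signed
// with the wrong key, and an attempted rollback.
func RunScenarios() (genuine, tampered, wrongKey, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // constructed sample, not a real image
	m := SignManifest(priv, 2, image)

	genuine = VerifyUpdate(pub, 1, m, image)

	altered := append([]byte(nil), image...)
	altered[0] ^= 0xff // flip one bit of the delivered image
	tampered = VerifyUpdate(pub, 1, m, altered)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	wrongKey = VerifyUpdate(otherPub, 1, m, image)

	rollback = VerifyUpdate(pub, 2, m, image) // device already runs version 2

	return genuine, tampered, wrongKey, rollback
}

func main() {
	genuine, tampered, wrongKey, rollback := RunScenarios()
	fmt.Println("genuine update:", genuine)
	fmt.Println("tampered image:", tampered)
	fmt.Println("wrong key:     ", wrongKey)
	fmt.Println("rollback:      ", rollback)
}
```

Note that the check is only as strong as the storage of the trusted public key and of the installed version counter: if an attacker can overwrite either, the whole chain collapses, which is exactly the "weak link" question to put to the supplier.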

Time to eat the Mango and summarize

In the 1800s Queen Victoria had to rely on physical transport of the goods. So what happened to the mango she so desperately wanted for the jubilee? Well, as you can imagine, with the ships and cooling available at the time the fruit was, as it is put in the movie, “off” when it arrived, that is, overripe. Even as Queen of an empire as large as the British one, she could not ensure a fresh mango at her table, something almost anyone can enjoy these days.
But to put it in terms of supply chain security: if you want your system to stay fresh and enjoyable to the bite in everyday work, you should keep a really close eye on updating the software of your products, because experience shows that is how an attacker will compromise you. The nice thing is that you can do that without travelling through the Suez Canal fighting off rebels. Working with the right supplier can ensure that you have it at your fingertips when you need it.
