Is your supply chain secure? What standards, practices or guidelines does your organization lean on to guide the business forward in a security-susceptible environment? Mike Regan, Vice President of Business Performance for the Telecommunication Industry Association joins us in this Executive Perspectives episode to discuss the association’s latest standard and how to better protect oneself within increasingly digital industries.
This interview was edited and formatted for clarity.
Tyler Fussner, Managing Editor, Supply Chain Connect
Hey, good morning, Mike. Thank you for joining us today.
Mike Regan, VP Business Performance, TIA
Tyler, pleasure to be here. Thank you.
If you wouldn’t mind, please, introducing yourself to our audience.
My name is Mike Regan. I am with the Telecommunications Industry Association. And specifically, I oversee the activities of the QuEST Forum community within TIA. TIA is a long-operating industry association and standards development organization, with literally hundreds, thousands of standards developed over many decades. We have roots going back almost 80 to 100 years if you can believe that.
TIA is structured within four communities. One is technical standards, which focuses on topics such as data center design, structured cabling, cell tower design, things of that nature. We have a very active government advocacy group mediating between our membership and various global governments pursuing the goals of our members. Third community: technology programs. These tend to be pulling together works of some of the other communities into things like a data center design and certification program, a smart buildings certification program, things of that nature. And then QuEST Forum, which I’m responsible for. And we focus on business performance improvement standards; pretty widely known for a near 25-year-old standard called TL 9000, which is a quality management system. And most recently, we have developed and are promoting a standard called SCS 9001, which is intended to provide a higher level of assurance of the cyber and supply chain security practices of those operating within the ICT industry.
Excellent. Mike, that is why I’m so glad to get you to be able to sit down and talk to us today, because I know our audience wants to hear about supply chain security. And as I understand, like you had just touched on, this new standard that TIA has developed—SCS 9001—can you please explain a little bit more about what exactly that standard is and why it was developed?
Sure, glad to. Everyone is aware of the vulnerabilities that are being exposed on pretty much a daily basis. The types of cyber-attacks that are taking place are broadening in scope and severity in the types of attacks that are launched. This isn’t just ransomware and nuisance any longer. The bad guys are attacking critical infrastructure within countries; they are attacking mission-critical systems, life-critical systems in some cases. The problem has really grown and frankly hasn’t been solved yet.
Several years ago, our membership… Our standards are developed by people from industry, for industry. It’s not like we decide something that sounds interesting and go and launch a new standards effort. People from industry that were members of ours came and said, “Look, here’s some of the things we’re struggling with.” There’s a number of works focused on cybersecurity, but there’s really a gap here in accounting for all elements of how an organization operates, including its supply chain practices. And there’s a number of examples of supply chain attacks that the bad actors have launched; SolarWinds maybe being one of the most prominent of those.
And so, we said, “We don’t want to do something for the sake of doing something. We don’t want to repeat prior art that’s already been done and released.” But we saw a gap and that was a bridging into supply chain security topics. And so, we pulled together subject matter expertise from our membership. And for a standard like SCS 9001, it’s a big standard and it’s intended to solve a tough problem. We had to pull in subject matter expertise from a wide variety of disciplines—supply chain, logistics, quality, product development, IT, network design, architecture. We were fortunate to have a very broad member base that could donate that level of expertise. We assembled our team and we put together the standard called SCS 9001. It is intended to allow people to evaluate their vendors as to their security practices with the goal of providing a higher level of assurance of the inherent security present in the products and services going into modern networks.
Okay. It sounds like you have a very widespread team that has attacked this thing from multiple angles and you’re really setting up a standard to put some new checks and balances in place. From the flip side of that perspective, how does someone utilize SCS 9001?
There are a number of ways. We are proponents that for solving difficult problems, independent auditing and certification provides the highest level of assurance. But I think this probably comes down to the levels of trust that exist between a network operator and their vendors. If you’ve had long-term relations with a particular vendor, and you've done audits or you provided them with security requirements, and they’ve answered that, you might have a higher level of confidence in the deliverables from certain vendors and not others. So, this can be used to drive consistency in the performance of your vendors. And again, with the ultimate goal of trying to improve and close the window on the types of attacks that are being seen out there.
While we are advocates of certification, and part of delivering process-based standards like this is developing an entire ecosystem and network of accreditation and certification bodies and associated training materials, while we think that provides the highest level of assurance, we certainly have use cases where organizations can take and use the standard, assess it against their own existing processes and use it to strengthen them whether a particular customer demands certification to it or not.
Mike, I’m curious, as we get deeper and deeper into this conversation, I have to ask myself, are there not already standards in place for supply chain security? For IoT security? I guess what I really want to know is why was there a need for this new standard and what really sets it apart?
So great question. First, I’ll answer with this: TIA is an industry association that is not aligned with a particular industry. We are agnostic in that regard. So, if you were to talk to us about the standards that we were developing 15 and 20 years ago, there would be a heavy bias towards traditional public service providers at that time. The work that we’re doing today with the way that global connectivity has grown, we are developing standards that have appeal and benefit to a wide variety of different verticals. This isn’t just for the Verizons, the AT&Ts of the world any longer. We are not a mobile networking organization; we are technology and network agnostic when it comes to the types of standards we’re developing.
SCS 9001, we believe, provides great benefit not only to those traditional service providers, but if you’re operating a cloud platform or hosted data center or a multinational large enterprise, satellite communications, and yes, Internet of Things. Internet of Things, interestingly enough, is gaining widespread attention from a large number of global governments, where they are concerned with the level of security in the devices being installed, initially in households. And then, if you look at the different verticals, within IoT, there’s industrial Internet of Things, there’s critical care, medical devices… there is a great segmentation even within IoT.
If you look at things like the U.S. Cyber Trust Mark Program that was nudged forward by Executive Order 14028, governments are really starting to get involved. Now that program is a voluntary program and it’s intended, initially, to provide security labeling for household consumer devices. But there’s every expectation it’s going to start moving into edge networking types of devices, industrial control types of applications. There are certainly cybersecurity works of various types, guidelines, best recommendations, even standards, from some leading organizations. The Consumer Technology Association ANSI/CTA-2088 for IoT security. ETSI has a publication called EN 303 645. And there are others focused on IoT security. But if you were to read the standards, they will provide benefit for sure, but their focus is on operational security and baselines of operational security. So, things like IoT devices, they can be upgraded in the future, or passwords aren’t passed in clear text, data is encrypted, things of that nature.
There is very little, if any, focus on supply chain of those devices. And when you consider how these types of devices are put together, certainly different verticals, there’s a lot of early-stage companies—innovative, fast moving—that maybe are not as mature when it comes to security considerations. There’s a heavy use of open source. We’ve seen examples of what happens when you don’t have a very good process around the use of open source. And most importantly, continuous upgrades and assessment of vulnerabilities detected post product release. The Log4j vulnerability may be the worst one that’s been experienced yet.
We felt it appropriate, now, to align with these government initiatives and the cybersecurity standards that are available around IoT to augment and grow that level of coverage to include supply chain. This is a really large problem. No single standard or approach is going to fully solve it. We believe SCS 9001, in combination with some of these more operationally-focused security standards, can provide great benefit.
Mike, I think you touched on a lot of things there. One thing to consider aligns with TIA becoming more of, let’s say, a vertical agnostic association: As you’re touching on so many more industries, at the same time, we can clearly see all of these verticals are going through a digitization process. Everyone is transforming and going forward with digitization or industry 4.0. And that’s opening a lot of doors for new paths that these companies have to navigate. And having these standards in place to help guide them on that path forward into a more digitally connected environment is of utmost importance.
Exactly right. And having come out of private industry, I led development teams in some highly regulated industries for nearly 30 years, standards can be helpful; they can be very difficult to adopt and operationalize at times. And the issues of security are so widespread and are on everyone’s mind, everyone’s jumping in trying to solve the problem. So, there’s a lot of noise in the system right now as to which is the proper approach; which standard should I embrace or not.
We have the differentiation around a big focus on ICT supply chain security. But, again, using this standard in addition to others that are more operationally focused, we think, provides a much higher level of safety. And the other thing young companies are challenged with, because there’s so much activity: imagine having to understand the various policy directives and legislation coming out of all of these different global governments, all of these different industry association standards, and trying to figure out or thinking you need to embrace or certify all of them. There is overlap in many of the areas of government publications and in the operational security standards.
The way that we’re approaching it is we have very broad and a high level of coverage, and we do mapping exercises against these other various works. We almost always have a very high level of overlap and coverage with some of these others. So, for cost efficiencies and simplicity, if someone wanted a single global standard that they could embrace and have confidence that it’s giving them a high level of ability to checklist against all of these other publications and best practices, we can provide that level of support and evidence showing that a certification to this standard moves your needle pretty significantly in meeting the expectations of all of these different regions and other documents you may be looking at.
It’s a tricky subject to approach. Security has to be top of mind. As you’ve already touched on, bad actors are on the rise; their methods are changing; their points of attack are changing. And this is something that every single industry has to keep as a priority focus.
Something else you had brought up with the U.S. Cyber Trust Mark Program: there seems to be a huge surge in global initiatives aimed at applying standards to IoT security or supply chain security. Will SCS 9001 play a role in this initiative? I know you had spoken on what you are doing now, but going forward, what’s the goal for these standards being put in place? How does every single industry approach standardizing their security practices?
One of the first things is to recognize that this is now a cost of doing business. Even in my days leading development teams in private industry, I can tell you the business pressures of getting that next product to market or early-stage companies that are just trying to survive, sometimes operational practices get deferred for business needs. Again, can’t look at it that way any longer. Developing inherently more secure products—the cost of doing that has to be considered a cost of doing business. No more kicking the can down the road. Would you want to be on the wrong end of a class litigation lawsuit for a breach that was avoidable? I wouldn’t want to be providing that bad news to my boss, or my board of directors or my investors.
People have to start accepting that the need to deliver more secure products and services is just part of the job. Those of us that are working on the standards side of it, I think, need to have an appreciation of what we’re asking industry to do and to make it as easy as possible to insert and adopt and start altering operational practices to be more secure by nature. It doesn’t need to be more difficult than what’s in place today. It’s just a matter of getting it done and getting things in place and then having proper checks and measures to ensure that those improved processes continue to be practiced over time. But if you look at the level of attacks that still come every week, what we’ve tried so far, I think, is proving to be insufficient. We need to work harder, collectively, to have a better security posture so that the bad guys can’t have it as easy as they have.
I think you put it perfectly there that your device security has to be considered a cost of doing business today. It’s on the list. So, looking ahead, what’s the future look like for TIA? How does SCS develop from here?
We are very busy, for sure. There’s been tremendous interest generated in SCS 9001 and the problems that it aims to solve. We are in the process right now of releasing the second version of it, should be done this month, hard to believe it’s September already, but it is. That should be done this month. And then we’re immediately going to start looking to specialize a bit by putting together new teams and work groups that will assess the standard as to its efficiency in meeting their business needs, in particular ICT verticals. And the first one that we've focused on, for some of the reasons previously mentioned, is IoT. A huge, huge trend of increased devices of all types being installed in all kinds of different applications; we think SCS 9001, in its current form, provides great benefit and value to that vertical. And we’re looking to move into it by assembling a new work group with some of the globally premier companies delivering IoT products and assessing the standard as to its adequacy in meeting their needs. So, we may need a new version; we may create a profile for different use cases; we may adjust some of the controls and enhance them; some of the measurements, we may enhance into particular verticals. But our first focus is going to be on IoT. And we are assembling a who’s who of players to work on that, and we're very appreciative of the support already provided to us by those with the intent of joining this team.
I would expect sometime this month, you will see press releases announcing its formal launch and a call to industry to come and join us. Take a look at the work. I think you’ll find it to be very beneficial in solving some of the problems that people are currently facing. And we are a volunteer-driven organization. We welcome additional participants to come in; share your views, your problems with peers within the industry, and all work together collectively to move the needle and make some improvements.
And in line with that invitation, say if any of our audience is listening to this conversation and they say, “I want to leverage these standards as a resource in my business practices,” where do they look? How do they get involved?
Probably the easiest place is to go to our website: TIAonline.org. There’s a wealth of information up there, including the different ways to contact us for the areas of interest and we would be glad to share more information and hopefully get you involved.