Cybersecurity is on everyone's lips, especially due to the various laws and regulations. What impact do these have on the supply chain?

Hector Tejero: Compliance with relevant laws and regulations is crucial for supply chain security. Depending on the industry and geographic location, companies in the supply chain must comply with certain data protection regulations, industry standards or international trade requirements. These requirements include data protection laws, export regulations and industry-specific compliance requirements. Companies in the supply chain must regularly review and update their cybersecurity policies and practices to keep up with changing regulatory requirements.

We keep hearing about cyber attacks on the supply chain. What are these attacks and what impact do they have?

The goal of secure supply chains is to ensure the integrity, confidentiality and authenticity of goods, services, information and resources throughout the supply chain process. Supply chain security is critical as it consists of complex networks involving multiple parties. Any weak link in the chain can provide an opportunity for hostile actors to exploit vulnerabilities and introduce counterfeit, substandard or malicious components or compromise the integrity of the supply chain. If a company unknowingly distributes compromised or counterfeit components due to a cyberattack on the supply chain, this can result in a significant loss of customer confidence and reputational damage. Cyberattacks on the supply chain can lead to financial loss, potential legal repercussions, loss of customers and sales, and damage to brand equity.

How do you counter this, how do distributors protect themselves and their customers?

To mitigate the impact of cyberattacks on the supply chain, distributors should prioritize the implementation of robust cybersecurity measures across their operations. Keeping abreast of emerging cyber threats and proactively addressing vulnerabilities are critical steps to maintaining supply chain integrity. Cybersecurity regulations often emphasize the importance of managing the risks associated with third-party vendors. Distributors should implement rigorous vendor risk management practices to ensure that the components they distribute come from reputable sources and do not introduce vulnerabilities. Proactive risk management and resilience planning are essential elements of secure supply chains. This means identifying and assessing potential risks and vulnerabilities within the supply chain, including physical, operational and cyber security risks.

Distributors not only ship hardware, but also offer software and services. What new business areas will the new cybersecurity guidelines open up for distributors?

Successful companies in recent years are primarily those that have undergone a successful digital transformation. Digital transformation takes place at all levels of an organization and affects both internal processes such as data-driven decisions, efficient processes and ERP/CRM systems as well as external services such as the creation and provision of new and innovative digital services.

To mitigate risks, manufacturers and OEMs are encouraged to consider cybersecurity aspects throughout the product lifecycle. Security starts in the product design phase and ends in the decommissioning phase. OEMs must prioritize device security and provide ongoing support to close any security gaps that may arise.

Distributors support manufacturers and OEMs in the implementation and configuration of security solutions and assist in the development of risk management strategies and compliance with security standards. They offer products and services that help companies improve their cyber security practices. They advise on the selection of secure components, secure IoT devices and systems and the use of compliance tools such as firewall systems, antivirus software or encryption technologies and provide training on threats and security best practices.

In a highly connected IoT world, implementing cybersecurity requires a holistic approach. Distribution has excellent relationships with a wide range of vendors and therefore offers insight into the latest products and technology roadmaps. Our application and system solution engineers are continuously trained by the manufacturers or externally certified, building up extensive know-how far beyond the box. Large distributors such as Arrow work with a large number of customers worldwide, know their requirements and can therefore also identify and share best practices.

What added value can distributors offer that a cybersecurity specialist cannot?

Distributors and cybersecurity specialists complement each other's business offerings in the technology ecosystem and each offer customers unique added value.

Distributors' industry knowledge, supply chain expertise and value-added services make them valuable team members in improving cybersecurity within an organization's infrastructure. They make informed decisions about their sourcing strategies and implement appropriate risk mitigation measures.

Simplifying security frameworks, PSA (Platform Security Architecture) Certified, plays an important role in the more effective implementation of security measures to protect digital systems from threats. Platform Security Architecture (PSA) Certified is a security certification scheme for Internet of Things (IoT) hardware, software and devices. It was created by Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure, TrustCB and UL as part of a global partnership.

Arrow Electronics is working with PSA Certified to provide secure platforms for the IoT ecosystem and make the connected world safer. The collaboration between Arrow and PSA Certified lowers the barriers to entry for creating secure platforms and raises security standards in the ecosystem. Arrow has introduced a series of certified kits that provide a comprehensive framework for creating secure devices that comply with global regulations. In this way, the responsibility for security lies across the IoT industry.

What specific services do you offer in relation to the regulatory aspect of cybersecurity?

In an increasingly connected world, the need for cybersecurity solutions has never been more important. eInfochips - an Arrow Electronics company - provides cybersecurity solutions to protect our connected world. The company supports customers throughout the entire journey: from the initial assessment and consulting phase to the implementation of the security solution and after deployment for managed security services. The initial assessment and consulting phase provides a solid foundation for a robust security strategy.

The implementation phase is critical for identifying, prioritizing and remediating potential vulnerabilities. Managed security services help to ensure that organizations are protected from the latest cybersecurity threats and that response mechanisms are in place. These services provide the foundation for a secure digital future and include assessment and consulting, vulnerability assessment, penetration testing and ongoing managed security.

What challenges do you expect to face in the next five years in terms of cybersecurity and secure supply chain and how are you addressing them?

The increasing complexity of the supply chain will present particular challenges when it comes to ensuring the security and integrity of components throughout the supply chain. Distributors must continue to invest in supply chain visibility, risk assessment and management tools to mitigate potential vulnerabilities.

The cyber security threat landscape is constantly evolving and companies need to stay ahead of the latest threats and adapt their cyber security strategies accordingly to mitigate the risks of sophisticated cyber attacks.

To address these challenges, Arrow will continue to prioritize cybersecurity as a core element of its business, invest in robust cybersecurity measures, maintain close relationships with vendors, collaborate with industry associations, and remain proactive in monitoring and adapting to the evolving threat landscape and regulatory environment.