Companies must build resilience to protect their supply chains against cyber attacks. Yet many view security as an issue to be addressed once a product has been designed. And when flaws are uncovered later in the development lifecycle or within supply chain components, the consequences can be significant.
Further complicating the situation is that products like cars, medical devices and cloud platforms include a complex mix of hardware and software components sourced across the globe. This means that a single insecure component, such as a firmware module or chiplet, can compromise the entire assembly.
Numerous regulations have been introduced to mitigate cybersecurity risks, creating a web of compliance obligations that organizations must meet. These include Europe’s comprehensive Cyber Resilience Act (CRA), executive orders such as EO 14028 on software bills of materials (SBOMs), sector-specific mandates like CMMC for the defense industry, and international standards such as ISO/SAE 21434 for the automotive sector.
If a company fails to obtain the relevant cyber certifications, it might be unable to ship or have to recall non-compliant models, along with incurring heavy financial penalties.
For example, Porsche can no longer sell its Macan, Boxster and Cayman cars in Europe due to its failure to meet UN ECE R155 requirements. This regulation mandates strict cybersecurity protocols and development processes for all new cars in Europe.
Vulnerabilities identified early in the design process are far less expensive than those uncovered in production. If a flaw is found later in the development process, the cost of a redesign can be significant. Shifting security to an earlier stage is much cheaper than retrofitting it later.
Medtronic had to pull multiple insulin pumps from the market because it hadn’t planned for cybersecurity updates. The recalls weren’t a result of the brands ignoring cybersecurity, but rather failing to address cyber certification as a priority on day one.
Many digital products depend on global suppliers, and with hardware and software no longer built in silos, solving the cybersecurity problem is challenging. To reduce the risks and avoid blind spots in security coverage, integrity validation is required to continuously check data and code. This way, flaws and vulnerabilities are identified and addressed by the organization itself rather than left for cybercriminals to find and exploit.
Supply chain security isn’t static; it's a constant process to ensure that vulnerabilities don’t creep in at any point. A key part of mitigating risks and eliminating security issues is introducing software and hardware bills of materials (SBOMs and HBOMs). This ensures that organizations have the tools to continuously track and validate the integrity of all components across the supply chain. For example, a company not only generates and publishes the SBOM for code it creates, but all upstream suppliers are required to do the same, so the information can be combined to provide forensic accounting for regulatory bodies or other stakeholders. BOMs are so critical for securing interconnected supply chains that many regulations now mandate them.
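The two preceding paragraphs describe combining each supplier's SBOM into one inventory and continuously validating the integrity of the components it lists. The following Python is an added example, not code from the article or from Keysight; it uses a simplified, constructed SBOM layout (loosely modelled on the CycloneDX idea of components with hashes and dependencies, but not the real schema) and constructed artifact bytes. It merges the fragments, flags components whose suppliers disagree on a hash, lists dependencies that no supplier has described (the blind spots), and checks delivered artifacts against the recorded hashes.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes, the identity recorded in the SBOM."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts standing in for delivered build outputs (firmware image,
# libraries). Keys are name@version, the same key the SBOM entries use.
ARTIFACTS = {
    "telematics-app@2.4.0": b"telematics firmware image 2.4.0 (constructed)",
    "tls-lib@1.1.0": b"tls library 1.1.0 (constructed)",
    "can-driver@0.9.2": b"can driver 0.9.2 (constructed)",
}

# Constructed SBOM fragments: one from the product vendor, two from upstream
# suppliers. The field names are an assumption made for this example.
SUPPLIER_SBOMS = [
    {
        "supplier": "ExampleVendor (constructed)",
        "components": [
            {"name": "telematics-app", "version": "2.4.0",
             "hash_sha256": sha256_hex(ARTIFACTS["telematics-app@2.4.0"]),
             # crypto-accel-fw is a hypothetical chiplet firmware nobody has
             # published an SBOM for, so it should surface as a blind spot.
             "depends_on": ["tls-lib@1.1.0", "can-driver@0.9.2",
                            "crypto-accel-fw@3.0"]},
        ],
    },
    {
        "supplier": "SupplierA (constructed)",
        "components": [
            {"name": "tls-lib", "version": "1.1.0",
             "hash_sha256": sha256_hex(ARTIFACTS["tls-lib@1.1.0"]),
             "depends_on": []},
        ],
    },
    {
        "supplier": "SupplierB (constructed)",
        "components": [
            # SupplierB's SBOM records the hash of a different build than the
            # one actually delivered, so integrity validation must flag it.
            {"name": "can-driver", "version": "0.9.2",
             "hash_sha256": sha256_hex(b"can driver 0.9.1 (constructed)"),
             "depends_on": []},
        ],
    },
]


def merge_sboms(fragments):
    """Combine per-supplier fragments into one inventory keyed by name@version.

    Every supplier that vouches for a component is recorded; if two suppliers
    record different hashes for the same name@version, that key is reported as
    a conflict because the combined BOM can no longer say which build is real.
    """
    inventory = {}
    conflicts = set()
    for frag in fragments:
        for comp in frag["components"]:
            key = f'{comp["name"]}@{comp["version"]}'
            entry = inventory.setdefault(
                key, {"hashes": set(), "suppliers": [], "depends_on": set()})
            entry["suppliers"].append(frag["supplier"])
            entry["hashes"].add(comp["hash_sha256"])
            entry["depends_on"].update(comp.get("depends_on", []))
            if len(entry["hashes"]) > 1:
                conflicts.add(key)
    return inventory, sorted(conflicts)


def unresolved_dependencies(inventory):
    """Dependencies some component declares but no supplier SBOM describes."""
    declared = set()
    for entry in inventory.values():
        declared.update(entry["depends_on"])
    return sorted(declared - set(inventory))


def validate_integrity(inventory, artifacts):
    """Compare each delivered artifact with the hash its SBOM entry records.

    A component passes only if every supplier's recorded hash equals the hash
    of what was delivered; a missing entry or a missing artifact is a finding.
    """
    findings = []
    for key, data in artifacts.items():
        entry = inventory.get(key)
        if entry is None:
            findings.append((key, "no SBOM entry"))
        elif entry["hashes"] != {sha256_hex(data)}:
            findings.append((key, "hash mismatch"))
    for key in inventory:
        if key not in artifacts:
            findings.append((key, "artifact missing"))
    return sorted(findings)


def run_checks(fragments=SUPPLIER_SBOMS, artifacts=ARTIFACTS):
    """Produce the combined inventory plus every finding a reviewer would want."""
    inventory, conflicts = merge_sboms(fragments)
    return {
        "components": sorted(inventory),
        "conflicting_hashes": conflicts,
        "unresolved_dependencies": unresolved_dependencies(inventory),
        "integrity_findings": validate_integrity(inventory, artifacts),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

On the constructed input the run reports no hash conflicts, one unresolved dependency (the chiplet firmware with no SBOM) and one hash mismatch (the CAN driver whose supplier recorded a different build). Both findings are the kind of gap the paragraph above says the combined BOM exists to expose; in practice the check would be re-run on every delivery rather than once.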
Organizations that fail to design with security in mind from the outset increase the likelihood of a data breach and service disruption. Therefore, cybersecurity can no longer be an afterthought in the development process: compliance assurance needs to be prioritized at every stage. The cost of remediation and the risk of delays increase significantly if it is left until later, which can make or break a product's viability.
Adopting a secure-by-design approach ensures a company's products meet all compliance requirements. Rather than scrambling to meet certification standards at the last minute, organizations should treat cybersecurity as a strategic priority and enforce it as part of their supply chain DNA from day one.
Marie Hattar is senior vice president of Keysight Technologies.