Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
An overview of the Cybercheck
The Cybercheck can be implemented for products and services that are already in use as well as for those under consideration for procurement. It applies to all physical and digital components of the products and services the organisation uses, including the environment they are connected to: the software, the operating system, the firmware and the hardware. Malicious actors are known to exploit the development and maintenance stages of products and services.
The Cybercheck is a tool to map whether deployment of a specific product or service from a country with an offensive cyber programme may result in a heightened security risk and as such is cause for conducting an additional risk assessment.
This chapter explains how and for what purpose you can use the Cybercheck in your organisation. It also provides a glossary of terms to answer the questions in the Cybercheck.
What value does the Cybercheck add for your organisation?
The questions in the Cybercheck have been formulated based on a number of technology layers, the so-called technology stack. In this guide, the layers are the software, the operating system (OS), the firmware, and the physical hardware. Countries with an offensive cyber programme can use the supply chain to exploit products or services on one or more of these layers. By answering a number of questions for each layer, you can analyse whether the technology in any one layer could be exploited.
What products and services should you select for the Cybercheck?
This guide is intended for organisations who have one or more Protectable Interests with regard to National Security. Your risk management process should have already helped you establish what interests are at stake or will allow you to do so within a short amount of time.
The Protectable Interests are the starting point for selecting specific products and services for the Cybercheck. Determine which products and services these interests depend on, or which products and services are themselves a Protectable Interest, for instance because they must always be available. We recommend prioritising products and services based on their importance for the functioning of the Protectable Interest.
The selected products and services are the starting point for the Cybercheck in this guide. An example is a business-critical service for processing sensitive information or operational technology that supports production processes, such as a Programmable Logic Controller (PLC) or Human Machine Interface (HMI) in an OT environment.
Who should perform the Cybercheck?
The Cybercheck is intended for persons in your organisation who play a part in controlling digital risks. The management is the owner of these risks (for example, the process owner). The management bears final responsibility and is accountable. The management generally receives support from the Chief Information Security Officer (CISO), who usually is responsible for the execution. The CISO may also call upon a trusted partner to map the risks. The trusted partner does not have to be an expert on the subject matter but must be knowledgeable about the primary process and which persons can supply the right information for answering the questions of the Cybercheck. This might involve internal interviews with subject matter experts or external suppliers of a specific product or service.
When to use the Cybercheck
The Cybercheck can be implemented for products and services that are already in use as well as for those under consideration for procurement. We recommend using the Cybercheck well ahead of time whenever you consider buying new products or services. This allows you to make a procurement decision in a timely manner. It is important to gain and maintain a good understanding of the origin of such products and services in terms of parties in the supply chain. Changes due to takeovers or new ownership constructions may be reasons for your organisation to conduct another Cybercheck.
For the Dutch central government, existing cabinet policy stipulates that risks of, for instance, espionage, undue influence or sabotage by state actors relating to digital products or services are assessed on a case-by-case basis with the aid of the so-called C2000 criteria. Central government organisations can use the Cybercheck as part of the assessment that the C2000 criteria require them to do.
Getting started with the Cybercheck
We recommend proceeding with the Cybercheck in accordance with the following steps:
- Select products and/or services for the Cybercheck
- To begin with, establish the scope of the products and services that should be assessed in the Cybercheck
- Conduct the Cybercheck and answer the questions
- If the Cybercheck results in a ‘yes’, do an additional risk assessment
Below is a glossary of terms used in the Cybercheck.
What is a product or service?
In this guide, a product is defined as the entirety of physical and digital components. For instance, a smartphone consists of physical hardware but also firmware, a specific type of Operating System (OS) and software in the form of applications. A service provides for a specific need of an organisation. A service often makes use of multiple products. Antivirus solutions or Identity and Access Management (IAM) solutions are examples of services.
A product in this guide is understood to mean not only a physical product with which users interact, but also the digital environment with which the product is connected. Security cameras are an example. A security camera consists of the physical security camera but can also be connected to a cloud environment to which it transfers the security footage. In this example, the cloud environment is therefore also a part of the product and must be included when answering the Cybercheck questions.
When investigating a service, you must determine which underlying products or services that service uses. These products and services are a part of the service and as such are relevant in answering the Cybercheck questions. Be aware that components may themselves consist of several components, and services may consist of multiple services for which products are used. It is up to the organisation itself to determine the scope and depth of the analysis of the supply chain.
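The steps under "Getting started" and the scope definitions above amount to a tree walk over the supply chain: each product or service is decomposed into its four stack layers and into the underlying products and services it depends on, and the Cybercheck answers "yes" as soon as any component in that tree traces back to a country with an offensive cyber programme. The following Python is an added example of that screening logic, not code from the guide or from HSD. The inventory (a security camera with its connected cloud environment, following the guide's own example), the supplier names and the flagged-country set are constructed placeholders; which countries count as having an offensive cyber programme is a decision the guide leaves to the organisation's own risk assessment. It also follows the supplier's ownership chain, so that a takeover by a parent company in a flagged country (the situation the guide says should trigger a new Cybercheck) is picked up.

```python
"""Screen a product/service inventory for the Cybercheck's 'yes' outcome.

Constructed example: the inventory, supplier names and FLAGGED_COUNTRIES are
placeholders, not data from the guide.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

# The four technology-stack layers named in the guide.
LAYERS = ("software", "os", "firmware", "hardware")

# Placeholder: in practice this set comes from the organisation's own assessment.
FLAGGED_COUNTRIES = {"COUNTRY_X"}


@dataclass
class Supplier:
    name: str
    country: str
    parent: Supplier | None = None  # ownership chain; takeovers change the answer

    def countries(self) -> set[str]:
        """Country of the supplier and of every company above it."""
        out, s = set(), self
        while s is not None:
            out.add(s.country)
            s = s.parent
        return out


@dataclass
class Component:
    """One element of the stack, e.g. the firmware inside a camera."""
    name: str
    layer: str
    supplier: Supplier

    def __post_init__(self) -> None:
        if self.layer not in LAYERS:
            raise ValueError(f"unknown layer {self.layer!r}; expected one of {LAYERS}")


@dataclass
class Item:
    """A product or service, with the environment it is connected to and the
    underlying products/services it uses (depends_on)."""
    name: str
    components: list[Component] = field(default_factory=list)
    depends_on: list[Item] = field(default_factory=list)


def walk(item: Item, path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], Component]]:
    """Yield every component in the item's supply-chain tree with its path."""
    here = path + (item.name,)
    for comp in item.components:
        yield here, comp
    for dep in item.depends_on:
        yield from walk(dep, here)


def cybercheck(item: Item, flagged: set[str] = FLAGGED_COUNTRIES) -> list[str]:
    """Return the findings that make the Cybercheck answer 'yes'.

    Each finding names the path through the supply chain, the layer, the
    component and the country that triggered it. An empty list means 'no'.
    """
    findings = []
    for path, comp in walk(item):
        for country in sorted(comp.supplier.countries() & flagged):
            findings.append(f"{' > '.join(path)} / {comp.layer}: {comp.name} "
                            f"({comp.supplier.name}, {country})")
    return findings


def needs_additional_risk_assessment(item: Item) -> bool:
    """Step 4 of the guide: a 'yes' means an additional risk assessment."""
    return bool(cybercheck(item))


def sample_camera() -> Item:
    """Constructed inventory: camera plus the cloud environment it uploads to."""
    cam_vendor = Supplier("CamVendor", "COUNTRY_A")
    # The firmware vendor was taken over by a holding in a flagged country.
    fw_vendor = Supplier("FirmwareCo", "COUNTRY_B", parent=Supplier("HoldingCo", "COUNTRY_X"))
    cloud_vendor = Supplier("CloudCo", "COUNTRY_A")
    storage_vendor = Supplier("StorageCo", "COUNTRY_X")
    storage = Item("object-storage", [Component("storage nodes", "hardware", storage_vendor)])
    cloud = Item("video-cloud", [Component("portal app", "software", cloud_vendor)], [storage])
    return Item("security-camera",
                [Component("camera app", "software", cam_vendor),
                 Component("embedded linux", "os", cam_vendor),
                 Component("sensor firmware", "firmware", fw_vendor),
                 Component("camera unit", "hardware", cam_vendor)],
                [cloud])


if __name__ == "__main__":
    for line in cybercheck(sample_camera()):
        print(line)
```

Run as a script, it lists two findings for the constructed camera: the sensor firmware (flagged through the firmware vendor's new parent company, not its own country) and the storage hardware two levels down inside the cloud environment. Neither would surface if the analysis stopped at the camera itself, which is the point of the guide's remark about scope and depth of the supply-chain analysis.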
Software
Software is the combination of programmes that enable computers or other devices to execute a task. Software can have many forms, such as the applications on your phone, office automation such as accounting software packages, or games.
The operating system
The Operating System (OS) is the layer between the applications and the firmware controlling the hardware. The OS is loaded into RAM after the system is started up. Microsoft Windows, Android, iOS, Linux and UNIX are familiar examples of an OS. OS extensions, such as Ubuntu for Linux or One UI for Android, are also included in the definition of an operating system.
Firmware
Firmware is specific software programmed into hardware that facilitates the operating system in controlling that hardware. The firmware ensures that hardware can execute specific basic functions, such as starting up and shutting down. The Basic Input Output System (BIOS) is an example of firmware.
Hardware
Hardware covers the physical components comprising a digital product. Hardware can be deployed in both IT and OT environments. Examples of hardware include Random Access Memory (RAM), Central Processing Units (CPUs), Solid State Drives (SSDs), Printed Circuit Boards (PCBs) and Programmable Logic Controllers (PLCs). Printers, servers and network devices are also hardware.
Development
Products and services must be produced and/or developed before they can be deployed by users. For software, OS and firmware, this usually means designing and writing the program code. Errors can be introduced during code development, intentionally or unintentionally, and later exploited by malicious actors. Hardware components are manufactured physically at plants, which means that digital backdoors can be deliberately incorporated into the product during production and exploited at a later time.
Maintenance
Products and services must be maintained/serviced after they are delivered. Software, OS and firmware are maintained by means of updates. An update often introduces new or improved features and patches vulnerabilities resulting from errors in the code. Malicious actors can exploit the update channel to introduce vulnerabilities. A well-known example is the incident that occurred with a product of the company SolarWinds.
Hardware and firmware sometimes require physical maintenance. In some cases, an organisation’s administrator can handle this internally but often service and maintenance are outsourced to the hardware vendor. Malicious actors can exploit such physical access by asking or forcing the vendor to insert vulnerabilities.