The rapid development and application of big data, industrial Internet, cloud computing, artificial intelligence, and other new technologies are driving advancements in businesses' digital services, leading to a prosperous digital economy. However, these new technologies also contribute to the increasing complexity of software architectures and the emergence of new attack methods. As a result, businesses' service systems are exposed to more security vulnerabilities. In the context of frequent cybersecurity incidents, businesses are increasingly aware of cybersecurity risks, and vulnerability management has become an important part of their cybersecurity strategies. Additionally, different countries and regions have legislated to manage cybersecurity vulnerabilities.
Over the past few years, the number of cyberspace security threats has increased dramatically. Such threats — which can cause major losses — include cyber ransomware and supply chain security incidents. Vulnerability exploitation remains one of the main causes of security incidents.
Finland has a longstanding tradition of adopting a comprehensive approach to security and codifying this in its legal framework. This commitment is already reflected across various sectors. At the EU level, the NIS2 directive establishes a comprehensive and legally codified approach to cybersecurity and risk management that aligns with Finland’s existing practices across various sectors.
In Finland, the Finnish Transport and Communications Agency (Traficom) oversees national cybersecurity regulations. This includes the transposition of the EU NIS2 directive, which is locally implemented through the proposed Cybersecurity Act, "Kyberturvallisuuslaki". The Kyberturvallisuuslaki mandates that organizations in critical sectors assess and manage risks to their communication networks and information systems, and mandates that organizations report significant incidents to the National Cyber Security Centre Finland (NCSC-FI).
At the time of writing, the proposed Finnish NIS2 implementation refers to all affected parties uniformly as “operators” instead of the two-categories approach of the NIS2 Directive.
The Cybersecurity Act defines 12 risk management measures and mandates “technical, operational or organizational control measures” incorporating risk management measures in a number of areas, including vulnerability handling.
Huawei and Joki ICT welcome the Cybersecurity Act because it establishes clear cybersecurity requirements and lays down the legal path for collaboration between stakeholders on risk management.
Joki ICT has proactively started to advance the implementation of the Cybersecurity Act (the Finnish draft NIS2 Directive transposition).
Joki ICT has assessed the tasks related to the implementation using the Kybermittari (a tool developed by NCSC-FI), which allows Joki ICT to also assess the impacts on ISO27001 compliance, where Joki ICT’s target state is set.
Joki ICT aims to create an awareness picture of its own management and operational environment, from which Joki ICT can identify critical tasks based on risks through vulnerability detection and input, and monitor the completion of tasks to ensure the flawless functioning of the management and operational environment.
Joki ICT manages vulnerabilities based on risk scenarios of both its own and its customers’ environments. Joki ICT supports its customers in carrying out vulnerability actions from both an administrative and technical perspective. The requirements necessitate that Joki ICT’s customers and partners engage in responsible procurement, maintenance, and development. Joki ICT recognizes the data management model of its own and its customer environments, and maintains it through the use of information systems.
Joki ICT proactively monitors the vulnerability landscape and initiates actions with different priorities based on risk scenarios.
Joki ICT participates in national forums and discussions on vulnerability management and strives, on its part, to secure the operational environment of itself and its customers in the changing threat landscape and world situation.
Information systems enable the identification of vulnerabilities in the environment. Additionally, the Joki ICT SOC service receives vulnerability information from Huawei, NCSC-FI, and other stakeholders.
Joki ICT reviews vulnerability findings in its own and its customers’ operating environments through the Joki ICT SOC service. The SOC service evaluates the impact and prioritizes actions based on risk and threat scenarios. Joki ICT continues monitoring the execution of risk management actions and ensures adherence to schedule through coordination. Joki ICT then verifies the effectiveness of actions after completion based on risk and threat scenarios. Joki ICT maintains change management records that can also be utilized in future risk assessments.
In incident management, if a potential vulnerability exploitation is identified, Joki ICT can request assistance from NCSC-FI and Huawei for Huawei-provided products for analysis if its own resources are unable to resolve the incident and root cause.
All vulnerability-exploitation incident observations of affected products and suspicions are reported to NCSC-FI to enable a national-level cybersecurity situational picture. If the incident affects a Joki ICT customer, these are also reported to the customer. Through this reporting, Joki ICT strengthens these partners and by doing so enables the development of its own operations and those of its customers in the future.
Under the Cybersecurity Act, Joki ICT needs to report significant security incidents. Some security incidents may be triggered by vulnerability exploitation. Therefore, Huawei, as a supplier, will actively detect and remediate vulnerabilities that affect its products and notify Joki ICT to fix them in a timely manner to reduce the occurrence of security incidents related to the exploitation of vulnerabilities.
In general, Huawei plays a critical role in helping Joki ICT meet security requirements by:
• Providing timely vulnerability disclosures: Huawei provides Joki ICT actionable information on vulnerabilities affecting products and services that Huawei supplies to Joki ICT.
• Enabling automated vulnerability management: Huawei provides automated vulnerability disclosure capabilities that Joki ICT can use to enhance the vulnerability management process and make it more efficient (which is not mandatory under the Cybersecurity Act and therefore goes above the expected Cybersecurity Act requirements).
• Offering patch management support: Huawei provides Joki ICT regular security updates and patches during products’ life-cycle.
By aligning Joki ICT’s services and its obligations under the Cybersecurity Act with Huawei’s vendor capabilities, it is ensured that Joki ICT is able to support both compliance and effective vulnerability management.
1. Harm and risk reduction
Huawei’s vision for vulnerability management is to reduce the harm and security risks caused by vulnerabilities in Huawei products and services to customers/users. This vision guides Huawei when handling and disclosing vulnerabilities.
2. Vulnerability reduction and mitigation
The industry recognizes that vulnerabilities are inevitable, but Huawei strives to:
1. Take measures to reduce vulnerabilities in products and services.
2. Promptly provide risk mitigations for customers/users once vulnerabilities in products and services are found.
3. Proactive management
Vulnerability issues need to be resolved through upstream and downstream collaboration in the supply chain. Huawei proactively identifies and fulfills its responsibilities in vulnerability management and builds its management system based on laws, regulations, contracts, and open standards to proactively manage vulnerabilities.
4. Continuous improvement
Cybersecurity is a constantly evolving process where threats and attacks also evolve constantly. As such, defense must be adapted accordingly. Huawei will continue to learn from industry standards and best practices in order to drive the maturity of our vulnerability management.
5. Openness and collaboration
Huawei will continue to adopt an open and cooperative attitude and strengthen the connection with the supply chain and external security ecosystem. Huawei will also enhance collaboration with stakeholders to build trusted cooperation relationships.
Huawei operates a comprehensive vulnerability disclosure program through its Product Security Incident Response Team (PSIRT) which is a part of Huawei Vulnerability Management Center [1]. This includes capabilities to receive vulnerability reports -- including a bug bounty program to incentivize responsible disclosure from security researchers -- as well as a dedicated security advisory portal where Huawei Vulnerability Management Center publishes detailed Security Notices (SNs) and Security Advisories (SAs) about vulnerabilities affecting its products and solutions. Through this channel, Huawei is able to provide vulnerability information, such as vulnerability severity, affected product versions and remediations in a trusted, secure channel respecting the need-to-know principle. Also, this portal provides functionality to download SNs and SAs in PDF and machine-readable formats.
Huawei Vulnerability Management Center collaborates directly with capable customer security teams through the CERT-to-CERT connection mechanism, which is an information-sharing and trust-building activity.
To make the vulnerability management process more efficient and streamlined, Huawei provides several automated vulnerability disclosure capabilities. Huawei has set up the capability to serve standardized vulnerability information conforming to the Common Security Advisory Framework (CSAF) 2.0 specification through RESTful APIs. Furthermore, Huawei meets all the requirements of the CSAF Trusted Provider role, providing another way for secure and automated access to standardized vulnerability information.
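To show what a consumer of CSAF 2.0 advisories does with them once fetched, here is an added example (not Huawei's or Joki ICT's code) that walks a constructed CSAF document, resolves the product ids in its product tree, and lists the known-affected products that appear in a local asset inventory together with their CVSS severity and vendor remediation. The advisory content, vendor, product names and the CVE id are placeholders.

```python
import json

# Constructed CSAF 2.0 sample; not a real advisory, and CVE-0000-00000 is a
# placeholder id. Products are defined once in product_tree and referenced by
# product_id from product_status, scores and remediations.
SAMPLE_CSAF = json.dumps({
    "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
                 "title": "Placeholder advisory",
                 "tracking": {"id": "EXAMPLE-SA-0001", "status": "final", "version": "1"}},
    "product_tree": {"branches": [{"category": "vendor", "name": "ExampleVendor", "branches": [
        {"category": "product_name", "name": "ExampleSwitch", "branches": [
            {"category": "product_version", "name": "V1.0",
             "product": {"name": "ExampleSwitch V1.0", "product_id": "CSAFPID-0001"}},
            {"category": "product_version", "name": "V1.1",
             "product": {"name": "ExampleSwitch V1.1", "product_id": "CSAFPID-0002"}}]}]}]},
    "vulnerabilities": [{
        "cve": "CVE-0000-00000",
        "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
        "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
                    "products": ["CSAFPID-0001"]}],
        "remediations": [{"category": "vendor_fix", "details": "Upgrade to V1.1",
                          "product_ids": ["CSAFPID-0001"]}]}]})


def product_names(tree):
    """Map product_id -> full product name by walking the nested branches,
    plus the optional full_product_names and relationships lists."""
    names = {}
    def walk(branches):
        for b in branches:
            if "product" in b:
                names[b["product"]["product_id"]] = b["product"]["name"]
            walk(b.get("branches", []))
    walk(tree.get("branches", []))
    for p in tree.get("full_product_names", []):
        names[p["product_id"]] = p["name"]
    for r in tree.get("relationships", []):
        names[r["full_product_name"]["product_id"]] = r["full_product_name"]["name"]
    return names


def affected_inventory(csaf_text, inventory):
    """Return (vuln id, product name, severity, remediation) for every
    known-affected product whose name is in the local asset inventory."""
    doc = json.loads(csaf_text)
    names = product_names(doc.get("product_tree", {}))
    hits = []
    for v in doc.get("vulnerabilities", []):
        for pid in v.get("product_status", {}).get("known_affected", []):
            name = names.get(pid)
            if name not in inventory:
                continue  # advisory does not touch anything we run
            sev = next((s["cvss_v3"]["baseSeverity"] for s in v.get("scores", [])
                        if "cvss_v3" in s and pid in s.get("products", [])), "UNKNOWN")
            fix = next((r["details"] for r in v.get("remediations", [])
                        if pid in r.get("product_ids", [])), None)
            hits.append((v.get("cve", v.get("title", "no-id")), name, sev, fix))
    return hits
```

Only `known_affected` products are reported; a product listed under `fixed` (here V1.1) produces no row, which is the distinction a SOC triage queue needs.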
As a regional company providing Information and Communications Technology (ICT) powered government services, Finland's Joki ICT is actually owned by the municipalities it serves. As such, Joki ICT has 38 owners and covers 26 municipalities, four consortiums of municipalities, six municipally owned companies and two welfare areas, and provides these owners with network, data center, information security, data protection, telecommunications, and information technology (IT support and software systems) services. Joki ICT places emphasis on close cooperation with customers, heavily investing in solutions that streamline and digitalize service processes.
Working with Huawei, Joki ICT has shortened the time it takes to build solutions for municipal clients. Another milestone is that during 2024, Joki ICT successfully made the CERT-to-CERT automatic interconnection with Huawei Vulnerability Management Center and was able to smoothly implement three vulnerability-management related use-cases, including one related to the Security Operations Center (SOC) Joki ICT operates.
First, Joki ICT was onboarded to Huawei’s vulnerability disclosure website which allows Joki ICT to receive vulnerability disclosures in a streamlined and human-friendly way. This enables Joki ICT to assess, mitigate and respond to potential vulnerabilities contained in the Huawei products and services.
Second, Joki ICT is now investigating, together with Huawei, how to realize the Machine-to-Machine interconnection which provides standardized CSAF-format vulnerability information. It is expected this initiative will lead to improved accuracy, quality and efficiency of the Joki ICT vulnerability handling process.
Third, Huawei-provided Security Advisories (SAs) are included as input to the SOC. Joki ICT operates a SOC across its municipal clients spanning 26 municipalities. For day-to-day SOC operations, the Huawei-provided security advisories have proven useful in updating the detection capabilities and sharpening the technical risk posture management.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy, position, products, and technologies of Huawei Technologies Co., Ltd. If you need to learn more about the products and technologies of Huawei Technologies Co., Ltd., please visit our website at e.huawei.com or contact us.