Safeguard your key business process: avoid cyber security blind spots in your supply chain security

I see a lot of companies working hard to be cyber resilient. Most of the time the first focus is on their own internal organization and processes. But a lot of the work around mission critical systems and networks is performed by others, as companies rely heavily on third parties to develop, maintain, and update their OT environments. Some companies have gone so far as to fully outsource support and maintenance for the OT network, operating systems, HMIs, engineering station/laptops and PLCs/RTUs, for example. Others work in a sort of hybrid situation.

We have all heard about cyber security incidents in the supply chain, be it from a contractor’s personnel or from vulnerabilities in software and hardware. Attackers have discovered that this is often the easiest way in, and that it is effective – as breaching one supplier will give access to multiple company networks. A good example is the SolarWinds hack, which provided the attackers with backdoor access to a multitude of governmental organizations and companies across the world.

These examples make it clear to me that security doesn’t stop at the border of the organization. You must consider the supply chain risk to secure your critical business processes. Working closely with third parties and having a good cyber security assurance process in place for vendors when procuring or developing new solutions.

Trust, but also verify

What I’ve seen in almost every company I’ve worked for is that there is a lot of trust in suppliers and the systems and networks that they’re implementing and managing on behalf of the client. But I also experience that service providers, equipment suppliers, and manufacturers within the OT domain struggle with demonstrating the cybersecurity of their products and services. This is often due to a lack of appropriately skilled people and the required processes and technologies. But it is also a result of asset owners not paying enough attention to the topic. According to a study that we did in Applied Risk, only 33% of OT security professionals indicate that their organizations regularly audit their primary suppliers, and just 27% perform due diligence on new suppliers.

There is a huge gap to be filled. Not only to ensure cyber resilience and business continuity, but also because of tightening regulations such as the EU revised Directive on Security of Network and Information Systems (NIS2), which focuses on supply-chain cyber security. This recently updated directive requires that member states make organizations legally responsible for addressing cyber security threats in their supply chains.

Assess vulnerabilities, set requirements

Operators need a clear overview of attack surfaces and potential entry points to prioritise which vulnerabilities and non-conformities they should address. Fortunately, robust mitigation measures are available for most vulnerabilities.

Widely known frameworks and best practices are available to guide this process. All international standards like ISO/IEC 2700X, IEC 62443 and the (US) National Institute of Standards and Technology’s (NIST) cyber security framework provide guidance on how to mitigate threats and what to do to secure the supply chain. In the past I’ve been involved in developing best practice on securing the development process from the supplier: IEC 62443-2-4 “Security program requirements for IACS service providers”. This standard contains a comprehensive set of requirements for security capabilities for IACS service providers.

It all starts with the asset owners. They should set clear cyber security requirements for their third-party suppliers and hardware and software vendors. And they should audit them on a regular basis. This is the keyway to get assure that they are mitigating third-party risk. ?

For suppliers, this presents an opportunity: to demonstrate their security posture, prove their compliance with the latest standards and best practice, and show that they take cyber security seriously.

Act now to protect the supply chain

We should already be looking to the NIS2 directive in the EU. This was adopted in December 2022, and organizations within its scope will need to start complying with national implementations soon, likely towards the end of 2024.

But you shouldn’t wait. By taking proactive steps to protect the supply chain, organizations can effectively manage supply chain risk and continuously improve cyber resilience, improve collaboration with vendors and service providers, trust them but also verify, and adopt relevant international standards – all as key steps towards cyber resilience, and as valuable measures to get ahead of tightening regulation.