“Industrial companies are investing more in cyber security, stepping up efforts to identify cyber vulnerabilities, and taking steps to defend IT/OT environments. But it will make no difference if the cyber security of industrial supply chains is not similarly strengthened,” said Anette Roll Richardsen, Director of Cyber Security business in Norway, DNV. “The supply chain is an attractive target for cyber-attacks because it potentially provides a single entry point to multiple companies’ environments.”
Supply-chain security challenges
Many suppliers and manufacturers of equipment integrated within OT systems lack the people, processes, and technologies to demonstrate the cyber security of their products and services. Once standalone, vendors’ systems are now increasingly connected within IT/OT systems internally and externally in much larger critical infrastructure ecosystems.
Having the right people, processes, and technologies in place to oversee supply chain security is equally challenging for operators. Only a third of OT security professionals report that their organizations regularly audit their main suppliers, and just over a quarter (27%) say they perform due diligence on new suppliers, according to Applied Risk’s study.
Identifying cyber vulnerabilities
The overarching principle for mitigating cyber risk to assets and operations can be summed up thus: Protect, Detect, Respond and Recover.
This aligns with best practice including the (US) National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, whose core functions are Identify, Protect, Detect, Respond and Recover. The Identify function, covering the inventory of assets and the assessment of the risks to them, is the precondition for the other four and is where many organizations struggle.
For many organizations, however, the challenge is understanding and identifying their vulnerabilities. Operators need a clear overview of their attack surface and potential entry points, including remote-access paths and supplier connections into the OT environment, before they can prioritize which vulnerabilities and non-conformities must be addressed first. Robust and frequently straightforward mitigation measures are available for most vulnerabilities once they are known.
Demonstrating supplier cyber security
To demonstrate security posture to customers, it benefits suppliers to be able to prove they conform to industry standards and practices. Examples include the IEC 62443 international series of standards, which covers security for industrial automation and control systems (IACS) and addresses component suppliers, system integrators and asset owners separately, and ISO/IEC 27001, which specifies the requirements for an information security management system.
Recommended practices can help towards compliance. For example, DNV Recommended Practice DNV-RP-G108 provides best practice on how to apply IEC 62443 in the oil and gas industry.
Companies lacking in-house expertise can turn to industrial cyber security specialists such as DNV. External experts can advise on which standards to comply with and how to assess compliance status, achieve compliance, and implement mitigating actions.