Regulation Bolsters Industrial Supply-Chain Cybersecurity


Cyber threats targeting industrial facilities, particularly power grids and fuel pipelines, are on the rise and becoming more sophisticated. The increasing integration of operational technology (OT) with IT environments has created a larger attack surface for cybercriminals. In IBM’s 2023 X-Force Threat Intelligence Index, manufacturing emerged as the most targeted industry in terms of cyber attacks in 2022. The energy and transport sectors also ranked among the top 10 industries facing significant cyber threats. These findings highlight the urgent need for robust cybersecurity measures within industrial sectors to safeguard critical infrastructure and operations.

Cyber security risks

Industrial operations now face cyber security risks that have become critical business risks, impacting life, property, and the environment. Company boards and C-suites are recognizing the importance of cyber security in the context of digitalization and automation. However, a significant number of OT security professionals believe that their organizations are vulnerable because they lack knowledge about the security practices of relevant third parties, making it challenging to mitigate cyber risks across the OT external supply chain. Strengthening the cyber security of industrial supply chains is crucial, as they serve as attractive targets for cyber-attacks, potentially providing a single point of entry to multiple companies’ environments.

Supply-chain security challenges

Suppliers and manufacturers of equipment integrated within OT systems often lack the necessary resources to demonstrate the cyber security of their products. As these systems become more interconnected within IT/OT systems, ensuring supply chain security becomes increasingly challenging. A study by Applied Risk reveals that only a third of OT security professionals conduct regular audits of main suppliers, and a mere 27% perform due diligence on new suppliers. Identifying vulnerabilities is a key step in mitigating cyber risk, following the principles of Protect, Detect, Respond, and Recover. Organizations struggle with understanding and pinpointing their vulnerabilities, requiring a comprehensive overview of attack surfaces and potential entry points. By prioritizing vulnerabilities and implementing robust mitigation measures, operators can address non-conformities effectively.

Demonstrating supplier cyber security

Suppliers can enhance their credibility by demonstrating adherence to industry standards such as IEC 62443 for OT cyber security and ISO 27001 for information security management systems. DNV’s recommended practices, like DNV-RP-G108 for the oil and gas sector, provide valuable guidance on implementing these standards. Industrial cyber security specialists like DNV can assist companies lacking in-house expertise in assessing compliance, achieving compliance, and implementing mitigating actions. Implementing supply-chain audits and vendor cyber security requirements during procurement, installation, and operation of equipment is recommended to ensure a transparent understanding of the supply chain’s cyber security posture. Continuous assessments and collaboration enable the identification of vulnerabilities and proactive mitigation against emerging cyber threats.

Tighter regulation is coming

Industrial companies are expected to take action to strengthen their own cyber security and that of their supply chains due to tightening regulations. The revised Directive on Security of Network and Information Systems (NIS2) in the EU introduces stricter requirements and potential penalties, including fines and license withdrawal, for organizations providing essential services. NIS2 emphasizes top management accountability, streamlines reporting obligations, and highlights the need to address supply-chain cyber security risks. Coordinated risk assessments of vital supply chains may be conducted by EU Member States in collaboration with the European Commission and ENISA. The revised Directive came into force in January 2023, and organizations within its scope are expected to comply by mid-2024. A poll conducted during a DNV webinar revealed that many respondents from the energy and transport sectors had limited familiarity with NIS2, but that implementing it had a positive impact on the allocation of cyber security resources. The European Commission predicts an increase in ICT security spending of up to 22% following the introduction of NIS2.


Source: DNV