Click Image to Enlarge

Cyber threats to industrial facilities are becoming more common, complex, and creative as operational technology (OT) – the control systems that manage, monitor, automate and control industrial operations – is increasingly networked and connected to IT environments. The manufacturing sector recently became the world’s most cyber-attacked industry for the first time, according to IBM’s 2022 X-Force Threat Intelligence Index. Other industrial sectors, including energy and transport also appear within the top ten.

Production shutdowns, safety incidents, process disturbances and other service disruptions are all potential consequences of a cyber-attack on industrial operations. Life, property and the environment are at stake.

It’s no surprise, then, that cyber security is rising up the boardroom agenda in industrial sectors. Cyber security risks are now business risks, and business leaders are recognising that cyber security is a pre-requisite for digitalisation and automation excellence.

The supply chain security challenge

Industrial companies’ investment in cyber security is now increasing. More focus is being placed on identifying where companies are vulnerable to attack, and putting the people, process, and technology measures in place to defend their IT and OT environments. But all this effort will make no difference if the security posture of a company’s supply chain is not equally strengthened.

Companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, but this doesn’t matter if there are undiscovered vulnerabilities in their supply chain. One issue can escalate or ‘domino’ into many others. The supply chain is a very attractive target for cyber criminals because it potentially provides a single-entry point to multiple companies’ environments.

Supply chain security risks have not gone unnoticed by OT security professionals. The majority say their organisations are at risk because of their inability to ascertain the security practices of relevant third parties and to mitigate cyber risks across the OT external supply chain, according to research conducted by Applied Risk, a DNV company, in 2021.

Many suppliers and manufacturers of equipment integrated within OT systems simply lack the people, processes, and technologies to demonstrate the cyber security of their products and services. By adopting a cyber security programme, investing in training of the workforce and following a Secure Software Development Life Cycle (SDLC) process, the risk of security vulnerabilities in products in production can be improved.

Vendors’ systems used to be standalone. Now, they are increasingly connected within IT/OT systems internally and externally in much larger critical infrastructure ecosystems.

Applied Risk’s study found that only a third of OT security professionals say their organisations conduct regular audits of their main suppliers, and just a quarter (27%) conduct due diligence prior to contracting with new suppliers.

Companies with industrial operations need to pay greater attention to assuring that equipment vendors and suppliers demonstrate compliance with security best practice from the earliest stages of procurement and throughout the lifecycle of a project. Strengthened data management securing information and data sharing between suppliers, customers and other partners, limited access to critical assets - next to implementing monitoring and threat detection systems - improve supply chain cyber security by mitigating the risk of cyber-attacks. And if things go wrong, have an incident response plan in place to manage the threat and act fast.

Time to take action

It is now time for both industrial operators and their suppliers to face these challenges head-on. Increasingly, suppliers must assure themselves that they have the right measures in place to defend their products and systems from cyber threats. They must also be in a position to demonstrate their security posture to companies procuring from them.
The overriding principle to mitigate against assets and operations being compromised by a cyber-attack is to protect, detect, respond and recover. This is in line with industry best practice including the National Institute of Standards and Technology’s (NIST) cyber security framework.

The Centre for Internet Security (CIS) sets out benchmarks for vendor product families to help protect systems against threats more confidently while The Open Worldwide Application Security Project (OWASP) Foundation provides free online resources for web application security.

For many organisations, however, the challenge in ensuring cyber resilience is understanding and identifying where their vulnerabilities are. By having a clear overview of attack surfaces and potential entry points, you can prioritise the vulnerabilities and non-conformities that must be addressed. Robust and often straightforward mitigation measures can be put in place to address most vulnerabilities.

When it comes to demonstrating security posture, it pays for suppliers to be able to prove that they conform to a growing number of industry standards and practices. These standards include IEC 62443, the international series of standards that address cyber security for operational technology in automation and control systems, and ISO 27001, the standard for information security management systems and their requirements.

Assessments should be undertaken continually, rather than periodically, to ensure resilience against new and emerging cyber-attack vectors.

Recommended practices are also available to help companies on their path to compliance with industry standards. For example, DNV’s Recommended Practice DNV-RP-G108 provides best practice on how to apply the IEC 62443 standard in the oil and gas industry.

Help is at hand from industrial cyber security specialists, including DNV, for those companies who don’t have the in-house expertise to undertake this work themselves. They can help to identify which standards are most relevant to comply with, uncover companies’ compliance status, what outline what needs to be done to achieve compliance before helping to put mitigating actions in place.

For companies procuring products and systems from suppliers, we recommend that supply chain audits and vendor cyber security requirements are implemented during procurement, installation and operation of equipment, systems, and software. By defining requirements up front, and regularly reviewing suppliers against those requirements, understanding the supply chain’s cyber security posture becomes less of a black box. Vulnerabilities can be more easily identified. Mitigating actions can be undertaken more collaboratively. Assessments should be undertaken continually, rather than periodically, to ensure resilience against new and emerging cyber-attack vectors.

Tighter regulation on the horizon

Companies with industrial operations who have not yet put their own cyber security and that of their supply chain on their to-do list may be incentivised to do so by tightening regulation. For example, organisations providing essential services (including energy, drinking water supply, transport, healthcare and more) in the European Union (EU), will soon face tougher cyber security regulation than ever, with the threat of more and greater fines and/or withdrawal of license to operate if they do not comply.

The revised NIS2 Directive strengthens cyber security requirements on companies, introducing top management accountability for non-compliance and streamlining reporting obligations. Crucially, the Directive also puts more focus on cyber security of supply chains.

The NIS2 Directive suggests forcing individual businesses to address cyber security risks in supply chains and supplier partnerships to address the security of these ties. The idea is that it will improve supply-chain cyber security for important information and communication technology at the European level. Building on the successful strategy used in the framework of the European Commission’s Recommendation on Cybersecurity, Member States may conduct coordinated risk assessments of vital supply chains in collaboration with the Commission and the European Union Agency for Cybersecurity (ENISA).

The revised Directive on Security of Network and Information Systems (NIS2) to come into force in January 2023. Member States have until October 2024 to homologate NIS2 into national legislation and while it is estimated that organisations within NIS2 scope will have to start complying by mid-2024 with relevant national laws.

Organisations in industrial sectors should now think about NIS2's scope and if their operations fit within it. An organisation should consider the organisational, financial, and technical actions that will be necessary to get ready for NIS2 compliance if it looks likely that they will fall under the new legislation's purview. For instance, the European Commission anticipates that organisations' ICT security spending will increase by up to 22% in the first few years following the introduction of NIS2.

In-scope organisations should also monitor how NIS2 is implemented in the important EU jurisdictions where they conduct business.

If you think your organisation might fall under the scope of the NIS2 Directive, my advice is to get advice. DNV’s white paper on the Directive is a great starting point for identifying what new cyber security laws mean for industrial companies in Europe, and what you need to do to get ready to comply.

Jalal Bouhdada, Global Cyber Security Segment Director, DNV