Supply chain security: Secure data exchange with suppliers, partners and customers
Companies are usually networked in many ways and exchange data far beyond their own systems, with suppliers, customers, authorities and partner companies. The integrity of this entire supply chain is crucial for corporate security.
If a cyber-attack hits even one link in this chain, it can have devastating effects on all networked systems. This may be collateral damage, but it may also be a targeted attack that uses a less protected company as a stepping stone to the actual target system.
The number of such attacks is constantly increasing. Risks in the supply chain are therefore classified as particularly important in the new NIS2 directive. [1] But it is not only the companies directly covered by the directive that can and should address cyber security in the supply chain and implement basic strategies and measures.
Secure supply chains: Dependencies affect every organisation
Regardless of whether you are a small, medium-sized or large company, and whether you provide IT services or use them yourself: the ability to communicate digitally and to provide basic services almost always affects one’s own business. Understanding the structure of these dependencies is therefore a very important strategic element in securing one’s own business.
Of course, the possible effects and scenarios vary depending on the size of the company, and not every company is obliged to deal with this issue. But even in one’s own interest of minimising risk, it makes sense to undertake these preparations. A further advantage lies in a security-oriented corporate culture, which, if established well from the beginning, scales more easily and does not have to be laboriously built up at a later stage.
ENISA report: “Good Practices for Supply Chain Cybersecurity”
The European Cyber Security Agency (ENISA) published a study on the status and implementation of secure supply chains in June 2023. Unsurprisingly, it shows that large companies have an advantage over smaller organisations. In terms of the level of detailed implementation, the banking sector leads the way.
Although there is a general understanding of the need to secure supply chains in companies, there is still considerable room for improvement in the planning and implementation of measures. [2] Third-party risk management is therefore on the agenda of many organisations.
Often deficits in inventory and vulnerability management
The ENISA study reveals that many companies do not yet have complete asset management. There are often gaps in the documentation of the systems and services used. This results in a need for action in the detection of security gaps and the regular updating of systems.
However, it is precisely these simple activities such as patching and updating that contribute immensely to avoiding security problems in the first place. Comprehensive asset management therefore often has considerable potential to improve the overall level of security.
Recommendations on strategies for secure supply chains
According to the ENISA study, companies mainly lack a strategic approach to managing their supplier relationships, quality assessment and vulnerability management. It is recommended that all cybersecurity dependencies in the ICT/OT supply chain be continuously reviewed and assessed in terms of the risks they pose to the company’s own cyber supply chain.
Similarly, the NIS2 directive also calls for a risk-based approach considering the following four aspects:
- risk assessment of the ICT/OT supply chain, including the structure of dependencies and considering both one’s own risks and those for end customers
- management of supplier relationships, including definition of requirements, guidelines, performance monitoring and change management
- handling of vulnerabilities in products and components, including asset management, vulnerability monitoring, patching and maintenance guidelines
- quality of products and cybersecurity practices of suppliers and service providers, including secure infrastructure and processes, technical measures, transparency along the supply chain and quality assessment
With good practices and references to existing standards, ENISA provides concrete recommendations for action and targets in these four areas – both for companies that want to optimise their supply chain security and for suppliers and service providers. The basis should always be a documented and communicated strategy that fits the company and supports an efficient and targeted approach. Plan the necessary resources (personnel, budget) at an early stage and recognise that achieving secure supply chains is not a one-off project but a continuous process.
Despite best practices for creating secure supply chains, it is not possible to eliminate all risks. Therefore, the goal of OT security is also to strengthen operational resilience and to detect anomalies, disruptions or attacks as early and accurately as possible. In this way, you can react quickly and in a targeted manner and prevent or mitigate the impact of incidents.
Sources:
[1] https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32022L2555&qid=1674579731975&from=EN
[2] https://www.enisa.europa.eu/publications/good-practices-for-supply-chain-cybersecurity