Tighter regulation makes industrial supply-chain cyber security even more important

• Businesses with industrial operations are investing more in cyber security as risks rise
• Stronger industrial supply-chain cyber security is also needed
• Tighter regulation may drive industrial companies to act on supply-chain cyber security
• DNV white paper advises on preparing for relevant new EU law on cyber security

Cyber threats to industrial facilities such a power grids and fuel pipelines are becoming more common, complex, and creative as operational technology (OT) – the systems that manage, monitor, automate and control industrial operations – increasingly networks and connects to IT environments. Manufacturing was the most cyber-attacked industry in 2022, according to IBM’s 2023 X-Force Threat Intelligence Index. Other industrial sectors, including energy and transport also appear within the Index’s Top 10.

With life, property, and the environment at stake, cyber security risks in industrial operations are now business risks. Company boards and C-suites are also recognizing that cyber security is vital to digitalization and automation.

However, most OT security professionals say their organizations are at risk because they do not know the security practices of relevant third parties and cannot mitigate cyber risk across the OT external supply chain, according to research conducted by Applied Risk, a DNV company, in 2021.

“Industrial companies are investing more in cyber security, stepping up efforts to identify cyber vulnerabilities, and taking steps to defend IT/OT environments. But it will make no difference if the cyber security of industrial supply chains is not similarly strengthened,” said Anette Roll Richardsen, Director of Cyber Security business in Norway, DNV. “The supply chain is an attractive target for cyber-attacks because it potentially provides a single-entry point to multiple companies’ environments.”

Supply-chain security challenges

Many suppliers and manufacturers of equipment integrated within OT systems lack the people, processes, and technologies to demonstrate the cyber security of their products and services. Once standalone, vendors’ systems are now increasingly connected within IT/OT systems internally and externally in much larger critical infrastructure ecosystems.

Having the right people, processes, and technologies in place to oversee supply chain security is equally challenging for operators. Only a third of OT security professionals report their organizations conducting regular audits of main suppliers, and just a quarter (27%) do due diligence on new suppliers, according to Applied Risk’s study.

Identifying cyber vulnerabilities

The overarching principle for mitigating cyber risk to assets and operations can be summed up thus: Protect, Detect, Respond and Recover.

This aligns with best practice including the (US) National Institute of Standards and Technology’s (NIST) cyber security framework.

For many organizations, however, the challenge is understanding and identifying their vulnerabilities. A clear overview of attack surfaces and potential entry points is needed for operators to prioritize which vulnerabilities and non-conformities must be addressed. Robust and frequently straightforward mitigation measures are available for most vulnerabilities.

Demonstrating supplier cyber security

To demonstrate security posture to customers, it benefits suppliers to be able to prove they conform to industry standards and practices. Examples include the IEC 62443 international series of standards covering cyber security for OT in automation and control systems, and the ISO 27001 standard for information security management systems and their requirements.

Recommended practices can help towards compliance. For example, DNV Recommended Practice DNV-RP-G108 provides best practice on how to apply IEC 62443 in the oil and gas industry.

Companies lacking in-house expertise can turn to industrial cyber security specialists such as DNV. External experts can advise on which standards to comply with and how to assess compliance status, achieve compliance, and implement mitigating actions.

“For companies sourcing from suppliers, we recommend implementing supply-chain audits and vendor cyber security requirements during procurement, installation, and operation of equipment, systems, and software,” said Roll Richardsen. “By defining requirements up front, and regularly reviewing suppliers against those requirements, understanding the supply chain’s cyber security posture becomes less of a black box.”

These strategies mean vulnerabilities can more easily be identified, she added: “Mitigating actions can be undertaken more collaboratively. Assessments should be undertaken continually, rather than periodically, to ensure resilience against new and emerging cyber-attack vectors.”

Tighter regulation is coming

Tightening regulation may prompt industrial companies to act on their own and/or supply-chain cyber security. For example, organizations providing essential services in the EU will soon face tougher cyber security regulation based on the revised Directive on Security of Network and Information Systems.

Known simply as NIS2, the revised Directive brings the threat of more and greater fines and/or withdrawal of license to operate if companies within its scope fail to comply. Sectors within scope include, among others, energy, drinking water supply, transport, and healthcare.

NIS2 strengthens cyber security requirements, introduces top management accountability for non-compliance, and streamlines reporting obligations (Figure 1). It suggests forcing individual businesses to address supply-chain cyber security risks, and for supplier partnerships to address the security of these links.

Building on a successful strategy used in the framework of the European Commission’s Recommendation on Cybersecurity, EU Member States may conduct coordinated risk assessments of vital supply chains in collaboration with the Commission and the European Union Agency for Cybersecurity (ENISA).

The clock is ticking on NIS2 compliance. The revised Directive entered into force in January 2023. Member States must homologate it into national laws by October 2024, and it is likely that organizations within scope will need to start complying with these by mid-2024.

A rapid learning curve looms for some, judging from a poll at a DNV webinar when a fifth (21%) of some 350 respondents said they had either a moderate or advanced familiarity with NIS2. Respondents were from the energy and transport sectors and their supply chains.

A third (34%) said implementing NIS2 was impacting positively on allocation of cyber security resources in their organizations. The European Commission anticipates that organizations’ ICT security spending will increase by up to 22% in the first few years following introduction of NIS2.

How to comply with NIS2

Organizations in industrial sectors are being advised to think now about the likelihood of falling within NIS2 scope. If so, they will need to consider organizational, financial, and technical actions to prepare for compliance. In-scope organizations are also being advised to monitor how NIS2 is implemented in all important EU jurisdictions where they conduct business.

“Advice is available if you think you may fall within NIS2 scope. DNV’s NIS2 white paper is a starting point for identifying what the new cyber security laws will mean for industrial companies in Europe, and how they can prepare to comply,” said Anette Roll Richardsen.

She concluded: “Scoping is key. Start as early as possible. There are plenty of resources and best practices to adopt across IT/OT. But remember that there will be no compliance without security. Hence, NIS2 can be regarded as an opportunity to review and ensure your cyber security as a platform for doing more and better business in the future whether you are an operator or supplier.”

Download DNV white paper NIS2 Directive: From Risk to Opportunity