Third-party vendors and OEMs have a significant role to play in the overall risk exposure of an enterprise. In complex ICS environments with multiple OEMs and point solutions, it is easy to lose track of where hardware and applications came from.
This can lead to supply chain security issues: backdoors, unauthorized sharing of usage data, or a cyber incident that originates at a vendor and propagates into the plant.
It is therefore essential to address the security challenges linked to third-party vendors early, before the risks linked to them manifest.
What are the other benefits of deploying robust supply chain cybersecurity practices?
- Know which products are nearing their end of life
- Track and address component vulnerabilities
- Gain a better handle on the software code base
- Prevent misuse of bandwidth/application capability
- Isolate cyber incidents of interest faster and avoid having to shut down the infrastructure completely
- Reduce bloat and infrastructure blind spots
Compliance mandates/standards and supply chain security
The IEC 62443 series of standards references supply chain security both directly and indirectly. IEC 62443-4-1, for instance, calls for an inventory of components obtained from third-party suppliers.
It also calls for a process to identify and manage the security risks associated with those third-party components.
As per IEC 62443-2-4, service providers need to maintain a component inventory register for reference. The register should include asset serial numbers and details of the components associated with the service being provided.
Article 21(1) of the NIS2 Directive of the European Union requires Member States to ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of the network and information systems those entities use to provide their services.
Article 21(2) requires that these measures follow an all-hazards approach and lists the areas they must cover at a minimum; one of those areas is supply chain security, including the security-related aspects of the relationship between each entity and its direct suppliers or service providers.
There may be disagreement over what constitutes appropriate and proportionate measures, but the directive leaves no doubt that supply chain risks must be addressed, and entities should be prepared to show how they do so.
Beyond compliance mandates, the National Institute of Standards and Technology (NIST) describes cybersecurity principles that can be adopted to address supply chain security issues.
The principles most relevant to the OT security supply chain are:
- Develop your defenses on the assumption that your systems will be breached: plan how to widen the gap between an attacker and your key systems and data, and how to recover faster.
- Cybersecurity is never just a technology problem; it is a people, processes and knowledge problem (breaches tend to be about human error more than about technology failure).
- Security is security: there should be no gap between physical security and cyber security.
New Zealand’s National Cyber Security Centre (NCSC) has produced a guidance document for business leaders and cyber security professionals to better understand and manage the cyber risks in the supply chain.
The document identifies the following steps for enterprises and entities to improve their supply chain security practices:
- Understand how you manage your suppliers
- Understand your suppliers' security measures and processes
- Identify your critical services and assets
- Collaborate with suppliers on cybersecurity
- Systematically evaluate and review supplier security
- Determine the existing controls landscape
The UK's National Cyber Security Centre (NCSC) has also published supply chain security guidance built around 12 principles that help organizations establish effective oversight of their supply chain.
The principles for the OT security supply chain are arranged under four stages:
- Understand the risks
- The first three principles deal with information gathering.
- Establish control
- Gain and maintain control of your supply chain.
- Check your arrangements
- Gain confidence that the controls you have put in place over your supply chain are actually working.
- Continuous improvement
- As your supply chain evolves, there will be a need to continue improving and maintaining security.
OT Supply chain cybersecurity best practices recommended by Sectrio
- Run an ICS/OT cybersecurity program in collaboration with all component vendors.
- Establish a cybersecurity baseline based on the standards discussed above and have vendors adopt the requirements stipulated by the program
- The program should be co-owned by the vendors.
- The program should also extend to your ICS/OT cybersecurity vendors
- Distil best practices from all standards and implement them as part of this program
- Maintain a Bill of Materials (hardware and software) for every component purchase.
- Build the following into the original purchase negotiation:
- Inventory/asset management
- Change management
- Vulnerability management
- Clear identification of supply chain risks
- Deploy an ICS/OT cybersecurity governance policy. This policy should also cover procurement and asset onboarding
- Give the vendor a clearly delineated role in incident response
- Train your employees on supply chain management best practices
- Establish a patch management program in accordance with IEC 62443-2-3
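The Bill of Materials, vulnerability management and end-of-life items above can be checked automatically once every purchase ships with a machine-readable SBOM. The script below is an added example, not Sectrio's code nor any standard's reference implementation: it loads a CycloneDX-style SBOM, matches each component against an advisory list using version ranges, and flags components whose supplier-declared end-of-life date has passed. The SBOM, the supplier names, the advisory identifiers and the dates are all constructed for illustration and are hypothetical.

```python
"""Check an ICS cabinet SBOM against an advisory list and an end-of-life register.

Added example. All data here is constructed: suppliers, components, advisory
identifiers (EXAMPLE-ADV-*) and end-of-life dates are hypothetical.
"""
import json
from datetime import date

# Constructed CycloneDX-style SBOM for one cabinet (hypothetical data).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "firmware", "name": "plc-runtime", "version": "2.3.1",
     "supplier": {"name": "ExampleAutomation"}},
    {"type": "library", "name": "modbus-stack", "version": "1.8.0",
     "supplier": {"name": "ExampleLibs"}},
    {"type": "application", "name": "hmi-server", "version": "4.0.2",
     "supplier": {"name": "ExampleHMI"}}
  ]
}
"""

# Constructed advisory feed: identifiers and affected ranges are hypothetical.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "modbus-stack",
     "affected": ">=1.0.0,<1.9.0"},
    {"id": "EXAMPLE-ADV-0002", "component": "plc-runtime",
     "affected": ">=2.0.0,<2.3.0"},
]

# Constructed end-of-life register keyed by (supplier, component).
EOL_REGISTER = {
    ("ExampleHMI", "hmi-server"): date(2024, 6, 30),
    ("ExampleAutomation", "plc-runtime"): date(2027, 1, 1),
}


def parse_version(v):
    """Turn '1.8.0' into (1, 8, 0) so tuples compare numerically."""
    return tuple(int(p) for p in v.split("."))


def in_range(version, spec):
    """Evaluate a comma-separated range such as '>=1.0.0,<1.9.0'."""
    ver = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        # Two-character operators must be tested before their one-character prefixes.
        for op in (">=", "<=", "==", ">", "<"):
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported clause: {clause}")
        satisfied = {">=": ver >= bound, "<=": ver <= bound, "==": ver == bound,
                     ">": ver > bound, "<": ver < bound}[op]
        if not satisfied:
            return False
    return True


def load_components(sbom_text):
    """Extract (name, version, supplier) records from a CycloneDX JSON document."""
    bom = json.loads(sbom_text)
    return [
        {"name": c["name"], "version": c["version"],
         "supplier": c.get("supplier", {}).get("name", "unknown")}
        for c in bom["components"]
    ]


def match_advisories(components, advisories):
    """Return (component, version, advisory id) for every affected component."""
    findings = []
    for c in components:
        for adv in advisories:
            if adv["component"] == c["name"] and in_range(c["version"], adv["affected"]):
                findings.append((c["name"], c["version"], adv["id"]))
    return findings


def past_eol(components, register, today):
    """Return (component, version, eol date) for components already past end of life."""
    out = []
    for c in components:
        eol = register.get((c["supplier"], c["name"]))
        if eol is not None and eol < today:
            out.append((c["name"], c["version"], eol.isoformat()))
    return out


def build_report(sbom_text=SBOM_JSON, advisories=ADVISORIES,
                 register=EOL_REGISTER, today=date(2025, 1, 1)):
    """Summarize inventory size, affected components and end-of-life components."""
    comps = load_components(sbom_text)
    return {
        "components": len(comps),
        "vulnerable": match_advisories(comps, advisories),
        "past_eol": past_eol(comps, register, today),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

In a real program the advisory list would be pulled from the vendor's security advisories or a vulnerability database and the end-of-life register would be populated from the support commitments negotiated at purchase time; the matching logic stays the same. Note that the `today` parameter is fixed so the report is reproducible; pass `date.today()` for a live run.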
Interested in knowing how to reduce your supply chain risks in line with IEC 62443 and NIS2? Talk to us now for a free consulting session.
Conduct an IEC 62443/NIST-CSF based risk assessment and gap analysis now!
Learn more about our ICS/OT cybersecurity solution and its capabilities around asset inventory, vulnerability management, threat management, and compliance.
Thinking of an ICS security training program for your employees? Talk to us for a custom package.