The number of cyberattacks on industrial plants of all sizes has been increasing significantly for years. The risk extends across the entire supply chain. A recent study of 150 cybersecurity and IT professionals in medium-sized and large manufacturing companies showed that every second OT infrastructure is vulnerable to cyberattacks. Fifty-three per cent of respondents also said that their company had been affected by a cyberattack or other security incident that also involved OT networks in the past 12 to 24 months.
Modern supply chains have long been complicated, intertwined partner networks. And if one partner is compromised, it affects all partners in the supply chain. The effects of an attack on a first-tier supplier can be just as devastating as an attack on your systems: entire production lines can fail, which causes high costs, harms sales and damages the company’s reputation.
For years, attackers have used supply chain vulnerabilities as a stepping stone to infiltrate other companies. Perhaps some of you still remember the data breach at the US retailer Target almost ten years ago. There, attackers used stolen access credentials belonging to an air conditioning manufacturer to get into the Target network and move laterally—the result: millions of stolen customer records, including payment information.
A few years later came the NotPetya ransomware, another high-profile supply chain attack, which initially spread through infected software from a Ukrainian accounting firm. As it spread further, multinational companies were hit, and the total damage was estimated at 10 billion US dollars. The compromise of the SolarWinds Orion software and the SUNBURST backdoor gave attackers access to numerous companies and government agencies around the world. The full extent and effects of this attack cannot yet be determined.
Cybersecurity in the supply chain is now perceived as an essential issue by executives and security officers in (almost) all industries. Correspondingly, authorities, industry associations and regulators take measures to minimize the risk. As a vaccine for COVID-19 came within reach, IBM issued a warning of unknown threat actors targeting the supply chain for the COVID-19 vaccine.
The security experts pointed to the growing capabilities of attackers and to the urgency and severity of the supply chain risk, and urged organisations to reduce the risk to their OT environments. From July 2024, new cybersecurity regulations for the automotive industry will be compulsory for all new vehicles produced in the European Union. Accordingly, new cybersecurity standards are currently being developed to establish “cybersecurity by design” over the entire life cycle.
What Security Officers Can Do
Cyber risks in the supply chain are complicated and extend over the entire life cycle – from development through manufacture, distribution and storage to maintenance. The longer and more complex the life cycle, the more opportunities an attacker has to find and exploit a weak link in the chain. And since supply chains are often global and involve multiple tiers of suppliers, the responsibility for security does not rest with a single company. Every partner must be involved, which makes reducing cyber risks in the supply chain a particular challenge. That’s why executives shouldn’t just keep an eye on their own company when creating business continuity plans. They also need to keep an eye on the security measures of their immediate suppliers and on how those suppliers, in turn, manage and mitigate risk across their own extended network of suppliers. These five steps can help:
Communication And Evaluation: Managing this critical risk begins with defining internal responsibility for procurement and for reviewing the process reliability of each partner. The legal department, as well as technology and specialist department heads in all business areas, must be involved. Executives need reliable threat intelligence on supply chain attacks to make informed decisions about the risks to the business. Procurement and data security requirements must be communicated clearly and effectively to partners and stakeholders.
Detailed Operational Transparency: Dedicated industrial cybersecurity solutions can address OT-specific challenges, such as the lack of standardized technology, the use of proprietary protocols and a low tolerance for interruptions of critical processes. A platform that continuously monitors the OT network and detects threats there should connect to your company’s existing security infrastructure and also cover every access point shared with your supply chain partners, extending this visibility to all relevant partners.
Consistent Cybersecurity Standards: Keep up to date with new regulations (such as the planned IT Security Act 2.0) and standards, as well as new security advisories. Follow industry-specific recommendations and implement them quickly.
Raising Awareness: Because of the critical threat situation, many executives and board members have become aware of the need for effective industrial cybersecurity to ensure productivity, availability, reliability and safety. As a security officer, you should seize the moment to secure cross-functional and cross-departmental support for current and future industrial cybersecurity initiatives.
Collaborative Approach: Your supply chain is an integral part of your company’s ecosystem. That is why it must also be integrated into your security ecosystem and protected just as effectively as your “internal” systems. Cloud-based solutions simplify secure connectivity with critical partners in the supply chain. They can also improve security, be updated more efficiently, and add new features faster. In some industries, a cloud transformation is not yet feasible due to legal requirements. Even there, however, it is possible to set benchmarks and to exchange reports and findings on weak points and on the security level of each partner’s OT network with the partners in the supply chain.
We see that cybersecurity across the supply chain is a shared and challenging task that can only be tackled through collaboration. Fortunately, there are steps any individual company can take to reduce the risk. It is high time we took them, and quickly.