New research from DNV found that half of critical infrastructure organizations do not have a clear picture of their supply chain, making them vulnerable to the rising tide of cyber-attacks. Only about 53 percent of professionals working in these organizations are confident that their organization has full visibility of the cybersecurity vulnerabilities that their supply chain exposes to their business, which heightens the risk of cyber-attacks through connected networks, components, software, and third-party service providers.

This situation comes as over a third (36 percent) believe cyber-attackers may have infiltrated their supply chain without suppliers reporting it, according to a survey of more than 1,150 professionals across critical infrastructure industries, including energy, maritime, manufacturing, and healthcare. Additionally, regulation is tightening to combat the rapidly growing supply chain cybersecurity threat, and organizations must strengthen their capabilities to ensure resilience.  

Supply chains are an attractive target for cyber-attacks because they provide a potential single entry point to multiple organizations and systems, including critical infrastructure organizations. Adversaries are constantly changing their approach and developing more sophisticated tactics. Three-quarters (76 percent) of professionals believe their organization’s cybersecurity training is not advanced enough to prepare employees for more sophisticated threats.

“You can’t secure what you don’t know. Organizations need to better understand the vulnerabilities in their supply chains, employing approaches that provide greater oversight of suppliers,” Auke Huistra, director of industrial and OT cybersecurity at DNV Cyber, said in a media statement this week. “To strengthen supply chain security, they should better address cybersecurity requirements in procurement and supplier contracts, increase focus on security in the design of processes and assets, and involve cyber teams earlier in projects. Ongoing testing and detect and response capabilities are essential to identify and reduce the impact of breaches from the supply chain.”

DNV stated that the security of supply chains is one of several areas for improvement. In addition to securing supply chains, DNV Cyber’s Cyber Priority research finds that critical infrastructure industries should strengthen OT (operational technology) security, improve employee vigilance, build a cyber culture, and accelerate the use of AI in cybersecurity.  

The DNV Cyber research noted that organizations operating critical infrastructure are investing more in cybersecurity and taking steps to secure IT and OT, the systems that monitor and control physical devices, processes, and infrastructure. “But this could make little difference if the cybersecurity of an organization’s supply chain is not similarly strengthened,” warns DNV Cyber in the research.

Additionally, cyber-physical attacks are a growing concern, in which attacks on digital technologies directly impact the ‘real world’ of physical assets and operations. Some 60 percent of critical infrastructure professionals are confident that their organization can build cybersecurity obligations into new contracts with suppliers, while 70 percent say their organization incorporates cybersecurity in the early phases of new infrastructure projects. 

Huistra recognized that vendors and suppliers can be game changers in enhancing security. It is important that asset owners set requirements for suppliers based on their company’s risk profile and regulation but also check on the actual implementation of those requirements. Cooperation along the supply chain is crucial, including information sharing about vulnerabilities and incidents.

DNV recognized that stricter regulations are a timely and effective response to threats in supply chains. According to the Cyber Priority research, regulation is the primary catalyst for investment in cybersecurity within critical infrastructure industries. It is also one of the most effective means to enhance cyber resilience and mitigate supply chain risks. 

“Governments are tightening regulation. The EU Network and Information Systems Directive 2 (NIS2), for example, addresses risk from supply chains and supplier relationships,” the post detailed. “The EU Cyber Resilience Act (CRA) requires suppliers of everything with a smart element in it (including industrial IoT products) to meet enhanced cybersecurity standards, impacting design, development, and deployment processes.” 

Regulation at the industry level is also making a difference. In the maritime industry, the International Association of Classification Societies’ (IACS) unified requirements (IACS UR-E26 and UR-E27) have set mandatory cybersecurity requirements for new vessels contracted after 1 July 2024 and for on-board systems and equipment. This has given an enormous push to the implementation of cybersecurity controls by yards, designers, original equipment manufacturers, and owners during vessel design and operation.

The DNV research noted that collaboration is key to strengthening cybersecurity. Companies should stay ahead of regulation to ensure resilience against evolving threats. Collaborative examples include joint efforts like the development of the IEC 62443 standards that address security for operational technology in industrial control systems and the creation of recommended practices for cyber resilience in the maritime and energy industries. There is strong support for such an approach, as 93 percent of critical infrastructure professionals agree there should be more collaboration to ensure aligned approaches to cybersecurity. 

There are several relevant cybersecurity standards, but to make them easy to implement, it is important to have good practices for each industry sector, which make clear what is expected from all parties in the supply chain.  

One example is a Joint Industry Project launched by DNV and Siemens Energy to address cyber threats in the offshore wind sector and establish common practice. Companies from across the supply chain have committed to joining, and collaboration is key because critical assets are heavily dependent on their suppliers.

In January, DNV reported that growing attention is being paid to OT cybersecurity – securing the systems that manage, monitor, and automate physical assets – as two-thirds (67 percent) expect greater OT security investment in the year ahead. As the energy industry progresses in its cybersecurity maturity, the DNV report notes that it must continuously refine and adapt its strategies to remain resilient against a growing array of sophisticated threats. Despite advancements, challenges persist as the energy transition introduces new vulnerabilities and threat actors become increasingly sophisticated.
