As supply chains become smarter and more connected, they’re increasingly becoming a soft target for cyber attackers. Supply chain cyber-attacks have risen by 78 per cent since 2018. And the risk of a successful cyber security attack increases when procured systems that aren’t ‘secure by design’ are integrated into existing infrastructure.
Last year’s introduction of the Network and Information System Regulation 2018 (NISR) firmly sets the responsibility for the cyber security of supply chains with the Operators of Essential Services (OES). This is particularly the case where Industrial Control Systems (ICS), Operational Technology (OT) or other third-party services support or provide those essential services. Ensuring these systems and services are secure is a difficult task and there is a lack of published cyber security guidance available to support organisations that procure and operate ICS/OT and related services.
The problem is compounded by traditional approaches to procurement. Often, security requirements are insufficiently covered in contracts or omitted altogether. Manufacturers rarely employ a ‘secure by design’ approach, as this increases costs and can put their products and services at a competitive disadvantage. Not including security requirements in procurement can result in vulnerable technologies becoming integrated into organisational infrastructure, which ultimately increases the risk of a cyber security attack.
Choose ‘secure by design’
So, with no common approach or model to adopt, how can organisations ensure the systems they procure are effectively secured to reduce the likelihood and risk of a successful cyber-attack?
Organisations must specify systems that are ‘secure by design’. And those responsible for the procurement of such systems should develop, implement and articulate clear cyber security requirements to be adhered to in procurement processes and contracts.
Five steps to ‘secure by design’ supply chains
There are five key steps to make the move to a ‘secure by design’ approach:
We applied this approach to our work with the UK’s Department of Business, Energy & Industrial Strategy (DBEIS) and the Energy Networks Association (ENA), to develop guidance on enhancing cyber resilience in supply chains and procurement processes.
While the guidance is focussed on Energy Delivery Systems (EDS), it can and should be adopted to benefit any organisation that procures and operates ICS and OT systems within their infrastructure. It’s important that OES and operators of ICS and OT understand the extent of the impact that procuring and integrating insecure technologies can have on their organisation.
Taking a ‘secure by design’ approach will ultimately reduce the likelihood of a successful cyber security attack on your infrastructure, leading to more resilient business output and minimised impact should a security incident occur.
There are additional benefits. The increased standardisation the approach brings can reduce operational management, maintenance efforts and overall operating costs and overheads. Standardisation across systems also makes it possible to recognise and react to suspicious activity more quickly and accurately, with fewer false positives because technology and processes are consistent.
Lastly, the widespread adoption of cyber security procurement guidance may encourage manufacturers and suppliers to develop their systems to be ‘secure by design’ and ultimately defeat one of the main challenges faced by industry.
While many organisations struggle to find the time and expertise to develop secure supply chain and procurement processes, they can reap the rewards of innovation with minimal risk by taking a ‘secure by design’ approach to procurement.