Five steps to make your supply chain 'secure by design'

As supply chains become smarter and more connected, they are increasingly a soft target for cyber attackers. Supply chain cyber-attacks have risen by 78 per cent since 2018, and the risk of a successful attack grows when procured systems that are not ‘secure by design’ are integrated into existing infrastructure.

The Network and Information Systems Regulations 2018 (NISR), introduced last year, firmly place responsibility for the cyber security of supply chains with the Operators of Essential Services (OES). This is particularly the case where Industrial Control Systems (ICS), Operational Technology (OT) or other third-party services support or provide those essential services. Ensuring these systems and services are secure is a difficult task, and there is little published cyber security guidance to support organisations that procure and operate ICS/OT and related services.

The problem is compounded by traditional approaches to procurement. Security requirements are often insufficiently covered in contracts, or omitted altogether. Manufacturers rarely adopt a ‘secure by design’ approach because it increases costs and can put their products and services at a competitive disadvantage. Leaving security requirements out of procurement can result in vulnerable technologies being integrated into organisational infrastructure, which ultimately increases the risk of a cyber security attack.

Choose ‘secure by design’

So, with no common approach or model to adopt, how can organisations ensure the systems they procure are effectively secured to reduce the likelihood and risk of a successful cyber-attack?

Organisations must specify systems that are ‘secure by design’. And those responsible for the procurement of such systems should develop, implement and articulate clear cyber security requirements to be adhered to in procurement processes and contracts.

Five steps to ‘secure by design’ supply chains

There are five key steps to make the move to a ‘secure by design’ approach:

  • understand the criticality of the systems being procured and the environment in which they’ll operate. Some systems may be mission or safety critical and will require extra security controls to lower the risk of a cyber-attack
  • develop a robust understanding of the potential threats facing those systems and how they might be compromised during a cyber-attack. This informs the selection of security controls that lower the risk of a successful attack (such as system hardening or secure remote connectivity)
  • develop clear cyber security requirements and guidance statements for inclusion in procurement contracts, so that delivered systems meet the identified cyber security standards and specifications
  • obtain assurance throughout the procurement lifecycle that systems meet the security requirements. This can be achieved through security testing or configuration reviews during factory or site acceptance testing (FAT/SAT)
  • establish effective supply chain risk management processes and carry out ongoing assurance of suppliers and the services they provide, to confirm they’re meeting their contractual obligations.
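The fourth step, checking a delivered system against the contracted security requirements during FAT/SAT, is easy to make repeatable: write each requirement statement as a check and run every check against the device's exported configuration. The following is an added example and is not code from the original article or from the guidance it describes. The configuration export format, the requirement identifiers (SR-01 and so on) and the checks themselves are constructed for illustration; a real review would map checks to the buyer's own requirement statements.

```python
"""Configuration review for acceptance testing: each contractual security
requirement is expressed as a check over a key=value configuration export.
Everything here (format, requirement IDs, sample device config) is constructed
for illustration and is not taken from any standard or real product."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample: a configuration export from a hypothetical OT controller,
# as a supplier might provide it at factory acceptance testing.
SAMPLE_CONFIG = """\
# plc-01 running configuration (constructed sample)
hostname=plc-01
telnet.enabled=true
ssh.enabled=true
ssh.protocol_version=2
web.https_only=false
auth.default_password_changed=false
auth.password_min_length=6
logging.syslog_server=10.0.5.20
firmware.signed_updates_only=true
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            config[key.strip()] = value.strip()
    return config


@dataclass(frozen=True)
class Requirement:
    ident: str       # identifier used in the procurement contract (hypothetical)
    statement: str   # the requirement as written in the contract
    check: Callable[[Dict[str, str]], bool]


def _int_or_zero(value: str) -> int:
    """Treat a missing or non-numeric setting as 0 so the check fails closed."""
    try:
        return int(value)
    except ValueError:
        return 0


# A setting that is absent from the export does NOT satisfy a requirement:
# every check demands an explicit, correct value (fail closed).
REQUIREMENTS: List[Requirement] = [
    Requirement("SR-01", "Clear-text management protocols (telnet) are disabled",
                lambda c: c.get("telnet.enabled") == "false"),
    Requirement("SR-02", "Remote administration uses SSH protocol version 2 only",
                lambda c: c.get("ssh.enabled") == "true"
                and c.get("ssh.protocol_version") == "2"),
    Requirement("SR-03", "Web management is served over HTTPS only",
                lambda c: c.get("web.https_only") == "true"),
    Requirement("SR-04", "Factory default credentials have been changed",
                lambda c: c.get("auth.default_password_changed") == "true"),
    Requirement("SR-05", "Minimum password length is at least 12 characters",
                lambda c: _int_or_zero(c.get("auth.password_min_length", "")) >= 12),
    Requirement("SR-06", "Security events are forwarded to a central syslog server",
                lambda c: bool(c.get("logging.syslog_server"))),
    Requirement("SR-07", "Only cryptographically signed firmware updates are accepted",
                lambda c: c.get("firmware.signed_updates_only") == "true"),
]


def review(config_text: str) -> List[Tuple[str, str, bool]]:
    """Run every requirement check; returns (ident, statement, passed) per requirement."""
    config = parse_config(config_text)
    return [(r.ident, r.statement, r.check(config)) for r in REQUIREMENTS]


def failed_requirements(config_text: str) -> List[str]:
    """Identifiers of requirements the configuration does not meet, sorted."""
    return sorted(ident for ident, _, passed in review(config_text) if not passed)


def print_report(config_text: str) -> None:
    """Human-readable FAT/SAT report for the acceptance record."""
    for ident, statement, passed in review(config_text):
        print(f"{'PASS' if passed else 'FAIL'}  {ident}  {statement}")


if __name__ == "__main__":
    print_report(SAMPLE_CONFIG)
```

Running the block against the constructed sample reports failures for SR-01, SR-03, SR-04 and SR-05: telnet left enabled, HTTP management allowed, default credentials unchanged and a weak password policy. Those are exactly the findings a buyer wants in writing before the system leaves the factory, rather than after it has been connected to the plant network. Because the checks fail closed when a setting is missing, an export that simply omits a control cannot pass by accident.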

We applied this approach in our work with the UK’s Department for Business, Energy & Industrial Strategy (DBEIS) and the Energy Networks Association (ENA) to develop guidance on enhancing cyber resilience in supply chains and procurement processes.

While the guidance is focussed on Energy Delivery Systems (EDS), it can and should be adopted to benefit any organisation that procures and operates ICS and OT systems within their infrastructure. It’s important that OES and operators of ICS and OT understand the extent of the impact that procuring and integrating insecure technologies can have on their organisation.

Taking a ‘secure by design’ approach will ultimately reduce the likelihood of a successful cyber security attack on your infrastructure, leading to more resilient business output and minimised impact should a security incident occur.

There are additional benefits. The increased standardisation the approach brings can reduce operational management and maintenance effort, and with it overall operating costs. Standardisation across systems also makes it possible to recognise and react to suspicious activity more quickly and accurately, with fewer false positives, because technology and processes are consistent.

Lastly, the widespread adoption of cyber security procurement guidance may encourage manufacturers and suppliers to develop their systems to be ‘secure by design’ and ultimately defeat one of the main challenges faced by industry.

While many organisations struggle to find the time and expertise to develop secure supply chain and procurement processes, they can reap the rewards of innovation with minimal risk by taking a ‘secure by design’ approach to procurement.


Contact the digital trust and cyber security team: Adam Stringer, Cate Pye, Elliot Rose, Justin Lowe
