With increasing IT/OT convergence, supply chain security is emerging as a highly complex and evolving function for critical infrastructure protection. As the two environments are digitally transformed, they become more connected and more vulnerable to both traditional and sophisticated cyber attacks.
Identifying, assessing, and mitigating cyber supply chain security risks is critical to ensuring business resilience, Dr. Tim Nedyalkov, cybersecurity manager of infrastructure for the Middle East region at SNC-Lavalin, said at the Critical Security for Critical Assets World (CS4CA) 2021 virtual event. The conference brought together senior professionals from the oil and gas, energy, renewables, chemical, utilities, mining, water, power and maritime industries, in addition to academics and government representatives, and was organized by QG Media.
Challenges that affect supply chain security include the fact that threats to supply chains are complex and difficult to detect, Nedyalkov said. Vulnerabilities in supply chains for commercial products and critical infrastructure are a national security issue, and some threats are “baked in” to many critical systems and commercial products via software and hardware supply chains. Current supply chain risk management and mitigation efforts are insufficient to meet the increasing threats, and there is a misunderstanding of specific threats and a poor choice of protection options, he added.
The reality is that digital is here to stay, and critical infrastructure is not an exception to this growing trend, according to Nedyalkov. Recent developments reveal a growing number of OT systems connected to the internet, and IT and OT networks have become integrated, with no separation between OT and IT architectures, driven by the increase in data, connectivity, complexity and costs. Connectivity has also brought about an expanding ecosystem of OT vendors, with a growing number of vendors entering the OT space, he added.
The convergence between IT and OT networks makes the protection of critical infrastructure very difficult, Nedyalkov observed. Corporate headquarters want to have visibility of the systems in the factories and the processes around them. He added that many new systems utilize cloud-based services for data analytics, predictive maintenance and other features that require external connectivity.
“The threats that normally impact IT can move between cyber and physical environments; with no separation of IT and OT networks, the risks of major cybersecurity attacks significantly increase,” Nedyalkov said.
The landscape gets further complicated as organizations rely on many suppliers to support their critical functions, he pointed out. This trend has accelerated over the years and is expected to continue in the same direction. Globalization, outsourcing, digitalization and, most recently, the global pandemic have all contributed to it.
Suppliers have their own sub-contractors, who in turn have their own suppliers, creating an extended supply chain and an entire supply chain ecosystem. As a result, there is reduced visibility, a lack of understanding and little or no control over critical suppliers and their operational practices, Nedyalkov said.
The reality is that “organizations can no longer protect themselves alone by simply securing their own infrastructures since their perimeter is no longer representative of the entire vulnerability surface,” according to Nedyalkov.
Supply chain security can be enhanced by using master requirements lists and service level agreements (SLAs), and by carrying out third-party assessments, site visits and formal certification, Nedyalkov said. It can also be boosted by executing incident response, business continuity and disaster recovery plans together with suppliers, in addition to putting in place protocols for communication with external stakeholders, he added.
“Knowing the environment and understanding the supply chain risks, managing, controlling and monitoring are the key principles that, when regularly performed, can significantly improve the supply chain security of critical infrastructure,” Nedyalkov concluded.