Supply chain blind spots expose the energy sector’s new cybersecurity risks

Energy is one of the top three industries to report cyberattacks and it faces specific challenges. Companies in the sector have been tackling IT security for several decades. But securing operational technology (OT) – the computer and communication systems that manage, monitor and control industrial operations – has become a newer and increasingly pressing challenge for the sector. As OT becomes increasingly networked and connected to IT systems, cybercriminals can more easily access control systems operating critical infrastructure.

The Cyber Priority, a study of 940 energy industry professionals published by DNV in May 2022, found that industry leaders anticipate cyber attacks on the sector that compromise life, property and the environment over the next two years.

Businesses in the industry are waking up to the most common, complex and creative cybersecurity risks the industry now faces. Two-thirds (67%) of energy professionals agree that the shock of recent cyberattacks on the sector – such as the breach that caused the shutdown of the American company Colonial Pipeline in April 2021 – prompted their company to make major changes to their security strategy and systems. And three-quarters (74%) believe that cybersecurity is a significantly higher priority for their organization today than it was two years ago.

Revealing supply chain cyber vulnerability

While many organizations are investing more in identifying where they are vulnerable to attack, as well as putting in place human, process, and technological measures to defend their environments, DNV research found that blind spots emerge when it comes to companies’ oversight of cybersecurity in their supply chains.

Only 28% of energy professionals working in OT say their company makes cybersecurity of their supply chain a high investment priority. This contrasts with the 45% of respondents operating in OT who say spending on IT system upgrades is a high investment priority. At the same time, only 12% of people working in companies operating in OT rank supplier and vendor monitoring among their top areas of maturity. The percentage is slightly higher (13%) for all companies in the sector, and much lower (8%) in the oil and gas sector.

Energy companies may have full oversight of their own vulnerabilities and have all the right measures in place to manage the risk, but it won’t make a difference if there are undiscovered vulnerabilities in their supply chain. The danger is that equipment vendors and manufacturers lack the people, processes, or technology to secure their products and services. As a result, energy operators could be unaware of the vulnerabilities to which they are exposed.

Companies must invest in the security of their suppliers. The security of technology platforms can be compromised if there are vulnerabilities elsewhere in the supply chain and if cybersecurity has not been sufficiently considered in contracts with suppliers and subcontractors.

The widely reported Log4Shell vulnerability affecting the popular Java programming language is a stark example of a supply chain risk. First disclosed in December 2021, this vulnerability was discovered in a tool used in cloud servers and enterprise software globally and was present in both IT and OT. Hackers could exploit it without the need for authentication or special server access privileges.

Companies across many industries have been rushing to install official patches and use alternative workarounds for the Log4Shell issue and to protect their IT/OT environments. But it is likely that many have been much slower to make sure that their equipment and system suppliers are secure.
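The practical form of the supply-chain blind spot described above is not knowing which supplier-delivered components carry an affected library version. The following added example (not code from the article or from DNV) shows the check an operator can run over a software bill of materials: it parses a constructed CycloneDX-style SBOM, compares each component's version against an advisory's affected range (handling pre-release tags such as `2.0-beta9`), and groups the findings by supplier. The SBOM contents, supplier names, the advisory identifier and the version range are all assumptions constructed for the example; real ranges must be taken from the relevant vendor or NVD advisory.

```python
"""Match a CycloneDX-style SBOM against advisory version ranges, grouped by supplier."""
import json
import re

# Constructed sample SBOM in CycloneDX JSON shape; suppliers and versions are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "Example HMI Vendor A (constructed)"}},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "supplier": {"name": "Example Historian Vendor B (constructed)"}},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9",
         "supplier": {"name": "Example Gateway Vendor C (constructed)"}},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0",
         "supplier": {"name": "Example Gateway Vendor C (constructed)"}},
    ],
})

# Assumed advisory data. The id is a placeholder and the inclusive range is illustrative:
# take the real affected range from the vendor/NVD advisory, never from memory.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-LOG4SHELL",
     "group": "org.apache.logging.log4j", "name": "log4j-core",
     "ranges": [("2.0-beta9", "2.14.1")]},
]

# numeric part, then an optional pre-release tag such as -beta9 / .rc1 / -alpha
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d*))?$")


def parse_version(version: str):
    """Return a sortable key; pre-releases sort before the final release of the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad so that 2.0 == 2.0.0
    tag, tagnum = m.group(2), m.group(3)
    if tag is None:
        return (nums, 1, "", 0)            # final release
    return (nums, 0, tag.lower(), int(tagnum) if tagnum else 0)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test on parsed version keys."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def find_affected(sbom_json: str, advisories):
    """Return one finding per SBOM component whose version falls in an advisory range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("group") != adv["group"] or comp.get("name") != adv["name"]:
                continue
            for low, high in adv["ranges"]:
                if in_range(comp["version"], low, high):
                    findings.append({
                        "supplier": comp.get("supplier", {}).get("name", "unknown supplier"),
                        "component": f"{comp['group']}:{comp['name']}",
                        "version": comp["version"],
                        "advisory": adv["id"],
                    })
                    break  # one finding per component per advisory is enough
    return findings


def summarize_by_supplier(findings):
    """Group findings by supplier so the follow-up question goes to the right vendor."""
    summary = {}
    for f in findings:
        summary.setdefault(f["supplier"], []).append(
            f"{f['component']}@{f['version']} ({f['advisory']})")
    return summary


if __name__ == "__main__":
    for supplier, items in summarize_by_supplier(find_affected(SAMPLE_SBOM, ADVISORIES)).items():
        print(supplier)
        for item in items:
            print("   ", item)
```

Components with no supplier field are reported as "unknown supplier", which is itself a useful finding: an SBOM entry nobody is accountable for is exactly the kind of gap the survey numbers above describe.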

The challenge of identifying cyber risks in complex supply chains

It can be extremely difficult for companies with complex supply chains to confidently assess the cyber vulnerabilities of equipment manufactured, sold and installed by third-party vendors. The challenge is often a lack of transparency about cybersecurity.

Achieving transparency can be difficult because many vendors and manufacturers of equipment integrated into OT systems simply lack the people, processes, and technology to demonstrate the cybersecurity of their products and services.

Small vendor systems used to be stand-alone. Today, they are increasingly connected within internally and externally networked IT/OT systems, whose elements come from large and fragmented supply chains. This complexity and connectivity make it harder for energy operators and their engineering, procurement and construction (EPC) contractors to exercise cyber risk oversight.

Supply chain audits and supplier security requirements

Many energy companies apply standards and recommended practices to ensure cybersecurity when implementing OT/IT systems individually and in combination. For example, Recommended Practice DNV-RP-G108 “Cyber Security in the Oil and Gas Industry Based on IEC 62443” provides best practices on how to apply the IEC international standard to the oil and gas industry.

However, companies’ assessment of cyber risks will be inaccurate if the hardware and software vendors themselves do not have a complete picture of the cyber vulnerabilities of what they supply. An accurate cyber risk assessment is necessary to write adequate cybersecurity requirements in contracts with suppliers and contractors.

Cybersecurity concerns raised by DNV’s findings on supply chain visibility highlight the need for supply chain audits and supplier security requirements. For energy companies, getting a full picture of internal and external risks therefore involves assessing cybersecurity service providers and the cyber risk of other product and service providers. Suppliers must also assess their own cybersecurity risks to their customers.

Evaluation of cybersecurity services and other providers

Cybersecurity legislation and industry standards are struggling to keep pace with evolving cyber threats. Regulations and best practices can change quickly across and within geographic boundaries, jurisdictions and even industries. This changing landscape and the lack of common regulations and standards make it difficult for companies to purchase the right cybersecurity products and solutions.

Trond Solberg

Because it is difficult to assess capabilities and commitments on a comparable basis, energy companies need internal or external experts who can anticipate and monitor what is happening. To address cyber vulnerabilities that arise across the gap between OT and IT, cybersecurity leaders must have a comprehensive understanding of IT, engineering and HSEQ (health, safety, environment and quality) in the organization and the specific industry.

Some of the same issues apply when evaluating other types of vendors. DNV has gained in-depth knowledge of these through its long experience in providing domain-specific cybersecurity verification services for third-party vendor components in energy infrastructure. This involved simulating cyberattacks on industrial and IT systems to assess vulnerabilities that could give hackers unauthorized and potentially malicious access to control system networks.

This analysis identified key questions for companies in the energy sector: how can you trust the cybersecurity provisions of another company that operates infrastructure, equipment and systems for you? How can you be sure that the cyber risks of the components are acceptable? For example, how can you validate supplier claims using recognized standards and recommended practices? What is the overall cyber risk exposure of OT/IT? Is this risk acceptable, and have you or your contractors/suppliers done everything possible to mitigate it?

Assessing vendors’ own cybersecurity risks to customers

Vendors need to protect themselves and their customers. For example, they need to know what cybersecurity measures they must comply with when bidding or contracting.

Vendors need to know whether they can comply with the terms and conditions agreed with customers, whether they actually do, and if not, what they are doing about it. Otherwise, a vendor could be exposed to unlimited liability. Also ask what your approach to cybersecurity as a supplier says to existing and potential customers. What does it say about your cyber vulnerabilities and your reliability on other security issues, such as handling commercially sensitive data or documents?

Concerns raised in DNV’s research on cybersecurity in the supply chain serve as a reminder that suppliers and customers need to assess cyber vulnerabilities iteratively, rather than periodically, to ensure resilience against new and emerging cyberattack vectors.

Trond Solberg is Managing Director of Cybersecurity at DNV, an independent risk management and quality assurance provider.
