The important role of suppliers in achieving critical national infrastructure cyber compliance
All across the world, safeguarding critical national infrastructure (CNI) is of paramount importance. Allowing it to be compromised in any way could mean dire consequences for national security, economic stability, and public safety. But, as society becomes more digitized, threats are no longer limited to physical attacks. Cyber attacks, data breaches, and other malicious online activities all pose risks to CNI.
To ensure that the companies that provide CNI are not compromised, there’s an increasing volume of cyber security frameworks being put in place by governments and international organizations for their locality.
In the USA, the Cyber Security Framework (CSF) from the US National Institute of Standards and Technology (NIST) is promoted by sector regulators, while companies operating in the EU must adhere to Member States’ laws implemented under the Network and Information Security Directive (NIS which are to be strengthened further by NIS2 soon) . Since leaving the EU, the UK has been updating its own NIS regulations, and Australian CNI providers must abide by the Security of Critical Infrastructure Act (SOCI).
However, it is not just the CNI providers that must be aware of these regulations. To ensure that all possible entry points for cyberattacks are protected, supply chain companies associated with CNI providers must also take steps to ensure their own cyber security.
Why must third-party suppliers to CNI providers be cyber secure?
“You could have a supplier as a route to compromise; someone hacks in through them to get to their customers’ systems,” said Chris Proctor, Senior Advisor at cyber security specialists NCC Group.
“You can have the supplier taken down which results in disruption to the client. Or it can be that their product, software or hardware, that goes to the client is used as a route to compromise. The regulatory landscape is increasingly focused on supply chain because of the number of threats.”
When advising CNI providers, NCC Group encourages them to consider their supply chain as well as their own systems. They must continuously review their level of cyber security from the moment the third-party organization is selected and onboarded through to after the termination of the contract when they need to separate connectivity and destroy data.
Rick Tahesh, Associate Director at the organization, said: “Supply chain integrates a lot of business functions. Think about your procurement, think about your IT and legal, think about business continuity management.
“That’s why we ensure we have an integrated approach on behalf of our clients. Only then can we gain a good understanding of the risk of that supplier to the client’s business.”
“Often the [suppliers’] systems or products that they provide are quite old, they use legacy technology, and are at higher risk of impact from a cyber event,” added Mick Flitcroft, Global Lead for Government Compliance Services at NCC Group. “Often this technology is not backed up in the traditional IT sense; we don’t necessarily have dual backups and cloud technology.”
But, in recent years, supply chain companies have become increasingly integral to the CNI companies themselves , meaning that any lack of cyber security measures on their part puts the CNI more at risk.
Mick said: “For example, we’re seeing what we call ‘condition monitoring’ by the supply chain, where they have a permanently live view into that client’s key infrastructure, looking for things like vibrations or wear and tear, and they’re trying to predict a breakdown before it happens. So before the [device] fails, the new one is there and being installed to reduce the impact on the availability of critical systems.
“Whilst this proactive approach has operational benefits, this presents a threat vector that [they] may never have had to deal with historically. Instead of coming down the stack – through the corporate enterprise, through that firewall, and into the operational technology (OT) network – we often see the supply chain punching straight through the side and coming in at the control layer or even the industrial control unit layer.”
What do third-party suppliers have to do?
Abiding by the appropriate cyber security frameworks simultaneously acts as a USP (unique selling proposition) for suppliers looking to renew contracts with CNI providers and improves their survivability in the event of a cyberattack.
But making a supply chain organization compliant with CNI cyber security regulations can be challenging, not least since the frameworks are drawn up specifically to be read and interpreted by the CNI companies who are in scope of regulations.
Mick said: “Quite often you look at NIS and it just says ‘you must consider your supply chain’ and then there’s some broad-brush sweeping statements and a couple of technical ones about remote access, so the requirements themselves are often not articulated in detail.”
Therefore, it is, at least in part, the responsibility of the CNI organization to understand what they expect from their third-party suppliers in terms of security and communicate that to them.
“[For the CNI organization], it’s a case of understanding what your critical assets are and knowing if your supply chain supports the resilience you need,” explained Mick.
Rick said: “Then [the suppliers] have got to provide that assurance that they have the processes, frameworks, tools, etc. to secure the supply chain as well.”
NCC Group advisors encourage CNI providers to outline the cyber security requirements they have for third-party suppliers in their contracts, even if they have already been in place for many years and have never needed to be reviewed in the past. Then, the suppliers must update their legacy products and systems to abide by these requirements.
How can NCC Group help?
NCC Group helps suppliers to CNI companies navigate the complexities of becoming compliant with various cyber security frameworks.
Chris said: “Many suppliers are getting all these questionnaires from potentially different types of CNI clients; you can get snowed down in lots of regulatory paperwork. We can help people understand how to be more efficient about getting through it and have the support available to help them if they need it.”
Rick added: “Given the current economic environment, we know budgets are under a lot of pressure. CNI clients, as well as suppliers, need to understand what the critical assets they really need to secure are so we can focus the investment and budget on these areas.”
NCC Group security consultants can help suppliers through a comprehensive risk assessment which will identify their critical assets. These are ones that would have a significant negative impact on the CNI organization if there were a breach or denial of service. The advisors will weigh up the cost of this potential unavailability next to the cost of regulating it.
“It’s having the ability to separate the valuable critical assets from the things that can wait,” Rick said. “We help them gain a good understanding of the security controls and measures around these critical assets, and if there are any gaps or issues.”
In the future, suppliers to CNI companies may be asked to review their own supply chain in a similar way if regulations are extended to cover fourth-party CNI suppliers. For example, both the EU’s Digital Operational Resilience Act (DORA) and the UK’s Financial Services and Markets Act are paving the way for critical third-party suppliers to the financial services sector to be brought under CNI regulation.
If you would like to learn more about what is required of your business to become compliant with local cyber security regulations, contact an NCC Group advisor here.