Security testing & your supply chain
Within NIS2, one of the items to take into account when working towards compliance is supply chain security.
First of all, of course, make sure you know your risks by performing risk assessments; one tool for doing so is Cyrias (conducting cybersecurity risk assessments).
At a minimum, a supply chain security program covers the following topics:
- Inventory of all suppliers (including prioritising each supplier's criticality to operations)
- Determine what these suppliers are doing or delivering to your organisation
- Determine whether they have remote access to your environment in one way or another (including interconnectivity such as cloud connections)
- Determine supplier cyber maturity
- Find out to which NIS2 level each supplier should be compliant. Request these suppliers to reach compliance with that security level within a reasonable timeframe, or at least to have a plan for reaching it.
- Comprehensive supply chain risk management:
  - Risk assessment (or determining cyber maturity): identify and evaluate the risks each supplier poses to the organisation, considering their cybersecurity practices and potential vulnerabilities.
  - Implementation of security measures: where necessary and possible, apply appropriate security measures based on the risk assessments to mitigate potential supplier risks to the organisation's environment.
  - Continuous monitoring: regularly monitor suppliers to detect and respond to emerging risks promptly.
- Supplier accountability:
  - Contractual obligations: incorporate cybersecurity requirements into contracts with suppliers, clearly defining security standards, audit rights, and incident reporting procedures.
  - Regular audits: conduct periodic audits to ensure suppliers comply with the agreed-upon security requirements.
Another big part of supply chain security is making sure that all new or upgraded solutions in your environment, delivered by one or more suppliers, are cybersecure and match the cybersecurity level you are aiming for under NIS2.
This involves several steps:
- Setting cybersecurity requirements matching your desired NIS2 level. Such a requirements list can be based on the NIS2 requirements, but other frameworks can be used as well. A popular one within OT is IEC 62443-2-4 (cybersecurity requirements for vendors), sometimes in combination with IEC 62443-3-3 (system security requirements and security levels).
- Verifying supplier responses to these cybersecurity requirements and challenging your suppliers on non-conformities. This is often a "paper based" exercise and requires interaction between you and (technical) people at the supplier to complete it thoroughly. Only then is an agreement acceptable to both sides possible.
- Performing technical verification of the delivered solutions or systems through a cyber FAT/SAT approach. These tests must follow a standardised approach so that they are repeatable and cover all your cybersecurity requirements. You can read more on vendor validation and the practical side of FAT/SAT testing in the following blog posts:
- Match your findings to your cybersecurity requirements to identify any issues that need to be fixed prior to deploying the solution or system.
- Performing FAT/SAT testing is not the only important part; you also need to determine your residual risk once the issues that can be fixed have actually been fixed. The residual risk of the solution or system describes the remaining technical risks, but it is equally important to identify the associated business risk. For each of these risks, the mitigating measures taken should be listed.
- Following a cybersecurity FAT/SAT test, the residual risks should be recorded in a risk register.
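As an added illustration (example code written for this post, not a tool from the author, Cyrias or any standard), the following Python sketch models the last three steps of the procedure: every requirement in the list must be covered by at least one FAT/SAT test case, failed tests that the supplier has not fixed become entries in a residual risk register carrying both the technical and the business risk plus the mitigating measures taken, and a deployment verdict flags untested requirements and unfixed high-severity findings. All requirement IDs, test cases, findings and ratings are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal ranking so the register can be sorted worst-first.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Requirement:
    req_id: str        # label from your own requirements list (constructed here)
    text: str
    target_level: int  # desired security level, e.g. an IEC 62443-style SL 1-4


@dataclass
class TestResult:
    test_id: str
    req_id: str          # requirement this FAT/SAT test case verifies
    passed: bool
    finding: str = ""    # description of the non-conformity when the test fails
    severity: str = "low"
    fixed: bool = False  # set to True once the supplier has remediated and a retest passed


@dataclass
class RiskEntry:
    req_id: str
    test_id: str
    technical_risk: str
    business_risk: str
    mitigations: List[str] = field(default_factory=list)


def coverage_gaps(requirements: List[Requirement], results: List[TestResult]) -> List[str]:
    """Requirements that no test case touches: the test plan is not complete."""
    tested = {r.req_id for r in results}
    return [q.req_id for q in requirements if q.req_id not in tested]


def open_findings(results: List[TestResult]) -> List[TestResult]:
    """Failed tests the supplier has not (yet) fixed."""
    return [r for r in results if not r.passed and not r.fixed]


def residual_risk_register(results: List[TestResult],
                           business_impact: Dict[str, str],
                           mitigations: Dict[str, List[str]]) -> List[RiskEntry]:
    """Turn every open finding into a register entry, highest risk first."""
    register = [
        RiskEntry(req_id=r.req_id, test_id=r.test_id, technical_risk=r.severity,
                  business_risk=business_impact.get(r.req_id, "unknown"),
                  mitigations=mitigations.get(r.test_id, []))
        for r in open_findings(results)
    ]
    register.sort(key=lambda e: (SEVERITY_RANK.get(e.technical_risk, 0),
                                 SEVERITY_RANK.get(e.business_risk, 0)), reverse=True)
    return register


def deployment_verdict(requirements: List[Requirement], results: List[TestResult]) -> dict:
    """Ready only when every requirement is tested and no high-severity finding is open."""
    gaps = coverage_gaps(requirements, results)
    opens = open_findings(results)
    blocking = [r.test_id for r in opens if SEVERITY_RANK[r.severity] >= SEVERITY_RANK["high"]]
    return {"untested": gaps, "open_findings": len(opens),
            "blocking": blocking, "ready": not gaps and not blocking}


# Constructed sample data: a small requirements list and FAT results for one delivery.
REQUIREMENTS = [
    Requirement("CR-01", "Accounts are individual; no shared or default credentials", 2),
    Requirement("CR-02", "Remote supplier access passes through a jump host with MFA", 2),
    Requirement("CR-03", "Security patches can be applied within the agreed timeframe", 2),
    Requirement("CR-04", "System logs are forwarded to the central SIEM", 2),
]
RESULTS = [
    TestResult("T-01", "CR-01", False, "Default engineering account still active", "high", fixed=True),
    TestResult("T-02", "CR-01", True),
    TestResult("T-03", "CR-02", False, "Vendor VPN terminates directly on the system", "high"),
    TestResult("T-04", "CR-03", False, "Patching requires an on-site vendor visit", "medium"),
]
BUSINESS_IMPACT = {"CR-02": "high", "CR-03": "medium"}   # rated by the asset owner
MITIGATIONS = {
    "T-03": ["Firewall rule limits vendor VPN to maintenance windows", "Session recording on vendor access"],
    "T-04": ["Compensating network segmentation until remote patching is available"],
}

if __name__ == "__main__":
    print("Untested requirements:", coverage_gaps(REQUIREMENTS, RESULTS))
    for entry in residual_risk_register(RESULTS, BUSINESS_IMPACT, MITIGATIONS):
        print(entry)
    print(deployment_verdict(REQUIREMENTS, RESULTS))
```

Note that a fixed finding (T-01) drops out of the register only because a retest was recorded as fixed; an untested requirement (CR-04) blocks deployment just as an open high-severity finding does, which is the point of insisting that the test set covers every requirement.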
Overall, if you have not done so yet, you should start scaling up your supply chain security program and set up a vendor security validation process through which, ideally, all your cybersecurity requirements are validated and cross-checked, so that whatever comes into your environment or gets upgraded is actually cybersecure.
Contact me if you want to know more about our vendor validation services.