Within NIS2, one of the items to take into account in reaching compliance is supply chain security. A part of supply chain security is vendor security validation. Managing what your vendor is promising, saying and delivering is a tedious task. We can help you set up your vendor validation program to make sure that the necessary steps are covered:

  • Setting cybersecurity requirements matching your desired NIS2 level. Such a requirements list can be based on the NIS2 requirements, but other frameworks can be used for this as well. A popular one within OT is IEC 62443-2-4 (cybersecurity requirements for vendors), sometimes in combination with IEC 62443-3-3 (system security requirements and security levels).
  • Verifying supplier responses to these cybersecurity requirements and challenging your suppliers on non-conformities. This is often a “paper based” exercise and requires interaction between you and (technical) people at the supplier to complete it thoroughly. Only in this way will it be possible to come to an agreement that is acceptable for both sides.
  • Performing technical verifications of the provided solutions or systems through a cyber FAT/SAT approach. These must follow a standardised approach so that they are repeatable and the tests cover all your cybersecurity requirements. You can read more on vendor validation or the practical side of FAT/SAT testing in the following blog posts:
  • Matching your findings to your cybersecurity requirements to identify any issues that need to be fixed prior to deploying the solution or system.
  • Performing FAT/SAT testing is important, but so is determining your residual risk once the issues that can be fixed have actually been fixed. The residual risk of the solution or system describes the remaining technical risks, yet it is important to identify the associated business risk as well. For each of these risks, the mitigating measures taken should be listed.

Contact us for more information