The shift to an increasingly connected industrial ecosystem—the evolution toward what’s widely referred to as Industry 4.0—brings with it smoother processes, cost and energy savings, more sustainable processes and better logistics. But financial limitations, operational challenges and technological roadblocks have limited digital transformation for many organizations, according to McKinsey & Company.
One of the major technological roadblocks on the path to transformation is cybersecurity. As supply chain leaders look to artificial intelligence (AI), Internet of Things (IoT) and automation to improve efficiencies, they also expose themselves to a growing number of cybersecurity threats. Bad actors look to wreak havoc with ransomware, theft of sensitive data, disruption of critical national and international infrastructure and more. Many modern facilities are, by design, supported by many third parties, which extends risk beyond the borders of the organization. Tighter digital integration between suppliers also increases risk, because there is simply no buffer if things go wrong. Equally, the specialized nature of control and monitoring equipment can make skills hard to build and retain, creating more reliance on an organization's suppliers.
Supply chain cybersecurity threats have implications for suppliers and partners alike. According to the European Union Agency for Cybersecurity, supply chain cybersecurity attacks saw a four-fold increase in 2021. There is a need for the cybersecurity community to “act now.”
Here are four ways to prepare your organization to mitigate the risk of future cybersecurity threats on supply chains.
1. Prepare for device hyper-connectivity via a Zero Trust approach
Industry 4.0 is all about connectivity across organizations. This includes hyper-connecting devices for telemetry, analytics, prediction, and optimization. Connecting information technology (IT) and operational technology (OT) requires connecting things that were never designed to connect to the internet. One of the consequences of this is the need to deal with unwanted device connectivity. Physically isolating specific devices from the network via air gapping—a security countermeasure to create barriers between digital assets and malicious actors—and instituting clear procedural controls have a role but shouldn’t be exclusively relied upon. The reality is people find ways around most obstacles they think are stopping them from carrying out their jobs efficiently. Supply chain leaders need to also assess their capability to implement OT connectivity safely and adopt what is known as a Zero Trust approach: Don’t trust anything either inside or outside the network without first identifying and classifying all users and devices seeking access.
Zero Trust is not a technology, it’s a philosophy for mitigating cybersecurity risks. Zero Trust should be included by design when considering an overall digital transformation strategy and before implementing architectural changes to support IT/OT convergence.
2. Gain visibility of all assets to manage them
OT asset discovery, a fundamental prerequisite for compliance with cybersecurity frameworks, is a challenge for most industrial organizations. One of the major issues is that there are so many devices connected to a network, which makes inventory management a major hurdle. Above and beyond devices, auxiliary connections like enterprise resource planning (ERP) systems, customer relationship management (CRM) solutions, remote access and business continuity systems make visibility and management even more challenging.
There are two ways to account for devices in OT environments: passive and active detection. Passive detection (listening to traffic on a span port or tap and inferring assets from what they send) has traditionally been favored in OT out of concern that active detection would cause devices to malfunction; some older controllers do misbehave when hit with generic port scans or fingerprinting probes. Modern active methods instead speak the actual industrial control system (ICS) protocols the devices already understand, sending legitimate protocol requests (for example a device-identification query) to collect detailed information such as vendor, model and firmware version, rather than relying on generic network scanning. Used this way, active detection is both safer and more accurate than a port scan.
When looking for a place to start, organizations should begin with passive detection, since it changes nothing on the network. Active querying is the logical next step: it fills in what passive listening cannot see (devices that rarely talk, and details not visible on the wire) and is a practical way to confirm whether devices in a supposedly air-gapped system actually have a path in or out.
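A minimal version of the passive step, as an added example that is not part of the original article or any vendor's product: it builds an asset inventory from flow records by recognizing well-known ICS service ports, flags flows that cross the OT zone boundary (the "is this really air-gapped?" question), and lists in-zone traffic that matches no known ICS port, which is the natural target list for the active-query step. The flow records, the 10.10.0.0/16 OT zone and the port-to-protocol table are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Well-known ICS service ports used to label a flow's protocol, keyed by (port, transport).
# Assumption for this example; real deployments use deep protocol parsing, not just ports.
ICS_PORTS = {
    (502, "tcp"): "Modbus/TCP",
    (102, "tcp"): "S7comm",
    (44818, "tcp"): "EtherNet/IP",
    (20000, "tcp"): "DNP3",
    (47808, "udp"): "BACnet/IP",
}

# Assumed OT zone for this example.
OT_ZONE = ipaddress.ip_network("10.10.0.0/16")

# Constructed flow records (src, dst, transport, dst_port); not real captures.
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.1.5", "tcp", 502),      # HMI polling a Modbus PLC
    ("10.10.1.20", "10.10.1.6", "tcp", 102),      # HMI talking S7comm to a PLC
    ("10.10.1.21", "10.10.1.5", "tcp", 502),      # second client of the same PLC
    ("10.10.1.20", "10.10.1.7", "udp", 47808),    # BACnet controller
    ("10.10.1.6", "203.0.113.9", "tcp", 443),     # PLC reaching an external address
    ("10.10.1.30", "10.10.1.5", "tcp", 22),       # non-ICS traffic inside the zone
]


def build_inventory(flows, ics_ports=ICS_PORTS):
    """Passive inventory: every IP seen, the ICS protocols it uses and its role."""
    inv = defaultdict(lambda: {"protocols": set(), "roles": set(), "peers": set()})
    for src, dst, transport, dport in flows:
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
        proto = ics_ports.get((dport, transport))
        if proto is None:
            continue
        # The side receiving the request on the service port is the server (field device).
        inv[dst]["protocols"].add(proto)
        inv[dst]["roles"].add("server")
        inv[src]["protocols"].add(proto)
        inv[src]["roles"].add("client")
    return dict(inv)


def zone_boundary_flows(flows, zone=OT_ZONE):
    """Flows with exactly one endpoint inside the zone: an 'isolated' device has a path in or out."""
    crossing = []
    for src, dst, transport, dport in flows:
        src_in = ipaddress.ip_address(src) in zone
        dst_in = ipaddress.ip_address(dst) in zone
        if src_in != dst_in:
            crossing.append((src, dst, transport, dport))
    return crossing


def unclassified_zone_flows(flows, zone=OT_ZONE, ics_ports=ICS_PORTS):
    """In-zone traffic matching no known ICS port: candidates for the active-query step."""
    return [
        f for f in flows
        if (f[3], f[2]) not in ics_ports
        and ipaddress.ip_address(f[0]) in zone
        and ipaddress.ip_address(f[1]) in zone
    ]


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for ip, info in sorted(inventory.items()):
        print(ip, sorted(info["roles"]), sorted(info["protocols"]))
    print("boundary crossings:", zone_boundary_flows(SAMPLE_FLOWS))
    print("unclassified in-zone:", unclassified_zone_flows(SAMPLE_FLOWS))
```

On the sample data the PLC at 10.10.1.6 shows up twice: once as an S7comm server (the expected result) and once as the source of an outbound HTTPS connection to an external address, which is exactly the kind of finding that should send a team back to check their segmentation before any "air-gapped" assumption is written into policy.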
3. Ensure IT and OT security management are aligned for visibility and control
It’s not uncommon for organizations across the supply chain to deal with rifts between the OT and IT teams. OT often sees IT as a potential threat to disrupt production. And both OT and IT see the security team as a brake on productivity. Convergence isn’t always easy across departments, but it is essential for organizations to gain visibility and control in security management.
The approach that works best pairs a single accountable executive, for example a chief information security officer (CISO), who can navigate the cultural divide between IT and OT, with on-site plant management and maintenance staff who know the process. This allows the organization to adopt appropriate security policies and tools and apply an overarching security policy while recognizing the individuality of OT systems on a site-by-site basis. Additionally, integrating all alerts into a single dashboard, such as a corporate security information and event management (SIEM) system, supports cost-effective and holistic security threat management.
4. Protect remote access to the OT environment
Secure remote access underpins many Industry 4.0 initiatives, and it is especially critical in an increasingly layered and connected supply chain. Remote monitoring and diagnostics of operations and assets, remote product servicing, and a remote workforce all rely on connectivity. Lack of insight and control over that connectivity leaves the door open to a multitude of cybersecurity risks.
Education across the organization is an important step. Employees and partners working with an organization should understand risks so they can act accordingly when remote access is required. In addition, a security team should have central control over remote access. All remote connections should be authenticated, actively monitored, and logged following a Zero Trust philosophy as discussed above. Scanning should be implemented for external and internet-visible remote connectivity platforms and anomalous traffic, and security teams must stay vigilant for configuration drift towards back-door access via regular penetration testing and visual audits of the OT control infrastructure.
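One concrete way to watch for the configuration drift mentioned above, as an added example that is not part of the original article: compare the current firewall ruleset at the OT boundary against an approved baseline, and independently check that every rule allowing traffic into the OT zone from outside it originates at the designated jump host. The rule tuples, the 10.10.0.0/16 OT zone and the jump host at 10.20.0.10 are constructed assumptions; the rule format is a simplified stand-in for whatever a real firewall exports.

```python
import ipaddress

# Assumed OT zone and the only host permitted to originate remote sessions into it.
OT_ZONE = ipaddress.ip_network("10.10.0.0/16")
JUMP_HOSTS = [ipaddress.ip_network("10.20.0.10/32")]

# Rule tuples: (name, action, src_cidr, dst_cidr, transport, dst_port). Constructed examples.
BASELINE_RULES = [
    ("jump-to-ot-rdp", "allow", "10.20.0.10/32", "10.10.0.0/16", "tcp", 3389),
    ("hmi-to-plc-modbus", "allow", "10.10.1.20/32", "10.10.1.0/24", "tcp", 502),
    ("ot-default-deny", "deny", "0.0.0.0/0", "10.10.0.0/16", "any", 0),
]

CURRENT_RULES = [
    ("jump-to-ot-rdp", "allow", "10.20.0.10/32", "10.10.0.0/16", "tcp", 3389),
    ("hmi-to-plc-modbus", "allow", "10.10.1.20/32", "10.10.1.0/24", "tcp", 502),
    # Added for a vendor call-out and never removed: a direct path that bypasses the jump host.
    ("vendor-temp-ssh", "allow", "198.51.100.0/24", "10.10.1.6/32", "tcp", 22),
    ("ot-default-deny", "deny", "0.0.0.0/0", "10.10.0.0/16", "any", 0),
]


def rule_diff(baseline, current):
    """Rules present in current but not baseline, and vice versa (order preserved)."""
    base, cur = set(baseline), set(current)
    added = [r for r in current if r not in base]
    removed = [r for r in baseline if r not in cur]
    return added, removed


def inbound_ot_allows_bypassing_jump(rules, zone=OT_ZONE, jump_hosts=JUMP_HOSTS):
    """Allow rules reaching into the zone from outside it whose source is not a jump host."""
    flagged = []
    for rule in rules:
        _name, action, src, dst, _transport, _dport = rule
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(zone):
            continue  # does not reach the OT zone at all
        if src_net.subnet_of(zone):
            continue  # intra-zone traffic, not remote access
        if any(src_net.subnet_of(j) for j in jump_hosts):
            continue  # the sanctioned path
        flagged.append(rule)
    return flagged


def drift_report(baseline, current):
    """Diff against baseline plus the policy check, so a rule that drifts *and* bypasses stands out."""
    added, removed = rule_diff(baseline, current)
    bypass = inbound_ot_allows_bypassing_jump(current)
    return {
        "added": added,
        "removed": removed,
        "bypass": bypass,
        "new_bypass": [r for r in added if r in bypass],
    }


if __name__ == "__main__":
    for key, rules in drift_report(BASELINE_RULES, CURRENT_RULES).items():
        print(f"{key}:")
        for r in rules:
            print("   ", r)
```

Running both checks matters: the diff catches any change, including one that a human approved and forgot to roll back, while the policy check catches a bypass that was already in the baseline when it was signed off. Either finding is something the security team should raise before the next penetration test finds it for them.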
Overcoming the threat across the supply chain
Supply chain cyber risk is ultimately an extension of a broader supply chain risk management strategy. To implement protections, organizations can form cross-organization committees to develop supply chain policies and procedures. It is also critical to identify all assets deployed in an OT environment and get all suppliers and vendors across the supply chain to do the same. A framework of regular supplier assessments and reviews further strengthens security for everyone across the supply chain. The time to act is now.