Anyone who has seen the news lately knows that supply chain attacks are getting a lot of attention. Given the sophistication of today's attacks, the complexity of operational technology (OT) systems and networks, and the convergence between IT and OT, cybersecurity certainly is not getting any easier for CISOs.
An ESG Research Insights Report, "Assessing the State of OT Security and the Cyber Supply Chain," highlights the difficulties organizations are having providing consistent security for OT systems. Based on a survey of senior IT, cybersecurity, and OT professionals, the implications of the challenges for OT are stark. Two-thirds (66%) of organizations reported known or suspected successful OT attacks in the last 12 months, and nearly half of those organizations (44%) experienced a disruption of business processes leading to cancelled orders, financial penalties, and missed deliveries. Respondents reported that the incidents led to:
Ensuring the integrity of the cyber supply chain is a significant challenge for OT security professionals. Supply chains continue to grow, and the survey indicates that organizations have an average of 27 third parties as part of their cyber supply chains, spanning different types of IT providers, OT providers, and channel partners. Many of these third parties have access to internal assets, a fact with serious security implications. Additionally, fragmentation of the supply chain and shortages caused by the pandemic forced organizations to source from alternative suppliers. Only 30% of respondents rated their organizations as "very resilient" in terms of responding to an attack.
Although ongoing auditing of supply chain partners is typically performed, many organizations are forced to prioritize due to limited resources. And the risks from third-party partners are real; 71% of respondents believe that most or all of the OT attacks their organization had suffered in the last 12 months began with supply chain partners.
To reduce the risks from third-party partners, organizations should consider a variety of factors before purchasing IT and OT products and services
Managing third-party suppliers and securing OT environments requires collaboration across functional areas, but a lack of clarity around responsibilities and communication across multiple organizational groups continues to be a top challenge for organizations. A lack of executive ownership and issues related to the chain of command only add to the problems. Workflow issues linked to collaborative tasks, and the fact that different groups are often measured against different goals, also create potential roadblocks to success.
The continuing convergence of IT and OT networks and the expansion of supply chains has undeniably made cybersecurity more difficult. Although there are no easy answers to the challenges organizations face, the ESG report suggests that these practices are good places to start: