Recent decades have seen a significant increase in the integration, digitization and streamlining of industrial plants. Businesses now face increasing complexity due to integrations between IT and operational technology (OT), the use of cloud solutions and increased use of 4G and 5G solutions for communication. These developments have revolutionized the way we do business, but have also introduced new challenges related to security. For OT environments in particular, it will be important to address these challenges through a risk-based approach.
Going forward, we will see increased integration to streamline operations. We need to facilitate a secure integration that results in efficient, reliable and secure operations.
In this blog post, we address:
- Challenges arising from the increasing degree of integration
- The status of vendor security
- What's required under the Digital Security Act (NIS2)
- How to build a resilient supply chain by applying a risk-based approach
Increased complexity through digitalization and integration
Digitalization has opened up new opportunities for efficiency and innovation. The use of technologies such as machine learning, artificial intelligence and industrial IoT has improved productivity and created new business models. The integration between IT and OT systems contributes to better information flow and decision-making.
However, the increased integration leads to greater complexity. More systems are connected, potentially resulting in more vulnerabilities and new attack surfaces. The convergence between IT and OT challenges traditional security models, as OT systems often have different requirements and limitations than IT systems. For example, updates and security patches common in the IT world can be more difficult to implement in OT environments due to uptime and stability requirements.
To deal with this complexity, a risk-based approach is needed. This means identifying which integrations and systems are most at risk, assessing the potential consequences of security breaches and prioritizing actions based on risk.
Why this creates challenges
The increased complexity resulting from digitization, integration and streamlining creates significant challenges for businesses. As systems and processes become more interconnected, the number of potential vulnerabilities and attack surfaces increases. This makes it more difficult to maintain an overview and control over security in all parts of the business.
OT systems are often legacy, proprietary and designed for stability and availability rather than security. Integration with modern IT systems can expose OT systems to threats they are not equipped to handle. This increases the risk of security incidents occurring and having serious consequences for the business.
A lack of overview of the supply chain can also mean that businesses are unaware of how vulnerable they actually are. This complexity makes it challenging to identify and assess the risks associated with each supplier and integration. Without a holistic understanding of how all components and actors are connected, it becomes difficult to implement effective security measures. This can result in vulnerabilities going undetected and the business becoming more exposed to cyber-attacks.
We also see that inconsistent approaches and implementation of security measures across an organization can increase complexity. Different departments may have different approaches to cybersecurity, creating weaknesses that threat actors can exploit. This increases the risk to the business as vulnerabilities can be exploited to cause financial loss, damage reputation or disrupt critical services resulting in downtime and, in the worst case, harm to people, the environment and assets.
Status of supplier security
Despite the fact that many organizations have good internal security, it turns out that threat actors often exploit weaknesses in subcontractors. Such suppliers may be less mature in terms of security practices and thus easier to compromise. This is particularly problematic at a time when businesses are closely integrated with their suppliers, and an incident at one company can have ripple effects throughout the value chain.
Telenor's report "Digital Security 2023" mentions challenges related to supply chains no less than 71 times, which emphasizes how relevant and demanding this topic is. Many companies may not have the resources or expertise to follow up on supplier security in a satisfactory way, or it may not be given a high enough priority.
One example is a factory that has outsourced maintenance of its production lines to an external supplier. This supplier has remote access to the factory's control systems. If the supplier does not have robust security measures in place, an attacker can exploit this access to cause production stoppages or manipulate production processes.
According to the NVE report "Digital security in the energy sector" (2024), the energy sector is particularly vulnerable to such threats due to the high degree of digitization and complexity of the supply chain.
What is required under the Digital Security Act?
With the introduction of the NIS2 Directive, businesses face stricter requirements for managing digital security, including supplier security. The directive requires businesses to:
- Perform risk assessments of their supplier relationships.
- Implement security measures based on identified risks.
- Ensure that suppliers have the necessary measures to protect against cyber attacks.
- Have clear security requirements that also apply to subcontractors.
This means that businesses need to integrate security management into all parts of the organization, with a particular focus on risk and complexity in the supply chain.
How to build a resilient supply chain with a risk-based approach?
The first step is to map and get an overview of all your suppliers and dependencies to understand how they impact your business. Identify which suppliers are critical to your day-to-day operations and how they are integrated with your systems and processes. By mapping your supply chain, you can better assess vulnerabilities and potential attack vectors. Build on the supplier assessments the business already has, and categorize suppliers based on criticality and risk so that efforts can be prioritized where they are needed most.
A risk-based approach requires systematically identifying and assessing the risks associated with each supplier. Start by assessing the potential consequences if a supplier is exploited and evaluate the likelihood of it occurring based on existing measures and compliance practices. NIST SP 800-161 can be used as a guide to supply chain risk management.
Clear security requirements in contracts ensure that suppliers understand and commit to managing risk in a way that is aligned with your business needs. Ensure you have audit rights to conduct security audits of suppliers. It's important to audit suppliers to ensure compliance and measure maturity. Audits are an arena where you can create a common understanding of risk. There should be clear expectations for incident reporting and communication in the event of security incidents.
Effective routines for managing vulnerabilities and changes are essential to reduce the risk of vulnerabilities being exploited. Good practice is to follow IEC62443-2-4 to set requirements for reporting vulnerabilities through the supply chain, so that asset owners and operators are kept informed of vulnerabilities that apply to them, and for testing security updates in advance where relevant.
A risk-based approach requires a strong security culture and effective governance mechanisms. Top management must be involved to ensure buy-in, resources and support to follow up on supplier security. Clear roles and responsibilities for security within the organization must be in place, also for OT. We find that this is often in place for IT, but not necessarily for OT. Relevant training and awareness for employees, especially operators, engineers and programmers, must be in place so that security is taken care of in both the IT and OT departments.
Understanding of roles, communication plans and the interaction between the actors are tested through contingency plan exercises. This ensures a coordinated and effective response to incidents. In addition, such exercises are an arena for discussing security issues, creating common situational awareness and sharing knowledge, not least to improve how the parties work together in any future security incident.
Something to think about
Supplier security is not something you do once and are then done with. Like all security work, it is an ongoing process and is dynamic due to constant changes in the threat landscape and vulnerability surface.
One example is a company implementing a new IoT system for real-time monitoring of production. This system integrates with both internal IT and OT networks and the supplier's systems, increasing complexity and introducing new risks. By being proactive and continuously evaluating the risks, the business can manage these challenges effectively.
It's important to ask yourself some critical questions to better understand and manage your risks:
- How does increased complexity affect risk in your supply chain?
- Do you have a risk-based approach that takes digitalization and integration into account?
- How can you and your suppliers work together to manage this complexity?
- What are the consequences if the risks are not managed effectively?
Supplier security in OT environments is a challenge that requires a holistic and risk-based approach. The increased complexity that comes with digitization and increased use of integrations makes it necessary to work systematically with security. By understanding this complexity and implementing effective security management strategies in line with the NIS2 directive, businesses can build a resilient supply chain. Such strategies include adopting the IEC62443 framework to ensure a common understanding of security efforts and a common supply chain language.
Security is not an isolated task, but a shared responsibility that requires commitment from the entire organization and close collaboration with suppliers.
References:
- NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
- ENISA: Threat Landscape for Supply Chain Attacks
- Telenor: Digital Security 2023
- NVE: Digital security in the energy sector (2024), report by Netsecurity
- IEC62443-2-4: Security program requirements for IACS service providers