OTORIO launches study on the security of the digital OT supply chain


So that the data house of cards does not collapse

OTORIO’s OT Cybersecurity 2022 study shows that the digital OT supply chain is at risk

Today’s OT networks drive production areas built on an ecosystem of third-party services, devices and infrastructures. These, in turn, are built on third-party services, devices and infrastructures, which are also built on third-party services, devices and infrastructures. This makes the digital OT supply chain a house of cards from a cybersecurity perspective. If you pull out a card, everything collapses. For this reason, OTORIO, an expert in the security of OT systems (Operational Technology), has launched and evaluated an investigation into OT security.

A gap in the digital OT supply chain can lead to an impairment of production, services, users, customers and even business continuity. Hackers, of course, know this. For this reason, they are increasingly targeting third-party OT infrastructure, instead of bothering to attack the security perimeters of the target companies head-on. As the attacks on SolarWinds, Codecov, Kaseya and most recently Transnet have shown, the threats to the OT supply chain are serious, real and growing rapidly. In all these and many other attacks, hundreds of companies were affected by a vulnerability that was exploited at a single service provider.

Therefore, it was not surprising to learn that the majority (53 percent) of participants in the latest OT cybersecurity survey ranked supply chain attacks among the top three cybersecurity problems. 99 percent of the participants reported an attack on the supply chain in the last twelve months. The question is not whether there is a problem, but rather what can be done about it.

Rethinking the OT Cybersecurity Supply Chain

Even if operators, manufacturers and machine builders invest heavily in the cybersecurity of their own networks and systems, hackers have turned their focus to highly complex upstream and downstream production systems. The impact of this trend is exacerbated by the inherent complexity of securing operational environments.

Every company, whether service provider, manufacturer, mechanical engineer or supplier, is only as strong as the weakest link in its supply chain. In view of the dynamic threat landscape and the constantly changing technologies, machine builders and service providers will ultimately become part of the end customer’s supply chain. This means that the cyber responsibility of machine manufacturers and service providers can no longer end after the Site Acceptance Test (SAT).

Any actor with remote access to the production environment represents a potential vulnerability or threat to the entire supply chain. So what needs to be done? First of all, machine builders and service providers must ensure that every machine or service is fully secured and compliant before delivery. Manufacturers are already demanding proof of this security and conformity. In fact, 96 percent of survey participants already require a cyber certificate for their hardware or software from their suppliers. The rest plan to demand this from 2022.

Today, machine manufacturers are expected to quickly perform automated inspections and provide auditable reports during the SAT phase. Manufacturers and operators also demand ongoing responsibility for the cybersecurity and cyber resilience of the delivered machines. This requires rethinking the way machines are certified for cybersecurity.

To meet customer requirements, machine builders must use technologies that allow the identification, tracking and remediation of vulnerabilities in any machine at any customer site, including all built-in components from any manufacturer. They also need to ensure that their machines are in line with industry best practices, customer safety regulations and other policies, warranty and service requirements, and constantly evolving international and local regulations. Finally, they need to proactively notify their customers in real time when new vulnerabilities are discovered and provide clear, real-time or near-real-time remediation guidelines.

What about the end users?

End users, both manufacturers and operators, are increasingly aware of and worried about the attacks emanating from their supply chains. In the previously mentioned survey, 83 percent of respondents said that they were “very worried” in this regard, and 17 percent were “a little worried”. Now this awareness is being translated into action.

Manufacturers and operators not only proactively and continuously assess the risks and security gaps in their environments. They also require that every machine, system, device and service be checked against cybersecurity, legal and contractual requirements before delivery. To reduce risk and liability, these companies implement micro-segmentation technologies and restrict third-party providers' access based on the principles of least privilege and zero trust.

What you can do

Specialized providers help both end users and machine builders to support the house of cards of the digital supply chain by mastering existing and new challenges related to the vulnerability of OT networks and equipment.

For industrial manufacturing companies, assessment solutions help manage OT cybersecurity risks. These identify threats, instruct operations staff on how best to mitigate them, and automatically generate an assessment of security controls, risks, compliance, and governance. All this reduces the audit time and the required resources by up to 75 percent.

For machine manufacturers, new OT security systems offer a complete overview of all machines and their systems, even if they are not connected to a network. They automatically identify security threats and warn before vulnerabilities become a danger.
