
The cybersecurity alarm: threats to the ICT/OT supply chain in Europe

Emerging challenges in the cybersecurity landscape for the ICT/OT supply chain industry

The interconnection of digital systems and networks offers unprecedented opportunities, but also increases the cybersecurity threat to the ICT/OT supply chain. According to a report by ENISA, the share of cyber attacks carried out via the supply chain rose from 1% in 2020 to 17% in 2021. It is crucial to adopt robust protocols for incident reporting and to protect the IoT supply chain. Best practices include risk management, vendor relationship management, vulnerability management, and continuous evaluation of security practices.


The interconnection of systems and networks in the digital age offers unprecedented opportunities, but also presents significant cybersecurity challenges. According to a report by the European Union Agency for Cybersecurity (ENISA), threats to the security of the ICT/OT supply chain have increased significantly in recent years. For example, supply chain-related intrusions rose from 1% in 2020 to 17% in 2021, making the supply chain the second most common vector for initial cyberattacks. Furthermore, the report notes that 66% of suppliers involved in supply chain attacks were unaware of the compromises they had suffered or lacked transparency about them. This underscores the importance of adopting more robust protocols for reporting cybersecurity incidents among suppliers and of implementing proactive measures to protect the IoT supply chain.

Supply chain threats through the Internet of Things (IoT)

Within the supply chain, the Internet of Things (IoT) is a sector particularly exposed to vulnerabilities that can be exploited for cyber attacks. According to the ENISA report, a large percentage of the organizations surveyed have experienced cyber incidents caused by third parties. This shows the broad scope of supply chain threats, including supplier compromise. Supply chain attacks do not only affect businesses: popular open source repositories, such as NPM, Python, and RubyGems, are also susceptible to malicious activity, including malware injection. Additionally, the report notes a growing interest from threat groups in attacks on supply chains and managed service providers (MSPs), which points to the need to invest in vulnerability research and take appropriate protective measures.

The role of essential entities and the need for cybersecurity-based risk management

The NIS2 Directive requires essential and important entities to address cybersecurity risks in supply chains and supplier relationships. It is critical that these entities take appropriate measures for cybersecurity-based risk management at technical, operational and organizational levels. This includes implementing supply chain cybersecurity policies, allocating specific budgets, requiring security certifications from suppliers, using security assessment services, and managing vulnerabilities. Additionally, entities should take into account vendors' specific vulnerabilities and the overall quality of vendors' cybersecurity products and practices. Organizations interviewed in the ENISA report revealed that not all of them assess supply chain security risks, and only some of them have a rigorous security patching policy.

Best practices for effective ICT/OT supply chain management

The ENISA report proposes a series of best practices to address cybersecurity in the ICT/OT supply chain. These include a strategic approach based on risk management, supplier relationship management, vulnerability management, and the quality of products and practices of suppliers and service providers. It is critical that organizations adopt ICT/OT supply chain cybersecurity policies, require security certifications from suppliers, and implement risk assessment and vulnerability management processes. Additionally, organizations should establish a quality management system that includes ongoing evaluation of vendors' security practices. It is essential that these best practices extend to every entity in the supply chain, from the manufacturer to the end user of ICT/OT products and services.


09/07/2023 09:31

Editorial AI
