October 8, 2021
Updated on April 20, 2023 to update IEC 62443 to ISA/IEC 62443.
Industry 4.0 (the fourth industrial revolution) exacerbates cyber risk in manufacturing and industrial Internet of Things (IIoT) supply chains. Every connected device is a potential point of compromise. Moreover, connecting cyber and physical systems not only expands the attack surface but also gives threat actors new routes to their goals: once inside, they can pivot between information technology (IT) and operational technology (OT) systems to carry out their attacks.
Manufacturing was the second-most targeted industry in 2020, behind only finance and insurance, according to IBM’s X-Force Threat Intelligence Index. In a complex industrial supply chain, cybersecurity is only as strong as the weakest link.
Not just an IT problem
Securing Industry 4.0 data and assets involves a variety of players with differing roles and priorities. Asset owners generally focus on operational security, business continuity and risk management across the supply chain. System integrators are primarily concerned with the security and resilience of the systems and processes they deliver, alongside the capabilities those systems must provide. Their role overlaps somewhat with that of maintenance managers, who must also consider the plant’s life cycle and keep security measures integrated as equipment, assets and requirements change.
Meanwhile, component and product manufacturers want to prove that they have built security into their products, in order to win the commercial advantage that comes from a demonstrably secure supply chain.
Amid these different roles and interdependencies, collaboration is vital to successfully secure Industry 4.0 businesses and their supply chains.
Your organization must treat the network and IIoT infrastructure as a single asset to manage and mine for value, rather than as a collection of discrete roles and departments. Securing Industry 4.0 is neither an IT problem nor an OT problem alone, so it should not be relegated entirely to either. It is a companywide issue that can often, but not always, benefit from IT solutions, and it is a shared responsibility among IT, operations, security staff and the other disciplines across the organization.
Nor is cybersecurity only a technology problem; it is also a people, process, policy and knowledge problem. Human error is behind more breaches than technology failures are. IT security systems will not fully protect critical data and systems unless everyone throughout the supply chain follows cybersecurity best practices.
Global cybersecurity standards bubble up
Companies in a supply chain may be subject to different national legislative frameworks. Security incidents may arise from the exchange of goods, services or information, and breaches and risks can propagate along the supply chain. All of this can make it challenging to determine where a problem originated.
While each Industry 4.0 business and sector has its own challenges, cybersecurity has matured to the point that regulations, standards and frameworks have been established. Among them:
• National Institute of Standards and Technology (NIST) cyber supply chain risk management (C-SCRM) guidance
• European Union Agency for Cybersecurity (ENISA) guidance for achieving a high common level of cybersecurity across Europe
• Japanese Ministry of Economy, Trade and Industry (METI) Cyber/Physical Security Framework for Society 5.0
• North American Electric Reliability Corporation (NERC) CIP-013-1, the supply chain risk management standard for the bulk electric system
• Supplier Assurance software as a service (SaaS) for automotive supply chain risk management
• ISO/IEC 20243-1 (the Open Trusted Technology Provider Standard, O-TTPS) for mitigating threats to the integrity of commercial off-the-shelf (COTS) ICT hardware and software
• The ISA/IEC 62443 family of standards for the security of industrial automation and control systems, also applied in facility management and the energy industry
• ISO/IEC 27001 standard for information security management systems
Mapping your controls to, and adopting controls from, industry best practices, standards and frameworks like the ones listed above can help you navigate and mitigate cyber risk across your supply chain.
In a complex supply chain, companies must be able to prove that their products, systems and processes provide robust security and meet global regulatory requirements. That obligation demands solutions and processes with security built in that are regularly tested and verified against established standards.
The cyber risk management practices and processes that build confidence in a product’s integrity and in supply chain resilience can also be a key market differentiator. See our white paper for more on turning Industry 4.0 cybersecurity into a business advantage.