Mounting cybersecurity threats and attacks elevate the priorities of asset owners and operators of critical infrastructure installations to ensure that their supply chains are safe, risk-free, and free from cybersecurity risks in ICS procurement. Vendors shall be expected to provide technological solutions and demonstrate a deep understanding of the application of cybersecurity best practices. This includes implementing robust security measures in their products to protect against adversarial threats targeting OT (operational technology) and ICS (industrial control system) environments, such as malware, ransomware, and nation-state attacks.
Asset owners and operators want more transparency from vendors, detailing information on the security of the components applied across software and hardware, and associated third-party suppliers. They also worry about vulnerabilities introduced during manufacturing or integration. Now, vendors will be required to provide supply chain integrity guarantees through rigorous vetting processes for subcontractors or partners.
ICS procurement can be improved by making sure the software and hardware are from trusted sources, scanned for security vulnerabilities, provide transparency into their supply chain and manufacturing processes, have robust security controls in place for encryption and secure authentication, regular security testing, and vulnerability assessments.
Organizations at the same time should provide training to asset owners/operators for proper installation, configuration, and maintenance of ICS products; document security features and configuration options in an easy-to-understand form; collaborate with the asset owners/operators in strategy formulation and implementation regarding cybersecurity; and keep pace with changing security standards and regulations. They can also provide incident response and disaster recovery programs in case cybersecurity is compromised, and offer transparency into their cybersecurity practices and policies.
These vendors should also provide, within the products delivered, a feature for continuous monitoring and real-time threat detection. In addition, they should provide facilities for patch management and timely security updates. Briefly, in 2024 vendors will need to move from simply delivering functional products to proactive collaboration in the constantly changing fight against cyber threats, taking care not to make their solutions the weakest link in the supply chain. Basically, what is expected is a proactive contribution on the part of vendors to turn into partners in safeguarding the operational technology environment from new cyber threats.
Cybersecurity priorities in ICS procurement
Industrial Cyber reached out to cybersecurity professionals to explore the evolving priorities of asset owners and operators regarding cybersecurity when they purchase hardware and services from ICS vendors. They also covered the changes observed in these priorities over the past 24 months and the factors driving these shifts.
In recent years, asset owners and operators have significantly increased their cybersecurity expectations from ICS vendors. Influenced by heightened awareness from regulatory changes and incidents, cybersecurity teams now play a crucial role in business decisions, Yair Attar, CTO and co-founder of OTORIO, told Industrial Cyber. “The adoption of standards like IEC 62443, particularly for supply chain security, has surged due to its comprehensive approach involving multiple stakeholders. Asset owners now require certifications, full disclosure of internal components, vulnerability management SLAs, and a comprehensive list of digital assets throughout the lifecycle,” he added.
Asset owners should expect ICS vendors to prioritize comprehensive security practices throughout the entire product lifecycle, Janet Bodenbach, senior director of solutions architecture of Finite State, told Industrial Cyber. “This includes secure development, deployment, release, continuous monitoring, patching, and incident response. Prioritization expectations should include robust vulnerability management, supply chain security transparency (e.g., providing SBOMs and visibility into multi-layer OEM/ODM manufacturing relationships), and collaboration in operationalizing processes for patch management and incident response,” she added.
Bodenbach added that these factors have become increasingly important over the last 24 months as a stronger focus is placed on supply chain security, driven by incidents like the SolarWinds attack and increased pressures to comply with regulations, frameworks, and standards like the NIST Cybersecurity Framework, ISA/IEC 62443 and the EU CRA, along with the shift towards implementing zero trust across the ICS ecosystem.
Slava Bronfman, CEO and co-founder of Cybellum, outlined that asset owners and operators must demand stringent cybersecurity measures from ICS vendors and get evidence they have the right cybersecurity processes in place. “This includes secure by design product development, continuous vulnerability management, coordinated vulnerability disclosure programs (CVD), and strict adherence to industry regulations and standards.”
He added that the escalating cyber threat landscape, coupled with the increasing complexity of ICS systems, has intensified the focus on secure development practices and ongoing security updates. “To mitigate risks effectively, asset owners should collaborate with vendors to establish clear security requirements, including the need for comprehensive Software Bills of Materials (SBOMs) to identify and manage supply chain cybersecurity risks. In addition, threat models should be created during the design phase with post-production monitoring once products are in the field.”
“Cybersecurity risk in software and intelligent devices comes from many sources,” Tom Alrich, an independent consultant specializing in supply chain security of critical infrastructure, told Industrial Cyber. “The most important source is vulnerabilities found in software, whether standalone or installed in a device. Vulnerabilities can come with the product or they can ‘develop’ later, as suppliers and researchers identify code previously thought to be benign, which instead harbors a risk.”
When ICS procurement meets regulatory compliance
The executives examine how the new regulations and compliance requirements are impacting ICS procurement practices. They also explore the strategies that organizations are implementing to address these challenges and improve supply chain security.
Attar said that the introduction of the EU Cyber Resilience Act (CRA) on March 12, 2024, has accelerated the adoption of stringent cybersecurity measures in Europe and globally. “The CRA mandates that products with digital elements, including smart devices, must be resilient against cyber threats. This has pushed machinery suppliers to enhance their compliance frameworks and integrate automated security checks during FAT/SAT processes. Organizations are increasingly leveraging these regulations to fortify their supply chain security,” he added.
Bronfman also assessed that new regulations have significantly transformed ICS procurement, imposing stricter compliance obligations on both asset owners and vendors. “Organizations must meticulously examine vendor adherence to regulations with proactive strategies that include robust third-party risk assessments, zero-trust architectures, and continuous supply chain monitoring to mitigate emerging challenges. Cybersecurity personnel should collaborate with procurement teams to develop and implement vendor assessment criteria that prioritize security and compliance, such as patching cadence, time to vulnerability mitigation, and SBOM analysis.”
Bodenbach assesses that new regulations are driving stricter compliance in ICS procurement, placing advanced scrutiny on cybersecurity practices across the supply chain. “Vendors must meet specific standards, resulting in enhanced contractual obligations, including evidence-based compliance requirements, continuous security monitoring, and incident response collaboration.”
In response, she added that organizations are establishing risk-based procurement strategies outlining specific criteria for vendor acceptance and ongoing engagement, increasing vendor collaboration, and investing in third-party risk management solutions to continually assess and monitor vendor security.
Role of secure development practices in ICS procurement
The executives examine the secure development practices that vendors implement to ensure their products are safeguarded against vulnerabilities when procuring ICS equipment and services. They also consider the integration of these practices into existing OT and ICS systems and assess how it impacts organizational risk.
“The ICS supply chain involves various stakeholders, each with distinct cybersecurity responsibilities,” Attar said. “Vendors are investing in secure development lifecycle practices, aligning with IEC 62443-4-1, which includes rigorous testing and vulnerability scanning for each release. Asset owners should demand these practices and utilize their tools to assess risks continuously. Ensuring these secure development practices are in place helps mitigate organizational risks by reducing vulnerabilities in procured ICS equipment.”
“Security must be embedded into the development lifecycle as early as possible, with threat modeling, enforcement of coding standards, rigorous testing, and vulnerability monitoring throughout the device lifecycle,” Bronfman observed. “Generating quality SBOMs is essential for enabling efficient vulnerability management and facilitating supply chain security.”
He also identified close collaboration between development, quality assurance, and cybersecurity teams is crucial for identifying and addressing vulnerabilities promptly. “Leveraging AI-powered functionality can automate vulnerability scanning and prioritization, code analysis, and threat detection, enhancing the efficiency and effectiveness of the development process.”
Alrich said that almost all software vulnerabilities are reported to CVE.org (or another vulnerability aggregator like CISA’s ICS-CERT) by the supplier of the software. “However, it is likely that the majority of vulnerabilities aren’t reported to anybody. As soon as a supplier learns of a vulnerability in one of their products, they should report it, both to CVE.org and directly to their customers in a security advisory.”
“Normally, a vulnerability shouldn’t be reported until there is a patch available for it,” Alrich added. “However, there are some vulnerabilities that are too insignificant to patch (or report), because of, say, a low CVSS score. The supplier should announce its threshold for patching vulnerabilities to its customers and patch any vulnerability that exceeds the threshold.”
Bodenbach noted that vendors are following secure development practices like implementing secure SDLC, adopting a secure-by-design approach, utilizing secure defaults, and ensuring compliance throughout the DevSecOps lifecycle. “They’re conducting regular scanning and penetration testing to identify, prioritize, and remediate vulnerabilities while aligning with security standards (e.g., ISO/IEC 27001 and ISA/IEC 62443). These practices highlight the need for comprehensive security strategies across the ICS ecosystem, addressing gaps introduced by increased connectivity of legacy OT and ICS systems, which pose significant risks by exposing vulnerabilities and increasing the attack surface for sophisticated adversaries.”
Providing secure ICS procurement strategies
The executives highlight strategies that asset owners and operators must adopt to mitigate cybersecurity risk in ICS procurement.
“Mitigating cybersecurity risks in ICS procurement requires early involvement of cybersecurity considerations in the procurement process,” Attar expressed. “Asset owners should rank suppliers based on their cybersecurity capabilities and consider the long-term costs associated with continuous support and updates. Prioritizing use cases based on business impact and key metrics ensures that cybersecurity investments are aligned with organizational goals. Establishing clear SLAs and demanding higher security standards from vendors is crucial.”
Bronfman identified that asset owners and operators should rigorously assess suppliers to mitigate cybersecurity risk, incorporating stringent security clauses into contracts. “Implementing vulnerability management programs, including regular scanning and patch management, is essential. Cybersecurity personnel should work closely with procurement to develop and enforce security standards. Conducting regular security awareness training for employees is crucial to preventing human error-related breaches,” he added.
“Asset owners and operators must adopt key initiatives driven by new and existing regulatory requirements, including requiring vendors to provide comprehensive SBOMs and VEX/VDR information,” according to Bodenbach. “SBOMs enhance transparency and provide visibility into ICS systems, [which is] crucial for proactive vulnerability management. Additionally, asset owners should strengthen vendor contractual obligations to encompass essential security measures, such as continuous security monitoring, timely patch updates, and collaborative incident response protocols.”
Alrich detailed that the situation is more complicated when it comes to intelligent devices. “Some types of devices, including many ICS and medical devices, are almost never patched promptly, because the user organization (e.g., a power plant or a large hospital) needs to wait for a time when there will be no disruption to operations to apply the patch. If the manufacturer reports the vulnerability immediately after they release the patch, devices in the field may be vulnerable until the patch is applied. The manufacturer should probably delay reporting the vulnerability for a few months after the patch is released.”
He also identified that another issue with intelligent devices is manufacturers often only update their devices every 6-12 months. “If they wait for the next update to announce a serious vulnerability and patch it, they may leave their customers for almost a year with an unpatched vulnerability. Even though the customers can’t develop a patch themselves, if they’re concerned about the vulnerability, they can at least remove the device from their network. But if they don’t even know about the vulnerability, they won’t do anything to protect themselves.”
Delivering collaborative cybersecurity in ICS procurement
The executives analyze asset owners and vendors working together to enhance supply chain security and mitigate cybersecurity risks in ICS procurement.
Attar noted that effective collaboration between asset owners and vendors is vital for enhancing supply chain security. “Asset owners, positioned at the top of the supply chain, must set high-security demands. As more asset owners enforce stringent security requirements, vendors will be compelled to invest in better protection measures. However, it’s important to acknowledge that these investments come at a cost, necessitating mutual support for long-term success.” he added.
“Asset owners and vendors must work together to assess risks, share threat information, and align on security standards. Encouraging security certifications and establishing joint incident response plans can significantly strengthen the overall security posture,” according to Bronfman. “To address the cybersecurity challenges faced by smaller suppliers, larger organizations can provide guidance, training, and resources.”
He added that building strong relationships with suppliers is essential for fostering a secure and resilient supply chain. “AI-powered tools can be used to assess supplier risk, monitor supply chain activities, and detect anomalies that may indicate potential threats.”
Bodenbach zeroed in on tighter partnerships and effective collaboration between asset owners and vendors are crucial for supply chain security. “Establishing clear communication channels, conducting joint security audits, and developing collaborative incident response plans are all key strategies to achieving this goal. Continuous improvement programs that encourage vendors to enhance their security practices, including requiring SBOMs and regular updates from OEMs, will also reduce overall cybersecurity risks in ICS procurement.”
“A new problem came up on February 12. The National Vulnerability Database (NVD) essentially stopped adding machine-readable software identifiers (CPE names) to the CVE records,” according to Alrich. “This means that currently, an automated search for vulnerabilities that apply to a product isn’t likely to reveal any vulnerabilities reported after early February.”
He added that the NVD hasn’t even acknowledged the scale of the problem (17,000 ‘unenriched’ CVEs, with 100 added every day, let alone shown how they will fix it. “The OWASP Vulnerability Database Working Group is working on solutions to this problem.”
Adapting to emerging threats in ICS procurement
The executives identify proactive measures can asset owners and operators adopt to stay ahead of emerging threats and continuously adapt their ICS procurement strategies.
Attar indicated that to stay ahead of emerging threats, asset owners and operators should integrate cybersecurity into the procurement process from the outset. “Recognizing the shared responsibility between asset owners and vendors is essential. Both parties should utilize tools and processes to evaluate new equipment and continuously assess the overall security posture. By ranking suppliers and maintaining rigorous cybersecurity standards, asset owners can proactively adapt their strategies to evolving threats.”
Organizations should share threat intelligence, conduct regular security audits, and invest in emerging technologies like AI for threat detection, Bronfman said. “Cybersecurity teams should collaborate with IT/OT teams to develop and implement incident response plans. Regular tabletop exercises and simulations can help prepare the organization for various cyberattack scenarios. AI can be used to analyze vast amounts of data to identify emerging threats and predict potential attack vectors, enabling organizations to proactively mitigate risks.”
Bodenbach assessed that asset owners and operators can stay ahead of emerging threats by maintaining a comprehensive OT/ICS asset management program that includes industrial defense-in-depth OT security practices to cover all aspects of operational risk. “Implementing updates for n-day and zero-day threats, adopting threat intelligence programs, regularly updating procurement policies based on industry collaboration and best-practice experiential knowledge, promoting innovation in security technologies, and implementing zero trust will all help protect ICS systems from emerging threats and allow organizations to continually adapt their ICS procurement strategies.”
“The best solution to this problem is for the manufacturer to update the device more regularly, say every three months; all new patches would be applied with the update,” Alrich concluded. “If that isn’t possible, the manufacturer should at least do a ‘patch release’ every three months and issue more urgent patches immediately.”
