ENISA: Supply Chain Cybersecurity good practices 


It has been a busy week for the EU Agency for Cybersecurity (ENISA). On 13 June 2023 it released a report on the current supply chain cybersecurity practices of essential and important entities in the EU. The report builds on the results of ENISA's 2022 study, which looked at how EU organisations invest their cybersecurity budgets. 


Requirements of the NIS2 Directive

First, the NIS2 Directive (EU) 2022/2555 requires Member States to ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems. In detail, Article 21(2) of the NIS2 Directive lists supply chain security, including the security-related aspects of the relationship between each entity and its direct suppliers or service providers, as an integral part of the mandatory cybersecurity risk management measures. The 2022 ENISA study found the following noteworthy figures:

  • 86 % of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
  • 47 % allocate budget for ICT/OT supply chain cybersecurity.
  • 76 % do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
  • 61 % require security certification from suppliers, 43 % use security rating services and 37 % demonstrate due diligence or risk assessments. Only 9 % of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
  • 52 % have a rigid patching policy, under which only 0 to 20 % of their assets remain uncovered. On the other hand, 13.5 % have no visibility over the patching of 50 % or more of their information assets.
  • 46 % patch critical vulnerabilities in less than 1 month, while another 46 % take up to 6 months to patch critical vulnerabilities.

Good practices proposed 

According to ENISA, good practices should cover all the entities that play a role in the supply chain of ICT/OT products and services, from production to consumption. Accordingly, they are grouped into five main areas: 

  • strategic corporate approach;
  • supply chain risk management;
  • supplier relationship management;
  • vulnerability handling;
  • quality of products and practices for suppliers and service providers.

Cybersecurity ICT/OT Supply Chain Risk Management Cycle

Next, starting from a well-defined strategy rooted in continuous screening of all ICT/OT supply chain cybersecurity dependencies (the strategic corporate approach above), ENISA proposes a Cybersecurity ICT/OT Supply Chain Risk Management Cycle whose steps correspond to the remaining four areas: 

  • ICT/OT supply chain risk assessment helps organisations understand their own supply chain by identifying suppliers and service providers, and by understanding the potential supply chain risks that the deliverables of those suppliers and service providers pose to the organisation itself and to its end customers.
  • Supplier relationship management helps to manage the supply chain with policies, procedures and agreements that address supply chain risks. This is supported by monitoring of the supplier’s and service provider’s performance and change management practices.
  • Vulnerability handling defines how an organisation manages vulnerabilities. Vulnerabilities of own assets are monitored and linked to assets in the infrastructure. Their risks are understood, and patches are deployed to close these vulnerabilities based on a well-defined maintenance policy.
  • Quality of products and services requires actors along the supply chain to operate processes with cybersecurity practices in place, to protect their own infrastructure, and to implement technical measures in their products and services that increase cyber-robustness. Quality needs to be measured and continuously improved. Essential and important entities need transparency about the cybersecurity practices behind the products and services delivered to them.
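As an added illustration, and not code from the ENISA report, the following Python sketch shows the mechanics behind the risk assessment and vulnerability handling steps: an asset inventory that records which supplier delivered each component, advisories matched to affected component versions, patch records graded against a maintenance policy with remediation deadlines, a per-supplier roll-up of open exposure, and the share of assets whose patch state is simply unknown (the visibility gap the 2022 survey measured). The asset and supplier names, the `ADV-…` identifiers, the SLA table and the assumption that versions are dotted numerics are all constructed for the example.

```python
"""Link supplier-delivered components to advisories and grade remediation
against a maintenance policy. Added example with constructed data; the SLA
table, identifiers and version convention are assumptions, not from ENISA."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed maintenance policy: days allowed to remediate, per severity.
SLA_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    supplier: str             # the supply chain link: who delivers the component
    component: str
    version: str
    patch_status_known: bool  # False means no visibility over patching of this asset


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    component: str
    fixed_in: str             # versions strictly below this are affected
    severity: str
    published: date


@dataclass(frozen=True)
class PatchRecord:
    asset_id: str
    vuln_id: str
    applied: date


@dataclass(frozen=True)
class Finding:
    asset_id: str
    supplier: str
    vuln_id: str
    severity: str
    deadline: date
    status: str  # patched_on_time | patched_late | open | overdue | no_visibility


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (assumption); compared as integer tuples."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.component == adv.component
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def link_vulnerabilities(assets, advisories, patches, today: date) -> list:
    """Tie each advisory to the assets it hits, then grade remediation
    against the SLA deadline derived from severity and publication date."""
    applied = {(p.asset_id, p.vuln_id): p.applied for p in patches}
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            deadline = adv.published + timedelta(days=SLA_DAYS[adv.severity])
            key = (asset.asset_id, adv.vuln_id)
            if not asset.patch_status_known:
                status = "no_visibility"
            elif key in applied:
                status = "patched_on_time" if applied[key] <= deadline else "patched_late"
            else:
                status = "overdue" if today > deadline else "open"
            findings.append(Finding(asset.asset_id, asset.supplier, adv.vuln_id,
                                    adv.severity, deadline, status))
    return findings


def summarise(findings, assets) -> dict:
    """Roll findings up per supplier (the supply chain risk view) and report
    the share of assets whose patch state is unknown (the visibility gap)."""
    by_supplier = {}
    for f in findings:
        by_supplier.setdefault(f.supplier, Counter())[f.status] += 1
    unknown = sum(1 for a in assets if not a.patch_status_known)
    return {
        "by_status": Counter(f.status for f in findings),
        "by_supplier": by_supplier,
        "no_visibility_share": unknown / len(assets) if assets else 0.0,
    }


# Constructed inventory, advisories and patch log (not real products or CVEs).
ASSETS = [
    Asset("srv-01", "Acme Software", "libfoo", "1.2.0", True),
    Asset("srv-02", "Acme Software", "libfoo", "1.4.1", True),
    Asset("plc-07", "Beta OT", "ctrl-fw", "3.0", False),
    Asset("ws-11", "Gamma Security", "agent", "2.5", True),
]
ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "1.3.0", "critical", date(2024, 1, 10)),
    Advisory("ADV-0002", "ctrl-fw", "3.2", "high", date(2024, 2, 1)),
    Advisory("ADV-0003", "agent", "3.0", "medium", date(2024, 3, 1)),
]
PATCHES = [PatchRecord("srv-01", "ADV-0001", date(2024, 2, 20))]
TODAY = date(2024, 4, 1)


def run_report(today: date = TODAY) -> dict:
    findings = link_vulnerabilities(ASSETS, ADVISORIES, PATCHES, today)
    return {"findings": findings, **summarise(findings, ASSETS)}


if __name__ == "__main__":
    report = run_report()
    for f in report["findings"]:
        print(f"{f.asset_id:7} {f.supplier:15} {f.vuln_id} {f.severity:8} "
              f"due {f.deadline} -> {f.status}")
    print("per supplier:", {s: dict(c) for s, c in report["by_supplier"].items()})
    print(f"assets with no patch visibility: {report['no_visibility_share']:.0%}")
```

With the constructed data, the critical advisory on `srv-01` was patched eleven days after its 30-day deadline and is graded `patched_late`, the OT controller shows up as `no_visibility` because its patch state is not tracked at all, and the medium-severity finding on `ws-11` is merely `open` until its 180-day deadline passes. The per-supplier roll-up is what feeds supplier relationship management: it turns individual findings into a view of which supplier's deliverables are generating late or unmanaged exposure.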

Source: https://www.enisa.europa.eu/publications/good-practices-for-supply-chain-cybersecurity
