Companies in critical infrastructure sectors say weak cyber defenses at suppliers are becoming a significant threat to their business, and that rules to boost security down the supply chain might be needed.
While federal and industry rules for specific areas such as aviation, pipeline companies and other critical infrastructure operators are well-established, said Curley Henry, vice president and deputy chief information security officer at power utility Southern Co., cyber regulations for businesses supplying those operators are less so.
“The supply chain is the area where the threats are growing the most for us, but the regulations aren’t targeted to those who are providing the products,” Mr. Henry said, speaking on a virtual panel hosted Thursday by industrial cybersecurity firm Dragos Inc.
“While I agree with the need for regulations for us, in critical infrastructure, oil and gas, manufacturing, that’s an overlooked area that needs to get a lot of focus,” he said.
Mr. Henry’s comments reflect long-held concerns of government officials and security chiefs about the security of supply chains, and the impact that a breach of one company can have on many others.
High-profile examples include the successful breach of a product used by software provider Kaseya Ltd. in July 2021 that resulted in hundreds of companies being infected by ransomware, and an attack on SolarWinds Corp. software in 2020 that resulted in compromises of multiple federal agencies.
Companies in supply chains, which are often small to medium-size businesses, might not have the resources necessary to fund a full cybersecurity program, but a successful attack could stymie production further up the line, said Dawn Cappelli, director of the Operational Technology-Cyber Emergency Readiness Team at Dragos. The OT-CERT provides free cybersecurity resources and runs cyber exercises for companies that use industrial systems.
“We have to be thinking not just about our own companies, but about the whole ecosystem,” she said, speaking on the same panel as Mr. Henry.
Ms. Cappelli, former CISO at manufacturing-tech company Rockwell Automation Inc., said that a supplier doesn’t necessarily need to pose a direct cyber threat to a company, such as through a software or network link, for a disruption to have a significant impact.
During her tenure at Rockwell, she said, manufacturing companies struck by ransomware would be unable to produce parts Rockwell needed to build its products, sometimes for weeks or months at a time.
“They didn’t present a cyber risk to us, but I realized they presented an operational risk,” she said. Larger companies should perform cyber assessments of their suppliers, and where possible, assist them with strengthening their defenses, Ms. Cappelli said.
Write to James Rundle at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.