Half of critical infrastructure organizations are not sure where their supply chain is making them vulnerable to the rising tide of cyber-attacks – DNV Cyber research

Industries considered essential to the functioning of society and the economy are in an arms race as threat actors – cyber criminals and nation states – target digital vulnerabilities of the suppliers connected to them, according to new DNV Cyber research. Regulation is tightening to combat the rapidly growing supply chain cybersecurity threat, and organizations must strengthen their capabilities to ensure resilience.  

Just half (53%) of professionals working in critical infrastructure are confident that their organization has full visibility of the cybersecurity vulnerabilities that their supply chain exposes to their business. This situation raises the risk of cyber-attacks through connected networks, components, software, and third-party service providers. 

Over a third (36%) believe cyber-attackers may have infiltrated their supply chain without suppliers reporting it, according to a survey of more than 1,150 professionals across critical infrastructure industries including energy, maritime, manufacturing, and healthcare. 

“You can’t secure what you don’t know. Organizations need to better understand the vulnerabilities in their supply chains, employing approaches that provide greater oversight of suppliers. To strengthen supply chain security, they should better address cybersecurity requirements in procurement and supplier contracts, increase focus on security in the design of processes and assets, and involve cyber teams earlier in projects. Ongoing testing and detection and response capabilities are essential to identify and reduce the impact of breaches from the supply chain,” says Auke Huistra, Director of Industrial and OT Cybersecurity at DNV Cyber.

Supply chains are an attractive target for cyber-attacks as they provide a potential single-entry point to multiple organizations and systems, including to critical infrastructure organizations. Adversaries are constantly changing their approach and developing more sophisticated tactics. Three quarters (76%) of professionals believe their organization’s cybersecurity training is not advanced enough to prepare employees for more sophisticated threats. 

Recent high-profile, sophisticated supply chain attacks include the 2020 SolarWinds hack, in which, according to the US government, Russia’s Foreign Intelligence Service (SVR) breached software belonging to the IT monitoring company SolarWinds. They subsequently gained access to the networks, systems, and data of thousands of customers, including governments and critical infrastructure organizations.

In 2024, an attack on one of the UK’s largest healthcare providers, Guy's and St Thomas' NHS Foundation Trust, targeted a pathology service provider. The ransomware attack caused delays to urgent and emergency care and led to the postponement of thousands of outpatient appointments and elective procedures.  

In 2023, a breach at file-transfer program MOVEit led to theft of data from thousands of organizations globally, including in critical infrastructure sectors such as energy and healthcare. 

Organizations operating critical infrastructure are investing more in cybersecurity and taking steps to secure IT and operational technology (OT), the systems that monitor and control physical devices, processes, and infrastructure. But this could make little difference if the cybersecurity of an organization’s supply chain is not similarly strengthened, warns DNV Cyber in the research. Cyber-physical attacks are a growing concern, in which attacks on digital technologies directly impact the “real world” of physical assets and operations.  

Some 60% of critical infrastructure professionals are confident that their organization is able to build cybersecurity obligations into new contracts with suppliers, while 70% say their organization incorporates cybersecurity in the early phases of new infrastructure projects.   

“In critical infrastructure industries and OT environments, the consequences of a breach can be particularly severe: for national security, society, and the economy. All organizations need to secure their supply chains. Vendors and suppliers can be game changers in enhancing security. It is important that asset owners set requirements for suppliers based on their company’s risk profile and regulation but also check on the actual implementation of those requirements. Cooperation along the supply chain is crucial, including information sharing about vulnerabilities and incidents,” says Huistra.

Tightening regulation a timely response to supply chain threats

Regulation is the greatest driver of investment in cybersecurity among critical infrastructure industries, according to the Cyber Priority research, and is among the best drivers to strengthen cyber resilience and address supply chain risk.  

Governments are tightening regulation. The EU Network and Information Systems Directive 2 (NIS2), for example, addresses risk from supply chains and supplier relationships. The EU Cyber Resilience Act (CRA) requires suppliers of everything with a smart element in it (including industrial IoT products) to meet enhanced cybersecurity standards, impacting design, development, and deployment processes. 

Regulation at the industry level is also making a difference. In the maritime industry, the International Association of Classification Societies’ (IACS) unified requirements (IACS UR-E26 and UR-E27) have set mandatory cybersecurity requirements for new vessels contracted after 1 July 2024 and for on-board systems and equipment. This has given an enormous push for the implementation of cybersecurity controls by yards, designers, original equipment manufacturers, and owners during vessel design and operation.

Collaboration key to strengthening cybersecurity 

Companies should stay ahead of regulation to ensure resilience against evolving threats. Collaborative examples include joint efforts like the development of the IEC 62443 standards that address security for operational technology in industrial control systems, and the creation of recommended practices for cyber resilience in the maritime and energy industries. There is strong support for such an approach, as 93% of critical infrastructure professionals agree there should be more collaboration to ensure aligned approaches to cybersecurity. 

There are several relevant cybersecurity standards, but to make them easy to implement it is important to have good practices for each industry sector, which make clear what is expected from all parties in the supply chain.  

An example is the initiative of a Joint Industry Project to address cyber threats in the offshore wind sector, which has been launched by DNV and Siemens Energy to establish common practice. Companies from across the supply chain have shown commitment to join in. This collaboration is key, as critical assets are heavily dependent on their suppliers.

Security of supply chains one of several areas for improvement 

In addition to securing supply chains, DNV Cyber’s Cyber Priority research finds that critical infrastructure industries should strengthen OT security, improve employee vigilance, build cyber culture, and accelerate the use of AI in cybersecurity.  

DNV Cyber has published detailed Cyber Priority reports addressing Energy and Maritime sectors. 

We map your supply chain for risks, improve your governance and risk management, and develop a supply chain cybersecurity implementation plan. We support with incident response to help control and limit damage.