Top 3 things you should know about securing your supply chain in line with the Network and Information Systems (NIS) Directive
At the time of writing, the EU's Network and Information Systems Directive (NIS-D) has been transposed into national law for just over three years, depending on which country you are reading this from.
With supply chain cyber attacks against critical national infrastructure organisations on the rise, I thought it would be useful to share the key things organisations need to be doing to secure themselves, and to avoid the penalties the NIS-D enforcement regime allows for when an organisation suffers an incident that could have been prevented.
If you aren't familiar with the NIS-D and you aren't sure whether it applies to you in your role, read here for a quick introduction.
The NIS-D obligations and enforcement regime for operators of essential services (OES) are stricter than those put in place for relevant digital service providers (RDSPs). This blog focuses on the obligations for OES in the UK; however, the points are highly relevant to RDSPs too.
How should you be managing your supply chain to comply with NIS-D?
Unfortunately for you (and for me as I write this blog), there isn't a simple answer to this question, or to any other question about the NIS-D, because the law and the NCSC's guidance take an outcomes-based approach that is deliberately not prescriptive about what organisations should be doing. They focus on what a relevant organisation achieves, in terms of the security of its network and information systems, by whatever measures it chooses to implement.
However, in this blog, I will use a combination of the published materials from the NIS-D authorities coupled with Risk Ledger's supply chain risk management expertise and experience gained by working with Competent Authorities and OES clients including over 30% of the UK water market, to outline the top 3 things you need to know about supply chain risk management as an organisation subject to the NIS-D.
1. Get a comprehensive understanding of your supply chain, your organisation's third party dependencies and the inherent risks faced by that supply chain.
You will have to forgive me for stating the obvious here but in our experience at Risk Ledger, it is this first basic step where many organisations have a major gap in their supply chain security risk management regime - albeit with justifiable reasons.
A comprehensive understanding of your supply chain should include:
- knowing who your immediate third parties are, what services they provide to your organisation, what type of data you share with them and how your organisation depends on them,
- knowing which fourth parties are critical to the consistent delivery of services by your key third parties,
- understanding the security risks faced by your supply chain and the security regimes implemented by suppliers to secure themselves from security incidents; and
- identifying concentration risks and single points of failure in your supply chain.
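The last two items in that list are the ones that are hardest to do by eye once a supplier register grows beyond a few dozen entries, because fourth-party dependencies are transitive and the same hosting or connectivity provider tends to sit behind several unrelated suppliers. As an added example, not code from Risk Ledger or from the NCSC, the script below takes a small, constructed supplier register (all organisation and service names are hypothetical) and computes two of the outputs the CAF outcome asks for: which suppliers, at any tier, underpin more than one essential service (concentration risk), and which suppliers a given essential service could not continue without (single points of failure). The data model assumes that each service is broken into roles, that the suppliers listed for a role are interchangeable alternatives, and that every sub-contractor a supplier lists is something it genuinely depends on.

```python
from collections import defaultdict

# Constructed, hypothetical register. For each essential service, the roles it
# needs and the third parties able to fulfil each role (alternatives in a list).
SERVICES = {
    "water-treatment-control": {
        "scada": ["scada-vendor"],
        "telemetry": ["telemetry-co", "telemetry-backup-co"],
    },
    "billing": {
        "billing-platform": ["billing-saas"],
        "printing": ["print-house", "print-house-2"],
    },
    "customer-portal": {
        "billing-platform": ["billing-saas"],
    },
}

# Sub-contractors each supplier relies on (fourth parties and beyond). A supplier
# missing from this map is assumed to have no known sub-contractors.
SUBCONTRACTORS = {
    "scada-vendor": ["cloud-host-a", "remote-support-ltd"],
    "telemetry-co": ["cloud-host-a", "sim-provider"],
    "telemetry-backup-co": ["cloud-host-a"],
    "billing-saas": ["cloud-host-a", "payment-gateway"],
    "print-house": [],
    "print-house-2": [],
    "cloud-host-a": ["dns-provider"],
}


def dependency_closure(supplier):
    """Every organisation reachable from `supplier` through the sub-contractor
    map, at any depth, excluding the supplier itself. Cycles are tolerated."""
    seen, stack = set(), list(SUBCONTRACTORS.get(supplier, []))
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(SUBCONTRACTORS.get(current, []))
    return seen


def service_dependencies(service):
    """All suppliers, at any tier, involved in delivering `service`."""
    deps = set()
    for suppliers in SERVICES[service].values():
        for third_party in suppliers:
            deps.add(third_party)
            deps |= dependency_closure(third_party)
    return deps


def concentration_risks(min_services=2):
    """Suppliers (any tier) that at least `min_services` essential services
    depend on, mapped to the sorted list of those services."""
    services_by_supplier = defaultdict(set)
    for service in SERVICES:
        for dep in service_dependencies(service):
            services_by_supplier[dep].add(service)
    return {
        supplier: sorted(services)
        for supplier, services in services_by_supplier.items()
        if len(services) >= min_services
    }


def single_points_of_failure(service):
    """Suppliers whose loss would stop `service`: the sole supplier of a role
    (plus everything it depends on), and any sub-contractor that every
    alternative supplier for a role depends on in common."""
    spof = set()
    for suppliers in SERVICES[service].values():
        if len(suppliers) == 1:
            spof.add(suppliers[0])
            spof |= dependency_closure(suppliers[0])
        elif suppliers:
            # Alternatives only help if they do not share a hidden dependency.
            spof |= set.intersection(*(dependency_closure(s) for s in suppliers))
    return spof


if __name__ == "__main__":
    for supplier, services in sorted(concentration_risks().items()):
        print(f"{supplier} underpins {len(services)} services: {', '.join(services)}")
    for service in SERVICES:
        print(f"{service}: single points of failure -> {sorted(single_points_of_failure(service))}")
```

Run against the sample register, the hosting provider and its DNS provider show up as concentration risks across all three services even though neither appears in any direct contract, and the telemetry role's second supplier turns out not to remove `cloud-host-a` as a single point of failure because both alternatives sit on it. Those are exactly the findings a questionnaire sent only to first-tier suppliers will not surface.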
This is no mean feat.
The challenge faced by even the best-resourced organisations is collecting this data at scale across the supply chain in a way that is understandable, actionable and continuously accurate. However, the NCSC's Cyber Assessment Framework (CAF) is clear on the desired outcome for OES:
"Have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as supplier’s partnerships, competitors, nationality and other organisations with which they sub-contract."
This basic outcome is of particular concern to NIS-D authorities because a failure to comprehensively understand your supply chain is the root cause of many supply chain incidents.
In our experience at Risk Ledger, many organisations struggle to identify all of their suppliers, and even those with mature supply chain risk management programmes review less than 10% of them, remaining largely blind to the security risks inherent in most of their supply chain.
I propose a solution to this supply chain risk visibility challenge towards the end of this blog.
2. Clearly communicate your security requirements for suppliers to them and codify them in contracts.
Supply chain security can only be improved if all parties work together. So when it comes to the minimum security standards you set for suppliers, it is essential that they are aware of them, understand them and agree to them, along with the method by which you will work together to achieve them, before the supplier is in a position to materially affect your network and information systems.
In the NCSC's CAF, the outcome they want you to achieve is to: "Clearly express the security needs you place on suppliers in ways that are mutually understood and are laid in contracts. There [should be] a clear and documented shared-responsibility model."
For OES, this outcome is a clear target and can be implemented relatively easily with good cooperation from your procurement and compliance colleagues and the right policies to entrench this good practice across your organisation.
This is not just good practice for the sake of it. Security expertise and the implementation of risk controls come at a cost, so there is a natural tension between the security controls you require your suppliers to have in place and their commercial considerations, particularly if they are low-margin business service providers.
Good relationships and collaboration across security, compliance and procurement teams help to maintain a consistent approach to setting clear contractual requirements, which eases this challenge.
There are two very important parts of this contractual requirement that aren't as clear in the CAF as I think they should be. First, at Risk Ledger we have seen that agreeing with suppliers how they will share data and information about their security regime with you is almost as important as getting their agreement to share information in the first place.
Secondly, static security schedules in contracts do not work because the risk environment changes over time. Security requirements must be able to change to stay relevant. The gold standard is for the security requirements to be communicated through a dynamic security schedule on a platform like Risk Ledger, with agreement that they will be revised on a shorter cycle than the contract length.
Traditionally, the security due diligence process is very onerous for suppliers and a drain on their resources, because they are asked to complete security questionnaires from all of their clients, often in slightly different ways each time. As a result, many suppliers have tried to reduce the questionnaire burden by engaging minimally with the process, giving their clients limited, and often out of date, information about the security regime they have in place.
By agreeing in the service contract that the supplier will engage with your preferred supply chain security risk assurance method, you will reduce friction for you and your suppliers.
You can also make it as easy as possible for your suppliers to showcase their security regime to you by using a platform like Risk Ledger to run your supply chain risk management programme because it allows them to complete one, continuously maintained supplier profile that is a single point of truth about their security regime and then share access to that profile with any client they choose - saving time and resources in a 'do once, use many' model. More on this towards the end of this blog.
3. Ensure that information essential to the proper functioning of your essential service that is shared with third parties is adequately protected from capable bad actors.
Protecting sensitive information in your supply chain is nigh on impossible if you don't know which third parties you share information with, so I want to restate how important point one above is as the foundation for securing your supply chain in line with the NIS-D's requirements.
If a security incident takes place that compromises the confidentiality, integrity, authenticity and/or availability of this type of data, you will need to be able to show your Competent Authority that you put measures in place and ensured your suppliers took measures to mitigate an adequate level of risk.
You will notice that 'authenticity' has been added to the traditional cybersecurity CIA triad. Authenticity is part of the NIS-D's own definition of the security of network and information systems, alongside availability, integrity and confidentiality.
The outcome you are required to aim for in the CAF is to:
"Have confidence that information shared with suppliers that is essential to the operation of your function is appropriately protected from sophisticated attacks."
The last two words here add clarity to the level of risk mitigation required. Are you confident that your essential information is appropriately protected from nation state attacks, all the way down your supply chain? This is a big ask, but it is something you are legally responsible for as an OES. You should expect a 'sophisticated attack' to be targeted and well-resourced, and your mitigation efforts must reflect this.
What does the gold standard look like?
The main challenge for OES attempting to comply with NIS-D is the scale of the task of gaining a deep understanding of supply chains that are constantly growing and changing.
It is now effectively impossible to achieve the CAF standard comprehensively without tools and services that cope with the scale of the task and make your programme responsive to risks and incidents as they are uncovered.
I mentioned earlier in the blog that the Risk Ledger platform is currently used by OES across several industries to address some of the challenges identified above.
An innovative solution
OES clients using the Risk Ledger platform to comply with the NIS-D give us very consistent feedback about how they benefit from the platform:
- Risk Ledger's secure social network model drastically reduces the volume of work required to maintain a good level of supply chain security assurance.
- The platform provides them with in-depth visibility of the risk controls implemented across their supply chain, including beyond third parties, which was previously impossible. This helps them identify and fix security issues that were previously invisible to them.
- Suppliers being continuously monitored by the Risk Ledger platform eliminates the need to annually assess suppliers and frees up security resources to focus on high risk issues.
Anthony Smith, Information Security Lead at Northumbrian Water, an OES, said: "Before we implemented the Risk Ledger platform, the volume of work required to review our supply chain risk was becoming insurmountable. We estimated it would take another two to three resources (c£150kpa) just to maintain an acceptable level of assurance. The Risk Ledger platform offered a more efficient way of managing this.
The approximate response time for our assurance requests has reduced from seven to two days (70%+ reduction) since the introduction of Risk Ledger. If a supplier is already on the platform, which many of our suppliers now are, this can happen in a matter of minutes as opposed to weeks which is a huge efficiency and supports fast implementation right across the business."
About Risk Ledger
The platform is based around a comprehensive, control-based, standardised Supplier Framework that allows an organisation to complete a single profile setting out the controls it has in place, supported by contextual notes and evidence showing how each control has been implemented. The framework was developed with support from the NCSC after Risk Ledger won their Cyber Den innovation competition.
Access to this single profile can then be shared with any client they work with in a ‘do once, use many’ model. This can take less than a minute to do.
The organisation only has to maintain that single, comprehensive profile. When anything about its risk management regime changes, all clients connected with it on the platform can see and assess those updates in near real time, which gives clients continuous monitoring and drastically reduces the time and cost for suppliers of administering and responding to due diligence requests.
Can you try the Risk Ledger platform?
If you work for an OES or an RDSP subject to NIS-D, I invite you to book a short demonstration of the platform with one of our product specialists to see how it works in practice and to discuss your challenges.
If you are in a hurry, you can get signed up straight away, connect with up to 5 of your suppliers for free and see how the platform works for yourself.
You won’t regret it.