Supply chain exploits: the blind spots operators need to address

Severe cyberattacks originating from IT and OT supply chains are on the rise. Often these attacks exploit third parties that may be connected to — or have intermittent access to — the operator’s internal network. Changing suppliers, systems and personnel is known to introduce new security risks and vulnerabilities; however, many fail to monitor and manage these changes effectively.

Only a handful of third-party suppliers — typically the largest — are considered “Critical” from a regulatory standpoint (see European cybersecurity regulation and its impact on digital infrastructures). However, “Non-critical” partners — those often smaller and contracted for shorter terms — are just as likely to pose risks. But they are unlikely to receive the same oversight. Legacy partners present another category of risk, since they may be considered entirely disconnected and therefore no longer monitored.