The report shows that only half (53%) of critical infrastructure professionals feel confident that their organisation has full visibility into the cyber security risks their supply chain potentially exposes the business to. Over a third (36%) of respondents suspect that cyber attackers may have infiltrated their supply chain without the suppliers themselves reporting it. This lack of transparency increases the risk of large-scale cyber attacks via connected networks, components, software, or third-party vendors.
"You can't secure what you don't know. Organisations need to gain a better understanding of the vulnerabilities in their supply chains and use methods that provide greater oversight of suppliers. To strengthen supply chain security, they should better manage cyber security requirements in procurements and supplier agreements, increase the focus on security in the design of processes and assets, and involve cyber security teams earlier in projects. Continuous testing and the ability to detect and act are critical to identifying and mitigating the impact of breaches through the supply chain," says Marek Rejmer, Director of Identity and Access Management at DNV Cyber.
Supply chains are an attractive target for cyber attacks because a single compromised supplier can provide a common attack vector into many organisations and systems at once, including critical infrastructure. Earlier attacks, such as those against Kaseya (2021) and SolarWinds (2020), have clearly shown how vulnerable supply chains can be and how wide-ranging the consequences are. The Kaseya attack also affected Swedish companies, especially in the retail sector, underscoring the importance of strengthening security throughout the supply chain.
Supply chain security needs to be strengthened
Organisations that operate critical infrastructure are increasingly investing in cyber security and taking steps to secure IT and OT (Operational Technology). Despite these investments, DNV Cyber warns that these efforts risk being insufficient unless cyber security in the organisation's supply chain is similarly strengthened. For this, cyber security must be included already in procurements and supplier agreements. In addition, a structured approach with continuous testing is required to be able to prevent, detect and act on any threats at all times.
Tighter regulations an important response to growing threats
Regulations are the biggest driver of cyber security investments in critical infrastructure. The EU's NIS2 directive, which will be implemented in Sweden during the summer at the earliest, and the Cyber Resilience Act (CRA) are important examples of how governments are tightening requirements to strengthen security in the supply chain and reduce risks. The point is not only to meet the requirements of these regulations, but to act on them continuously and preferably go beyond what is required.
Cooperation and standardisation key to increased resilience
To effectively address the growing cyber threats, collaboration and standardisation are crucial. Companies should stay ahead of regulations and actively participate in joint efforts to develop and implement best practices. DNV Cyber's research shows that as many as 93% of critical infrastructure professionals believe that more coordination is needed to ensure common approaches to cyber security.
In addition to securing supply chains, DNV Cyber's Cyber Priority survey also shows that critical infrastructure industries should prioritise strengthening OT security, increasing employee awareness and vigilance, building a strong cyber security culture, and accelerating the adoption of AI in their work.