How to protect your business from a supply chain cyber-attack

Areti Ntaradimou
Posted on: 17 June 2022

Annie Priljeva, Head of Cybersecurity Third-Party Risk Management team at Siemens Energy, unpacks how her team is dedicated to “understanding the company’s supplier ecosystem, identifying business-critical suppliers, and assessing cyber-risks resulting from third-party engagements."

Annie Priljeva, Head of Cybersecurity Third-Party Risk Management, Siemens Energy

"A nation’s critical infrastructure is the cornerstone of its national security," cyber expert Annie Priljeva tells Areti Ntaradimou.   

In the words of Annie Priljeva, the Cybersecurity Third-Party Risk Management team at Siemens Energy is dedicated to “understanding the company’s supplier ecosystem, identifying business-critical suppliers, and assessing cyber-risks resulting from third-party engagements." 

It then works on “developing risk treatment plans, mitigating risks to an acceptable level, and making cyber risks in the supply chain transparent to the leadership team."

Priljeva is the global Head of Cybersecurity Third-Party Risk Management at Siemens Energy and that is how, in a nutshell, her team ensures cybersecurity risks are identified and managed throughout the supply chain.

But let us take things from the beginning, shall we?  

As new technologies constantly blur the line between what is human and what is artificial, what is reality and what is simulation, they render everybody more vulnerable to cyber-attacks.

Nowadays, most types of hostilities happen in cyberspace and in many cases, we do not even hear about it. Mind you, that is a good thing. It means that our protective shield is apparently working. But for how long? 

For critical infrastructure like electricity, water, and gas, the consequences of a successful cyber-attack could be disastrous. Unfortunately, dystopic scenarios are not far-fetched: we experienced one in 2021 when a cyber-attack on the Colonial Pipeline took down the largest fuel pipeline in the US and led to shortages across the East Coast.

“A nation’s critical infrastructure is a cornerstone of the country's national security. And such critical infrastructure is increasingly a target of cyber-attacks for a variety of reasons,” says Priljeva. Therefore, “as a supplier to the nation's critical infrastructure, we cannot allow for our products to be vulnerable, and we expect the same from our suppliers. Every aspect of our product security that contributes to our customers’ security is vital.”

Every utility, solution provider, consumer, and prosumer that is digitally connected to the grid via smart meters, cloud, IoT, etc., is a potential cyber target. “In today’s connected world, business data is often hosted, processed, or otherwise shared with our external partners.  We frequently hear that data is the new gold, so protecting it is imperative for the success of any organisation,” says Priljeva.

In order to profoundly and skilfully protect anything in this world, one needs to know where the vulnerability lies, and quite often cyber security experts must anticipate security risks and breaches.

A recent report from the European Union Agency for Cybersecurity (ENISA) – which is based in Greece – reveals that an organisation could be vulnerable to a supply chain attack even when its own defenses are quite good.  

Indeed, a cyber-attack could be executed by exploiting a vulnerability in a third-party product or by infiltrating an IT system managed by a third-party provider.   

But how do you solve or even identify a problem that creeps up on you via third-party suppliers, which no one knows exists? Well, here is where cybersecurity experts get creative.

According to Priljeva, “Siemens Energy has policies and procedures in place as well as technical controls to detect and divert most of these attacks; however, some of our external partners do not necessarily have comparable security capabilities, and our role is to identify and evaluate the cyber risks.

“Threat actors are becoming more sophisticated and craftier when planning and executing their attacks and often target the third parties providing services to the target organisation. For that reason, it is imperative for Siemens Energy to assess the third-party supplier’s security posture, identify cyber risks which could affect our products or jeopardize the security of our business-critical data."  

The assessments work as a sort of prevention mechanism where Priljeva and her colleagues “evaluate whether our third-party suppliers have the necessary controls in place." They also utilize some commercially available tools to assist them, which helps the team to “monitor our suppliers’ security posture and notify of reportable incidents."

At the same time, threat analysis tools “can help gain visibility into potential, yet unreported issues," she says.  

However, Priljeva notes that technology “gets you only so far. The human aspect needs to be considered. That is why following a multiple factor approach is of the essence.” This is one of the reasons why on-site visits are also crucial.

The on-site visits assist in “building a relationship with the supplier and experiencing the company’s culture." The latter is vital as it helps experts get a sense of whether the company is committed to providing secure products, solutions, and services to its customers. 

“On-site visits should not be about identifying security findings only, but rather they should be about aligning on the expectations, close collaboration and building strong partnerships based on mutual understanding, respect, and trust," says Priljeva. And she should know. With over 20 years of experience in the energy sector and a special “attachment” to cybersecurity, she has experienced first-hand the importance of the human factor and of building strong relationships. 

Priljeva demonstrates this by sharing her feelings on a personal level, for the benefit of all those out there who are yet to find their passion.

“I am very passionate about cybersecurity, and I am very passionate about the energy [sector]”, she says. “In my experience, the cybersecurity field is exciting because you can see the contributions, the value-add, and the difference we as individuals make towards the success of our organisations, and then, the impact that our companies make in the world – energizing society!  

“You can see this kind of a domino effect throughout the entire process, and that is truly rewarding. I would like to encourage everybody out there, especially the next generations, to come and join us on this important mission.” 

Claudia Street, Cybersecurity Third-Party Risk Management expert at Siemens Energy:

“No day here is the same. Of course, there are some activities that by their nature are very similar, but the opportunities at TPRM for learning different aspects of cybersecurity are seemingly endless.

“Currently on my to-do list is a vast array of different activities, from reviewing a penetration test report on a cloud solution to working with a small five-person company to determine how we can work together to enhance their cybersecurity practices. On any given day I could be presenting a vendor risk statement to a senior manager in the morning and visiting a manufacturing site in the afternoon to see first-hand what a specific software solution does to improve quality. Working with people throughout the business and with our third parties is very rewarding: We get to build relationships where you can see the benefits being realized.

“The role can be challenging, and sometimes even a little overwhelming. We get to experience not just how Siemens Energy “does things” but also learn from other organisations. Every day is an opportunity to discover something new.”

Visit: www.siemens-energy.com/cybersecurity
