
GOOD PRACTICES FOR SUPPLY CHAIN CYBERSECURITY
June 2023

ABOUT ENISA

The European Union Agency for Cybersecurity (ENISA) is the EU's agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost the resilience of the EU's infrastructure and, ultimately, to keep Europe's society and people digitally secure. More information about ENISA and its work can be found here: www.enisa.europa.eu.

CONTACT

For contacting the authors, please use resilience@enisa.europa.eu
For media enquiries about this paper, please use press@enisa.europa.eu

AUTHORS

Maria Papaphilippou, Konstantinos Moulinos, Marianthi Theocharidou

ACKNOWLEDGEMENTS

Volker Distelrath, Siemens

LEGAL NOTICE

This publication represents the views and interpretations of ENISA, unless stated otherwise. It does not endorse a regulatory obligation of ENISA or of ENISA bodies pursuant to Regulation (EU) 2019/881. ENISA has the right to alter, update or remove the publication or any of its contents. It is intended for information purposes only and it must be accessible free of charge. All references to it or its use as a whole or partially must contain ENISA as its source. Third-party sources are quoted as appropriate. ENISA is not responsible or liable for the content of the external sources including external websites referenced in this publication. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. ENISA maintains its intellectual property rights in relation to this publication.

COPYRIGHT NOTICE

© European Union Agency for Cybersecurity (ENISA), 2023

Unless otherwise noted, the reuse of this document is authorised under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence (/licenses/by/4.0/). This means that reuse is allowed provided appropriate credit is given and any changes are indicated. For any use or reproduction of photos or other material that are not owned by ENISA, permission may need to be sought directly from the respective rightholders.

ISBN 978-92-9204-636-1, doi: 10.2824/805268, TP-03-23-145-EN-N

TABLE OF CONTENTS

1. INTRODUCTION
1.1 SUPPLY CHAIN IN THE NIS2 DIRECTIVE
1.2 AIM AND AUDIENCE
1.3 METHODOLOGY AND STRUCTURE
2. CURRENT PRACTICES
2.1 FINDINGS
2.2 SUMMARY
3. SUPPLY CHAIN CYBERSECURITY GOOD PRACTICES
3.1 STRATEGIC CORPORATE APPROACH
3.2 SUPPLY CHAIN RISK MANAGEMENT
3.3 SUPPLIER RELATIONSHIP MANAGEMENT
3.4 VULNERABILITY HANDLING
3.5 QUALITY OF PRODUCTS AND PRACTICES FOR SUPPLIERS AND SERVICE PROVIDERS
4. CHALLENGES
REFERENCES
ANNEX A: RECENT SUPPLY CHAIN ATTACKS
ANNEX B: STANDARDS AND GOOD PRACTICES
ANNEX C: TERMINOLOGY

EXECUTIVE SUMMARY

Directive (EU) 2022/2555 (the NIS2 directive) requires Member States to ensure that essential and important entities[1] take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems which those entities use in the provision of their services. Supply chain cybersecurity is considered an integral part of the cybersecurity risk management measures under Article 21(2) of the NIS2 directive.

The report provides an overview of the current supply chain cybersecurity practices followed by essential and important entities in the EU, based on the results of a 2022 ENISA study which focused on investments of cybersecurity budgets among organisations in the EU. Among the findings, the following points are observed.

• 86% of the surveyed organisations implement information and communication technology/operational technology (ICT/OT) supply chain cybersecurity policies.
• 47% allocate budget for ICT/OT supply chain cybersecurity.
• 76% do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
• 61% require security certification from suppliers, 43% use security rating services and 37% demonstrate due diligence or risk assessments. Only 9% of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
• 52% have a rigid patching policy, in which only 0 to 20% of their assets are not covered. On the other hand, 13.5% have no visibility over the patching of 50% or more of their information assets.
• 46% patch critical vulnerabilities within less than 1 month, while another 46% patch critical vulnerabilities within 6 months or less.

The report also gathers good practices on supply chain cybersecurity derived from European and international standards. It focuses primarily on the supply chains of ICT or OT. Good practices are provided and can be implemented by customers (such as organisations identified as essential and important entities under the NIS2 directive) or their respective suppliers and providers. The good practices cover five areas, namely:

• strategic corporate approach;
• supply chain risk management;
• supplier relationship management;
• vulnerability handling;
• quality of products and practices for suppliers and service providers.

Finally, the report concludes the following.

• There is confusion with respect to terminology around the ICT/OT supply chain.
• Organisations should establish a corporate-wide supply chain management system based on third party risk management (TRM) and covering risk assessment, supplier relationship management, vulnerability management and quality of products.
• Good practices should cover all the various entities that play a role in the supply chain of ICT/OT products and services, from production to consumption.
• Not all sectors demonstrate the same capabilities concerning ICT/OT supply chain management.
• The interplay between the NIS2 directive and the proposal for a cyber resilience act, or other legislation, sectorial or not, which provides cybersecurity requirements for products and services, should be further examined.

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80). https://eur-lex.europa.eu/eli/dir/2022/2555

1. INTRODUCTION

Surveys from the World Economic Forum (WEF) and Anchore report that between 39%[2] and 62%[3] of organisations were affected by a third-party cyber incident. Moreover, according to Mandiant[4], supply chain compromises were the second most prevalent initial infection vector identified in 2021. They also account for 17% of the intrusions in 2021, compared to less than 1% in 2020.

In 2021, ENISA's Threat landscape for supply chain attacks showed that in 66% of the supply chain attacks analysed, suppliers did not know, or were not transparent about, how they were compromised. In contrast, less than 9% of the customers compromised through supply chain attacks did not know how the attacks happened. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-user facing companies. Around 62% of the attacks on customers took advantage of their trust in their supplier. In 62% of the cases, malware was the attack technique employed. When considering targeted assets, in 66% of the incidents attackers focused on the suppliers' code in order to further compromise targeted customers.

The latest ENISA threat landscape report (2022) also observes an increased interest of threat groups in supply chain attacks and in attacks against managed service providers (MSPs)[5]. Moreover, the report considers it likely that we will see an increased investment of resources into vulnerability research in these supply chains in the near future. This[6] is one of the reasons why threat groups have been targeting security researchers directly. Another target is common and popular open-source repositories like NPM, PyPI (Python) and RubyGems, where packages are either cloned or infected with malware, with the goal of infecting anyone who implements these as tools or packages within their project. As anyone can publish packages to open-source platforms, malware injection often remains under the radar for a long time.

It is, therefore, evident that cyber risks arising from partners, suppliers and vendors could have systemic implications. This is also confirmed by the results of a recent survey among cyber leaders and CEOs[7]: almost 40% of respondents said they were negatively affected by a cybersecurity incident relating to their third-party vendors/supply chain. The rise in incidents has concerned the majority of the surveyed CEOs (58%), who indicated that they feel their partners and suppliers are less resilient than their own organisation. This is expected to have the greatest influence on their organisations' approach to cybersecurity in the future.
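The open-source repository attacks described above (cloned or look-alike packages, and packages with malware injected after publication) are normally countered at install time by two checks: comparing every fetched artifact against a hash pinned in a lockfile, and flagging dependency names that sit an edit or two away from a package the project actually uses. The script below is an added example written for this page; it is not part of the ENISA report and does not call any registry API. The lockfile syntax mirrors pip's `name==version --hash=sha256:...` lines, but the parser, the edit-distance check, the package names, the hashes and the artifact bytes are all constructed for the example.

```python
"""Added example (not from the ENISA report): install-time checks against
malicious packages on public repositories such as NPM, PyPI or RubyGems.

1. verify_lock() rejects an artifact whose SHA-256 differs from the hash
   pinned in the lockfile, and flags anything fetched that was never pinned.
2. typosquat_candidates() flags dependency names within a small edit distance
   of a known-good package name, the usual shape of a look-alike package.

All package names, hashes and artifact contents are constructed for the
example. The lockfile syntax mirrors pip's `name==ver --hash=sha256:...`
lines, but the parser below is our own, not pip's.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Tuple

# One hash-pinned requirement per line; anything else is rejected so an
# unpinned dependency cannot slip in silently.
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$"
)


def parse_lock(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {package: (version, expected_sha256)} from a pinned lockfile."""
    pins: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LOCK_LINE.match(line)
        if match is None:
            raise ValueError(f"unpinned or malformed lock line: {line!r}")
        pins[match["name"].lower()] = (match["version"], match["sha"])
    return pins


def verify_lock(lock_text: str, artifacts: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare fetched artifacts against the lockfile.

    Returns (package, status) pairs; status is "ok", "hash-mismatch" (registry
    or mirror content differs from the pin), "missing" (pinned but not fetched)
    or "not-in-lock" (fetched but never pinned).
    """
    pins = parse_lock(lock_text)
    report: List[Tuple[str, str]] = []
    for name, (_version, expected) in pins.items():
        data = artifacts.get(name)
        if data is None:
            report.append((name, "missing"))
            continue
        actual = hashlib.sha256(data).hexdigest()
        # Constant-time compare; not strictly needed for a public hash, but cheap.
        report.append((name, "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"))
    for name in artifacts:
        if name not in pins:
            report.append((name, "not-in-lock"))
    return report


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(names: Iterable[str], known: Iterable[str],
                         max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (suspect, looks_like, distance) for names close to, but not in, the known-good set."""
    known_set = {k.lower() for k in known}
    hits: List[Tuple[str, str, int]] = []
    for name in names:
        candidate = name.lower()
        if candidate in known_set:
            continue
        for good in sorted(known_set):
            distance = edit_distance(candidate, good)
            if 0 < distance <= max_distance:
                hits.append((name, good, distance))
    return hits


# --- constructed sample input (not real registry data) ---------------------
GOOD_ARTIFACT = b"constructed wheel contents for 'requests' 2.31.0\n"
SAMPLE_LOCK = "\n".join([
    "# constructed lockfile",
    f"requests==2.31.0 --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}",
    f"urllib3==2.0.7 --hash=sha256:{'0' * 64}",   # pin that the fetched bytes will not match
])
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "requests": GOOD_ARTIFACT,              # matches its pin
    "urllib3": b"tampered contents\n",      # content swapped after pinning
    "reqeusts": b"look-alike package\n",    # never pinned; name is a typo of "requests"
}
KNOWN_GOOD = ["requests", "urllib3", "numpy"]


def run_checks() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str, int]]]:
    """Run both checks over the constructed sample and return their findings."""
    return (verify_lock(SAMPLE_LOCK, SAMPLE_ARTIFACTS),
            typosquat_candidates(SAMPLE_ARTIFACTS, KNOWN_GOOD))


if __name__ == "__main__":
    for findings in run_checks():
        for item in findings:
            print(item)
```

In a real pipeline the artifacts dictionary is filled from the downloaded wheels or tarballs and the lockfile comes from the repository; any status other than "ok", or a non-empty typosquat list, should fail the build rather than just print. The hash check catches a package whose contents were replaced on the registry or a mirror after it was pinned; the name check catches the cloned look-alike, which a hash pin alone cannot, because the look-alike is pinned correctly to its own malicious contents.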

1.1 SUPPLY CHAIN IN THE NIS2 DIRECTIVE

In this complex environment of supply chains, establishing good practices for supply chain cybersecurity at the EU level is now more important than ever. The NIS2 directive[1] enhances supply chain cybersecurity by:

• eliminating the distinction between operators of essential services and digital service providers;
• extending the coverage to a larger portion of the economy and society by adding more sectors, with the differentiation of essential and important entities;
• addressing supply chain cybersecurity and supplier relationships by requiring individual entities to address the respective cybersecurity risks;
• introducing focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing and the effective use of encryption;
• introducing accountability of each entity's management for compliance with cybersecurity risk management measures;
• suggesting that the NIS Cooperation Group may carry out coordinated security risk assessments of specific critical information and communication technology (ICT) services, systems or products.

[2] WEF, Global Cybersecurity Outlook 2022. /reports/global-cybersecurity-outlook-2022/
[3] Anchore, '2022 security trends: Software supply chain survey'. /blog/2022-security-trends-software-supply-chain-survey/
[4] Kutscher, J., 'M-TRENDS 2022', Mandiant. /resources/m-trends-2022
[5] ENISA Threat Landscape 2022 report.
[6] PWC 2022 Global Digital Trust Insights Survey. /gx/en/issues/cybersecurity/global-digital-trust-insights.html
[7] WEF, Global Cybersecurity Outlook 2022. /reports/global-cybersecurity-outlook-2022/

The NIS2 directive requires essential and important entities to address cybersecurity risks in supply chains and supplier relationships. It does so by requesting, in Article 21, essential and important entities to take appropriate and proportionate technical, operational and organisational cybersecurity risk management measures and to follow an all-hazards approach. These measures should address, amongst other areas, supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. Moreover, entities should take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. Member States shall also ensure that, when defining appropriate measures, entities are required to take into account the results of the coordinated risk assessments carried out in accordance with Article 22(1).[8]

1.2 AIM AND AUDIENCE

The aim of this report is to provide an overview of the current ICT / operational technology (ICT/OT) supply chain cybersecurity practices followed by the operators in the EU, as well as to identify good practices on ICT/OT supply chain cybersecurity. The report focuses primarily on the relationship of essential and important entities with different kinds of direct suppliers and service providers, e.g. manufacturers, distributors, integrators, MSPs, managed security service providers (MSSPs)[9] or cloud computing service providers.

It thus identifies good practices for essential and important entities, and for different types of suppliers and providers. Essential and important entities typically operate critical infrastructure and use products, systems and solutions from manufacturers, distribution channel providers, system integrators and digital service providers. Some entities do manufacture their own products (hardware and software) and can in this case be considered as important entities too. Recommended good practices for manufacturing can be applied to such organisations as well.

An entity typically has a contractual relation with its direct suppliers and service providers, where organisational, process and technical measures can be defined for the respective delivery or service acquired. The range of contractually agreeable measures is limited by the procurement power of an organisation and the capabilities of a supplier or service provider. Some measures cascade along the supply chain, but overall control of implementation by a respective organisation is typically not possible, as there is no general contractual relation in place which could, for example, provide an audit right or the right to request detailed information on security measures from all suppliers along the supply chain.

One typical example of this lack of control in the supply chain of products and components is open-source software, which is publicly available and the rules of use of which are determined in non-negotiable licence agreements. Another example of the need to maintain control is when procuring services from a cloud computing service provider, as this requires additional effort to ensure that the requirements of the General Data Protection Regulation are met.

Table 1 includes a brief description of the role of the various types of suppliers and providers in the ICT/OT supply chain.

Table 1: Suppliers and providers (type of supplier and provider, followed by its function)

Manufacturers[10]
• Design, develop, manufacture, and deliver products and components to their customers.
• Source hardware and software components in their supply chain.
• Deliver products which can serve multiple purposes; i.e. similar products are sold to different product users with different use scenarios.
• Liable for their part of delivery and service provided.

System integrators (service providers for engineering services)
• Engineer systems that are used in production environments.
• Design and deploy systems, such as automation solutions used in industries and critical infrastructure.
• Can include civil work such as deployment of network infrastructure or pipelines, for example in turnkey solutions.
• Play an essential part in cybersecurity design and implementation in (critical) infrastructure.

Managed Service Providers (MSPs), ICT service management
• Provide services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers' premises or remotely.

MSSP
• Assists entities in areas such as incident response, penetration testing, security audits and consultancy (NIS2 directive, Article 6(40)).
• Offers services, such as:
  • assessment, e.g. penetration testing, or conformance to specific security requirements or standards;
  • implementation, e.g. implementation of security controls such as malware detection in an infrastructure;
  • management, e.g. security operating centre (SOC) services for incident response.

Providers of digital services[11][12]
• Cloud computing services, including:
  • infrastructure as a service,
  • platform as a service,
  • software as a service (SaaS), and
  • network as a service.

In this report, supply chain cybersecurity measures will be recommended for providers of digital services that fall into the category of SaaS. Examples of such a service are digital tax-accounting services[13], multi-tenant asset monitoring services[14], security operating centre services[15] or even supply chain services[16].

Addressing supply chain cyber risks requires a risk-based approach from organisations in the supply chain. This report will address cybersecurity risks for the supply chain, but will not touch other supply chain risks, such as geopolitical risks like dependencies on non-EU country shipments, e.g. photovoltaic (PV) inverters or chipsets for electronic devices, which are nearly entirely sourced in Asia[17].

[8] EU coordinated risk assessments of critical supply chains.
[9] NIS2 directive, Article 21(2), point (d).
[10] Important entities (NIS2 directive, Annex II).
[11] A digital service is defined by the NIS2 directive, Article 6. Clause (23): 'digital service' means a service within the meaning of Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council. Clause (28): 'online marketplace' means a digital service within the meaning of Article 2, point (n) of Directive 2005/29/EC of the European Parliament and of the Council. Clause (29): 'online search engine' means a digital service within the meaning of Article 2(5) of Regulation (EU) 2019/1150 of the European Parliament and of the Council. Clause (30): 'cloud computing service' means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including when those are distributed over several locations.
[12] Essential entities (NIS2 directive, Annex I, 'Digital Infrastructure').
[13] Digital tax-accounting services offer cloud-based solutions for the handling of tax; the EU mini One Stop Shop for value-added-tax declarations is such an example.
[14] Multi-tenant asset monitoring services offer customers, for example, a health status service for assets used in their respective infrastructure (e.g. turbines) that can optimise maintenance schedules and replacements.
[15] SOC is a managed security service; the offering is typically realised by a digital cloud service where customers are provided with a dashboard on findings that are derived from analytics on security information delivered from the network, by utilising a cloud-based security information and event management system. Consequently, a SOC service belongs in the category of a digital service provider as well as in the category of an MSSP.
[16] Digital supply chain as a service offers customers tracking and control options via a cloud-based solution to manage their supply chain. This includes tracking of goods that are en route and the management of goods in warehouses.
[17] China's sanctions against Taiwan are a reminder for the European Union of its dependency on the island, and in particular on the electronic chips produced by the world's biggest semiconductor company: Taiwan Semiconductor Manufacturing Co.

1.3 METHODOLOGY AND STRUCTURE

In an effort to identify how Member States implemented the NIS directive's requirements, and whether they invest in cybersecurity, ENISA surveyed 1081 organisations in all 27 Member States (and, to ensure a representative account, a minimum of 40 organisations were surveyed per Member State)[18]. Among other things, data was collected concerning ICT/OT supply chain cybersecurity. Organisations were requested to provide information relating to their implemented supply chain risk management policies and whether they allocate budget specific to these issues. They were also surveyed regarding their assigned supply chain risk management roles and responsibilities, the implemented risk mitigation methodologies and whether the EU cybersecurity requirements affect digital products. Chapter 2 presents the results of this survey and provides an overview of the current practices of essential and important entities relating to supply chain cybersecurity. This allows for a better understanding of the current situation in the EU.

For this report, good practices were collected from relevant standards and guidance that would be appropriate for the implementation of the NIS2 directive's requirements by essential and important entities[19]. In order to identify these good practices, extensive desktop research was performed on existing supply chain national strategies, regulatory frameworks, standards and good practices. As a result, 19 relevant documents that address supply chain cybersecurity were identified and analysed. The analysis reflects on existing European, national and international frameworks as well as on the identified material. The practices identified during the desktop research mostly focus on the Member States' side and supplement the proposed methodology. References to these documents are available at the end of this report.

In Chapter 3, a systematic approach is provided, comprised of five steps, for the cybersecurity supply chain problem, together with recommended security practices for each methodological step. It covers:

• an organisation-wide ICT/OT supply chain strategy;
• technical, operational and organisational measures in the supply chain, considering a risk-based approach[20];
• the handling of vulnerabilities[21]; and
• the overall quality of products and cybersecurity practices (including secure development procedures)[22].

Moving forward, this report concludes by providing information for further considerations on the ICT/OT supply chain. It was identified that different terms or definitions are used in the international bibliography for similar concepts, e.g. ICT/OT supply chain, digital supply chain, third party risk management (TRM), or cyber supply chain risk management. In this report, the term ICT/OT supply chain cybersecurity is used, while a selection of definitions from policy documents is available in Annex C.

[18] ENISA, NIS Investments: November 2022. https://www.enisa.europa.eu/publications/nis-investments-2022
[19] Essential and important entities are typically operators that provide services that are considered critical to the economy and society. Essential and important entities are any entities of a type referred to in Annex I and Annex II respectively of the NIS2 directive.
[20] NIS2 directive, Article 21(1).
[21] NIS2 directive, Article 21(3).
[22] NIS2 directive, Article 21(3).

2. CURRENT PRACTICES

In an effort to provide findings and good practices for ICT/OT supply chain cybersecurity, a survey was executed by ENISA from April to June 2022 among organisations from the various Member States[23]. In order to ensure adequate representation of all 27 EU Member States, a minimum of 40 organisations were surveyed per Member State. Since the survey took place before the adoption of the NIS2 directive, the surveyed organisations are operators of essential services (banking, digital infrastructure, drinking water supply and distribution, energy, financial market infrastructure, healthcare and transport sectors) or digital service providers (cloud computing, online marketplaces, online search engines).

2.1 FINDINGS

Of the surveyed organisations, 86% have implemented ICT/OT supply chain cybersecurity policies. Only 14% of the surveyed organisations have no approved security policies related to third parties, i.e. partners, vendors or suppliers. The survey observes that the larger the organisation, the more likely it is that it has such a policy in place.

Figure 1: Approved ICT/OT supply chain cybersecurity risk management policies in place per organisation size

This was further broken down per sector, which indicated that the banking sector could be considered the most mature when it comes to ICT/OT supply chain cybersecurity policy.

[23] See footnote 18.

Figu
