Another view of control system supply chain risks – third party equipment suppliers

Sept. 30, 2020
Industrial and manufacturing facilities commonly use “skid-mounted” equipment, which generally comes from third-party suppliers and is not part of the facility cyber security program. This is a gap that can lead to unintentional incidents or malicious attacks.

Several years ago I was doing a control system cyber risk assessment for a regional transit agency. The most significant safety issue was the Liquefied Natural Gas (LNG) transit bus refueling facility. The LNG facility was on the transit agency property and was for use by the LNG-powered transit buses and other LNG-powered agency vehicles. The transit facility was built and operated by a third-party LNG refueling company that does this for many transit agencies. By contract, the transit agency was not allowed into the LNG facility without approvals from the LNG facility operator.

When we contacted the LNG facility organization about their control systems, we were informed they had IT network (not control system) cyber security policies and had standardized on a specific control system supplier who met their cyber security requirements. Consequently, the LNG operator felt their cyber risk was addressed. As these policies had not been shared with the transit agency, the transit agency could not validate the actual risk and therefore assumed the cyber risk was adequately addressed.

After getting permission from the LNG facility operator, we did a walkdown of the LNG facility and found a major control system supply chain issue that didn’t involve foreign malicious actors. As part of the design of the LNG facility, the LNG facility operator had contracted for what is called “skid-mounted” equipment for a critical part of the LNG production operation. The skid-mounted equipment included the large hardware as well as the control systems for the hardware.

In this case, the skid-mounted vendor had selected a different control system supplier than the one the LNG operator had selected. Consequently, from a cyber perspective, the LNG operator was unaware of the “foreign” control system equipment in their LNG process, and the “foreign” control system vendor did not necessarily conform to the LNG facility operator’s cyber security policies. The transit agency was totally in the dark. At that time, we weren’t looking to find whether there were Chinese-made control system devices in this facility. From a risk perspective, the LNG facility is sited near a diesel storage tank for the site emergency diesels, close to a very busy freeway, and near other industrial businesses, which made it an attractive target.

This type of third-party risk for skid-mounted equipment is common to every industrial and manufacturing facility.

Joe Weiss
