Another view of control system supply chain risks – third party equipment suppliers

Sept. 30, 2020
Industrial and manufacturing facilities commonly use “skid-mounted” equipment which are generally from third-party suppliers and not part of the facility cyber security program. This is a gap that can lead to unintentional incidents or malicious attacks.

Several years ago I was doing a control system cyber risk assessment for a regional transit agency. The most significant safety issue was the Liquified Natural Gas (LNG) transit bus refueling facility. The LNG facility was on the transit agency property and was for use for the LNG-powered transit buses and other LNG-powered agency vehicles. The transit facility was built and operated by a third-party LNG refueling company that does this for many transit agencies. By contract, the transit agency was not allowed into the LNG facility without approvals from the LNG facility operator.

When we contacted the LNG facility organization about their control systems, we were informed they had IT network (not control system) cyber security policies and had standardized on a specific control system supplier who met their cyber security requirements. Consequently, the LNG operator felt their cyber risk was addressed. As these policies had not been shared with the transit agency, the transit agency could not validate the actual risk and therefore assumed the cyber risk was adequately addressed.

After getting permission from the LNG facility operator, we did a walkdown of the LNG facility and found a control system major supply chain issue that didn’t involve foreign malicious actors. As part of the design of the LNG facility, the LNG facility operator had contracted for what is called “skid-mounted” equipment for a critical part of the LNG production operation. The skid-mounted equipment included the large hardware as well as the control systems for the hardware.

In this case, the skid-mounted vendor had selected a different control system supplier than the one the LNG operator had selected. Consequently, from a cyber-perspective, the LNG operator was unaware of the “foreign” control system equipment in their LNG process and the “foreign” control system vendor did not necessarily conform to the LNG facility operator’s cyber security policies. The transit agency was totally in the dark. At that time, we weren’t looking to find if there was Chinese-made control system devices in this facility. From a risk perspective, the LNG facility is sited near a diesel storage tank for the site emergency diesels, close to a very busy freeway, and near other industrial businesses which made it an attractive target.

This type of third-party risk for skid-mounted equipment is common to every industrial and manufacturing facility.

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.