Securing supply chains more relevant than ever: new NIS2 law in force
From a historical perspective, supply chains have always been a target of attacks, but especially since the covid crisis and the war in Ukraine, the authorities have become aware of the increased risks: impaired supply chains can disrupt not only companies but an entire society. New regulations have therefore recently come into force, of which the NIS2 directive in particular will have profound effects on transport and logistics companies.
Over the past few years, supply chains have indeed been under even greater threat than before. These menaces are not only physical (theft, natural disasters… and sabotage) but also digital (cyber attacks). A new phenomenon is that companies – and infrastructures – are targeted not only by criminals but also by terrorist or hostile-state attacks. Some of these have been widely covered in the media, but often (where possible) they have not been widely announced, in order to avoid or limit reputational damage. We will limit ourselves to three real examples to illustrate the risks.
In 2017, Maersk was the target of a cyber attack using the NotPetya ransomware. That attack brought down its IT systems worldwide, leading to widespread supply chain disruptions. Recovery took weeks, as all servers and computers worldwide had to be replaced. The total damage to Maersk was estimated at no less than $300 million.
Two years ago, the port of Lisbon was also attacked by ransomware criminals, who severely disrupted the port’s operations and threatened to release sensitive data. The government refused to pay a ransom, but the attack caused significant operational problems for a long time.
In July this year, a package caught fire at DHL in Birmingham. Shortly before that, the same thing happened at DHL in Leipzig. Only because a plane was delayed did the fire not start on board. British and German anti-terrorism investigators suspect that both attacks were the work of a Russian secret service. According to Ken McCallum, head of the British security service MI5, Russian GRU agents have been setting up several operations since the war in Ukraine to cause chaos in Europe.
Physical threats in supply chains
A major physical risk for European supply chains is the threat of theft. High-value goods, such as electronics, medicines and luxury goods, are particularly targeted. These thefts often take place at ports, in distribution centres or during transport. In some regions, logistics has actually been threatened by organised crime targeting trucks, containers or even terminals. Besides direct financial damage, this also causes disruptions in the chain and can damage trust between the parties involved.
Geopolitical tensions, such as the conflict between Russia and Ukraine, also show how vulnerable supply chains are to political instability. This conflict led to disruptions in energy supply, driving up costs for businesses and consumers across Europe.
The risk of sabotage is also increasing, though for now this has remained somewhat under the radar. For example, the incidents involving incendiary parcels at DHL in Birmingham and Leipzig were only revealed months later by British and German journalists. In parallel, there is growing awareness that transport infrastructure such as ports and logistics zones can be targeted by sabotage.
Digital threats to supply chains
The biggest digital threat is that of cyber attacks. The digitisation of supply chains has enabled higher efficiency, but it also increases exposure to cyber threats. Cybercriminals target vulnerable links in the chain to steal sensitive data or sabotage processes.
Ransomware attacks in particular can cause great damage; a successful attack can shut down entire chains, as the attack on Maersk proved. European companies and their employees use a wide variety of connected digital assets – not only PCs and laptops but also tablets and smartphones – or even Internet of Things (IoT) devices, which increases the number of potential attack points. As a result, digital supply chain security has become essential.
On top of this, supply chains handle a lot of sensitive information, including customer data, financial data and even trade secrets. Leaking or stealing this information can have serious consequences for companies. A single vulnerability at a third party can compromise an entire network of companies.
A double challenge
European companies thus face the dual challenge of physical and digital threats. They must therefore act proactively to guard against both kinds of threat (organising their own security and ensuring resilience) and take measures to comply with the new regulations designed to protect supply chains. The most important of these is the NIS2 Directive.
The NIS2 Directive
The European NIS2 Directive entered into force last October. It is an expansion of the existing NIS legislation, which had a more limited scope. With NIS2, the European authorities impose cyber security measures on a whole range of companies and organisations in different sectors. These are considered to be of great social importance because, if they were to be shut down by a cyber attack, the economy and by extension society would suffer serious damage.
In doing so, the legislator distinguishes between ‘highly critical’ and ‘critical’ sectors (also called ‘essential’ and ‘important’ entities).
There are 11 ‘highly critical’ sectors, including energy, banking, digital infrastructure, drinking water, public administrations and transport (air, rail, water, road). This means that all organisations operating transport infrastructure – such as ports, airports, railways and waterways – fall under the NIS2 ‘highly critical’ sector (but not individual carriers or logistics companies active in this sector). These organisations are under stricter scrutiny and have to implement stricter security measures. They are subject to more frequent audits, which means more frequent reporting, mandatory risk assessments, and mandatory implementation of security standards.
The ‘critical’ sectors are slightly more numerous: there are 18 of them. They include aerospace and digital infrastructure services, but also postal and courier services; the production, processing and distribution of food; and the production and distribution of chemicals essential to other industries. Companies in these sectors are also subject to compliance requirements, but these are often less stringent, and auditing is usually less intensive.
Impact on logistics through trickle-down effect
Transport and logistics companies are thus not explicitly named as critical companies (apart from postal and courier companies), but food and chemical distribution are mentioned. This means that companies with a significant logistics role in the distribution of these products probably do fall under NIS2.
It is clearly expected that the NIS2 measures will have a trickle-down effect and that suppliers and service providers to critical sectors will also be subject to stringent cybersecurity requirements. In other words, companies subject to NIS2 will require their (service) providers to demonstrate that they have their digital security in order, in line with the NIS2 rules.
Companies and organisations have until 18 March 2025 to self-declare whether they belong to a critical sector category. Belgian companies must register on the portal at atwork.safeonweb.be.
Belgium sets the standard for NIS2
For once, Belgium is on time with its legislative homework. In fact, our country is the first European member state to fully implement the new NIS2 directive. Its rollout has been entrusted to the Centre for Cybersecurity Belgium (CCB).
According to the CCB, it is estimated that at least 2,500 Belgian companies and organisations are required to take security measures and register on the aforementioned website. ‘Currently, around 200 organisations are already registered with us, but we expect this to increase significantly in the coming weeks,’ said Miguel De Bruycker, director general of the CCB.
Companies covered by NIS2 will have to demonstrate that they have taken responsibility for their cyber security. To do so, they will undergo regular audits based either on the ISO 27001 standard or on the so-called ‘CyberFundamentals’. The CyberFundamentals framework was designed by the CCB itself. For each security level, it specifies incremental additional measures based on international cyber security standards and on insights gained from the analysis of thousands of incidents.
Which certification method should you choose? If your company has a purely Belgian operation, you can choose the Belgian CyberFundamentals standard. If it operates internationally, it is better to opt for ISO 27001 certification.
To find out whether your company falls under the NIS2 rules or not, contact the CCB.
Would you like to learn more about physically and digitally securing your transport and logistics operations? Until 19 December, Log!Ville is organising a themed tour around Supply Chain Security. During this interactive tour, you will discover the latest technologies that can increase the security of your processes. More information and registration are available from Log!Ville.