
Energy Supply Chain Security Obligations Under NIS and the CAF

The 2020 SolarWinds compromise, which inserted malicious code into a trusted software update used by thousands of organisations, showed the world that the supply chain is now the front line of cyber attacks. For energy operators the stakes are higher still: the firmware in a remote terminal unit, the maintenance laptop of an ICS integrator, or a managed service provider with remote access can each become the route into the systems that keep the lights on. Under the NIS Regulations and the NCSC CAF, energy operators are explicitly accountable for the cyber risk their suppliers introduce.

The CAF makes energy operators accountable for their suppliers' cyber risk

The supply chain duty under NIS and the CAF

The CAF dedicates a principle under Objective A to supply chain security, requiring operators to understand and manage the risks to their essential service that arise from dependencies on third parties. This is not a soft expectation: an OES that suffers disruption through a supplier it failed to assess has not met its NIS duty. The obligation covers the full spectrum of suppliers, from software vendors and cloud providers to the engineering firms that commission and maintain control systems.

  • Identify and risk-assess all suppliers touching the essential service
  • Understand third-party access to IT and OT systems
  • Set and enforce security requirements in contracts
  • Maintain assurance over the life of the relationship

OT-specific supply chain risks

Energy supply chains carry risks that software-only sectors do not face. RTU and PLC firmware is often built by a handful of vendors and updated infrequently, so a vulnerability or backdoor can persist across an entire fleet of field devices. ICS integrators routinely hold privileged remote access for commissioning and support, and their own security posture becomes your exposure. Hardware components can be compromised before they ever reach the substation. Each of these requires assurance that goes beyond a standard IT vendor questionnaire.

  • RTU and PLC firmware vulnerabilities across device fleets
  • Privileged remote access held by ICS integrators
  • Hardware tampering before installation
  • Managed service providers with persistent connectivity

From point-in-time to continuous assurance

Many energy operators still manage supplier risk with an annual spreadsheet questionnaire, a snapshot that is out of date the moment it is filed. The CAF expectation, and the direction of NIS reform and NIS2, is toward continuous assurance: knowing in near real time whether a critical supplier has suffered a breach, exposed a vulnerable service or let its certification lapse. For an energy operator with hundreds of suppliers, continuous monitoring is the only way to keep pace.

Contractual and technical controls

Managing supply chain risk combines contractual and technical measures. Contracts should mandate baseline certifications such as Cyber Essentials, require breach notification, and grant audit rights. Technically, operators should constrain third-party access through just-in-time and least-privilege controls, segment supplier connectivity away from control zones, and monitor everything a supplier does inside the estate. The goal is to ensure that a compromised supplier cannot become a compromised grid.

How Kyanite Blue helps you secure the supply chain

Kyanite Blue helps energy operators build a defensible supply chain security programme that satisfies the CAF supply chain principle, from contractual baselines to technical access controls. Panorays automates third-party risk assessments and provides continuous external monitoring of your vendors, RTU and PLC suppliers and ICS integrators. This replaces stale annual questionnaires with live, evidenced assurance that shows your regulator you are actively managing supplier risk rather than hoping for the best.

Frequently Asked Questions

Are energy operators responsible for supplier cyber risk?

Yes. Under the NIS Regulations and the CAF supply chain principle, an OES must understand and manage the risks to its essential service arising from third parties. Disruption through an unassessed supplier is a failure of the NIS duty.

What supply chain risks are unique to energy OT?

Energy faces RTU and PLC firmware vulnerabilities across device fleets, privileged remote access held by ICS integrators, hardware tampering before installation, and managed service providers with persistent connectivity into control systems.

Is an annual supplier questionnaire enough?

No. A once-a-year questionnaire is out of date immediately. The CAF and NIS reform direction favour continuous assurance, knowing in near real time whether a critical supplier has been breached or exposed a vulnerability.

What controls reduce energy supply chain risk?

Combine contractual measures such as mandated Cyber Essentials, breach notification and audit rights with technical controls including least-privilege third-party access, segmentation away from control zones, and continuous monitoring.
