ICS Community of Interest

Supply chain expert group

Critical Infrastructure operators are continually challenged by the complexities of securing their supply chains. Some sectors have already done work to address this, such as agreeing common security requirements and developing codes of practice. Others are at an earlier stage.

The Supply Chain Expert Group (SCEG) is a volunteer initiative to progress multiple-sector approaches to the challenge of overseeing, managing, and influencing the cyber security of supply chains to critical infrastructure services.

Co-led on a personal basis by Paul Dorey (Royal Holloway, University of London) and Tania Wallis (National Energy System Operator), the group is made up of experienced experts from different sectors and parts of the supply chain.

To complement the NCSC principles-based guidance, the group is co-producing content specific to ICS and OT by providing illustrations of best practice.

The work items aim to be at a detailed enough level to guide implementation of OT cybersecurity improvements across CNI supply chains.

For the ongoing improvement of OT guidance, we welcome and request feedback. Feedback links are in each document.

Formal ICS COI Guidance

The group is working on formal guidance which will be reviewed every 18 months to keep aligned with NCSC guidance and other industry standards. The first formal paper will be published here by the end of 2025.

Working Papers Shared for Wider Review and Use

The following informal working documents produced by the group are now available for wider review and use.

  • The Path to Partnership: Cyber Security in the Supply Chain – a dynamic slide presentation of the interactions between customer and supplier in addressing cyber security concerns from selection and through the life of a contract – view here.
  • OT Supply Chain Cyber Security Assurance Standards for Critical National Infrastructure – An Infographic Introduction and Guide – view here.
  • Re-prioritisation of SOC2 Trusted Services Criteria (TSC) for OT by mapping SOC2 TSC Points of Focus to NCSC Cyber Assessment Framework (CAF) and to the IET Code of Practice on Cyber Security and Safety – view mapping here and guidance document here
  • Guidance for developing Supply Chain Incident Response and Management within your organisation – view here.

Academic Papers Relevant to SCEG Work

In the course of our work we have contributed to or benefitted from work described in academic publications, and we are happy to reference some of these here for those interested in supply chain cyber security. Please note that these are external links and not managed by the ICS COI or NCSC:

Wallis, T.; Dorey, P. Implementing Partnerships in Energy Supply Chain Cybersecurity Resilience. Energies 2023, 16, 1868. https://doi.org/10.3390/en16041868

Wallis, T.; Dorey, P. Collaboration Practices for the Cybersecurity of Supply Chains to Critical Infrastructure. Appl. Sci. 2024, 14, 5805. https://doi.org/10.3390/app14135805

How to Join the SCEG:

If you would like to join an Expert Group, there is a two-stage process:

Stage 1 – You must be an existing member of the ICS COI community to join an Expert Group.

If you are not already a member of ICS COI, then please complete this Application Form.

The application process requires you to provide a short bio outlining your ICS- and OT-related experience. It will take up to 4 weeks for the necessary membership approval from the ICS COI Steering Group.

Stage 2 – When you have been accepted as a member of the ICS COI you will be able to apply to join the SCEG using the following form:

It will take up to 4 weeks for your Expert Group application to be assessed and approved by the ICS COI Steering Group.

You will find further information about the ICS COI here.