Supply chain attacks are mainly particularly pernicious since a single exploited supplier can result in attacks on hundreds of companies or organizations. For many firms, the supply chain is the weak link in their cybersecurity protocols. One can do all the right things to protect yourself from cybersecurity attacks, which also includes the adoption of a zero-trust approach to your network security, but if you don’t make sure your vendors are equally conscientious, you can be exposed to harm from a supply chain attack. Anil Kumar Pandey, PhD Candidate (Finance & Economics), National Institute of Industrial Engineering (NITIE), gives you a sneak peek into the ways to shield the vulnerable supply chains from the threats of cyberattacks.
Here's an astonishing statistic for you… “97% of firms have been negatively highly impacted by a cybersecurity breach or threat that looms largely on global supply chains and have gained traction and occurrence in their supply chain.” In conjunction to this, a leading global security company GreatHorn, stated, “It’s no longer enough to defend only your own organization’s attack surface. You also need to protect against phishing scams and network compromises within business partners up and down the supply chain.”
This current year, according to a 2020 Global Insights Report survey, not only explores the scale of the challenge but also the amount and severity of supply chain breaches is mindboggling. It also tracks the way that different companies, industries, and regions are responding to a year of cyber crisis. The responses show a fractured landscape, with different industries and regions responding differently to the challenges posed by another year of damaging, costly cyber events. Firms across all industries and across all over the globe have been investing largely in the cybersecurity. However, some firms still hesitate to have third-party cyber risk as a strategic priority and to coordinate and formalize their approach to cyber defense and to its remedy. Additionally, many firms struggle to assign the ownership of their third-party cyber risk program. Also, adversaries can now actively scan firms across the globe to identify the supply chain attack vectors that can aid significantly in the adverse cybersecurity events, including damaging data exfiltration and crippling ransomware attacks. Firms need to commit more to incorporating continuous monitoring and remediation into their third-party cyber risk program, as well as raise awareness at the senior executive and board level to help the business understand the resources needed to protect the business.
ENISA, regarded as the European Union Agency for Cybersecurity, monitors supply chain attacks on a day-to-day basis. They have further developed a taxonomy of supply chain attacks, which are vulnerable to the global supply chain that allows for the systematic analysis. The taxonomy is basically based on the four major fundamental elements of a supply chain attack:
Attack technique used to compromise the supplier
Supplier assets targeted
Attack technique used to compromise the customer
Customer assets targeted
What is particularly interesting about this taxonomy is where it begins: While most focus – and certainly most news stories — about supply chain attacks focus on how, which and how many victims are attacked — there is little discussion about the starting point. That is, the fact that a successful attack on the supplier is what sets the full chain in motion.
Supply chains are compromised with the same techniques used in direct attacks: malware, brute force attacks, social engineering, exploiting software vulnerabilities, etc. The ultimate targets can be anything that would be targeted in a direct attack: ransom, extortion, theft of personal data or trade secrets, espionage. The recent supply chain attacks on SolarWinds and Accellion are two attacks are among the highest profile supply chain attacks.
With recent breaches, companies are now starting to understand that their supply chains have become their weakest link. To address this problem, companies should apply similar security methodologies that they use to protect their own infrastructure. Of course, there are some limitations, but this is still possible. The first step is to gain visibility. For example, map all the different assets that the suppliers are using within the company, and/or have access to in a secured (or unsecured) manner. The second step is to introduce or improve controls. Most companies already have some controls in place around the assets that involve the supply chain. The company should improve those controls to address access of an external entity with higher risk (the supplier) or introduce new controls around those assets if they do not exist. The last step is incident response. Companies should realize by now that eventually security incidents will happen. They must include steps and workflows within their incident response process that involves their supply chain. For example, what happens if the source of the leak is the supplier? What should we do if the compromised asset belongs to the supplier? etc.
THE ENHANCED VULNERABILITIES
When I look for key areas where information security may be lacking, one place I always come back to is the supply chain. Businesses are increasingly concerned about managing major supply chain disruptions, and rightfully so. Supply chains are a vital component of every organization's global business operation and the backbone of today's global economy. However, security chiefs everywhere are concerned about how open they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.
Security is only as strong as its weakest link. Despite organizations' best efforts to secure intellectual property and other sensitive information, limited progress has been made in effectively managing information risk in the supply chain. Too often, data breaches trace back to compromised vendor credentials to access the retailer's internal networks and supply chain. Mapping the flow of information and keeping an eye on key access points will unquestionably remain crucial to building a more resilient information system.
Organizations need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate data. Information shared in the supply chain can include intellectual property, customer-to-employee data, commercial plans or negotiations and logistics. Caution should not be confined to manufacturing or distribution partners. It should also embrace professional services suppliers, all of whom share access, often to your most valuable assets.
To address information risk in the supply chain, organizations should adopt strong, scalable, and repeatable processes – obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes.
The time to make supply chain security enhancements a priority is now. A well structured supply chain information risk assessment approach can provide a detailed, step-by-step approach to portion an otherwise daunting project into manageable components. This method should be information-driven and not supplier-centric, so it is scalable and repeatable across the enterprise.
PROTECTING AGAINST SUPPLY CHAIN ATTACKS
Supply chain attacks have been notoriously hard for end-victims to defend against since these attacks generally originate with a presumably trusted vendor firm. Since almost all firms depend on vendors that mainly leverage global electronic supply chains, and it’s important to perform the cybersecurity due diligence on vendors, and then monitor them to be sure they continue to follow good cybersecurity procedures and practices. Accellion and SolarWinds have both been sued for negligence around their security practices in global supply chain.
This represents an organizational challenge at the firm level and thus the IT people are often hard-pressed against time to manage internal requirements, much less finding time to check up on external providers. In addition, IT is seldom involved in vetting and approving vendors. To reduce supply chain risk, best practices for customers call for identifying critical vendors and verifying their security practices. “Critical vendors” are those that either provide critical services to the corporation, or who have access to sensitive corporate information.
All critical vendors should be subject to a cybersecurity review as part of the company’s vendor management program. Since site visits may not be practical, you can look for independent audits that have been conducted to verify the vendor complies with cybersecurity best practices, including adoption of zero trust capabilities.
Particular attention should be paid to how the vendors defend their endpoints against web-based malware and phishing, since these delivery channels are involved in most attacks. For instance, remote browser isolation might have stopped the SolarWinds attack before it began, if the original breach was carried out through social engineering. Likewise, micro segmentation might have halted a brute force attack before the malware reached the Orion monitoring platform.
Finally, adopting a Zero Trust approach, which operates on the assumption that breaches will occur, may help limit damage to your own network and data in the event that one of your vendors is compromised. For example, implementing least privilege access can minimize damage that occurs in the event of a breach by restricting what the vendor can access.
The National Cyber Security Centre (NCSC) has also heeded that it has defended the UK from a record number of cyber-attacks in the last year including those targeted at Covid-19 vaccine research, distribution, and supply chains. The agency, which is a part of GCHQ, released its annual report showing that it dealt with an unprecedented 777 incidents over the last 12 months – up from 723 the previous year – with around 20% of firms supported linked to the health sector and vaccines. The health sector and in particular the vaccine rollout was a major focus for the NCSC, as it was forced to tackle threats levied against the NHS, healthcare, and vaccine supplier IT systems from malicious domains billions of times. Over the past 12 months, the NCSC also responded to a rise in ransomware attacks. A range of services have been provided to businesses over the past year to help protect them from ransomware including the Early Warning Service alerting organizations to emerging threats and cybersecurity advice for those working in education.
Last year, cyber criminals took advantage of the surge in home working and people moving to online services due to the pandemic. The City of London Police reported that the first month of lockdown saw a 72% surge in financial losses from cybercrime. There has also been several significant global incidents revolving around global supply chain management attacks in the recent past, including the attack on the SolarWinds IT management platform by the Russia’s Foreign Intelligence Service – one of the most serious cyber intrusions of recent times – and a major ransomware attack on the American software company Kaseya. To shield against attacks of this kind, businesses should utilize technologies such as biometrics to improve upon identity management processes.
Gaining visibility into the supply chain supply chain ecosystems is large, multilayered, and complex. Getting complete visibility into the supply chain is hard. It is necessary, however, to fully understand third-party vendors beyond the first tier or most critical suppliers. Companies should drive supplier risk-reduction activity by building constructive support for suppliers into their third-party cyber risk management program. They should alert the vendor when new risks emerge and provide practical steps for them to follow to solve the problem. Until third-party cyber risk is a clearly defined mandate at the executive level, it is difficult to effectively coordinate resources and define clear strategies. Companies must integrate continuous supply chain monitoring with appropriate reporting to the board and senior executives.
Too many cyber-attacks in 2021 occurred after patches were released, after vulnerabilities were disclosed, or after vendor monitoring systems would have revealed suspicious activity. Auditing or assessing supply chain every few weeks or months is not sufficient to stay ahead of agile, persistent attackers. Continuous monitoring and quick action against newly discovered critical vulnerabilities needs to become the sine qua non of effective third-party cyber risk management. Automate analysis; expand assessment to include the ‘long tail’ of vendors and not a limited number of critical suppliers; identify areas of non-substitutability or where risk is pooled.
Improving cybersecurity education and training for vendors for years, employee education programs have demonstrated outsized impact on organizational cybersecurity. The same is true for vendor education. Too often, vendors are unaware of their cyber risk, and so do not implement appropriate asset management, cybersecurity training, or cybersecurity protocols.
These are a few steps firms should take to secure their global supply chains against cyberattacks and data breaches:
Firms should consider defining reasonable levels of security and associated controls; requiring subcontractors, vendors, and critical supply chain partners to meet or exceed those standards as terms and conditions of established business agreements.
Companies should consider adding vendor-identifiable information to any existing cyber threat intelligence activities to identify instances of emerging threats or active attacks. Threat actors may compromise a lesser-defended vendor network identified as having access to the principal enterprise network. Awareness of these activities would allow the parent company to initiate countermeasures before the threat actor can move laterally onto their network. Cybersecurity, much like life, requires collaboration.
When dealing with your supply chain in a B2B relationship, you are able to be more prescriptive as to how you interact with members of your supply chain and what security measures you are expecting to maintain. When working with a supply chain vendor's organization, assess the vendor's cybersecurity risk for sharing data, interfacing networks/systems and establishing access to networks/systems.
Areas that should be looked at include:
Conducting vendor risk assessments: To mitigate your vendor-related risks, organizations should conduct a thorough, annual vendor risk assessment and perform the necessary due diligence with third party relationships. Due diligence can help you identify what the vendor might require in terms of controls and monitoring.
Defining data ownership/stewardship requirements: Who maintains ownership of data being shared and what is acceptable use of that data?
Defining regulatory compliance requirements: Are there regulatory requirements that need to be met and maintained by both parties? Be able to monitor compliance.
Maintaining incident response plans: Both parties need to have a plan to notify the other if their network, systems, or data have been compromised or a compromise is suspected.
Information and Communication:Written communication plans that address what information is distributed to whom are highly recommended. Third parties involved with your organization's IT security should be considered part of this communication plan, and your organization should be part of theirs, as data breaches on their end could affect your data.