In part II of the series of articles on Cyber Security, Dharmesh B. Rathod, Independent IT & Cyber Security Strategist, Architect & Adviser, focuses on Cyber Security within the Supply Chain domain and builds up a comprehensive big picture through its various aspects: the risk around partner ecosystems, how the industry has seen cyberattacks arrive through the supply chain, and their impact. The article also aims to make readers understand the business impact of these cyberattacks on organizations and offers ways to mitigate cyber risk in the supply chain. As the author professes, the right thought of building Cyber Security treatment in from day 1 will ensure that the Supply Chain ecosystem executes functionally in a secured manner end to end.
“Digitalization of businesses” has evidently been growing stronger globally year on year since, I presume, it all started three decades ago. While the quantum and complexity may differ from time to time, the spread has increased from one secluded corner of the organization to its various partners across the supply chain. The West may have been the early adopter; however, over the past decade the “BRICS” economies and similar regimes have spearheaded digitalization much more quickly. This has resulted in an amalgamated world of more tightly integrated cross-networks of several enterprises and their partners. And since digitalization has primarily enforced the acceptance of Information Technology and its various services, we now find almost every business being largely, and I must say in many cases completely, driven by IT.
With all the good things that digitalization brings to an organization through IT initiatives, we also inherit the aftermath if that IT is not secured. Effectively, Cyber Security becomes a vital and critical component when IT drives digitalization for all of these businesses and their partners, i.e., end to end across what we call the supply chain. Every company, partner and service provider contributes to Cyber Security in the supply chain, though the level of compliance and adequacy may, and does, differ across them.
Take, for example, a manufacturing company: its suppliers of raw materials, its transport and logistics partners, its go-to-market partners and, of course, its project and operations partners together make up the supply chain of the product lifecycle. Not all of these partners will necessarily have an equally healthy Cyber Security posture, either for themselves or in the way they protect their clients and customers.
Supply chain ecosystem at large with Cyber risks & threats
As emphasized earlier, most organizations integrate themselves with varied partners, and any loose end related to Cyber Security anywhere in the end-to-end chain may cascade and impact everyone across it. I have come across several Cyber Security incidents in the past decade that had no relation to the parent organization’s own systems; a weak link within the partner ecosystem nonetheless resulted in a cyber-security incident causing substantial damage to the organization.
The Target breach of 2013 was the result of lax security at an HVAC vendor, and it became one of the most cited cyber security incidents in history. The attackers stole the vendor’s network credentials for Target’s 3rd-party vendor access, used that foothold to reach Target’s own network and point-of-sale systems, and the resulting payment-card fraud impacted the credit and debit cards of some 40 million customers.
Equifax blamed a vulnerable 3rd-party component within its IT landscape for its giant 2017 breach: an unpatched flaw in the Apache Struts web framework (CVE-2017-5638), for which a patch had been available since March 2017. The attackers exploited the vulnerability in a public-facing web application and accessed personal information of up to 143 million individuals (a figure later revised to over 147 million), including Social Security numbers, names and addresses, and in some cases driver’s license numbers.
The December 2015 attack on the Ukrainian power grid is considered the first confirmed cyberattack to cause a power outage; it hit three regional electricity distribution companies rather than a single plant. The kill chain did not start inside the control network: it began with spear-phishing e-mails carrying macro-laden Office documents that installed the BlackEnergy malware on corporate IT systems. From there the attackers harvested credentials, crossed into the SCADA environment over the utilities’ own remote-access connections, opened breakers through the operator HMIs, and finally wiped machines with KillDisk to slow recovery. The lesson for the supply chain is the same one the other cases teach: the weakest entry point into the chain, not its strongest control, sets the security of the whole.
In 2015 adware named “Superfish” was found preinstalled on Lenovo consumer notebooks. Because it shipped with the machine it was “trusted” by default, and Superfish installed its own self-signed root CA certificate into the Windows trust store so that it could intercept and re-sign HTTPS traffic for every website a user visited. Worse, the root’s private key was the same on every affected laptop and was extracted within days of disclosure, so anyone on the network path could forge a valid-looking certificate for any site and those laptops would accept it.
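To make concrete why a preinstalled root such as Superfish’s is so dangerous, here is an added example (not part of the original article, written in Go with only the standard library). It constructs a legitimate CA and a rogue interception root named “Superfish, Inc.” for illustration, adds both to a client trust store, and shows that ordinary chain validation accepts a forged certificate for the constructed hostname bank.example exactly as readily as the genuine one. It then shows the check that Lenovo’s customers lacked: pinning the expected CA’s SubjectPublicKeyInfo hash, which rejects the forged chain even though the rogue root sits in the trust store. The CA names, the hostname and the verifyPinned helper are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// template returns a certificate template: a CA when isCA is set, otherwise a
// server certificate for the hostname in name (constructed data for this example).
func template(name string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint generates a P-256 key and a certificate from tmpl. With parent == nil the result
// is self-signed (a root CA); otherwise parent and parentKey sign it. Failures here are
// programming errors in a demo, so they panic rather than being returned.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiHash is the SHA-256 of the certificate's SubjectPublicKeyInfo, the value a pinning client compares.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyPinned does ordinary chain validation against the trust store and then additionally
// requires the root that anchored the chain to be one of the pinned keys (hypothetical helper).
func verifyPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if pins[spkiHash(chain[len(chain)-1])] {
			return nil
		}
	}
	return fmt.Errorf("chain for %s ends at unpinned root %q", host, chains[0][len(chains[0])-1].Subject.CommonName)
}

// RunScenario builds a legitimate CA and an interception root (named after Superfish for
// illustration), installs both in the trust store, and checks a forged and a genuine certificate
// for the constructed hostname bank.example with a store-only client and with a pinning client.
func RunScenario() (storeTrustsForged bool, pinForged, pinGenuine error) {
	const host = "bank.example"
	legit, legitKey := mint(template("Example Trust Root CA", true, 1), nil, nil)
	rogue, rogueKey := mint(template("Superfish, Inc.", true, 2), nil, nil)
	genuine, _ := mint(template(host, false, 3), legit, legitKey)
	forged, _ := mint(template(host, false, 4), rogue, rogueKey)
	store := x509.NewCertPool()
	store.AddCert(legit)
	store.AddCert(rogue) // the preinstalled adware root: this one line is the whole problem
	_, plainErr := forged.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	pins := map[string]bool{spkiHash(legit): true} // the client only ever expects this CA
	return plainErr == nil, verifyPinned(forged, host, store, pins), verifyPinned(genuine, host, store, pins)
}

func main() {
	trusted, pinForged, pinGenuine := RunScenario()
	fmt.Println("trust store alone accepts forged certificate:", trusted)
	fmt.Println("pinned client rejects forged certificate:", pinForged != nil)
	fmt.Println("pinned client accepts genuine certificate:", pinGenuine == nil)
}
```

A client that relies solely on the platform trust store cannot tell the two chains apart, which is precisely what Superfish exploited; pinning the expected CA, or on the defensive side auditing the installed roots against a known-good baseline, is the corresponding check. The point generalises to any root-level trust a supplier installs on a device before it reaches the customer.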
An organization in the pharmaceutical sector was attacked by the cyber espionage group known as Dragonfly, which planted trojans in legitimate software. The group compromised the download sites of industrial control software vendors and replaced legitimate installer files with malicious ones carrying the Havex remote-access trojan. When downloaded from the supplier’s own website, this software provided remote access that could be used to take complete control of the system on which it was installed, or to make it act as a bot. Such a situation directly impacts the organization’s brand value and revenue and exposes it to legal non-compliance.
The Shylock banking Trojan is another telling example. The attackers targeted a website builder used by many companies, so that legitimate websites built with it redirected their visitors’ requests to a malicious domain; compromising the builder rather than individual sites let them infect victims at a large magnitude.
Most governments across the world, though they have units like the Pentagon, the NSA etc., would not, I presume, be functional without their hired contractors. Likewise, within the manufacturing industry segment, it’s a well elongated series of partners that form the end-to-end supply chain. In my past experience, in my role as CISO, I have managed business houses that spread across multiple lines of business such as oil & gas refining, steel, ports & logistics, coal mining, EPC and agro business. Each of these businesses has exposure to several partner ecosystems and thus direct exposure to the partners’ weaknesses and strengths.
Lacunae of Cyber Security in the Supply Chain
Let’s look at the various Cyber Security risks we encounter when dealing with multiple partner ecosystems, though not limited to the list below:
Compromised hardware/ infrastructure: Any contaminated IT infrastructure or application poses a direct threat of propagating Cyber Security threats into the organization. During the WannaCry outbreak of May 2017, the worm spread over SMBv1 to any reachable unpatched Windows host, and many organizations were infected through partner IT systems connected to their networks.
Poorly managed IT risk posture: Not all partners are mature enough to maintain and sustain a minimal, risk-based Cyber Security posture for their IT landscape. A lack of security policies leads to non-compliance with Cyber Security best practices and escalates IT risk beyond control; interfacing with a partner whose IT landscape is in such a state is not a healthy situation.
Vulnerable applications: We deal with heaps and loads of application integration, and the ecosystem gets more complex day by day. With the arrival of Cloud ecosystems over the past few years, realization and turn-around times have shrunk, leading to a high level of acceptability. In such exciting times, application developers have by and large been observed to be the least concerned about cyber security safeguards, controls and measures. The result is that vulnerable partner applications are brought directly inside the organization, which most of the time has no control over the aftermath.
Compliance shortcomings: Any deficit in a partner’s adherence to compliance requirements has a direct effect on the organization that uses that partner’s services.
Below are a few statistics from NIST (as shared during RSA 2016) that explain Cyber Security’s impact on the Supply Chain:
80% of all information breaches originate in the supply chain
45% of all cyber breaches were attributed to past partners
72% of companies do not have full visibility into their supply chains
59% of companies do not have a process for assessing the cybersecurity of third-party providers with which they share data or networks
40% of attack campaigns targeted manufacturing and service sectors.
These attacks are getting more prevalent and dangerous, according to the latest quarterly Global Incident Response Threat Report from the cyber security firm Carbon Black. The industries most targeted by island hopping (attackers compromising a smaller partner in order to reach its larger customers), the report said, are financial (47%), manufacturing (42%) and retail (32%). The above statistics are alarming and have been escalating year by year, partly because incidents and outbreaks are now registered more consistently.
What finally impacts an organization that falls prey to a Cyber Security incident in the Supply Chain:
Direct negative impact on brand value: Target and Equifax have both gone through this ordeal.
Loss of intellectual property: Pharmaceutical companies are among the most affected, with the business brought to a standstill much of the time.
Legal turmoil and obligations: With PII data being taken much more seriously in the western world, many affected organizations have faced litigation over the breaches they suffered.
Loss of revenue: Cyber security incidents and outbreaks have also caused loss of operating revenue, because the IT systems were unavailable after the incident.
How can we mitigate cyberattacks in supply chain?
It may appear to be a scary picture so far; however, we have seen reasonable maturity in dealing with cyberattacks in the supply chain through comprehensive risk management, various technical and process-based mitigation controls, and an overall approach and methodology suited to the organization. Several precautionary measures by which such dire situations can be avoided have been adopted by organizations within the supply chain, as day by day we get a clearer picture of the weak links and the mitigations around them.
Reactive or proactive, one must embed “Defense in Depth”, i.e., introduce Cyber Security best practices right from the embryonic stages of any IT initiative or project. Listed below are a few vital questions that an organization should ponder when preparing its position against Cyber Security threats in the supply chain:
How well do we know the IT landscape of the partners/suppliers?
What interfaces are being interconnected with them?
What level of technical detail is known and agreed on both sides?
What is the level of agreement on the data flow across both ends?
How will partners handle the data in terms of security safeguards?
Has a gap analysis been done, with assessments of the IT systems, the processes around them and their risk posture?
Once integrated, is there a healthy engagement?
What should the partners’/suppliers’ assurance methodology be?
What level of compliance or certification should prevail to assure the expected level of security controls and result in an acceptable Cyber Security risk posture of the partners in the supply chain?
What technical capabilities and process-level controls do the partners have to achieve a reasonably secure technical integration?
Monitoring and surveillance should ensure a steady and controlled sustenance of the IT integration: how do the organization and the partners agree on what is acceptable here?
Cyber Security risk management and related security controls have nowadays reached a considerable level of maturity, and there are various niche Cyber Security firms proficient in this domain. An organization can avail itself of such assistance from consulting firms and make sure no stone is left unturned when dealing with Cyber Security in the supply chain.
Taking partners along the process
Many suppliers/contractors will not readily adopt regulations on joining the supply chain, as this could slow the process and deter potential partners and/or leads. The best way is to build expectations in right from the design and contractual phase. The necessary binding has to exist from day 1 between both sides, and there are several standards that ensure uniformity of Cyber Security safeguards across both ends: ISO/IEC 27001 has a detailed set of supplier-relationship controls (Annex A.15 in the 2013 edition), and NIST covers the subject in a very elaborate fashion in SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. It’s important for the organization to first build the mindset of protecting the supply chain from Cyber threats, and this mindset has to be at the same level of understanding among all the partners/suppliers.
With the advent of Cloud (public, private, hybrid) and its related models IaaS, PaaS and SaaS, integrations these days have become much swifter and free of the major complexities of the legacy era. As the boundaries expand, with no restrictions on geography, organizations integrate more and more, outsource non-vital components to partners, and thus end up in a supply chain environment that fuels their business goals and provides agility as the business expands. Evidently, the right thought of building Cyber Security treatment in from day 1 will ensure that the Supply Chain ecosystem executes functionally in a secured manner end to end.
My personal advice to organizations is to have a thorough and deep knowledge of the nature of the integration one is looking at with the partners/suppliers, and to have a detailed risk assessment done in the planning and design stage. This will yield a clear picture and road map of the risks that have to be mitigated and thus, as a result, put controls in place and secure third-party integrations.