If supply chains were already a lucrative source of revenue for cybercriminals in 2021, the trend is continuing in 2022, writes Zac Warren, Senior Director of Cybersecurity Advisory, EMEA at the cyber firm Tanium.
All it takes is one vulnerability, one successful hack and one compromised victim along the chain to reach the most lucrative target and penetrate corporate networks. The attacks on SolarWinds and Kaseya are prime examples from the last few years.
While the attackers’ methods are simple, many supply chains are, by design, complex and hard to follow. So how can supply chains be secured against the growing threats, and what factors need to be considered?
Managing supply chains end-to-end is a mammoth task. Unfortunately, many companies still rely on trust or manual spreadsheets when it comes to protecting against cyber risks. However, the lack of visibility into their own IT assets and dependency on partners and suppliers poses a real threat to organisations, in part because there are more third-party vendors in their ecosystems today than ever before.
Therefore, the first step is to answer the following fundamental questions: Who are the suppliers? What is their security like? And how are they using their data? Third-party vendors need to be able to provide a comprehensive and accurate inventory of their IT assets, so that the status of endpoints and installed software versions is known and patches can be applied in a timely manner to mitigate risks. Since software security vulnerabilities in supply chain management or in suppliers’ systems can have drastic consequences – as can poor information security practices – it is not only important to perform rigorous due diligence prior to on-boarding, but also to reassess the relationship on a regular basis. At this point, mandatory security standards should be established.
However, many companies check off the topic of supply chain security as a one-time to-do. In addition, security teams are often called in too late in the on-boarding process to be able to eliminate emerging risks. Sometimes, a single vulnerability is enough for attackers. Once they have gained access, they are able to move right up to a company’s most valuable data. This method is called lateral movement: hackers focus on the theft and misuse of credentials and work their way to key assets via creeping lateral movements across the network.
As a result, organisations need maximum visibility to analyse access rights and the vulnerabilities associated with them. Furthermore, IT security teams need to verify that the hardware used is genuine and contains no fraudulent components or malware before it is trusted with, for example, storing data on behalf of third parties. Software security gaps in supply chain management or in suppliers’ systems could also act as a gateway for criminals.
What differentiates attacks on supply chains from other targeted cyberattacks is that risk management has to be applied across corporate boundaries. In doing so, supply chain cybersecurity requirements cannot be allowed to fall by the wayside. The US National Institute of Standards and Technology (NIST) sees the identification, assessment, and mitigation of cyber risks in the supply chain as a critical factor in achieving an adequate level of IT security, and points out that globalisation, outsourcing, and digitalisation are leading to increasing dependency within complex supply chains.
As attackers increasingly shift their focus to supply chains, IT security measures that look exclusively at the company’s own operations are no longer sufficient, and legal requirements for cybersecurity in the supply chain are becoming increasingly important as a result. However, as legal regulations and technical measures alone cannot deliver the required level of security, companies must rely on contractual provisions to contain risks as far as possible. At the end of the day, the companies that have the best security practices in place will operate most successfully.
Cyber risks span procurement, supplier management, supply chain continuity and quality, and transportation security. For this reason, it is important to ask the right questions to suppliers. Among other things, it is important to know whether the vendor’s software and hardware development process is documented and if mitigation of known vulnerabilities has been considered in the product design.
The key questions to ask are: What controls are in place to manage and monitor production processes? How is configuration management performed and to what extent are malware investigations performed? What access controls are in place? How is customer data protected and stored? How long is this data retained? Is it destroyed when the partnership is dissolved? And how does the vendor ensure security throughout the product lifecycle?
To mitigate risks, companies can do the following:
– Security requirements should be written into all RFPs and contracts.
– If a vendor is integrated into the supply chain, it is up to the security team to work closely with that vendor to eliminate potential vulnerabilities and security gaps.
– A “one strike and you’re out” policy applies to all vendor products that do not meet specifications.
– The purchase of components must be strictly controlled. Source code must be obtained for purchased software. Secure boot processes check for authentication codes so that the system will not boot if the codes are not recognised.
– Automating the build and test processes reduces the risk introduced by manual intervention.
– The best form of proactive risk management is tooling that provides continuous endpoint visibility and gives managers the control they need to respond quickly when it matters most. A centrally manageable endpoint management solution enables organisations to issue questions to managed endpoints, analyse the responses, and distribute actions to the endpoints based on the answers. In addition, the actual state of the security and operational environment can be visualised so that appropriate actions can be taken based on the data collected. By continuously monitoring endpoints for anomalous activity, whether they are online or offline, security teams can be alerted in real time as soon as an anomaly occurs and act immediately to protect the network.
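As an added illustration of the secure boot item above (example code, not code from the article or from Tanium), the following Python models a boot chain in which each stage only hands control to a next stage whose digest appears in its allowlist and halts otherwise. The stage images and allowlists are constructed sample values; real implementations verify signatures against keys anchored in hardware rather than bare digest lists.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample images standing in for a device's firmware, bootloader
# and kernel binaries; real stages would be the actual boot artifacts.
FIRMWARE = b"sample firmware image v1"
BOOTLOADER = b"sample bootloader image v7"
KERNEL = b"sample kernel image 5.15"


@dataclass
class BootStage:
    name: str
    image: bytes
    # digests this stage is willing to hand control to (its embedded allowlist)
    trusted_next: set = field(default_factory=set)


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def boot_chain(root_of_trust: set, stages: list) -> tuple:
    """Verify each stage against the allowlist of the stage before it.

    Returns (names of stages allowed to run, status). The chain halts at the
    first stage whose digest is not recognised, so tampering with any stage
    prevents everything after it from running.
    """
    allowed = root_of_trust
    booted = []
    for stage in stages:
        d = digest(stage.image)
        if d not in allowed:
            return booted, f"halt: {stage.name} digest {d[:12]} not recognised"
        booted.append(stage.name)
        allowed = stage.trusted_next
    return booted, "ok"


def build_sample_chain():
    """Root of trust (e.g. a hardware-anchored allowlist) plus three stages."""
    kernel = BootStage("kernel", KERNEL)
    bootloader = BootStage("bootloader", BOOTLOADER, {digest(KERNEL)})
    firmware = BootStage("firmware", FIRMWARE, {digest(BOOTLOADER)})
    return {digest(FIRMWARE)}, [firmware, bootloader, kernel]


def tampered_chain():
    """Same chain, but the bootloader image has one byte altered in transit."""
    root, stages = build_sample_chain()
    stages[1].image = BOOTLOADER[:-1] + b"X"
    return root, stages
```

Running `boot_chain` on `build_sample_chain()` boots all three stages, while `tampered_chain()` halts at the bootloader and never reaches the kernel.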
Supply chain attacks have proven to be extremely rewarding targets for cybercriminals over the past year, and security experts predict that the number of attacks in this area will continue to rise in 2022. Companies that rely on platforms and services at various levels of a supply chain need to review their current strategies and be aware that security does not stop at their own network boundary.