Risk in the Supply Chain
This extract from our Supply Chain Security Trends, Australia report explains why supply chain risk is a pressing and relevant modern cybersecurity concern that organizations everywhere must consider.
Whether it’s accounting software, computer and networking hardware, contracted employees, or hired consultants, third-party suppliers can sometimes plug deeply into customer organizations, gaining access to networks, systems, and data to ensure highly productive partnerships.
This engagement represents a considerable risk area for cybersecurity leaders to monitor and manage. The Australian Cyber Security Centre, the Australian Government’s lead agency for cybersecurity, has advised that all organizations should consider cyber supply chain risk management.
The agency states: “If a supplier, manufacturer, distributor, or retailer are involved in products or services used by an organization, there will be a cyber supply chain risk originating from those businesses. Likewise, an organization will transfer any cyber supply chain risk they hold to their customers.”
One of the most recent high-profile supply chain breaches was the 2020 attack on IT software vendor SolarWinds, in which attackers gained access to the vendor's build environment and inserted malicious code into a legitimate, vendor-signed update of its Orion platform, which was then delivered to customers through the normal update channel. Because the tainted build carried a valid vendor signature, routine signature checks on the customer side did not flag it.
It was reported that some 18,000 customers around the world installed the tainted update, including US Fortune 500 companies and government departments. The 2017 NotPetya attack is another notable supply chain attack.
The European Union Agency for Cybersecurity (ENISA) describes the incident as originating when a Ukrainian accounting software vendor (the maker of M.E.Doc) had its update infrastructure compromised by a threat actor, who then tampered with the software and pushed a malware-laden version of it out to the vendor's customers as a legitimate update.
In the event of a supply chain security incident, customers of a breached supplier can be subject to espionage, data theft, ransomware, or loss of control of their critical operations. On top of large remediation costs, such breaches can damage brand reputations and expose the personal data of citizens.
The Supply Chain Attack Surface
Part of the reason cybersecurity leaders must be more conscious than ever of supply chain risk is the growing reliance on outsourced technology solutions to run organizations efficiently and competitively.
“Organizations need to focus on their core competencies, so they rely on suppliers and partners to fulfill their broader requirements,” says Rapid7 Regional Manager, Incident Detection and Response, APAC, Robin Long.
The market is full of solutions and practitioners pitching to help alleviate administrative, logistical, or technological tasks so business leaders can get on with the core jobs of running their companies.
“There are all of these new partnerships that can be formed to help companies achieve success in the market,” Long says.
He continues: “The need to remain competitive has organizations relying on a really interconnected world of technologies and suppliers that is driving up the risk to most organizations to these sorts of supply chain attacks.”
The more partnering and outsourcing that occurs, the more likely that organizations will witness or even feel the effects of third-party security incidents, Origin Energy Chief Information Security Officer Christoph Strizik says.
“With more and more companies moving to software-as-a-service type offerings, we will continue to see an explosion of third parties within our ecosystem,” says Strizik.
He continues: “Given that ransomware attacks have drastically increased five-fold over the past 12-18 months, it becomes much more likely that a third-party organization in the supply chain will suffer an incident that impacts the availability of their services or confidentiality of data, which in turn will adversely impact any organization that consumes those services.”
Jo Stewart-Rattray, who runs a technology and security practice and currently serves as Silver Chain Group’s CISO, says another concern for cybersecurity leaders is that there are more IoT and network-connected devices on IT systems than ever before.
“It could be anything from CCTV systems, intercom systems, vaccine fridges, HVAC systems, heating, and air conditioning controls. All of those things could either reside on or traverse your network and present a supply chain risk,” she says.
The Job of Managing Third-Party Suppliers
How cybersecurity leaders manage supply chain cybersecurity varies by organization and supplier type, but there are common considerations that apply to every supplier.
“From a security perspective, you really want to know at a minimum what their security culture is and the maturity of their key security controls in place to protect your data and securely deliver the service they offer you,” says Origin Energy CISO Christoph Strizik. “Do they have basic security hygiene (patching and hardening), data protection controls (for example, encryption), sound access management, ability to detect intrusion, and ability to respond to an incident? This should be covered in the contract.”
He continues: “Governance controls are also important. Do they have a security officer? Policies that guide them? Do they align to industry frameworks and practices? Do they do user education and awareness? Do they validate that their controls are working or are there gaps? Vulnerability assessments, independent penetration testing, and security attestations play a role here. These are the high-level areas we would explore.”
Once due diligence is done, ongoing security assessments must be conducted to ensure security positions do not shift over time.
“The initial risk assessment is only a point-in-time measure, so if in 12 months’ time that organization isn’t managing their security controls as well as they were when they were onboarded, you’re just as exposed as you would have been without a risk assessment,” says former Queensland University of Technology CISO and cybersecurity consultant Rob Wiggan.
Cybersecurity leaders must also be thinking ahead to when supplier contracts will end, says Origin Energy’s Christoph Strizik.
“Can the service provider or vendor delete all of your data from their systems or is that something that will be hard for them to do? Can you easily switch from one provider to another (data migration)? You need to really think about these exit aspects of the relationship upfront,” he says.
In the case of consultants or technicians requesting access to an organization’s network, Silver Chain’s Jo Stewart-Rattray applies scrutiny.
“If somebody claims they need to be really deeply entrenched at a network-access level, they will have to do the same security checks that my own staff do,” she says. “I’ll want to see national police clearance and everything on top of a standard risk assessment. Do they have the credentials? All of that has to be verified. Establish trust and verify.”