Security experts are alarmed: While supply chains were already a lucrative source of income for cybercriminals in 2021, the trend is likely to continue in the new year. One vulnerability, one successful hack, and one compromised victim along the chain are all it takes to reach the most worthwhile goal and penetrate more corporate networks. Greetings from SolarWinds and Kaseya. As simple as the attackers’ methods are, many supply chains are complex and confusing. So how can supply chains be secured against the growing threats? And which factors should be taken into account?
The challenges of supply chain security
Managing supply chains end-to-end is a mammoth task. Unfortunately, many organizations still rely on trust or manual spreadsheets to protect against cyber risks. However, the lack of visibility into their own IT resources and their dependency on partners and suppliers pose a real threat for companies, partly because there are now more third-party providers in their ecosystems than ever before. Therefore, the first thing to do is to answer fundamental questions: Who are the suppliers? What is their security posture? And how do they use the data entrusted to them?
Third-party providers must be able to provide a comprehensive and accurate inventory of their IT assets, so that the status of endpoints and installed software versions is known and patches can be deployed in a timely manner to mitigate risk. Since software vulnerabilities in supply chain management or supplier systems can have consequences just as drastic as poor information security practices, it is important not only to conduct rigorous due diligence prior to onboarding, but also to reassess the relationship regularly. Binding security standards should be set at this point.
However, many companies tick off the topic of supply chain security as a one-time to-do. In addition, the security teams are often involved too late in the onboarding process to be able to eradicate emerging risks. Sometimes a single vulnerability is enough for the attackers: once they have gained access, they are able to move to the most valuable data of a company. The method is called Lateral Movement:
Hackers focus on credential theft and misuse, working their way to critical assets through stealthy lateral movement across the network. Therefore, companies need maximum transparency to analyze access rights and the associated vulnerabilities. Furthermore, IT security teams must check that the hardware used does not contain any fraudulent components or malware and is not counterfeit, since such hardware could, for example, allow data to be captured by third parties. Software vulnerabilities in supply chain management or in suppliers’ systems could also act as a gateway for criminals.
Increasing demands on supply chains
What sets supply chain attacks apart from other targeted cyberattacks is that they require risk management that spans organizational boundaries. The legal cyber security requirements for the supply chain must not be neglected either. NIST sees the identification, assessment and mitigation of cyber risks in the supply chain as a crucial factor in achieving an adequate level of IT security, and calls attention to the fact that globalization, outsourcing and digitization are leading to increasing dependency within complex supply chains.
Last but not least, SolarWinds and Kaseya have demonstrated the high risk potential of such cyber attacks. As outsourcing increases, attacks on supply chains show that IT security measures that focus exclusively on one’s own company are no longer sufficient. This makes it clear that legal requirements for cyber security in the supply chain are becoming increasingly important. However, since legal regulations and technical measures cannot adequately reflect the required level of security, companies must rely on contractual regulations in order to contain risks as far as possible. At the end of the day, the companies with the best security practices will be the most successful.
Supply chain best practices
Cyber risks extend across procurement, supplier management, supply chain continuity and quality, and transport security. It is therefore important to ask the right questions to the suppliers. Among other things, it is important to know whether the vendor’s software and hardware development process is documented and whether mitigation of known vulnerabilities has been taken into account in the product design. What controls are there for managing and monitoring the production processes? How is the configuration management carried out and to what extent are checks carried out for malware? What access controls are there? How is customer data protected and stored? How long will this data be kept and will it be destroyed if the partnership is dissolved? And how does the provider ensure security throughout the product life cycle?
To mitigate the risks, companies can do the following:
- Security requirements should be included in all tenders and contracts.
- When a provider is integrated into the supply chain, the security team must work closely with the provider to eliminate possible vulnerabilities and security gaps.
- A “one strike and you’re out” policy applies to any supplier product that fails to meet specifications.
- The purchase of components must be strictly controlled. Source code must be obtained for purchased software. Secure boot processes verify the authentication codes (signatures) of boot components, so the system will not boot if the codes are not recognized.
- Automating manufacturing and testing processes reduces the risk introduced by manual intervention.
- The best form of proactive risk management is tools that provide continuous endpoint visibility and give those responsible the control to respond quickly when it matters most. A centrally managed endpoint management solution enables organizations to issue questions to managed endpoints, analyze the responses, and distribute actions to the endpoints based on the responses.
- Furthermore, the actual state of the security and operating environment can be visualized so that appropriate measures can be taken based on the collected data. By continuously monitoring endpoints for suspicious activity, whether they are online or offline, real-time alerts can be used to notify security teams as soon as anomalies occur, so network protection measures can be implemented immediately.
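The "issue questions, analyze responses, distribute actions" loop described in the last two points, as an added example that is not code from the original article or from any endpoint management product. It runs over a constructed set of endpoint responses and a constructed minimum-patched-version baseline (the hostnames, package names and version numbers are hypothetical), flags software below the baseline or not on the approved list, and derives the patch or alert actions a central console would push; actions for offline endpoints are queued rather than dropped, matching the "online or offline" point above.

```python
"""
Added example: a minimal model of the question -> response -> action loop
run by a centrally managed endpoint management solution.

Everything below (hosts, packages, versions, baseline) is constructed
sample data for illustration and is not taken from any real inventory.
"""

# Constructed responses to an inventory "question" sent to each endpoint:
# hostname, whether it is currently online, and the software it reports.
ENDPOINT_RESPONSES = [
    {"host": "build-01", "online": True,
     "software": {"openssl": "1.1.1k", "agent": "7.4.2", "rmm-tool": "9.5.0"}},
    {"host": "hr-laptop-7", "online": False,
     "software": {"openssl": "3.0.8", "agent": "7.4.2"}},
    {"host": "vendor-kiosk", "online": True,
     "software": {"openssl": "3.0.8", "agent": "7.3.0", "remote-share": "2.1"}},
]

# Constructed baseline: minimum version considered patched for each
# approved package. Anything not listed here is not approved software.
MIN_VERSIONS = {"openssl": "3.0.8", "agent": "7.4.0", "rmm-tool": "9.5.1"}
APPROVED = set(MIN_VERSIONS)


def parse_version(version):
    """Split a version like '1.1.1k' into comparable (int, suffix) pairs.

    This is a deliberately simple scheme (assumption: dotted numeric parts
    with an optional letter suffix); real tooling should use the package
    ecosystem's own version comparison rules.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return parts


def assess(response, min_versions=MIN_VERSIONS, approved=APPROVED):
    """Analyze one endpoint's response; return a list of findings."""
    findings = []
    for name, installed in response["software"].items():
        if name not in approved:
            # Software the organization never approved: a supply chain red flag.
            findings.append(("unapproved_software", name, installed))
        elif parse_version(installed) < parse_version(min_versions[name]):
            findings.append(("outdated", name, installed))
    return findings


def plan_actions(responses, min_versions=MIN_VERSIONS, approved=APPROVED):
    """Turn findings across all endpoints into actions the console would push."""
    actions = []
    for response in responses:
        for kind, name, installed in assess(response, min_versions, approved):
            action = {
                "host": response["host"],
                "package": name,
                "installed": installed,
                # Offline endpoints keep their action queued until they check in.
                "queued": not response["online"],
            }
            if kind == "outdated":
                action.update(action="patch", target=min_versions[name])
            else:
                action.update(action="alert", target=None)
            actions.append(action)
    return actions


def summarize(actions):
    """Per-host count of pending actions, the view a security team triages from."""
    summary = {}
    for action in actions:
        summary[action["host"]] = summary.get(action["host"], 0) + 1
    return summary


if __name__ == "__main__":
    planned = plan_actions(ENDPOINT_RESPONSES)
    for action in planned:
        print(action)
    print("pending actions per host:", summarize(planned))
```

The split between assess (per-endpoint analysis) and plan_actions (fleet-wide decisions) mirrors the separation between collecting answers and distributing responses; the baseline and approved list are the part a company would keep in sync with its supplier contracts and advisories.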
Supply chain attacks have proven to be extremely lucrative targets for cybercriminals over the past year, and security experts predict that the number of attacks in this area will continue to rise in 2022. Companies that rely on platforms and services at various levels of a supply chain need to review their existing strategies and realize that security doesn’t stop at their own network perimeter.