Supply chain logistics have been the backbone of global trade for hundreds of years. Extending the same concept with added digital components gives rise to supply chain cyber security risks. Supply chain cyber security is a topic that has come into the limelight over the last couple of years. Because supply chains are spread over multiple regions, countries or continents, maintaining supply chain cyber security can be difficult. It includes identifying and documenting suppliers and service providers; defining risk criteria for different suppliers and services, such as managing supplier and customer dependencies, critical software dependencies and single points of failure; monitoring supply chain risks and threats; and many other responsibilities.
In this blog post, we will discuss supply chain cyber security risks and how to mitigate them strategically and tactically. We’ll also go into supply chain risk management techniques and how they work with supply chain cyber security risks.
What is a cyber supply chain?
A supply chain is a method of moving goods in a particular direction. It is a system that starts with raw materials and ends at the customer’s door. A cyber supply chain begins when data enters, flows through digital functions, and ends with physical products manufactured or delivered to targeted customers.
What is a cyber supply chain risk?
Cyber supply chain risk means any risk of financial loss, disruption or reputational damage to an organisation due to cyber risks associated with its digital supply chain. We are covering supply chain risk management practices that would help organisations identify, quantify and mitigate the risks involved in supply chains.
What is Supply Chain Cyber Security?
Supply Chain Cyber Security is the process of identifying supply chain cybersecurity risks, understanding them, developing controls to minimise or eliminate them and developing strategies in case of any cyber attack.
Supply chains are larger, more complex, more interconnected and more globalised than ever before, which makes them attractive targets for cyber attacks, since a single attack can affect multiple companies simultaneously. Read a dedicated article on supply chain attacks here:
Cyber supply chain security principles
The cybersecurity problem in the supply chain should not be viewed purely as an IT issue; it is not only about IT assets. Just like your financial, legal or other regulatory risk regimes, supply chain cyber risk is a central business concern that requires a coordinated effort in cyber supply chain risk management. The following three principles define the cyber security best practices in this domain:
- ‘Mitigate’ not ‘prevent’ – Developing your defence strategy around the assumption that your organisation will be breached helps you shape a layered cyber supply chain security strategy. It is not only about preventing threat actors from accessing your systems, but also about limiting the impact, increasing the attacker’s difficulty and recovering quickly when a system is compromised.
- More than a technology issue – Cyber supply chain risks are collectively a people, process and technology issue. As we have always said, cyber security is only effective with a combination of people, process and technological controls.
- Physical and cyber security are equally important – Do not allow any gaps between physical and cybersecurity. A threat actor could exploit gaps in physical security controls to leverage cybersecurity issues.
Common supply chain cyber security risks
The key supply chain cyber risks are also the areas that should be explored with your suppliers/vendors to ensure they have these areas covered. These key supply chain IT security risks are:
Employees with malicious intent could introduce malware into the company’s systems or be involved in other supply chain attacks, which could be dangerous for organisations. These actors range from external parties to insiders at third-party service providers or vendors with physical or virtual access to code, systems, networks, etc.
Insecure cyber security practices by suppliers add risk to the entire supply chain. Employees who work in a supply network must follow safe cyber security practices when using technology in their jobs. If they do not follow these measures, the risk of supply chain attacks increases.
Insufficient separation of business-critical functions
This is often a weakness in mid-tier organisations where growth has gone through the roof but technology and cyber security have not matured along with it. It covers segregating environments, networks, applications and users according to their criticality to the business.
Compromised or outdated software and hardware
Hardware or software purchased from third-party suppliers may be compromised in ways unknown to either the buyer or the seller.
Counterfeit hardware or software with malware already baked in could lead to long-term risks.
Systems that run an outdated core (operating system, components) or outdated dependencies such as software and libraries offer a larger attack surface and are more likely to be attacked. Patching processes can be tricky to run with full coverage, especially when zero-days and in-the-wild exploitation are on the rise.
Authentication is important for making sure that only authorised people can access systems in a company’s network. If companies do not use strong authentication measures, such weaknesses create a risk of people misusing the company’s credentials.
Insecure data sharing & storage
If the information shared in a company’s network is not secure, then there is a risk of threat actors gathering sensitive customer data from within the system.
By not following secure information storage practices, data stores or aggregators can add to the security threats facing the host organisation and the linked suppliers in the chain.
If the data sent across a company’s network is not encrypted, or is encrypted with misconfigured measures, threat actors can intercept confidential information by compromising one or more of the information security principles.
Insufficient logging & monitoring
It is not about whether you log everything; it is about logging the relevant events without flooding storage, so that the analysts monitoring the log data can act on it. If the company’s supply networks are not monitored, there is a risk that threat actors can exploit vulnerabilities in their systems without being detected.
Cyber supply chain risk management
Cyber supply chain risk management is the process of identifying and managing risks involved with computerised supply networks.
Cyber supply chain risk management best practices
Supply chains have a large number of components that could be targeted by hackers. These include point-of-sale (POS) terminals, payment cards and card readers, inventory management systems, production control software, supply management software and human behaviour, among many more. Identifying supply chain cybersecurity risks and implementing best practices is the key to supply chain cyber security.
- The supply chain risk management process must be undertaken by the security/risk teams or, failing that, by the company’s IT department.
- Global businesses must have a proper supplier network cybersecurity policy to ensure that supply chains follow minimum cyber hygiene standards.
- Once a supplier is included in the supply chain, the central security team must work with the supplier’s team to address vulnerabilities and coordinate continuous improvement plans.
- Supply chain risk management should be enhanced by integrating an organisation’s IT systems with its supply chains in a way that enables better visibility into supply networks and protective measures against cybersecurity threats.
- The company should perform an extensive analysis of its supply chain to identify all possible points of vulnerabilities. Continuous vulnerability assessments and yearly penetration tests including assessments following major changes should be included in the supplier security plans.
- Secure software development life cycle (secure SDLC) practices should be followed by all software agencies including external developers before release. Source code assurance should be sought where business-critical components or sensitive data processing is involved.
- A support plan for legacy systems, with minimum cyber hygiene standards, should be defined.
- A supply chain cybersecurity policy should be implemented, and a business continuity plan (BCP) must be in place.
- The company must define the roles of employees in their networks along with specifying which tasks can be performed by each employee. This includes important principles such as segregation of duties, use of the least privilege principle and defence in depth mechanisms.
- Restricted authentication and authorisation are important for making sure that only authorised people can access the systems in a company’s network.
- Carry out network vulnerability assessment and penetration testing to identify supply chain risks.
Endpoint vulnerabilities that are often exploited in the supply chain
The following endpoint vulnerabilities are often exploited in the supply chain:
- Lack of supply network cyber security policy.
- Insufficient supply network cyber security controls.
- Lack of supply chain risk management.
- Lack of supply chain cyber risks management controls.
- Insufficient cyber security monitoring tools and capabilities.
- Using weak authentication for access to critical systems in the supply networks.
How can Cybersecurity Professionals Help?
Cybersecurity experts or cyber security firms are often assigned supply chain cyber security responsibilities. These service providers can assist organisations in keeping their supply chains safe from cyber-related risks by adhering to best practices in supply chain risk management, as they have the necessary skills, training and experience in identifying vulnerabilities, performing risk assessments and applying a variety of risk management approaches.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.