From the energy sector to car manufacturing, every major business is likely part of a lengthy supply chain. And, as the name suggests, if even one small part of the system fails, the entire ecosystem can weaken or collapse.
Today, no organizations are immune to the rapid increase in cyberattacks — even cybersecurity companies themselves. This is especially true since the beginning of the war in Ukraine, which has been defined not only by physical assaults, but by cyber warfare on everything from the Ukrainian government to U.S. airports.
In addition to this volatile cyber landscape, there are more opportunities for hackers to infiltrate the supply chain as collaboration and data sharing between businesses grows. Many organizations are undergoing digital transformation and unlocking the sheer amount of data they possess to enable information-based decision-making across the entire ecosystem. If their systems and data aren’t secured, they can be exploited by malicious actors.
Following pandemic-related disruptions and shortages, organizations can’t afford a devastating cyberattack. If one company is impacted, the entire supply chain can face financial damages from supplier delays, or even become a victim themselves through shared systems. In fact, a satellite network supplied by the U.S.-based Viasat was hit by malicious software, shutting down remote access to thousands of wind turbines across Europe and impacting the Ukrainian military.
To avoid a devastating cyberattack, organizations in the supply chain need to understand prominent security threats, system vulnerabilities, and interactions across the ecosystem. From there, leaders across the ecosystem need to improve visibility into supplier security standards, update their own security processes, and adopt a collaborative security architecture.
Current Security Threats and Pitfalls
Recently, digital extortion group Lapsus$ breached Okta, an identity management platform, through one of the company’s customer support third-party providers (owned by Sitel Group) via a technician’s compromised account. Questions had previously been raised regarding Sitel’s security, illustrating how the “weakest link” can be the hacker’s way into a multitude of operations across the supply chain.
These types of breaches typically originate through unsecured connections such as VPNs and stolen credentials due to phishing or spraying attacks targeting poorly managed or unmanaged accounts. This is common in remote access scenarios when a supplier or outside vendor employee has access to a company’s systems. Attackers can sell these credentials on dark web forums, and companies have to pay up in order to get them back or face the daunting task of rotating credentials on tens of thousands of assets. Once attackers are in they can spread laterally across a company’s systems and even further into the supply chain since these systems are often interconnected.
Many companies today are sticking to basic security rules and protocols. When a company procures services or equipment from a supply chain partner, they’re baking requirements into contracts where the servicer agrees to the same security policies as the client.
Even if the host company has an advanced security strategy in place, the other company likely has different practices. It either takes time for the servicer to get up to speed on what is outlined in the contract (likely months after service begins), or the upgrades simply never occur. Typical contracts don’t set strict timelines for implementation or routine check-ins to ensure the upgrades were successful. Further, if a servicer has multiple contracts in play with varying security requirements, it could be left with a piecemeal security strategy in an attempt to meet these conditions.
Suggested Changes to Standards, Processes, and Increased Cooperation
With the recent rise in attacks, new mandates from the federal government, and a variety of technologies and solutions on the market, many companies within the supply chain may not know where to start to address these issues. However, a few simple practices can be implemented to secure the supply chain.
First, all organizations enlisting the help of outside contractors or suppliers should increase visibility into if security protocols in the contract are being met. This includes setting required timelines, scheduling regular check-ins, and completing a final security review and/or test.
Additionally, these security requirements for organizations and their suppliers should be updated to not only protect them from today’s threats, but future-proof against evolving tactics. Specifically, companies within the supply chain should review and adhere to National Institute of Standards and Technology (NIST) standards. Near the end of 2021, the organization closed the comment period for “SP 800-161” — a draft of updated cybersecurity practices specifically designed for the supply chain. This document will be updated and finalized in 2022, and companies should ensure these standards are not only reflected in their practices, but in the security requirements for their suppliers.
Finally, an organization should utilize a distributed zero trust security approach for interactions with any other entity. This includes increasing control into what machines and systems are interacting with what owned assets, protection against potential vulnerabilities in those systems, as well as control over who, when and how the supplier is connecting to these systems. Additionally, the supplier should consistently and immediately communicate any potential vulnerabilities, such as when a team member leaves the organization, so the host company can delete any unused log-ins.
In order to meet these new security standards and protection requirements, organizations across the supply chain should invest in and enforce distributed zero-trust identity and access management protocols (IAM). Essentially, IAM protocols only enable select individuals, technologies or systems to access specific assets for a key reason/action, providing complete control and visibility to who, when, and how someone interacts with the system.
While the steep rise in cyberattacks on essential operations is alarming, it does provide a crucial opportunity for organizations, up and down the supply chain, to understand the evolving threat to their business and take action. From increased visibility into supplier security upgrades to new cybersecurity approaches, industries reliant on their supply chains can better protect themselves.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.