Companies Must Look Beyond Their Own Company to Also Consider the Security Measures Their Immediate Suppliers Have in Place
The number of cyberattacks on industrial sites of all sizes is increasing significantly, with risk spreading across supply chains. An ESG survey of 150 cybersecurity and IT professionals in mid-market and enterprise manufacturing organizations found that 53% say their operational technology (OT) infrastructure is vulnerable to some type of cyberattack, while the same proportion state that they have already suffered a cyberattack or other security incident in the last 12-24 months that impacted their OT infrastructure. Manufacturers are part of intertwined trading partner networks, and when one partner is compromised, the effects ripple across all parties in the supply chain. The impact of an attack on a first-tier supplier can be just as devastating as if the attack had initially penetrated your own OT network. Production lines can be shut down, creating significant costs, negatively impacting revenue, and causing reputational damage.
For years, threat actors have taken advantage of weak links in the supply chain as stepping-stones to infiltrate other organizations. We all remember the Target security breach nearly a decade ago, in which attackers used stolen credentials from an HVAC systems vendor to access Target’s network and move laterally until finally stealing bank card and personal information of millions of customers. A few years later, the NotPetya ransomware was another high-profile supply chain attack that initially poisoned software from a Ukrainian accounting firm and went on to affect multinational corporations and cause an estimated $10 billion in damages. More recently, the SolarWinds Orion software compromise and the SUNBURST backdoor have allowed a threat actor to gain access to numerous organizations around the world. The scope and impact of this attack are still being understood.
Industry action
Supply chain cybersecurity is now top of mind for executives and security leaders across industries, and government agencies, industry groups, and regulators are taking action in an effort to mitigate risk. As a vaccine for COVID-19 came closer to reality, IBM issued a warning of unknown threat actors targeting the COVID-19 vaccine supply chain, highlighting the need to reduce exposure of OT environments, the increased capabilities of attackers, and the urgency and severity of supply chain risk. Within the power industry, Protect Our Power has proposed (PDF) an end-to-end model framework for cyber supply chain risk management as a baseline for use by regulators. New automotive industry cybersecurity regulations (PDF) will be mandatory for all new vehicles produced in the European Union from July 2024, with Japan and Korea implementing something similar, while new cybersecurity standards to establish “cybersecurity by design” throughout the entire lifecycle of a vehicle are under development.
What security leaders can do
Supply chain cyber risk is complicated and spans the entire lifecycle of a product—across design, manufacturing, distribution, storage, and maintenance. The more protracted and complex the lifecycle, the more opportunities for threat actors to exploit the product by targeting less secure elements in the chain. And because supply chains are often global and span multiple tiers of suppliers, the responsibility of security doesn’t rest with a single organization. Each member has a role to play, which makes supply chain cyber risk particularly challenging to mitigate.
That’s why, when creating business continuity plans, executives need to look beyond their own company to also consider the security measures their immediate suppliers have in place and how they, in turn, manage and mitigate risk with their extended network of suppliers. These five steps can help:
1. Communication and assessment: Managing this critical risk starts with determining internal responsibility for procurement and verifying a partner’s process security. This requires legal teams to be involved, in addition to technology and line-of-business leaders across business units and geographies. Decision makers need threat intelligence related to supply chain attacks to make informed decisions about risks to the business. Secure procurement and data protection must be wrapped in effective communication with partners and internal stakeholders.
2. Detailed operational visibility: Consider a dedicated industrial cybersecurity solution capable of overcoming OT-specific challenges, which include a lack of standardized technology, the use of proprietary protocols, and a low tolerance for disruptions to critical processes. A platform that continuously monitors and detects threats across the OT network, integrates with your organization’s existing security infrastructure, and also covers every access point shared with your supply chain partners extends this visibility across all key parties.
3. Consistent cybersecurity standards: Keep up to date with emerging regulations and standards and new alerts. Adhere to the industry-specific recommendations detailed in the July 23 CISA alert, which can help mitigate increased cyber risk driven by growing connectivity of OT assets to the Internet across all 16 U.S. critical-infrastructure sectors.
4. Strengthened cybersecurity coalitions: Given the critical urgency of the current moment, many executives and board members have become attuned to operational concerns and more aware of why having the right cyber defense technology and processes in place is essential for ensuring availability, reliability, and safety. As a security leader, seize the moment to garner cross-functional buy-in for supporting present and future industrial cybersecurity initiatives.
5. Collaborative approach: Your supply chain is an integral part of your business ecosystem. As such, it needs to be an integrated part of your security ecosystem and protected with the same level of defenses. Cloud-based solutions simplify secure connectivity with key supply chain partners. They can also be more secure, updated more easily, and have new features added more quickly. But even if the transition to the cloud isn’t yet feasible within your industry due to regulatory requirements, you can still set benchmarks and share reports and insights into vulnerabilities and hygiene risk with your supply chain partners.
So, back to the question: “Is your suppliers’ security your business?” The answer is a resounding YES. Not only is it your business, but the very future of your business could be at stake. Fortunately, there are steps you can take to mitigate risk and the timing is right to move fast.
Learn More at SecurityWeek’s Supply Chain Security Summit March 10, 2020