What is Cyber Supply Chain Risk Management (C-SCRM)?
Cyber supply chain risk management involves identifying what cyber risks exist within a supply chain and managing those risks.
A supply chain refers to the people, processes, and technologies associated with delivering goods or services from one group to another. The term ‘supply chain’ is ubiquitous within today’s society, with many tending to conceptually relegate the definition to the manufacturing, transportation, or food distribution industries, forgetting that the internet itself has become a critical connection within the digital supply chain, providing services or access to goods necessary for day-to-day business operations.
Thus, when the cyber supply chain gets disrupted by something like a cyberattack, the problems can be significant—from slowdowns or complete stoppages in business activities to upstream or downstream cyberattacks on vendors, customers, or other businesses that are connected to the organization that was originally attacked. Associated risks include data loss, operational shutdowns, financial loss, reputation damage, product or safety compromise, and even loss of life.
Why Cyber SCRM is Important
In a digital world, organizations no longer have control or visibility into all the digital supply systems they’re connected to. When a cyberattack happens, the downstream effects are far more impactful than they were only a few years ago. Furthermore, traditional perimeter security cannot protect a digital infrastructure that is electronically connected in so many ways, necessitating a more comprehensive approach to cybersecurity processes, tools, technologies, and architectures inclusive of those third parties that can impact the security of those environments.
Cyber Supply Chain Attacks
The term ‘cyber supply chain attack’ can refer to several different cyberattack types. In general, a cyber supply chain attack usually means a cyberattack on one business that affects operations at other entities connected to the business. Sometimes supply chain attacks are intentional, with a threat actor focusing on a specific supply chain business to infiltrate the other businesses connected to the initial target. Many times, however, threat actors attack a business simply because it is a convenient target. The organizations connected to the target’s supply chain then become unintended victims of the attack.
Supply chain attacks can be broadly broken into a few categories with various end goals and means of achieving those goals.
Network Supply Chain Attack— A network supply chain attack involves a cyber assault on a support and operations company that filters down and affects the networks of connected companies. Networks are often compromised through traditional attack methods such as phishing, stolen credentials, or malware. Often the attacker will establish a persistent presence within the network. Once a foothold in the vendor’s network is attained, the attackers then can connect to client systems, if they so wish.
Software Supply Chain Attack— A software supply chain attack is the type most often seen in recent news headlines. In this type of attack, a vendor’s network is infiltrated by an attacker who then compromises the vendor’s software with malicious code or backdoors to be exploited. When the vendor pushes out software updates or the customers deploy the compromised software on their systems, the attacker can gain access to the customer’s environment, giving them the ability to steal information, engage in ransomware attacks, or establish a persistent presence for future attacks. This was the blueprint for the SolarWinds and Kaseya attacks from earlier this year, collectively affecting almost 20,000 customers. Similar to a network supply chain attack, this type of attack masks malicious activity by leveraging trusted connections and software.
Hardware Supply Chain Attack— Another type of supply chain attack involves exploiting vulnerable hardware, such as an industrial control device or router. Similar to a software supply chain attack, a malicious actor compromises the hardware manufactured by a vendor. For example, an attacker may plant their malicious code in a critical piece of the device's firmware, making it difficult to detect the malicious code or stop it once discovered until a new firmware version is released. As compromised hardware is deployed across a customer base, the attacker can leverage the device to potentially gain access to the larger customer environment and can establish a persistent presence and secondary command and control communications.
Cyber Attack on Supply Chain Businesses— While the previous three attack types focused on abusing the digital supply chain, cyber attacks can also disrupt the physical supply chain. These attacks typically target traditional supply chain businesses, such as transportation companies or food suppliers. For example, following the recent Colonial Pipeline ransomware attack, which temporarily shut down petroleum production and affected consumer and transportation gasoline supplies along the eastern United States, many organizations are now emphasizing the importance of a ransomware readiness assessment to prevent such incidents.
Key Cyber Supply Chain Risk Management (C-SCRM) Best Practices
- Integrate cybersecurity supply chain risk management across the enterprise— Consider establishing a C-SCRM council made up of executives, IT, cybersecurity, operations, risk management, and legal to identify risks and develop and review mitigation plans.
- Create a formal C-SCRM plan and program— Establish organizational plans to facilitate the management of cyber risk, including governance, procedures, policies, tools, and processes. Define roles and responsibilities and cross-functional teams. Include things like testing procedures and establishing service-level agreements (SLAs).
- Identify all staff, contractors, vendors, and suppliers with system access— For vendors in particular, it is imperative to know which vendors are in use and what product, service, or function each provides to your organization. This inventory lets you rate the risk associated with each vendor on factors such as the type of access it has to your environment and the type of data it can access or possess.
- Include suppliers/vendors in cyber resilience, security incident response, or disaster recovery activities— Your vendors should be a key part of your recovery strategy to the degree that they can impact or influence those particular business activities or services. This should occur early in the planning stages and throughout the entire process including testing and recovery exercises. Key activities include establishing defined roles and responsibilities and ongoing communications.
- Engage in ongoing monitoring and assessment— Your organization must understand the controls your supplier/vendor uses to protect the goods or services being delivered. A mature assessment program typically combines three sources: annual or semi-annual evidence of a point-in-time assessment, often performed by a third party, such as a SOC 2 audit; the results of risk or vulnerability assessments; and ongoing monitoring that identifies new or growing risks from a programmatic assessment of the vendor environment or from publicly accessible data, such as breach notifications or disclosures.
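The vendor-inventory and assessment-cadence practices above can be turned into a simple, repeatable check. The following is an added example, not GuidePoint's code or tooling: it scores each vendor on the two factors the text names (type of access to the environment and type of data reachable), adds weight for public breach notifications, derives a risk tier, and flags vendors whose latest point-in-time assessment evidence is older than the annual or semi-annual cadence for their tier. The weights, tier thresholds, vendor names and dates are constructed assumptions for illustration.

```python
"""Vendor inventory risk tiering and assessment-currency check (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Hypothetical weights for the two factors the practice names: the type of
# access a vendor has to the environment and the type of data it can reach.
ACCESS_WEIGHT = {"none": 0, "portal": 1, "vpn": 2, "privileged": 4}
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "regulated": 4}

# Evidence cadence per tier in days, matching the semi-annual / annual
# assessment cycle described in the text (thresholds are assumptions).
REVIEW_INTERVAL_DAYS = {"critical": 182, "high": 365, "low": 365}


@dataclass
class Vendor:
    name: str
    service: str                     # product, service or function provided
    access: str                      # key of ACCESS_WEIGHT
    data: str                        # key of DATA_WEIGHT
    last_assessment: Optional[date]  # date of latest point-in-time evidence
    breach_notices: int = 0          # public breach notifications in past year


def risk_score(v: Vendor) -> int:
    """Additive score: access + data, plus 2 per public breach notification."""
    return ACCESS_WEIGHT[v.access] + DATA_WEIGHT[v.data] + 2 * v.breach_notices


def risk_tier(v: Vendor) -> str:
    """Map the score onto a tier; thresholds are illustrative assumptions."""
    score = risk_score(v)
    if score >= 6:
        return "critical"
    if score >= 3:
        return "high"
    return "low"


def assessment_overdue(v: Vendor, today: date) -> bool:
    """True when no evidence exists or it is older than the tier's cadence."""
    if v.last_assessment is None:
        return True
    age_days = (today - v.last_assessment).days
    return age_days > REVIEW_INTERVAL_DAYS[risk_tier(v)]


def inventory_report(vendors: List[Vendor], today: date) -> List[dict]:
    """One row per vendor, highest risk first, with an overdue flag."""
    rows = [
        {
            "vendor": v.name,
            "service": v.service,
            "score": risk_score(v),
            "tier": risk_tier(v),
            "assessment_overdue": assessment_overdue(v, today),
        }
        for v in vendors
    ]
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample inventory: fictional vendors, services and dates.
SAMPLE_VENDORS = [
    Vendor("Example MSP", "remote network administration", "privileged",
           "confidential", date(2021, 1, 15)),
    Vendor("Example Payroll SaaS", "payroll processing", "portal",
           "regulated", date(2021, 8, 1), breach_notices=1),
    Vendor("Example Print Shop", "marketing print services", "portal",
           "internal", date(2020, 6, 1)),
]

TODAY = date(2021, 10, 1)  # constructed reference date for the report

if __name__ == "__main__":
    for row in inventory_report(SAMPLE_VENDORS, TODAY):
        print(row)
```

Running the block lists the payroll provider first (regulated data plus a public breach notice), then the MSP (privileged access), and flags both the MSP and the print shop as overdue for fresh assessment evidence against their tier's cadence. In practice the inventory would come from procurement and access-management records rather than an inline list, and the weights should be agreed by the cross-functional C-SCRM council rather than hard-coded.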
Cyber Supply Chain Risk Management Technology
Managing risk across an interconnected supply chain ecosystem allows organizations to reduce the likelihood of falling victim to multifaceted cyber threats. Modern cyber threats can jeopardize an organization's operational integrity and put its entire network at risk.
The 2013 Target cybersecurity breach serves as a stark reminder that inadequate cyber supply chain risk management can lead to the compromise of customer data—41 million customers, in Target's case, were affected by hackers who performed their infiltration via a third-party vendor. This high-profile case underscores the reality that a chain is only as strong as its weakest link.
In today’s digital landscape, attackers exploit the least protected points of entry, often found within smaller partners in the supply chain that may lack robust security measures. Adopting cybersecurity supply chain risk management is crucial, not only for the detection and prevention of direct attacks but also for ensuring that indirect pathways through affiliates are not vulnerable.
Cyber Supply Chain Risk Management Next Steps
GuidePoint Security is experienced in assessing and implementing C-SCRM practices and can help organizations of any size or in any industry navigate the complexities of cyber supply chain management. To learn more visit: https://www.guidepointsecurity.com/resources/third-party-risk-management/