What are the security challenges caused by the supply chain?
Supply chain security challenges are numerous and multifaceted, and no single case fits all, particularly given the global nature of interconnected and interdependent modern supply chains. Some examples include:
- Cybersecurity – Cyberattacks that target companies’ IT systems or suppliers, leading to data breaches, intellectual property theft, or disruption of critical infrastructure.
- Counterfeit – Fake products can infiltrate the supply chain, posing risks to consumers and undermining the reputation of legitimate businesses.
- Theft and tampering – Physical goods can be stolen or tampered with during transportation, storage, or distribution, potentially causing safety hazards and financial losses. Reports of backdoor chips being embedded on circuit boards by foreign agencies are an example of this.
- Insider threats – Employees or other insiders with access to sensitive information or resources can exploit their positions for personal gain, sabotage operations, or facilitate theft. Remember that most breaches are a result of abuse or compromise of legitimate credentials and access rights.
- Geopolitical – Political instability, trade disputes, or sanctions can disrupt the supply chain and pose challenges for businesses operating in certain regions.
- Supplier risk – Suppliers may be unable to meet quality, safety, or regulatory standards, leading to product recalls, liability, and reputational damage. IoT (Internet of Things) devices are a prime example of this, particularly in industrial control systems and healthcare.
- Natural disasters – Events such as hurricanes, earthquakes, floods, and pandemics can disrupt supply chains and lead to shortages, delays, and increased costs.
- Lack of visibility and transparency (and honesty!) – Limited insight into suppliers’ operations can make it difficult to identify and address risks, such as labour abuses or environmental violations.
- Compliance – An ever more complex web of regulations and standards across different jurisdictions, which can be particularly challenging when dealing with suppliers in multiple countries.
- Complexity – This is increasing with technologies like cloud computing, which involve multiple vendors, suppliers, and partners, making it difficult to track and manage security risks and magnifying the challenge.
- Software – Attacks on the software production cycle, either by compromising the software build environment or by exploiting vulnerabilities in open source software libraries, in order to distribute malware or gain access to developer environments.
- Standardization – A lack of standardization makes it difficult to implement consistent security controls across all vendors and suppliers.
Mitigating these requires organizations to implement a range of security controls and best practices, which in turn introduces costly complexity, itself the age-old cyber security risk.
Examples of supply chain security incidents: How they happen, who perpetrates them and why.
One thing that we are not short of is examples of supply chain security incidents. Some headline cases include:
SolarWinds (2020) – In this cyber-attack, hackers inserted malicious code into the software updates of SolarWinds’ Orion platform, which was then distributed to thousands of customers. This allowed the attackers to gain access to the networks of numerous organizations, including government agencies and private companies.
It is widely believed that the Russian state-sponsored hacking group APT29, also known as Cozy Bear, was responsible for this attack. Their motivation is believed to have been cyber espionage, with the aim of gaining access to sensitive information from targeted organizations.
NotPetya (2017) – This was a ransomware attack which started with the compromise of a widely-used Ukrainian accounting software called M.E.Doc. The attackers inserted malicious code into a software update, which then spread rapidly to organizations across the globe.
The attack was attributed to the Russian military hacking group known as Sandworm. The motivations behind the attack were likely geopolitical, targeting Ukraine and its global partners.
An interesting artefact of this attack was that, while initially appearing to be a ransomware attack, NotPetya was later recognized as wiper malware designed to cause widespread disruption and damage, illustrating the collateral considerations when responding to and recovering from such incidents.
Fukushima (2011) – An example of an indirect natural disaster challenge where an earthquake and tsunami in Japan caused significant damage to the Fukushima Daiichi nuclear power plant, leading to a nuclear disaster. The event disrupted global supply chains, particularly in the automotive and electronics sectors, due to Japan’s significant role in these industries. In this case, the cause was a natural disaster, and
Target (2013) – At this large US-based retailer, attackers compromised the credentials of an HVAC supplier and used them to gain access to Target’s network, where they were able to steal the credit card information of millions of customers. The attack was carried out by a group of cybercriminals, and the motivation behind the attack was financial gain.
ASUS (2018) – An example of a software supply chain attack. The attackers compromised the ASUS software update mechanism and distributed a backdoor to ASUS customers. The attack was attributed to a state-sponsored group, believed to be from China, and the motivation behind the attack was likely espionage.
CCleaner (2017) – Another software product based attack, this one involving the subsidiary Piriform, which developed the popular CCleaner software. The attackers compromised the software build environment and distributed a backdoor to CCleaner customers. The attack was attributed to a group of cybercriminals, and the motivation behind the attack was likely financial gain.
The imagination and creativity of threat actors today is unbounded as supply chain complexity grows, with motivations behind these attacks as wide and varied as the attacks themselves, and often, as illustrated above, not reducible to a single rationale.
What have organisations learned from supply chain incidents so far, particularly SolarWinds?
The SolarWinds supply chain attack was a significant incident that highlighted the vulnerabilities in global supply chains. Organizations have learned several valuable lessons from this attack, including:
- The importance of supply chain visibility and risk management – Highlighting the need for organisations to conduct regular audits of their supply chain partners to ensure that they are following security best practices and are not exposing their customers to unnecessary risks.
- The need for multi-layered security – This includes implementing robust security controls, such as firewalls, intrusion detection systems, and advanced threat protection solutions and adopting robust control frameworks to align compliance and ease auditing.
- The value of threat intelligence – An understated resource that can help detect and respond to attacks more quickly. Leveraging pertinent threat intelligence is an increasingly essential component of monitoring systems, which are evolving into dynamic, real-time risk scoring of identities and access control hygiene.
- The importance of incident response planning – A plan detailed enough to outline the steps to take in the event of a supply chain attack. This includes identifying the affected systems and networks, isolating them, and notifying stakeholders, customers and regulators.
- The importance of collaboration and information sharing – The SolarWinds attack highlighted the importance of this between organizations. Companies need to work closely with their supply chain partners and industry peers to share threat intelligence and best practices to help prevent similar incidents from occurring in the future.
Overall, the SolarWinds incident has raised awareness of the risks associated with supply chain attacks of this nature.
How have they improved their security as a result? Please provide specific examples if possible.
From an external visibility perspective, SolarWinds is understood to have taken a number of steps to improve in response to the hack, including:
- Enhancing its product security – Through a Secure by Design approach to product development, which includes threat modelling, code reviews, and security testing. The company has also increased its investment in security resources and tools, such as automated vulnerability scanning and security incident and event management (SIEM) systems.
- Strengthening its supplier risk management – Applying a more rigorous supplier risk management process, which includes increased due diligence and risk assessments of its supply chain partners. They have established a Supplier Security and Privacy Assurance Program to ensure that its suppliers are following best practices in security and privacy.
- Implementing a Zero Trust security model – Working on the assumption that all systems are potentially compromised and requiring continuous authentication, authorization, and verification. The company has implemented multi-factor authentication (MFA) for all employees and contractors, as well as enhanced access controls and monitoring.
- Increasing transparency and communication – With customers, partners, and industry stakeholders. The company has established a Trust Center website to provide up-to-date information on its security posture and response to security incidents. It has also joined several industry groups, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), to share best practices and collaborate on security initiatives.
- Engaging third-party security experts – To provide independent assessments of its security posture and identify any vulnerabilities or weaknesses in its supply chain. The company has also established a Customer Advisory Board to gather feedback and input from its customers on security-related matters.
True to the old adage of never wasting the impetus of a security incident, SolarWinds has taken significant steps to improve its supply chain security in response to the hack.
What still needs to be done to ensure supply chain security?
Despite the evidence and the actions taken by the likes of SolarWinds, there are still many areas where further action is needed to ensure the security and resilience of supply chains. These include:
- Enhanced security controls and monitoring – Implement robust security controls and monitoring to detect and respond to supply chain attacks specific to your organisation’s threat profile. This includes deploying advanced threat detection and response solutions, implementing access controls and monitoring, and establishing incident response plans and processes.
- Adoption of security standards and best practices – Adopt security standards and best practices, such as those from the CSA (Cloud Security Alliance), CIS (Center for Internet Security) and/or the NIST Cybersecurity Framework, to capitalise on industry-accepted guidelines for securing supply chains. This includes implementing a Secure by Design approach to product development (throughout the development lifecycle) and adhering to best practices in vulnerability management, network segmentation, and access control.
- Regular training and awareness programs – Provide regular training and awareness programs to employees and supply chain partners to educate them on the latest security threats and best practices for mitigating them. This includes phishing awareness training, secure coding practices, and incident response training.
There is no quick fix; supply chain security requires a multifaceted approach, but none of these measures is without a significant body of experience behind it, so there are no excuses.
How will the supply chain Cyber security threat evolve?
The supply chain is one guaranteed area of continuous and creative threat evolution, and, as we have seen in the earlier examples, one of growing sophistication as attackers adapt their tactics and techniques to overcome existing defences. Some potential trends to consider include:
- Increased focus on small and mid-sized suppliers – Targeting of small and mid-sized suppliers as the weakest link for gaining access to larger organizations. These suppliers are often an easier target for attackers.
- Greater use of automation and machine learning – We are seeing greater use of automation and machine learning technologies to conduct more sophisticated attacks at scale, making it harder for organizations to detect and respond to attacks.
- Greater use of social engineering – Increasing use of social engineering techniques, such as phishing and pretexting, not forgetting the emergence of ChatGPT and other ‘AI’ based systems.
- Increased use of supply chain attacks in nation-state cyber warfare – This is a well-trodden path for targeting key infrastructure or government agencies; witness Stuxnet, which abused the Siemens maintenance process and led to the compromise of the Iranian nuclear centrifuge systems. These attacks may be more sophisticated and well-resourced, making them harder to detect and respond to.
- Greater focus on software supply chain attacks – This is the easiest way for threat actors to gain access to a wide range of organizations and is a recognised challenge for open source software, as well as through the targeting of software development companies (often SMEs), tools and repositories.
The call to arms is to remain vigilant and proactive to protect against these potential risks and vulnerabilities.
What Steps can organisations take to secure the supply chain and be prepared for future threats?
Amongst the many steps organisations can take to secure their supply chain and prepare for future threats, some headline actions include:
- Conduct a thorough risk assessment – Know what your risk exposure looks like. Conduct a comprehensive supply chain risk assessment to identify potential vulnerabilities and risks. This should include an analysis of supplier relationships, third-party service providers, and other key partners.
- Establish clear security policies and procedures – Develop clear security policies and procedures for partners to follow. This should include guidelines for minimum security standards, access control, data protection, incident response, and other key security areas.
- Implement supply chain security controls – Implement specific supply chain security controls. These controls should be regularly monitored and updated.
- Regularly review and audit the supply chain – Ensure that security policies and procedures are being followed and identify any potential vulnerabilities or risks proactively.
- Strengthen supplier relationships – By building trust and transparency. This includes regular communication and collaboration, sharing best practices and threat intelligence, and establishing clear expectations for security.
- Stay informed about emerging threats – Maintain awareness of threats that could impact your supply chain. This includes regularly monitoring threat intelligence feeds, participating in industry forums and events, and working with trusted security partners to stay up-to-date on the latest threats and best practices.
By taking these steps, organizations can better secure their supply chain and prepare for future threats. However, supply chain security is an ongoing process, and organizations must remain vigilant and proactive in their efforts to protect against potential risks and vulnerabilities.
Posted on June 16, 2021