Understanding, recognising and minimising supply chain cyber risk

Supply chain attacks are genuinely a growing threat, making them a legitimate concern for many businesses. A chain reaction, potentially triggered by a successful attack on a single supplier, can jeopardise an entire network of suppliers, and with it the value chain – and your company too. In this article, we are taking a closer look at supply chain attacks, highlighting cyber risk factors and providing tips on how to minimise them.

For digital components like software, virtual platforms and services and data, supply chain risks have significantly increased in recent years, as increasingly sophisticated cyber-attackers are targeting weak points in these digital assets. This is particularly true of OT (Operational Technology) environments like control and monitoring systems, because modern assets are networked, digitised and remotely controlled. According to IBM’s X-Force Threat Intelligence Index 2022, the industrial sector will even be the hardest hit by cyber-attacks in the near future.

Supply chain attacks under the magnifying glass

A supply chain is basically a means of bringing together an ecosystem of all the resources needed for developing, manufacturing and distributing a product. In cyber security, supply chains primarily include hardware and software, cloud and local storage solutions and IT-based mechanisms for production and distribution.

Initially, supply chain attacks usually target one or more suppliers, with the ultimate target, which is usually customer data or customer assets, only being targeted in a subsequent attack. Therefore, , it can take several months for an attack to be successful. Despite this lengthy time frame, it is common for attackers to remain undetected for very long periods of time. In a similar way to advanced persistence threats (APT attacks), supply chain attacks are usually target-specific, complex and planned well in advance. These factors demonstrate how sophisticated and persistent attackers can be.

The NIST C-SCRM for identifying the current threat situation

As a result, in supply chains the threat landscape is also undergoing constant evolution. That’s why both the second line of defence (2LoD; policy makers) and the first line of defence (1LoD; practitioners) need to have access to accurate, up-to-date information about their own IT and OT environment well as the threat landscape. However, as is so often true, there is the issue of which sources can or should be relied upon with regard to the threat landscape. For example, on 5 May 2022, the National Institute of Standards and Technology (NIST) published guide recommendations for managing cyber security risks in the supply chain entitled «Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations» (C-SCRM). It states that supply chain risk for digital components, in particular, has developed and expanded as a result of complexity, digitalisation, globalisation and virtualisation. All digital components are vulnerable (firmware, software, virtual platforms, services and data), and they can be exposed to supply chain risks originating from a range of different threats, vulnerabilities and impacts.

IT and OT – a risky convergence in cyber risk terms

IT-Increasingly, IT and OT systems are automated, networked, digitised and remotely controlled, for example in smart cities, energy management, logistics, value chains etc. However, the ongoing convergence of IT and OT also increases dependence on digital supply chains, which is why they demand special attention as part of cyber security. This is why all the digital elements in the supply chain should be taken into consideration in order to make a comprehensive assessment:

• Firmware for a device’s basic control and specific hardware (these days, permanent software no longer exists). All components with memory, integrated circuits or programmable controllers operate using firmware.
• Software, i.e., applications that are run on systems which perform functions and process data.
• Virtual platforms and services, i.e., cloud-based platforms online or on-premises running applications.
• Data or information from inputs and outputs of processes and functions.

However, it is no longer enough to put strong security measures in place if attackers have already shifted their attention to suppliers. This is also the conclusion drawn by the European Union Agency for Cybersecurity (ENISA) in a report published this year.

Ten measures for minimising cyber risks in the supply chain

There are, of course, tried and tested measures for minimising the risk of supply chain cyber-attacks. The most important recommendations are summarised below:

1. Identify and document all suppliers and service providers.
2. Identify – and understand! – the components and services that relate to security.
3. Prior to procuring components and services, conduct a review of suppliers and service providers, along with a risk rating.
4. Do not work with suppliers and service providers who are classified as being high risk.
5. Define risk criteria for different types of suppliers and services, such as dependencies between suppliers and customers, critical software dependencies or single points of failure (SPoF).
6. Actively monitor risks and threats in your supply chain.
7. Manage suppliers through the entire life cycle of a product or service, including procedures for handling products or components at the end of their lifecycle.
8. Categorise assets and information that are shared with or accessible to suppliers. Also, put in place appropriate procedures for accessing and handling them.
9. Ensure compliance with cybersecurity best practice in procuring and developing products and services.
10. Prioritise components and services according to the principle of “secure by design”, a strong track record of transparency and maintenance of security in their own systems and digital supply chains.

It is also recommended for suppliers to adopt best practices for vulnerability and patch management. Key recommendations include:

• Ensuring that the infrastructure used for design, development, manufacture and supply of products, components and services complies with cyber-security best practice.
• Implementing a good practice product development, maintenance and support process.
• Monitoring internally and externally reported security vulnerabilities.
• Maintaining a record of assets that contains information relating to the patch.
• Aligning the software bill of materials (SBOM) with the list of vulnerabilities and the threat landscape.

Focusing on identity-centric security

The introduction of new technical components and architectures, and integrating them, leads to constant changes in architectures – and therefore in risks. Overall, a move towards identity-centric security is taking place. (You can find more about the practical implementation of identity-centred security in this article.

Modern products and services are dependent on their supply chains, which link together a global network of manufacturers, software developers and other managed service providers (MSPs) or service providers. When considering security risks with MSPs, the focus is on service providers who have access to facilities, systems or data. Again, there are some basic rules and practices that should be followed to minimise cyber risks. These include keeping a record of managed services and periodic security assessments of cloud services and who provides them.

The obligation to protect data is no different when using a managed service or a cloud service than when using an internal service. Therefore, contractual agreements between providers and customers should address the way in which security risks are managed. However, it may also be the case that managed or cloud services are or have to be used before all security requirements have been implemented by a provider. Here, the contractual agreements should include suitable deadlines for implementing security requirements and exit clauses, should these not be met.

Other points it is advisable to include in a contract:

• The provider must deliver a suitable level of protection for the data or services confided to them.
• The documentation of the security requirements with regard to confidentiality, integrity and availability of the data entrusted to the provider.
• The right to check compliance with security requirements (which you should of course do too).
• Documenting the type of data and its ownership.
• The regions or zones of availability where the data is processed, stored and transmitted.
• Access to all protocols relating to an organisation’s data and services.
• How data is stored in a portable form, backups, information on migrating services and the potential decommissioning of services without losing data.
• A minimum one-month period for notifying the suspension of services from a provider.

Cyber risks in the supply chain are on the rise – get prepared!

There will be an increase in the remote operation of interconnected IT/OT systems. Both companies and manufacturers that supply digital components for factories have been working intensively for several years to interconnect the systems, and thereby operate them remotely. This is accompanied by a growing security risk. To make matters worse, the supply chain risk for digital components is constantly evolving and growing due to increasing globalisation and complexity, digitalisation and virtualisation.

All this makes my plea to you is even stronger – you must build resilience into the extended supply chain, deal proactively with cyber threats, ensure compliance and secure procurement. This is because, as I explained at the start, a successful attack within the supply chain – even if it is “only” on an indirect partner – is enough to put your company at risk too.

Do you need assistance with assessing and optimising your cyber security with respect to supply chains?

You can find an overview of our services on the topic of Cyber Supply Chain Risk Management. Or contact us! I and my colleagues will be happy to advise you on all aspects.