In its simplest form, a supply chain is the set of activities an organisation requires to deliver goods or services to the consumer. A supply chain can take the form of a product-based supply chain or a service-based one, where services come together to offer an overall customer service as opposed to a finished product. Practically every company has a place in a supply chain, and supply chains are evolving to be as much about the flow of information as they are about the flow of goods and services.
When companies think about security, they most often think of securing their networks, software, and digital assets against cyber attacks and data breaches. But the supply chain – whether a traditional manufacturer or service provider’s supply chain or the “data supply chain” relied on by most large companies – is also vulnerable to security risks, as has been seen in a litany of major data breaches via third parties.
Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation. Its goal is to identify, analyze and mitigate the risks inherent in working with other organizations as part of a supply chain. Supply chain security involves both physical security relating to products and cybersecurity for software and services.
Supply Chain cyber attacks
In the last week of 2020, news came in that Vietnam had been found to be the target of a sophisticated supply chain cyber attack. A group of hackers had managed to compromise many Vietnamese private companies and government departments by compromising the Vietnam Government Certification Agency (VGCA). This department is responsible for issuing the digital certificates used for electronically signing documents. While the malware that was inserted—a Trojan called PhantomNet—wasn’t very complex, it served as a foundation for other, more potent malware.
Before that, in the second week of December 2020, the technology world was rocked by the news of a “supply chain” cyber attack that had managed to infiltrate the networks and systems of multiple US government departments, tech majors like Microsoft and Cisco, and hundreds of big and small companies around the world working in sensitive areas. The implications of the hack and the amount of information the hackers managed to get are still being worked out.
Though neither US government officials nor the technology companies named anyone, the finger of suspicion pointed towards a Russian group of hackers called CozyBear, acting with state support. It was a highly sophisticated indirect attack. These are termed “supply chain” cyber attacks because instead of attacking a target directly, the hackers infect one of its suppliers to gain access. CozyBear exploited a vulnerability and inserted malicious code into a software update that the well-known Texas-based IT management company SolarWinds was preparing to roll out to clients.
In 2020, apart from the SolarWinds and VGCA attacks, three other supply chain hacking cases had been detected. In two cases, China was involved. One Chinese bank apparently forced foreign companies operating in the country to install a backdoor tax software toolkit. In the second case, Chinese hackers had managed to compromise the update mechanism of a chat app used by Mongolian government agencies. The fifth case of the year was a North Korean attack that delivered malware to South Korean users. Supply chain attacks are not new and have been around for several years.
Earlier, most hackers preferred to attack their target companies directly. However, as big companies beefed up their cyber security measures, such attacks could be quickly detected and countered. Unlike direct attacks, supply chain attacks are relatively difficult to guard against. The US government cyber defense system, for example, could not detect the CozyBear attack because it came in via a trusted source, SolarWinds, which it had no reason to suspect of malicious intent. The bigger danger now emerging, though, is one of motive. In the past, many big hacking exploits sought to make money, typically by inserting ransomware or stealing credit card and bank details or other data. Occasionally, hackers attacked companies because they felt these were evil and needed to be punished.
But increasingly, government-to-government or government-sponsored attacks on rivals are gaining currency. Instead of asking for money, hackers are slowly gathering critical information, compromising data and inserting more malicious and complex code that can one day be used to paralyse entire government departments or private companies and their clients, spreading chaos. This is the new digital warfare, which seeks to bring a country to its knees by attacking its key functions and biggest companies instead of attacking it through conventional means. Among the countries particularly known for using hacking attacks at the government level are Russia, China and North Korea, as well as a few East European countries.
Cyber threat to Defense Industrial Base (DIB)
In October 2020, the National Security Agency warned that Chinese government hackers were taking aim at U.S. computer networks involved in national defense, characterizing the threat posed by Beijing as a critical priority in need of urgent attention. The NSA urged the Defense Department’s cyber officials and those within the defense industrial base to take action to guard against Chinese intrusions. “These networks often undergo a full array of tactics and techniques used by Chinese state-sponsored cyber actors to exploit computer networks of interest that hold sensitive intellectual property, economic, political, and military information,” the Tuesday morning advisory warned. For a number of years, China’s theft of American military secrets has been a top national security issue. Concerns have continued to grow, and a recent internal audit concluded the problem was far more dire than officials had realized.
Cyber-enabled intellectual property theft from the Defense Industrial Base (DIB) and adversary penetration of DIB networks and systems pose an existential threat to U.S. national security. The DIB is “[t]he Department of Defense, government, and private sector worldwide industrial complex with capabilities to perform research and development and design, produce, and maintain military weapon systems, subsystems, components, or parts to meet military requirements.”
The report said China’s “capture” of foreign technologies and intellectual property included the “systematic theft of US weapons systems”, and argued that this had eroded the military balance between the US and China. Many manufacturers in the defence supply chain lacked the ability to defend against cyber attacks, it added. But the report also revealed that the US government was at something of a loss to dissuade domestic companies from relocating to China to take advantage of lower costs and from engaging in the technology transfer agreements that are required by Beijing but which the US says harm national security. “China has forced many American companies to offshore their R&D in exchange for access to the Chinese market,” it noted, highlighting one reason US companies are likely to be reluctant to reverse years of offshoring.
The threat is multifaceted. Intellectual property theft can enable adversaries to replicate cutting-edge U.S. defense technology without comparable investments in research and development. Adversary access to the DIB could inform the development of offset capabilities. It could even provide insights or access points that enable adversaries to thwart or manipulate the intended functioning of key weapons and systems designed and manufactured within the DIB.
It is a compelling example of a cross-domain challenge that lies at the intersection of cyberspace and conventional domains of warfare. This is because adversary behavior in cyberspace has broader ramifications, such as the potential to erode the United States’s conventional military advantage, undermine deterrence, and provide emerging nation-state competitors with an edge over the U.S. in military contingencies and conflicts.
VMware recently released its latest Global Incident Response Threat Report, wherein the company says more than 100 industry respondents polled reported experiencing “integrity and destructive attacks” 51% of the time, while two-thirds of respondents report these types of attacks 81% of the time.
According to VMware Head of Cybersecurity Strategy Tom Kellermann, an “unprecedented level of tension” between the US and Russia is “bubbling over into cyberspace” via more aggressive campaigns by threat actors such as NOBELIUM, the threat group linked to Russia and the one suspected behind the SolarWinds attack. But Kellermann said NOBELIUM’s other operations are potentially “100 times more significant than SolarWinds in that it’s attempting to commandeer technology infrastructure and the digital transformation of the US government through partners and then using those footprints to then attack the government itself.”
“The game has changed,” Kellermann told Breaking Defense in a recent interview. “The adversary now doesn’t just want to break into defense contractor x and steal national secrets. The adversary wants to break into defense contractor x and then use their digital transformation to attack government agencies.”
Supply Chain Security
Supply chain security is every company’s responsibility. The supply chain as a whole is only truly secure when all entities throughout the supply chain carry out effective, coordinated security measures to ensure the integrity of supply chain data, the safety of goods, and the security of the global economy.
DOD defines SCRM as “a systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities and threats throughout DOD’s ‘supply chain’ and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal)”. Supply Chain Risk Management (SCRM) is an important topic that all life cycle logistics professionals need to be cognizant of and actively engaged in.
Risk is a function of threat, vulnerability and consequence. Threat depends on adversary motivation, capability and access; vulnerability depends on how readily a component can be compromised; consequence measures how serious the impact on the system or mission would be.
In securing the supply chain, companies must recognise the need for a holistic and proactive approach to managing cyber risks.
There are steps companies can take to protect their supply chain data from cyber attacks and data breaches. Sonal Sinha, VP of Industry Solutions at MetricStream, a Governance, Risk and Compliance (GRC) company, stresses the importance of a risk-based approach to proactive monitoring and compliance processes for supply chain cybersecurity. Be proactive and understand your geopolitical environment; this will help you identify organizations that may be motivated to cause harm or seek access to your resources.
Companies should prioritize information security risk management based on two factors: the risks they have the most direct control over, and the risks that will have the greatest impact. Endpoint risks and user-centric risks (risks related to servers, laptops, mobile devices, etc., and the employees that use them) fall especially close to this juncture.
It might also mean establishing a contractual obligation with various members of a supply chain to limit risky behaviors. For example, if a shipment of hard drives is being delivered to a secure SAN facility, the driver should be on a set schedule with no deviations, should not attach unapproved devices to company equipment, and should keep a buffer between personal-use and business communication equipment. In other words, monitor the driver’s route, don’t let the driver plug a flash drive into company equipment, and don’t allow the driver to connect a personal cell phone to a company network.
Daniel Cohn, president and founder of Cohn Consulting Corporation in Atlanta, GA, states that “supply chains can be secured by addressing three key areas”: codified policies and legal agreements; defined, limited access with monitoring and auditing; and robust internal IT security technology and policies.
Bill Ho, a cybersecurity expert and CEO of Biscom, advises that to protect yourself from breaches and hacks you should consider the following: create and enforce a security policy and procedures document that partners will adhere to; restrict access and authorization to the absolute minimum required (i.e., the principle of least privilege); and actively monitor the actions of partners, or even better, review and perform the actions on behalf of your partner.
Cyber threat intelligence: Companies should consider adding vendor-identifiable information to any existing cyber threat intelligence activities to identify instances of emerging threats or active attacks. Threat actors may compromise a lesser-defended vendor network identified as having access to the principal enterprise network. Awareness of these activities would allow the parent company to initiate countermeasures before the threat actor has the opportunity to move laterally onto its network. Cybersecurity, much like life, requires collaboration.
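The paragraph above describes enriching threat intelligence with vendor-identifiable information so that a compromised supplier is noticed before the attacker pivots. The following is an added example written for this page, not code from any company named here: it matches the indicators in a threat report against an inventory of the domains and address ranges each vendor owns. The inventory, the feed and its `source` label are constructed (reserved `.example` names and TEST-NET ranges), and the `VENDOR_INVENTORY`, `THREAT_REPORT`, `match_indicators` and `vendors_to_review` names are assumptions of this example.

```python
import ipaddress

# Added example: match threat-intel indicators against a vendor asset inventory.
# Inventory and report are constructed; none of this is real infrastructure.

# Vendor name -> domains and IP ranges the vendor is known to operate
VENDOR_INVENTORY = {
    "Acme Logistics": {"domains": ["acme-logistics.example"], "cidrs": ["203.0.113.0/24"]},
    "Beta Payroll": {"domains": ["betapayroll.example"], "cidrs": ["198.51.100.0/25"]},
}

# A constructed threat report as a feed might deliver it
THREAT_REPORT = {
    "source": "constructed-feed-2021-01",
    "indicators": [
        {"type": "domain", "value": "vpn.acme-logistics.example", "context": "credential phishing lure"},
        {"type": "ipv4", "value": "203.0.113.77", "context": "C2 beaconing observed"},
        {"type": "ipv4", "value": "192.0.2.10", "context": "mass scanner"},
        {"type": "domain", "value": "unrelated.example", "context": "malware download site"},
    ],
}


def _domain_matches(indicator: str, vendor_domain: str) -> bool:
    """True if the indicator is the vendor domain or a host beneath it."""
    ind = indicator.lower().rstrip(".")
    return ind == vendor_domain or ind.endswith("." + vendor_domain)


def _ip_matches(indicator: str, cidrs) -> bool:
    """True if the indicator is an address inside one of the vendor's ranges."""
    try:
        ip = ipaddress.ip_address(indicator)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def match_indicators(report: dict, inventory: dict) -> list:
    """Return one hit per (indicator, vendor) pair where the indicator touches vendor assets."""
    hits = []
    for ind in report["indicators"]:
        for vendor, assets in inventory.items():
            matched = (
                ind["type"] == "domain"
                and any(_domain_matches(ind["value"], d) for d in assets["domains"])
            ) or (
                ind["type"] == "ipv4" and _ip_matches(ind["value"], assets["cidrs"])
            )
            if matched:
                hits.append({
                    "vendor": vendor,
                    "indicator": ind["value"],
                    "context": ind["context"],
                    "source": report["source"],
                })
    return hits


def vendors_to_review(hits) -> list:
    """Distinct vendors that appeared in the report, for the vendor-management queue."""
    return sorted({h["vendor"] for h in hits})


if __name__ == "__main__":
    found = match_indicators(THREAT_REPORT, VENDOR_INVENTORY)
    for h in found:
        print(f"{h['vendor']}: {h['indicator']} ({h['context']}, via {h['source']})")
    print("vendors to contact:", vendors_to_review(found))
```

Run over the constructed feed, the scanner address and the unrelated domain produce nothing, while both Acme indicators are surfaced, which is the moment to ask that vendor about its incident status rather than waiting for the first lateral-movement alert on your own network.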
Threat prevention is itself a constantly evolving industry, with a wide range of new security, protection and detection solutions. The challenge is to identify the set of products that can function well together across prevention, detection and response. Threat detection service providers assist in identifying better-fit solutions for the supply chain, making sure that best practices in cyber security are followed not only internally but across all supply chain ‘members’.
Detection and response solutions that enable the identification of ‘good’ vs. ‘bad’ traffic, anomaly detection, and predictive failure analyses allow the organization to potentially detect and more efficiently respond to cyber-attacks that signature-based solutions can miss.
Network Security: Supply chains are susceptible to cyber-attacks and data breaches because they sit at the edge of the organisation’s network. In order to better protect the network edge, companies should look to establish parallel networks which they can run supply chain applications over; this keeps their core network and data secure and separate from the operation, while still enabling their supply chain communication requirements. Assuming you may be a victim of a breach at some point, make sure you have redundant communications and other systems in place so there is no work interruption.
A recommended way of establishing this parallel, or air-gapped, network would be over 4G LTE, as it can be rolled out very quickly and cost-effectively; it also offers improved flexibility compared with a fixed-line alternative. By using enterprise-grade hardware with enhanced cloud software layers, a highly secure network can be established to protect supply chain data communicated over the parallel network, says Kelly Bell, head of marketing at Westbase Technology.
Implement a robust, centralized governance process for IT procurements. Limit the number of people who are authorized to purchase–or enter into contracts–for products and services that may connect to your networks. Ideally, this process should be linked to your organization’s cybersecurity team, allowing products and services to be vetted for potential risk and negative impact.
Conducting vendor risk assessments – An organization’s network and data are only as secure as the security measures in place at the third parties that access its environment. Therefore, it is important to enforce security fundamentals throughout the supply chain. Practice risk management on third-party vendors, partners and service providers.
To mitigate vendor-related risks, organizations should conduct a thorough, annual vendor risk assessment and perform the necessary due diligence on third-party relationships. Due diligence can help you identify what the vendor might require in terms of controls and monitoring, advises Christopher Roach, Managing Director and National IT Practice Leader at CBIZ.
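The page states risk as a function of threat, vulnerability and consequence, and the two paragraphs above call for an annual vendor risk assessment. The following added example, which is not code from the page or from any company named on it, turns that into a repeatable scoring of a supplier register: each vendor is scored on the three factors and ranked. The `Vendor` fields, the weights, the tier cut-offs and the three sample suppliers are constructed assumptions, not a scheme from any standard.

```python
from dataclasses import dataclass

# Added example: risk = f(threat, vulnerability, consequence) applied to a vendor
# register. Fields, weights, thresholds and sample vendors are all constructed.


@dataclass
class Vendor:
    name: str
    network_access: str        # "none", "vpn" or "direct" (assumed categories)
    data_sensitivity: str      # "public", "internal" or "regulated"
    soc2_report: bool          # current SOC 2 report on file
    last_assessment_days: int  # days since the last vendor risk assessment
    sector_targeted: bool      # vendor's sector appears in current threat reporting


def threat_score(v: Vendor) -> int:
    """Adversary motivation and access to us through this vendor: 1 (low) to 5 (high)."""
    score = 1
    if v.sector_targeted:
        score += 2
    score += {"none": 0, "vpn": 1, "direct": 2}[v.network_access]
    return min(score, 5)


def vulnerability_score(v: Vendor) -> int:
    """How readily the vendor itself is likely to be compromised: 1 to 5."""
    score = 1
    if not v.soc2_report:
        score += 2
    if v.last_assessment_days > 365:
        score += 2
    elif v.last_assessment_days > 180:
        score += 1
    return min(score, 5)


def consequence_score(v: Vendor) -> int:
    """Impact on our systems or mission if the vendor is compromised: 1 to 5."""
    return {"public": 1, "internal": 3, "regulated": 5}[v.data_sensitivity]


def risk_score(v: Vendor) -> int:
    # Multiplicative on purpose: a vendor with no path to us or nothing of value
    # cannot rank high however weak its own controls are. Range 1..125.
    return threat_score(v) * vulnerability_score(v) * consequence_score(v)


def risk_tier(score: int) -> str:
    # Assumed cut-offs; tune them to your own risk appetite.
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def rank_vendors(vendors) -> list:
    """Return (name, score, tier) tuples, highest risk first."""
    scored = [(v.name, risk_score(v), risk_tier(risk_score(v))) for v in vendors]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample supplier register
SAMPLE_VENDORS = [
    Vendor("HVAC Maintenance Co", "direct", "internal", False, 400, False),
    Vendor("Payroll SaaS", "vpn", "regulated", True, 90, True),
    Vendor("Print Shop", "none", "public", False, 30, False),
]

if __name__ == "__main__":
    for name, score, tier in rank_vendors(SAMPLE_VENDORS):
        print(f"{name:22s} {score:3d} {tier}")
```

The ranking makes the point the paragraphs argue: the HVAC contractor, which handles nothing regulated, outranks the payroll provider because it has direct network access, no assurance report and an assessment more than a year old, which is exactly the kind of lesser-defended vendor an attacker would choose as a way in.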
Look up and down your supply chain, and ask your business partners about their data security policies and practices. The vendors, partners, contractors and service providers that constitute the supply chain may have trusted access to critical infrastructure. When working with a supply chain vendor’s organization, assess the vendor’s cybersecurity risk for sharing data, interfacing networks/systems and establishing access to networks/systems.
Companies should consider defining reasonable levels of security and associated controls, and requiring sub-contractors, vendors and critical supply chain partners to meet or exceed those standards as terms and conditions of established business agreements. There are many other information security compliance standards that may apply to your suppliers depending on the industry and the specific area of focus. Some of these are PCI-DSS in retail, which ensures that at least a certain level of data security is being met; HIPAA in healthcare, which ensures protection of Protected Health Information such as medical records; and ITAR (International Traffic in Arms Regulations) in the military sector.
Defining regulatory compliance requirements – Are there regulatory requirements that need to be met and maintained by both parties? Be able to monitor compliance. Companies first and foremost must ensure that any supply chain vendors have security policies and procedures that are codified, validated and certified. Validation and certification can be verified through legal certifications like HIPAA Business Associate Agreements or accredited auditor reports like a PCI Audit.
Furthermore, the validity and reliability of security measures can be verified through in-house or third-party testing of systems and procedures. Contracts between companies and their relevant vendors should be drawn up to clearly outline the access and use guidelines so as to accurately allocate liability in the case of breach. These agreements should also require supply chains to notify vendors or partners of breaches in a timely manner so as to prevent further invasion or hacking of business data.
“…two main factors actively involved in supply chains, cloud technology and online security in general…” The technological aspect should be solved through complex and sophisticated encryption and multi-layer protection. Client-side encryption is highly preferable here, as with it the data is encrypted locally on the user’s machine and can then “travel” securely via email or to the cloud, for example.
Therefore, all stakeholders for those systems need to be involved in setting up the appropriate mechanisms for security, access, monitoring, auditing and management. It must also be recognised that establishing network access for vendors can’t be handled with a ‘set it and forget it’ approach: security mechanisms should be regularly and continually reviewed to determine areas of weakness and implement the necessary changes.
Defining data ownership/stewardship requirements – Who maintains ownership of data being shared and what is acceptable use of that data?
Requiring SSAE 16 SOC Reports – One of the most effective ways a service organization can communicate information about its controls is through a Service Organization Control (SOC) report. Service organizations should maintain SOC 2 Type 1 & Type 2 reports, based on applicable guiding principles (i.e., Security, Availability, Processing Integrity, Confidentiality, or Privacy).
Information and Communication – Written communication plans that address what information is distributed to whom are highly recommended. Third parties involved with your organization’s IT security should be considered part of this communication plan, and your organization should be part of theirs, as data breaches on their end could affect your data. Be careful when responding to communications and emails: verify that the communication is coming from the party identified. There is a trend now for hackers to identify themselves as company or vendor employees you normally communicate with. The hackers are betting you won’t check email origination too closely.
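The paragraph above ends with the advice to check where an email really originates. The following added example, written for this page rather than taken from it, shows what “checking origination” means in practice on the receiving side: reading the `Authentication-Results` header that your own mail gateway stamps on a message, confirming the DKIM signing domain is aligned with the visible `From:` domain, and flagging a `Reply-To:` that steers the conversation elsewhere. Both messages and every domain in them are constructed (reserved `.example` names); `assess_sender` and the alignment rule are this example’s own simplifications.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Added example: does a message really come from the vendor it claims?
# Both messages are constructed; all domains are reserved .example names.

# A message impersonating a known vendor contact, as a gateway might deliver it
SUSPICIOUS_MSG = b"""\
From: "Acme Billing" <billing@acme-logistics.example>
Reply-To: billing@acme-logistics-invoices.example
To: ap@corp.example
Subject: Updated bank details for invoice 4471
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example; dkim=pass header.d=mail-relay.example; dmarc=fail header.from=acme-logistics.example

Please update our remittance details before paying invoice 4471.
"""

# The genuine article from the same vendor
LEGIT_MSG = b"""\
From: "Acme Billing" <billing@acme-logistics.example>
To: ap@corp.example
Subject: Invoice 4471
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=acme-logistics.example; dkim=pass header.d=acme-logistics.example; dmarc=pass header.from=acme-logistics.example

Attached is invoice 4471.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def _aligned(d1: str, d2: str) -> bool:
    # Simplified DMARC-style relaxed alignment: equal, or one beneath the other.
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)


def assess_sender(raw: bytes) -> dict:
    """Return the From domain, a list of findings, and whether the origin checks out."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(str(msg["From"] or ""))
    auth = str(msg["Authentication-Results"] or "")
    findings = []

    # 1. Verdicts recorded by the receiving gateway. Only meaningful when that
    #    gateway strips any Authentication-Results header arriving from outside.
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({verdicts.get(mech, 'missing')})")

    # 2. A DKIM signature that passes but was made by an unrelated domain says
    #    nothing about the From: address the reader actually sees.
    m = re.search(r"header\.d=([\w.-]+)", auth)
    if m and not _aligned(m.group(1).lower(), from_dom):
        findings.append(f"dkim signing domain {m.group(1)} not aligned with From {from_dom}")

    # 3. A Reply-To in another domain redirects replies away from the contact you know.
    reply_to = msg["Reply-To"]
    if reply_to and _domain(str(reply_to)) != from_dom:
        findings.append(f"Reply-To domain {_domain(str(reply_to))} differs from From {from_dom}")

    return {"from_domain": from_dom, "findings": findings, "trusted": not findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("legit", LEGIT_MSG)):
        result = assess_sender(raw)
        print(label, "trusted" if result["trusted"] else "NOT trusted")
        for f in result["findings"]:
            print("  -", f)
```

Even when a mailbox cannot automate this, the same three questions are what an accounts-payable clerk should answer before acting on a change of bank details: did our gateway say the mail passed authentication, was it signed by the vendor’s own domain, and does replying go back to the address we already know.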
Limited Access: Additionally, security can be strengthened even further by establishing a system of limited network access for relevant vendors. Access should be restricted as much as possible, and checks and balances should be put in place to maintain this restriction. Any access by supply chain vendors or partners to networks and data should be monitored and audited to ensure the appropriate nature and extent of use, which means logging vendor access and reviewing the logs on a regular basis. As relationships with different businesses and partners will vary, there is no ‘one size fits all’ solution and levels of access will differ.
Employees should be able to access only those systems and data that they absolutely need to perform their jobs. So that all activity can be traced to a particular user, each employee should have a unique access ID and should be authenticated using a strong password or passphrase, biometrics, or a token device or smart card. Strong cryptography should be used to render all passwords unreadable during storage and transmission. Physical access to systems and consumer data should also be restricted to prevent employees and building visitors from accessing or removing devices, data, systems, or hardcopies.
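The two paragraphs above call for vendor access to be restricted, logged and reviewed, with every action traceable to a unique account. As an added example that is not from the page or any company on it, the code below reviews a batch of SSH login records against a per-vendor access policy (permitted hosts and a maintenance window) and flags anything outside it. The log lines, the policy, the account names and the `VENDOR_POLICY`, `parse_line` and `review_vendor_access` names are constructed for this example; the log format is the common OpenSSH “Accepted … for … from …” line with a timestamp and host prefix.

```python
import re
from datetime import datetime, time

# Added example: review vendor account logins against an access policy.
# Policy, hosts, accounts and log lines are all constructed.

# Vendor account -> hosts it may reach and its maintenance window (UTC)
VENDOR_POLICY = {
    "svc_hvac_vendor": {"hosts": {"bms-01"}, "window": (time(8, 0), time(18, 0))},
    "svc_payroll_vendor": {"hosts": {"hr-app-01", "hr-db-01"}, "window": (time(0, 0), time(23, 59, 59))},
}

# Constructed syslog-style OpenSSH records: "<ts> <host> sshd[pid]: Accepted <method> for <user> from <src>"
SAMPLE_LOG = """\
2021-01-12T09:14:03Z bms-01 sshd[2231]: Accepted publickey for svc_hvac_vendor from 203.0.113.20
2021-01-12T21:47:51Z bms-01 sshd[2290]: Accepted publickey for svc_hvac_vendor from 203.0.113.20
2021-01-12T21:49:10Z fileserver-02 sshd[7781]: Accepted password for svc_hvac_vendor from 203.0.113.20
2021-01-12T10:02:44Z hr-db-01 sshd[1190]: Accepted publickey for svc_payroll_vendor from 198.51.100.8
2021-01-12T10:05:01Z hr-db-01 sshd[1192]: Accepted password for jdoe from 10.0.5.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line: str):
    """Return the fields of one accepted-login record, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_vendor_access(log_text: str, policy: dict) -> list:
    """Return one finding per vendor login that breaks the vendor's policy."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["user"] not in policy:
            continue  # employees are reviewed by other controls; only vendor accounts here
        rules = policy[ev["user"]]
        reasons = []
        if ev["host"] not in rules["hosts"]:
            reasons.append("host not in vendor allow-list")
        login_time = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").time()
        lo, hi = rules["window"]
        if not (lo <= login_time <= hi):
            reasons.append("outside maintenance window")
        if ev["method"] != "publickey":
            reasons.append("non-key authentication")  # vendor accounts are expected to use keys
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"],
                             "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_vendor_access(SAMPLE_LOG, VENDOR_POLICY):
        print(f"{f['ts']} {f['user']}@{f['host']} from {f['src']}: {', '.join(f['reasons'])}")
```

The first HVAC login is clean; the two evening logins are what a weekly review should surface, and the second of them, a password login to a file server the vendor has no business on, is the pattern to escalate rather than file.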
Internal Security: In confirmed breaches, the time to compromise is days or less, as speed is one of the attacker’s strongest weapons. Preparing for cyber-attacks is a constant and evolving function. New vulnerabilities are generated daily, and a disciplined approach to managing them is needed – to remediate older known vulnerabilities and to mitigate vulnerabilities when an identified vulnerability cannot be resolved due to process constraints, patch unavailability, or defined incompatibilities.
Finally, businesses themselves must employ responsible, proactive and defensive IT strategies consistently. This includes standard IT solutions like antivirus, anti-spyware and firewall technologies, but it must go further than that. Advanced IT technologies including DNS filtering, network access control and exception alerting are incredible assets for secure and thorough protection.
Control activities – Internal controls are essential to the effective operation of all organizations. Control activities are the policies and procedures designed by management to protect the organization’s objectives and goals from internal or external risks. Some common and important cyber risk control activities are logical security, change management, mobile device and wireless access controls, backups, and monitoring of third-party providers and cloud services.
Logical security controls help make sure that one person does not have too much power or influence over your organization’s cybersecurity.
Change management controls can regulate updates and other modifications that go into production.
Mobile devices and wireless access need controls to protect them from unauthorized access. Install security software and encryption on all devices, including smartphones used by employees, and keep all of the software constantly updated. Avoid ransomware problems by backing up all data daily, keeping three copies in two different formats with one off site.
A social media policy should limit the information employees can put online that could be used for spear phishing. Create a social media section in your business handbook and outline what is and isn’t permitted, and what may be legal and illegal when handling secure documents or information. Let staff know there are stiff penalties for involvement in a data breach. Use anti-spear-phishing software and recurring training to help employees recognize spear phishing emails. Set computer use rules that include never clicking on links or downloading attachments until their legitimacy has been confirmed. Encrypt all data stored and communicated electronically. Use two-factor authentication for electronic payments and access to online banking.
Web filtering is also a necessary nuisance. If you examine the largest data breaches, phishing scams, and companies held hostage by ransomware of 2015, technology did not protect the vast majority of these companies. In each case, data was breached due to hackers/phishers successfully exploiting humans (i.e. employees). Utilizing standard web filtering technology to block the use of social media sites, or at least allowing viewing of social media but disallowing posting to these sites with policy-based application aware technology may seem like a slam dunk security solution, but will it hinder business? Providing safe access to dynamic content and personal information is a question that must be addressed internally. Making web filtering policies a collaborative effort between management and all employees can ensure that all needs and viewpoints are addressed.
Use Virtual Private Networks when using laptops and other portable devices outside the office. Put in place procedures for wire transfers that require sign-off by multiple staff before a payment can be made.
Human error: According to the 2015 Ponemon State of the Endpoint Report: User-Centric study, “negligent employees are seen as the greatest source of endpoint risk.” The number of employees accessing company data, from a myriad of devices and locations, is increasing.
“In our experience, human error usually creates the most vulnerability in any IT security scenario, through social engineering or through being unaware of the dangers. We recommend a two-prong approach to security: use strong security technology, and make sure employees are following company policy and procedure to reduce the risk of data breaches,” says Vadim Vladimirskiy, CEO of Nerdio, a cloud-based IT company outside Chicago.
Raise awareness of how data breaches can occur, and how every employee can both cause and prevent one. Specifically, ensure employee awareness of social engineering, password security, and email and web browser security. Don’t overlook the basics: make sure that anti-virus/malware programs are updated regularly. As threats evolve, it’s crucial that your system’s definitions are updated along with them.
A two-prong approach to security is recommended: use strong security technology, and make sure employees are following company policy and procedure to reduce the risk of data breaches. In the real world, that means requiring encryption both for data at rest and for data in transit. It can also mean requiring all members of the supply chain to encrypt the devices they use, from cell phones to laptops. That way, if any data is intercepted somewhere in the supply chain, it’s indecipherable.
Turn a negative into a positive. The Ponemon Institute reports that more organizations are trending towards viewing endpoints as tools to “detect and respond” to security events. Rather than viewing endpoints strictly as liability, view them as security sensors that can help you identify possible security events before they turn into breaches.
Maintaining incident response plans – It is always much harder to protect your business when an attack is in progress; it is always wiser to have a crisis plan in place, when there is more time for thoughtful preparation. Both parties need to have a plan to notify the other if their network, systems or data have been compromised or a compromise is suspected. Make sure your suppliers and vendors also have a crisis plan and prevention strategy in place. Whenever you are working with a third-party service provider, you also need to make sure your organization is knowledgeable and involved in the provider’s disaster recovery plan. Create crisis scenarios and how they will be handled and by whom.
Backup controls should also be in place to protect your data backups. Your organization needs to know what is backed up and where it is being stored, be it a data center, third-party provider or cloud provider. Backup controls to implement include real-time notification and resolution of backup failures, off-site back up and replication and periodic restores.
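The paragraph above lists backup controls, including notification of backup failures and periodic restores, and an earlier paragraph gives the three-copies, two-formats, one-off-site rule. As an added example that is not from the page or any company on it, the code below implements both checks against a constructed backup catalogue: a test restore is verified file by file against the manifest of digests recorded at backup time, and the set of copies is checked for count, media diversity, an off-site copy and staleness. The file contents, the manifest, the copy records, the 36-hour limit and the `verify_restore` and `check_3_2_1` names are all assumptions of this example.

```python
import hashlib
from datetime import datetime

# Added example: restore verification against a manifest plus a 3-2-1 copy check.
# Every file, digest and copy record here is constructed.

# What was backed up (constructed contents)
ORIGINAL_FILES = {
    "hr/payroll.csv": b"employee,amount\n1001,4200\n1002,3900\n",
    "finance/ledger.db": b"\x00SQLite format 3\x00constructed\n",
    "legal/contracts.tar": b"constructed archive bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Manifest written alongside the backup: path -> digest at backup time
MANIFEST = {path: sha256_hex(data) for path, data in ORIGINAL_FILES.items()}

# What a periodic test restore actually produced: one file silently altered, one missing
RESTORED_FILES = {
    "hr/payroll.csv": ORIGINAL_FILES["hr/payroll.csv"],
    "finance/ledger.db": b"\x00SQLite format 3\x00corrupted\n",
}

# Where the copies live (constructed): medium, off-site flag and completion time
BACKUP_COPIES = [
    {"location": "onsite-nas", "medium": "disk", "offsite": False, "completed": "2021-01-12T02:10:00"},
    {"location": "tape-vault", "medium": "tape", "offsite": True, "completed": "2021-01-10T03:00:00"},
    {"location": "cloud-bucket", "medium": "object-storage", "offsite": True, "completed": "2021-01-12T02:40:00"},
]


def verify_restore(manifest: dict, restored: dict) -> list:
    """Compare a test restore with the manifest; return one problem per bad or missing file."""
    problems = []
    for path, expected in sorted(manifest.items()):
        if path not in restored:
            problems.append(f"missing after restore: {path}")
        elif sha256_hex(restored[path]) != expected:
            problems.append(f"digest mismatch after restore: {path}")
    return problems


def check_3_2_1(copies: list, now: datetime, max_age_hours: int = 36) -> list:
    """Three copies, two media, one off-site, none older than the limit."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    if len({c["medium"] for c in copies}) < 2:
        problems.append("all copies on one medium (need 2)")
    if not any(c["offsite"] for c in copies):
        problems.append("no off-site copy")
    for c in copies:
        age_h = (now - datetime.fromisoformat(c["completed"])).total_seconds() / 3600
        if age_h > max_age_hours:
            problems.append(f"copy at {c['location']} is {age_h:.0f}h old (limit {max_age_hours}h)")
    return problems


if __name__ == "__main__":
    for p in verify_restore(MANIFEST, RESTORED_FILES):
        print("RESTORE:", p)
    for p in check_3_2_1(BACKUP_COPIES, datetime(2021, 1, 12, 8, 0, 0)):
        print("COPIES:", p)
```

A backup job that reports success is not the same as a backup that restores: here the job would have reported three copies, yet the restore drill shows one file corrupted and one absent, and the tape copy has quietly fallen two days behind. Those are the conditions the real-time notification the paragraph asks for should fire on.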
Finally, a robust information security/cyber liability insurance policy should be your last line of defense to protect your company in the event of a breach. A good policy will include the services of a breach coach who will work with you to coordinate the services of forensic IT professionals, PR, notification and credit monitoring services, and a legal defense team. Their experience will be invaluable in the event a breach is discovered.
Intelligent business continuity systems should be implemented to allow for an efficient and full recovery in the event of any kind of breach. Intelligent business continuity solutions include both local and cloud-based imaging back-up solutions and the ability to reinstate systems to a point prior to the breach so as to efficiently restore business functionality.
Implementing proactive, extensive and validated IT security solutions and establishing clear and limited access guidelines for supply chain vendors are a company’s greatest defense against cyber attack. Ensuring these defense mechanisms are in place and continually monitored is critical to the protection of both business and vendor data and continued productivity, advises Daniel Cohn.