As organisations have increased their own cyber security over the past five to 10 years, there has been an increase in indirect attacks via the supply chain. At the same time, there has also been an increase in ransomware, and the emergence of targeted ransomware linked with data theft and extortion.
This is, to some extent, because small to medium-sized enterprises (SMEs) in the supply chain are seen as an easier way into the enterprise than a direct attack. However, sophisticated supply chain attacks through larger companies have also been seen.
The increase in ransomware is a real threat, particularly where there is a single-source supplier. Ransomware has become more sophisticated, sometimes infecting backups as well as operational technology (OT), so companies may be unable to produce and deliver their products for three months or more after an attack.
It is essential, therefore, that we can have confidence in the security of the companies in our supply chains to detect and respond to an attack and recover quickly afterwards.
As we move more to digital contracts and integration with suppliers, so the opportunity to mount an attack through the supply chain grows, first by compromising the supplier and then by entering the customer’s organisation through a purchasing portal or other shared service. We also need to be aware of compromised hardware or software that may be intended for our own internal systems, or integration into products or solutions for our own customers.
An example from some years ago was an attack on a company that created a website development tool used by several other companies to develop websites for their customers. As a result, the attack on the tool developer impacted many website developers and placed backdoors in even more of their customers’ websites.
The risk from the supply chain will vary from organisation to organisation and supplier to supplier, so the first step is a risk assessment of the supply chain and the impact that may have. There are three main areas to consider: intrusion from a supplier or service provider into your systems; an attack placing malware in a supplier’s product; or a ransomware attack on a single-source supplier making that product unavailable. This means ensuring suppliers are protecting themselves and that your systems are protected from your suppliers.
When ensuring that suppliers are properly addressing their own cyber security, it is important not to be prescriptive or provide advice about the measures they should take, because if they follow your advice and, subsequently, you suffer a supply chain attack through that supplier, they could not be held responsible.
The approach, therefore, should be to require that their systems are certified to standards such as ISO 27001 or Cyber Essentials Plus. Suppliers should also be regularly audited and, ideally, they should carry out regular security testing of their systems. There is a lot of good guidance available on this, in particular from the National Cyber Security Centre (NCSC).
Suppliers may also have access to their customers’ systems. This may be limited to technical requirements through purchasing systems and direct submission of bids, or they may be providing maintenance services for production equipment, or security monitoring services. In any case, they will have access to equipment operating within their customers’ IT and/or OT systems. Here, the important considerations are to:
In the case of hardware and software that is to be used in your own IT systems, or integrated into the products and services you provide, some additional requirements need to be considered for suppliers, and possibly for testing of products received from them. The main areas are around the security of the development and final software build environment.
The first step is the use of a software code configuration tool, configured to limit who can check-in code and create builds. However, the most vulnerable point in the process is the build of the final application, because malicious changes here cannot easily be detected.
A separate build environment with limited access to build personnel, and ideally isolated from direct internet access, should therefore be used. All code should be signed during the build process and the signatures checked on execution. While this must be the case with Windows, it is not always the case with embedded and some other applications. All software updates and patches should also be signed to prevent substitution in transit.
When integrating software, or software updates received from a supplier, into a system, it would typically be verified on a systems testbed before being loaded onto the operational system. On particularly critical systems, one could consider the use of different signatures for untested software and the final operational software, effectively reapplying the signature using a different “quality assurance” signing certificate after system test. This would ensure that untested software could not be used on the operational system.
All in all, this is not a simple process, particularly for large organisations with deep and broad supply chains, but it is a risk that needs addressing. Measures need to be systematic and assessed so as to minimise the complexity and cost to the business. Nor will it always be technical. Mitigating a ransomware attack on a single-source supplier may be done by holding several months’ stock of their product, or diversifying the supply chain to include a second source. It is, however, something that all organisations must consider and take control of.
A bipartisan cryptocurrency regulation bill gives the digital assets market much-needed definitions that will enable a regulatory...
The role of the CIO in 2022 is being shaped by a constellation of new technologies and the business's burning need to use them ...
Discover how a focus on three areas -- cybersecurity, employee experience and proactive management -- can help CIOs plan for and ...
Although it poses an ongoing risk to enterprise security as a post-exploitation tool, authorities strongly advise against ...
The origin of APT ToddyCat is unknown. However, Kaspersky said the actor carries similarities with a number of Chinese-speaking ...
Security and IT teams face challenges in managing and securing a growing number of endpoints, which is driving organizations to ...
Traditional network operations teams are struggling with several aspects of network management. Experts weigh in on why, and what...
IT professionals were excited to see cloud-based Meraki management for Catalyst switches but were less enthusiastic over the new ...
VMware SASE Platform provides many strong networking and security capabilities, but it comes in an offering that feels like many ...
Lenovo is more than just a PC company. In its recent analyst summit, the company revealed its goals with AI, edge, cloud services...
VMware users are taking a wait-and-see stance on the Broadcom acquisition, keeping their fingers crossed that Broadcom remains ...
Quantinuum has added parallel processing capabilities to its H1-1 quantum system making it more suitable for solving complex ...
The open source LakeFS technology gets a fully managed cloud service to help organization better iterate and version cloud data ...
The master data management vendor adds new capabilities to its cloud service to enable organizations to more easily integrate ...
Startup emerges to launch a new developer-focused cloud database as a service based on open source PostgreSQL, with capabilities ...
All Rights Reserved, Copyright 2000 - 2022, TechTarget Privacy Policy Cookie Preferences Do Not Sell My Personal Info