Modern supply chains are a complex and fragile web of interconnected processes ferrying goods and services around the world. It’s no exaggeration to say they fuel our economy and underpin our very way of life, ensuring we have food, power, effective healthcare and money in the bank. But there’s a problem: cyber-criminals and state-sponsored hackers have discovered that the supply chain is full of weaknesses ripe for exploitation. While your organisation might have a strong security posture, can you say the same about your many contractors and partners?
That’s why the National Cyber Security Centre (NCSC) recently highlighted supply chain compromises as one of the biggest threats facing UK organisations. So if, as it warned, “attackers will target the most vulnerable part of a supply chain to reach their intended victim,” how do you mitigate risk? The answer comes down to ensuring employees are trained and empowered throughout the supply chain.
A digital world
As our world becomes increasingly digitised, it is exposed to ever greater risk from those able to remotely probe and attack at will under the anonymising cover of the Internet. Cyber-attacks on UK business reached record levels in 2017, according to the NCSC, with global cybercrime generating an estimated $1.5tr in illicit profits. In manufacturing, where supply chains play a vital role, nearly half of UK firms have experienced a serious cyber-attack, according to the latest figures.
Supply chain attacks can take many forms. It could be a phishing attack on a partner organisation’s employees designed to harvest credentials that are valid on your own systems. That is how US retailer Target and the US Office of Personnel Management (OPM) were breached, two of the most damaging data breaches of recent years, in both cases through a third-party contractor’s access. Or it could involve seeding malware into legitimate software, which is how the infamous NotPetya campaign began: the update mechanism of popular Ukrainian accounting software M.E.Doc was compromised and used to push the malware, which was disguised as ransomware but was in practice a destructive wiper. Ironically, that attack then had an unplanned further impact on global supply chains as it spread around the world and disrupted key IT systems at global shipping and logistics companies such as Maersk and TNT. It highlighted just how precarious our supply chain dependencies can be.
The latest intelligence from the NCSC and US agencies reports that Russian state-sponsored actors are still focusing their efforts on parts of the supply chain. According to the most recent joint alert, this is being done by compromising network infrastructure devices (routers, switches and firewalls) worldwide in order to intercept traffic, steal intellectual property and maintain persistent access inside critical infrastructure targets.
Millions of problems
The impact of supply chain attacks of course varies from sector to sector. As in the cases above, it could result in damaging intellectual property (IP) loss, escalating national security risks and geopolitical tension. In the commercial world it can lead to lost competitive advantage and serious financial and reputational liabilities. The estimated average cost of a data breach today stands at $3.6m, but some attacks can incur far higher sums – especially for organisations that deliver tangible products and services.
Equifax is thought to have haemorrhaged around $439m as a result of its breach last year, while Maersk and TNT both publicly reported material losses of around $300m each related to NotPetya. Despite these large reported figures, internal losses from incident response and recovery work are likely to have continued long after the initial reports. Such figures also omit the cascading effects on others hit by downstream disruption and loss of service when these companies could not serve their customers and partners.
The NCSC sums up neatly the problem with supply chain attacks:
“When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect. Network monitoring can detect unusual or suspicious behaviour, but it is still difficult to ascertain whether a security flaw has been deliberately introduced (possibly as a backdoor) or results from a careless error on the part of developers or manufacturers — or indeed to prove that any potential access has been exploited.”
So, what’s to be done?
Technology and security frameworks have an important part to play, both in providing the means to spot and block attacks and in helping organisations establish a common language of risk across supply chains. The ISO/IEC 27000 series of standards is a good place to start and build upon for foundational information security practices. Other industry-driven and internationally recognised standards can be similarly helpful, such as IEC 62443 and the NIST SP 800-82 guideline, both of which focus on industrial control systems. The more broadly scoped NIST Cybersecurity Framework (CSF) sets out a voluntary, risk-based approach to help companies assess and mitigate security risks to their converged IT and cyber-physical OT systems.
However, safeguarding our fragile supply chains will never be achieved by these means alone. Even as the new era of the Internet of Things ushers in an automated, machine-to-machine world, people remain the key to securing critical operations and processes within supply chains.
For one thing, the smartest security tools in the world are of little use if your employees, or those of your supply chain partners, are still falling victim to phishing attacks. The latest Data Breach Investigations Report from Verizon found that phishing and pretexting featured in a staggering 93% of the breaches involving social engineering last year. It also found that internal actors, predominantly careless rather than malicious employees, were involved in 28% of breaches.
With awareness, education and training, employees can have a dramatically positive effect on your security posture and on that of your supply chain partners. Reach out across your networks and agree to put in place complementary training programmes that bolster every link in the chain. People may currently be seen as a major security risk, but with the right approach they become a strong first line of defence: helping to build and test response plans, spotting threats before they become major incidents, and accelerating recovery if an attack does slip through.
Trained employees are empowered employees. With security-educated people capable of making the right decisions when called upon, you can protect your organisation and those up- and downstream in a virtual chain of security and strength. That is a return on investment few tools in isolation can achieve.
Sourced by Doug Wylie, Director Industrials and Infrastructure Practice, SANS Institute.