When it comes to supply chain cyber risk, size matters – but not always in the way we might think.
Across the world, the focus on supply chain cyber security is increasing. At the end of January 2023, US President Biden launched a new office of the Cybersecurity and Infrastructure Security Agency (CISA) to help government and industry partners manage supply chain risks.
Some federal agencies are still facing challenges with the basics of C-SCRM (cyber supply chain risk management), the office’s new head Shon Lyublanovits warned.
“We want to make sure that we’re collectively looking at all of this because again, it isn’t a government problem. It isn’t an industry problem. It is a nation problem,” she said.
It is a similar story elsewhere. In February, for instance, the UK’s National Cyber Security Centre issued new guidance for procurement specialists, risk managers and cyber security professionals on mapping supply chain dependencies. It’s also been a recent focus of the World Economic Forum.
A number of drivers are pushing it up the agenda. In the short term, as the WEF points out, geopolitical instability, in particular Russia’s war with Ukraine, has increased the risk. Indeed, the invasion was immediately preceded by an attack on satellite communications provider Viasat, hitting not just the Ukrainian army but tens of thousands across Europe.
But longer-term factors also contribute. An amplification factor due to widespread reliance on particular technology platforms, for instance, enables single attacks to have widespread impacts. The attack on the SolarWinds IT management platform – again blamed on Russia’s Foreign Intelligence Service – was a good example. A malicious modification allowed attackers to send commands to affected installations, leaving thousands of businesses and government agencies vulnerable worldwide.
Closely related to this has been a growing reliance on outsourcing and a rise in managed service provision and software as a service (SaaS) – accelerated by the pandemic. With businesses increasingly reliant on third parties for IT services, security has, to an extent, been taken out of their direct control. Even where services are not outsourced, increased connectivity, whether for IoT devices used in operational technology, APIs to streamline processes, or simply accommodations for remote working, has expanded the scope for vulnerabilities.
Supply chains: Cyber’s soft underbelly
These trends have not always weakened security. With the increased uptake of SaaS tools, for instance, small and medium-sized businesses with limited internal resources may improve their security. Cloud-based software like Zoom or Microsoft Teams will likely have better security than any video conferencing solution they host. Nevertheless, the increased connectivity between organisations does pose particular challenges for businesses – both large and small.
The danger, in most cases, is that attackers will use the weaker as a conduit to the stronger. Examples abound, but the data breach at a large US retailer in 2013 remains an archetype. Attackers stole user credentials from their third-party heating, ventilation, and air conditioning supplier and used these to breach the retailer’s corporate network. Installing malware on its point-of-sale devices, they were able to access 70 million customer records.
From the perspective of the larger business, its suppliers can therefore introduce vulnerabilities over which it has little visibility or control. Undermining its investments in security, they present attackers with an easier way in. It is not simply that the smaller, less-well-resourced partner may be more easily breached. They are less likely to have security event management or security operations centres with sophisticated monitoring, so a breach will likely remain undetected for longer.
But there are challenges for the suppliers, too. The partnership with the larger organisation heightens its own risk profile – making it a more attractive target for bad actors and increasing the potential impact of a successful attack.
Crucially, increasing awareness of the risks means that demands for assurances regarding cybersecurity from suppliers are growing increasingly common – and will continue to do so.
First things first
In some cases, that is driven by regulation.
Indirectly, the last decade has seen data privacy rules tightened worldwide, and fines and penalties beefed up. This has made businesses more aware of the risks of breaches generally and more demanding of those they give access to sensitive data.
More directly, attacks on critical infrastructure, from Iranian attacks on New York’s dam to China-backed attacks on Covid vaccine developer Moderna, have led governments to strengthen requirements on such businesses. Following a series of attacks on its infrastructure in 2021 and 2022, Australia amended its Security of Critical Infrastructure (SOCI) Act to require companies to map their entire supply chains – both direct suppliers and indirect. The UK, likewise, announced last year that it would bring outsourced IT service providers within the scope of its Network and Information Systems Regulations.
To protect businesses and the public better, there may be a case for governments to extend such requirements further. With high dependencies on online services and connectivity, what is considered critical for individuals and organisations may vary from regulations’ current scope.
Regardless, there is a strong case for all businesses to follow some of the regulations’ approaches. Mapping connections with suppliers and others is an obvious starting point, helping define the organisation’s “cyber footprint.” Without visibility of this, it is impossible to defend. With it, organisations can begin implementing a robust third-party risk management framework: defining the controls required for dealing with third parties, identifying critical suppliers based on their data and access, and establishing incident management plans.
This process is well advanced in some cases, particularly in heavily regulated industries such as infrastructure, finance and pharma. In many others, it is not.
Crucially, there is no simple solution or short cut to identifying the frameworks, processes and due diligence required for managing the company’s risk and that of its suppliers. While developing technology such as artificial intelligence is helping organisations mitigate and detect attacks, attackers are also employing it to mount increasingly sophisticated attacks. In any case, many would do well to focus on the basics, such as ensuring firewalls and patches are up to date, which are too often neglected. After all, there is little point in the world’s best burglar alarm when the front door is left wide open.