Do you know what cyber-nasties are lurking in your supply chain?
What do we really know about the businesses and partners in our supply chains? Looking at the Economist Intelligence Unit’s Cyber Incident Response Survey, I would say, very little. Only 17% of executives felt fully prepared for a cybersecurity incident, and a third admitted that they had been alerted to cybersecurity incidents in their own businesses by supply chain partners or customers. It would appear that business resilience is being impeded by faulty logic, a lack of due diligence and a failure to fully grasp the scope and importance of information assets in our business eco-systems. These are all issues that are causing vulnerabilities in every organisational supply chain and can mean a threat not only to our businesses but also to Critical National Infrastructure (CNI). What many security professionals have been discussing for a long time is now regularly laid bare in research and surveys into our cyber resilience and posture. But is it all bad news, and is there any light at the end of the tunnel to give us hope that the frequently predicted cybergeddon may well be avoidable?
One of the first and most important misconceptions that needs to be addressed around supply chain cyber resilience is that “it is an IT problem”. It isn’t. The Target mega breach was caused by access via an air-conditioning contractor/supplier. If you have a networked system then it is vulnerable, and if it is accessible by contractors, suppliers or partners then it is even more vulnerable, and so are they. You see, the vulnerability may travel up- or downstream in the supply chain. There is a common misconception that the systems we need to protect are our corporate networks, and, yes, of course we do. These networks have had the benefit of many years of risk treatment, and their management is in most cases one of the most evolved or mature aspects of many organisational Information Security strategies: IT Security. However, many other systems now also sit in a networked environment, and because they are managed outside of IT and/or the IT security team, or indeed outside any form of Information Asset Management, they are not benefitting from the years of experience in securing, regularly upgrading, patching and protecting that the corporate networks continue to enjoy. These represent a tempting soft underbelly for would-be attackers, and from here we can move on to the next misconception.
Many businesses mistakenly think they are not big enough to be a viable target for attackers. It may be that because they are small, or possibly not in a technology industry (or some of the other traditionally targeted industries), they feel attackers would not be interested in them. According to the research paper from The Economist, attacks are increasingly wide-ranging in terms of the targeted industry: for instance, marketing and media are now considered to be a ‘softer’ or more easily infiltrated target than risk-mature industries such as oil and gas. Of course, if members of our supply chain do not consider themselves to be at risk, then their security posture may, in fact, be risky.
Add in one other area of potential vulnerability from the world of outsourcing, and our understanding of threat and risk from our business ecosystem should widen dramatically. Are you aware of which elements of your supply chain have been outsourced? Could you effectively audit any part of your business partner environment, know where all the component elements sit, and confirm that you did the appropriate due diligence on them? In truth, there may well be portions of your supply chain, delivered through outsourced services about which you have no idea, that could directly impact you. If the supply chain partner that outsourced that element doesn’t see themselves as a target, then they are unlikely to consider whoever they have outsourced that element to as one either.
So straightaway there are two touch points for your data, either corporate or operational, that could offer an inroad for an attacker or a portal for a piece of malware to pass through, potentially without challenge. In the report from The Economist Intelligence Unit, 45% of respondents were not confident their supply chain partners would notify them immediately of a breach that could impact them. So a security breach could occur in the supply chain, be unnoticed and move to another partner without anyone flagging it. This is where it gets the chance to spread and proliferate across the connected organisations, potentially moving through to our CNI and attacking power plants, communication systems or other key elements of our infrastructure.
Attacks on a wide range of networks and systems, including non-corporate networks, are happening every day, and whilst we may not always know the path the infection or attackers have taken, there are some global examples that show why we need to be vigilant and understand the part we can play in protecting our infrastructure: South Korea has experienced attacks on nuclear power plants through operational systems; in Germany there was an as-yet-unsourced attack on a steel mill that meant it couldn’t shut down blast furnaces; Israel had an attack on a camera system operating on a large-scale arterial traffic route which disabled an entire city for days. The ripple effect of an attack on a small supplier means that a well-planned attack only needs to be lucky once, unlike each partner in the supply chain, which needs to be lucky all the time.
The perception of security professionals as “people who basically just say no” is an issue. Many organisations have not yet grasped a risk-based approach to their security; they are not yet seeing it as an enabler for secure business growth or understanding the commercial advantages of a comprehensive security strategy; they operate in an entirely risk-averse manner. This actually creates more risk, as people find ways around policy or safeguards to try and complete projects under the radar. If the security professionals don’t know about a project, they cannot mitigate its risk, gain agreement that the residual risk sits within a predetermined risk tolerance and appetite, or ensure that someone therefore takes accountability for it.
This is why taking a risk-based approach to our supply chain and business ecosystem is vital. It will be different for each business or organisation, of course, but the blinkers really need to come off. All systems need to be considered and protected; this is within an organisation’s control, as they are, after all, their systems. So whether this is a stock control system, a logistics management system or even an environmental control system like air conditioning, it should be purchased, installed and maintained with security in mind. Even security systems like CCTV are not built securely; the responsibility for running them securely lies entirely with the end user, and if the end user does not firewall them or protect them with regular software updates and anti-malware, then they could easily be breached if they are sitting on a network. Let’s face it, the days of cameras just connected through a coaxial cable are long gone. If they sit outside the regimen of regular maintenance and updates done by IT security teams, then they may well be vulnerable. So this is a good place to start, and you may find that your own business is a threat to those downstream of you without you even realising it.
Resilience in our supply chain has so many considerations, from security to business continuity all the way up to threats to our Critical National Infrastructure. Understanding what our information assets are and what information assets we handle, regardless of their origin, is vital if we are going to truly do interconnected business securely. Finding the vulnerable points in your own organisational ecosystem is a challenge, and it will be a constant, moving challenge: threats never sit still, and attackers tend to be fleet of foot when it comes to finding and exploiting vulnerabilities in all kinds of networks and systems, often non-corporate ones, as we have seen with Target. We have to get our arms round this collectively, because we have never been more reliant on our supply chain partners for our organisational security.
About the Author
Mike Gillespie is Managing Director of Advent IM Ltd, and an information security practitioner and CLAS consultant of many years’ standing. He is well versed in the threat to organisational information assets. An active member of the Security Institute since 2008, Mike was voted onto the Board of Directors in 2013 and given special responsibility for Cyber Research and Strategy. Additionally he is part of the Institute’s mentoring scheme and a member of the CSCSS Global Cyber Security Select Committee. As a subject matter expert Mike is called upon regularly to speak at events and contribute editorial, most recently for the BBC and The Sunday Times as well as regular industry media.