8 Supply Chain Security Requirements
Complex supply chains have complex security requirements, but secure them you must. Here's where to start.
May 13, 2020
Look Both Ways
It's common to think of a supply chain as something that ends in an organization, but that can be a limiting and dangerous assumption. "When you're considering how to secure your supply chain, it's important to consider both upstream and downstream. We often think of the vendors that supply us as the target of supply chain security, but the vendors that we supply are also in scope," says Tim Erlin, vice president of product management and strategy at Tripwire.
When it comes to both sides of the supply chain, the first step is knowing which organizations make up the links. "A simple, practical step is to start making a list of all the organizations you deal with, either as suppliers, clients, or customers," Erlin says. "Ideally, you should be able to identify and categorize the data to which any of the organizations that you deal with have access."
Much has been made of API security, but most of the attention has gone to the APIs that companies or their suppliers operate. Equal attention must be paid to the APIs and services that customers require a company to use; doing so keeps the company a major step ahead in protecting the total supply chain.
Read (and Write) the Fine Print
When something happens at any link in the supply chain, the effects and responsibilities can ripple far up and down the chain. "If a third party suffers a data breach or attack, the contract between both parties should identify data breaches and the procedures initiated to support the event for both sides," says James McQuiggan, security awareness advocate at KnowBe4. The reason is simple: "Failure of this can result in a higher risk for an organization, or loss of revenue," he says.
While contracts and agreements tend to account for known threats and occurrences, they can also define processes and procedures that allow for a rapid, meaningful response to new threats. Some business segments have regulatory or legal definitions of responsibility that must be included in their contracts. For example, the US Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) framework with a mandatory flow-down clause into all future DoD contracts. DoD prime contractors and subcontractors must now either meet the CMMC maturity levels stated in all DoD contracts or be disqualified from competing, directly or as a team member, for defense business.
The ability to respond quickly -- and with confidence that the proper party is responsible for the response -- is especially important in critical industries. "Healthcare service providers, from covered entities to business associates, continue to be targeted to gain access to their systems through bioengineering, clinical systems, and electronic medical records systems," explains Jeff Roth, regional director at NCC Group. "This is a very challenging environment where rapid provisioning of data needed to patient care will readily overshadow how suppliers and vendors ensure the security over these delivered services."
Know What Flows
Securing data up and down the supply chain is rarely simple, but it becomes nearly impossible without knowing which data is being shared. And that knowledge can be more difficult to obtain when machines are talking to each other, leaving humans out of the process.
"IoT devices are often part of a wider implementation that is key to the overall functionality. Few devices exist in isolation, and it is the Internet component of the Internet of Things that reflects that dependency," says Steve Durbin, managing director of the Information Security Forum. He points out that the "intelligence" of a facility or process requires multiple devices working in cooperation, often with input from systems far beyond the walls of the building.
Modern automated processes may require the participation of IT, OT, and even consumer devices, each of which has been created with a different expectation of security. Understanding the data flowing between the systems is part of securing them. It sounds basic, but as Alex Guirakhoo, strategy and research analyst at Digital Shadows, says, "Keep track of the information you give access to each supplier and maintain an inventory of your critical assets."
Remember Process
It is easy, and perhaps natural, to focus security concerns on the technology and infrastructure of the supply chain, but it's important to remember that processes can have security implications, too. "Quite often risks have more to do with operational process, such as storing in an exposed database in the cloud, than they do with a flaw or vulnerability in code," Vectra's Morales says.
One of the difficult parts of securing a process is that it's unlikely there would be a CVE or public equivalent to mark the issue. The nature of process security challenges means that a personal contact with professionals at a partner organization may be the most effective way to discover and address issues, Morales says.
It's also important to have a realistic picture of the threat landscape presented by third parties, NCC Group's Roth says -- and their processes are part of that picture.
Use Audits Wisely
No matter how much trust an organization has in its supply chain, it's critical to have proof of the measures each link has taken to secure data as it is processed and moved. KnowBe4's McQuiggan explains the concept as it applies to software. "The organization needs to review and conduct annual checks of all third-party organizations that have remote access or provide any electronic product to the organization," he says. "The 'trust but verify' concept includes a review of the third party's cybersecurity policies regarding the secure development life cycle for the product and is an excellent start to help understand the vulnerabilities of the product before incorporating it into the organization."
Among other benefits, regular audits or assessments can point out issues with a partner's infrastructure before it is aware a problem exists. "The most dangerous thing in the attack on a supply chain is that attackers can remain unnoticed for a very long time, and the attacks themselves have a high chance of success," says Evgeny Gnedin, head of information security analytics at Positive Technologies.
Gnedin points to multiple examples of these successful supply chain attacks, ranging from the Rowhammer assault on ASUS computers to tactics used with NotPetya and Magecart campaigns. "Switching to attacks through the supply chain allowed criminals to significantly increase the number of victims," he explains.
Support the Small
In some regards, securing the large organizations in a supply chain is easy. While they may be cumbersome to deal with, large companies tend to have the resources to apply to securing their businesses, from creating responsible policies, to implementation, to auditing. Small companies frequently lack the expertise and resources to handle security in the same way. "Organizations need to more carefully communicate and, if required, support supply chain risk management processes for these small and midsize suppliers and vendors," NCC Group's Roth says.
Roth has some very specific suggestions for what that support can look like:
• A focus on the real-world risk and respective controls that are relevant to each of the specific critical vendors and suppliers. This enables the small vendors to stay on top of what risks they pose to an organization without breaking the bank or exceeding the capabilities that these small suppliers and vendors can sustain.
• Secure file exchange and other infrastructure that will enable service providers to reduce the attack surfaces.
• Focused cybersecurity education for high- and moderate-risk smaller suppliers.
• Regular monitoring and constructive performance feedback (with follow-up) to further assist critical small suppliers/vendors in corrective actions and maintenance of regulatory, contractual, and cybersecurity control requirements.
Provide Buckets for Senior Management
Securing the supply chain requires commitment from the executive board because an investment is required. Making the argument simple, according to NCC Group's Roth, starts with putting the risk into buckets:
• Business risk
• Operational risk
• Market risk
• Personnel risk
• Regulatory/contractual risk
The risks a supply chain poses to an organization can be strategic as well as tactical. "Many organizations face the challenge of ensuring their suppliers are not exposing their systems or data," Digital Shadows's Guirakhoo says. "This can be even more difficult when organizations rely on large numbers of third parties, significantly increasing their potential attack surface."
The risks posed can be an issue for strategic relationships and partnerships, adding reasons for senior management to be made aware of the issues and brought into the decision-making process for response and remediation.
Keep an Eye on the Cloud
Few parts of enterprise computing haven't been touched by a cloud, and supply chain data security is no exception. "So much of our critical data is now held in the cloud, opening an opportunity for cybercriminals and nation-states to sabotage the cloud, aiming to disrupt economies and take down critical infrastructure through physical attacks and operating vulnerabilities across the supply chain," Information Security Forum's Durbin says.
The cloud problem is exacerbated because software and services tend to be built from existing software, services, and modules, making the stack of "dependencies," or nested code products, 10, 20, or more layers deep. "Much of the cloud infrastructure and SaaS applications consist of assembled components and frequently include open source products," says Sachin Aggarwal, co-founder and CEO of Accurics. "For example, Amazon Web Services uses Linux, Java, Kubernetes, Xen, and KVM as components in their cloud. These provide cost benefits but can introduce security risks, which organizations need to mitigate."
This cloudy risk doesn't end with software and services, Aggarwal points out. "There are unique risks introduced when cloud SaaS applications use third-party APIs as components," he says. "Modern cloud applications integrate with several third-party APIs for purposes such as notification, monitoring, data aggregation, and security analytics."
Determining and auditing the security of each component in the software supply chain, along with all the physical and service supply chain components that exist outside of the cloud, can be daunting, but it's the minimum requirement for keeping an organization's supply chain secure in 2020.
It seems impossible to overstate the importance of the supply chain, especially in times like these. Millions of consumers, too, learned distressing lessons when stories of crops rotting in fields and images of empty grocery shelves collided.
One glaring realization: Many supply chains are not just complex, they're brittle – hardened against certain risks, but vulnerable to shocks from other sources. That statement is true for the physical components of a supply chain as well as the supply chain data that IT security professionals are charged with protecting.
Dark Reading turned to a number of security professionals about what it takes to secure a supply chain. Their answers ran the gamut from the obvious to the subtle, the strategic to the operational. But all recognized one critical fact: "Supply chain risks are complex," says Chris Morales, head of security analytics at Vectra. And managing those risks is no simpler.
The points we present here are intended to help you protect your supply chain from multiple risks – not just the most obvious. And they tend to look at data that flows through an organization's supply chain from many directions, not simply upstream.
How has your supply chain fared in 2020? Have your plans for supply chain resilience panned out, or have there been lessons learned from a shock to the system? Leave a comment, below, to share your lessons or triumphs from these extraordinary times.