6 Signs Your Supply Chain Risk Just Shot Up
Risk levels are not steady states. Here are six indications that the danger posed by your supply chain is headed in the wrong direction.
August 26, 2020
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltb28b1640c5b58ec8/64f0d3dfb532f6219ad1f283/Image_1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Supply chains, many stretching around the globe and some made up of tens of thousands of links, are critical to modern business. Strong supply chains allow for the economical development of products ranging from stuffed toys to enterprise applications. Unfortunately, the same supply chains that make business possible can also make it a far riskier proposition.
Third-party risk, of which supply chain risk is one component, is increasingly understood as critical in gaining a complete picture of the threats an organization faces. But how can an organization decide when to take a harder look at the supply chain? What are the signs or events that indicate special concern should govern supply chain relationships?
Before we look for those answers, we have to acknowledge that "supply chain" is a phrase with more than one definition. It can refer to the components and services that are brought together to create an organization's products. It can also refer to the software components, apps, and cloud services that developers use as part of enterprise applications (or applications licensed to customers). And it can refer to critical services like electrical power, water, and other energy sources required for both basic administration and manufacturing processes. The companies providing any of these can be both critical partner and tremendous threat, through inadvertent or criminal cyber activity.
Dark Reading talked to a number of cybersecurity professionals looking for best practices governing these third-party relationships. Out of those conversations came a half-dozen signs and indicators that your supply chain risk factors have shot up -- and your attention is needed.
(Image: Natalya Lys VIA Adobe Stock)
It's never a good sign when a supplier is hit by an attack. When that attack is ransomware, the bad-sign quotient goes up dramatically because attackers are using the initial attacks to exfiltrate data and spread laterally -- and sometimes spread beyond the victim's walled garden.
"Threat actors targeting the supply chain want to steal intellectual property and disrupt operations," says Hank Schless, senior manager, security solutions at Lookout. "IP theft is principally executed by gaining access to the corporate infrastructure through mobile phishing and exfiltrating the data to a remote server outside your organization."
The exfiltration is increasingly tied to ransomware attacks as part of an effort to compel payment, even when the victim can recover the encrypted data without paying.
"With access to research data, orders, manufacturing plans, and delivery routes, a threat actor could find many ways to disrupt operational efficiency," Schless says. And if the data exfiltrated from a supplier includes critical information on your company and its business, those disruptions could be severe, indeed.
With each passing quarter, the world, in general, and the enterprise, in particular, have been on a path to conduct more business on mobile devices. High-profile incidents, such as the recent Twitter account takeover attack, show that attackers are moving to mobile, too. The combination makes understanding what your supply chain knows about mobile device security all the more critical.
"Mobile devices are used across the entire supply chain, from research to delivery, to increase efficiency and convenience for employees," Schless says. "Every time an employee walks into your facility or logs into your network, their mobile device has just as much access as any other endpoint."
He points out that incorporating a device health-check into mobile-device management (MDM) implementations is an important step for supply chain vendors that might be coming into your network perimeter. And even vendors that don't have direct access to your network should be able to demonstrate that they understand the state of their mobile devices.
"In order to prevent disruption and IP theft, you need visibility into every device that accesses the various steps of the supply chain," Schless says. "Wide use of smartphones and tablets both in facilities and in the field means that mobile devices are a key part of the infrastructure."
"If you have nothing to hide..." can be the beginning of a facile and overly simplistic statement about visibility. At the same time, if a supplier is unwilling or unable to provide transparency into their risks, it's a clear sign that your risk from that third party has risen by many degrees.
According to Alex Santos, CEO and co-founder of Fortress Information Security, the question for many in the supply chain is not only how transparent they're willing to be, but how transparent they're able to be.
"It's getting down to that level of detail, the bill of materials, the suppliers of the suppliers, if you will, that is underlying and important to the supply chain," he says. "That [understanding is] one of the next frontiers."
The issues are similar for both software and physical components that make up the supply chain, Santos says.
"Where is each piece of hardware constructed, and where do those components come from? Has the security of open source code been verified? Where was it developed? Was it a community based in China or around the globe?" he asks. "The same thing goes for the hardware. Was a hardware producer in China? Are there sufficient controls in place to make sure that that hardware is free of backdoors and other malicious constructs?"
Each organization, and each industry, will have different requirements for how far down the supply chain these questions must be answered. Direct suppliers, especially, must be willing and able to assist in the drive to transparency, or they'll become a primary indicator that supply chain corruption is possible.
2020 has seen unprecedented changes in operating processes and procedures for businesses around the globe. Those departures from the norm have left space for attackers to exploit; they've also shown that dramatic change by itself can be an indicator of vulnerabilities in the supply chain.
"Supply chain risks that affect business processes, information, and technical infrastructure will need to be managed," says Steve Durbin, managing director of the Information Security Forum (ISF).
Dramatic changes in operating processes, whether caused by external forces or internal shifts due to factors such as mergers or unplanned manufacturing outages, can introduce vulnerabilities from temporary relaxation of controls, inheriting new infrastructure vulnerabilities, or working in environments with a different risk profile, Durbin adds. And whenever these major operating procedures and processes change, organizations have to be nimble in order to minimize the threats introduced.
"Determining operating procedures that no longer meet contractual expectations and implementing alternatives that avoid an increase in risk, and agreeing new assurance activities and reporting, including audits, security assessments, and business continuity exercises, are critical steps for companies to take," Durbin says.
"Disasters can happen at any moment and in unpredictable patterns," says Fausto Oliveira, principal security architect at Acceptto. "In the initial months of the coronavirus crisis, the weakness of the supply chain was highlighted with multiple instances of companies being unable to maintain operations."
Major disasters and events, whether natural or man-made, can have a direct impact on the supply chain, in addition to distracting staff from their primary responsibilities, ISF's Durbin adds. The consequences of the global crisis will affect supply chains upstream -- e.g., loss of suppliers, disrupted supply, change of suppliers, and suppliers unable to operate at adequate levels -- and downstream -- e.g., loss of customers, drop in demand, and inability to meet customer demand, he says. Both factors will affect internal operations.
Dealing with these changes and the threats they bring requires a number of steps, Durbin says, including "... communicating regularly with key suppliers and customers to identify and address new and emerging risks, identifying new threat vectors as a result of new working arrangements and operating procedures, and reviewing potential exposure to current and new threats."
According to Oliveira, a useful resource already exists to help companies understand how to deal with disasters in their supply chain: "The CISA Supply Chain Risk Management Essentials is a very easy-to-read and follow brochure. I encourage security, procurement, and financial professionals to read it and ask themselves the question, 'Am I following the pattern described in this brochure?'"
If not, he says, it's time to begin a strategic initiative in supply chain risk management.
Most of the indicators of supply chain vulnerability are larger, systemic things, but some indicators are small events that could be swept aside as "glitches," Fortress Information Security's Santos says. "I've heard stories about meetings popping up on clients' computers from a vendor that doesn't exist. But it really was an indication of a cyberattack."
Other indicators include a sudden surge in spam from particular partner email domains or mentions of the supplier showing up in unusual places.
"This could be discovered in any number of ways. It could be discovered looking at open source intelligence. It could be discovered by a simple phone call from the vendor to the client. It could be discovered on the Dark Web," Santos says, pointing out additional ways companies might discover small-scale indicators of potential large-scale supply chain risks.
Individual employee homes are among the locations companies should now scan for potential supply chain vulnerabilities, ISF's Durbin adds.
"Few devices exist in isolation, and it is the Internet component of the IoT that reflects that dependency," he says. "For a home or commercial office to be truly 'smart,' multiple devices need to work in cooperation. For a factory to be 'smart,' multiple devices need to operate and function as an intelligent whole." However, all of this interconnectivity presents several security challenges, particularly in the overlap of consumer and operational/industrial technology, Durbin notes. For example, a voice assistant suddenly responding to an unspoken command or smart lightbulbs that present impromptu light shows are no longer just amusing incidents of technology gone wild -- they're indicators that a major supply chain could be in danger from the bottom up.