We’re all tired of shortages. Things we took for granted are now hard to find or cost a lot more. Maybe you opened a new online account to locate that thing you need. Ah, the feeling of relief when it finally arrived. But what if that’s when your real troubles began?
Let’s rewind. When you opened that new account, you added a new vendor to your personal supply chain. You handed over personal data, and maybe financial information too. Now ask yourself: How well do they secure it? Protect your privacy? How confident are you that the product you just received is genuine and safe? The way suppliers conduct business, as well as they products they sell, could put you and your family at risk.
In the business world, digital supply chains present very real risks too, even with well-established, trusted partners.
Should you trust a trusted supplier?
Most organizations have a long list of suppliers and partners, sharing volumes of information electronically. The internet transports that data through software update systems, shared cloud apps, SD-WAN links, or even legacy VPNs. It relies on a foundation of trust, but that trust can be exploited.
Here’s an example: Let’s say your company builds military aircraft under a defense contract. You rely on dozens of suppliers for the millions of components that go into it. For instance, you’ve subcontracted with a trusted vendor to build the fuselage and wings. They have a long, established history of design and manufacturing excellence.
Naturally they need information from you about the aircraft to complete their work, things like physical dimensions and tech specs. They’ll also generate new aircraft data themselves during their development work. Throughout this partnership, some of the data is in your systems, some is in theirs, and it’s all linked together.
One day, a major cyberattack breaches your supplier. Hackers swipe sensitive data from their systems, but they didn’t stop there. Then they exploited your trusted network connection and walked inside your organization too. With an “island hopping” attack strategy like this, hackers didn’t have to attack you directly.
That’s what’s so sneaky about cyber supply chain risks. How your suppliers operate and secure their systems can have very real impacts on you.
Analyzing your cyber supply chain
There are many ways to exploit a supply chain. We’ve seen how a ransomware attack halted a major east-coast oil pipeline, affecting airlines and drivers alike. Supply Chain Risk Management (SCRM) is a broad discipline for awareness and action, and Cybersecurity SCRM (C-SCRM) is a subset focused on cyber risks associated with information, communications, and operations technology.
C-SCRM covers a wide range of threats: Malicious code insertion, ransomware, backdoors, counterfeits, tampering, poor development practices, and a whole lot more. And risk exists at every stage, from software development to system updates to shipment and everywhere in between. For instance, Ben Nahorney highlighted the software update vector in his recent Threat Explainer. There he describes about how something as mundane as compromising a developer’s machine has major ramifications. After all, that machine accesses the build system.
Our Talos threat research team has been watching closely too. For a fun take on supply chain security, check out Beers with Talos episode 104. They’re “hopping mad” because it’s been easy for many organizations to de-prioritize this risk. And their discussion also underscores how supply chain attacks are so often misunderstood.
Steps to take right now
One thing you’ll discover about C-SCRM is that it’s a business process discipline. Technology certainly helps, but the key practices are often the ones that are the hardest to do. For example, in Key Practices in Cyber SCRM: Observations from Industry (NISTIR 8276), NIST explains the importance knowing and managing critical suppliers. Understanding your organization’s supply chain. And among key practices, they recommend explicit roles, processes, and structures to focus on supply chain security.
Therefore, your first step should be to familiarize yourself with existing best practices and advice. NIST collected key publications right here, and they’ve recently published their latest draft of Cyber Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161) in April.
Or take the easier road
If diving deep into a slew of deep publications isn’t your bag — or even if it is — we’ve got great news for you. We’re thrilled to invite you to our upcoming supply chain summit, Zero Trust for Trusted Relationships, which will be an engaging conversation with Chris Neal from Talos, Ben Nahorney, and me. We’ll cover everything you need to know, drawing from our very own threat research and intelligence, and passion for cyber best practices.
Register now, and get the insight you need expose and close hidden supply chain risks.