Securing Your Supply Chain: Where Is The Weakest Link?

Forbes Technology Council
POST WRITTEN BY
Philip Quade


Chains have symbolic and historical significance. Over time, they have been symbols of strength and have been used to secure important things, but they have also been symbols of oppression. Ironically, those historical caricatures are all too modern and accurate in our digital age.

More specifically, “supply chain” has reentered our vocabulary. A century ago, the term may have been used more frequently to describe the management of parts availability to enable the mechanization of assembly lines. Today, it also has a different meaning and, increasingly, a disturbing connotation: that your cybersecurity can be undermined if your "upstream" providers are not as secure as you expect them to be.

Often, the insecurity is accidental. A supplier of parts or subcomponents may unknowingly leave security gaps in the product they provide to you, which you incorporate into your systems. Later, malicious people can find and exploit them.

Increasingly, an organization’s chief information security officer, or CISO, is responsible for managing what they have limited control over: specifically, the dynamic and ever-changing activity of an organization’s supply chain.

What is a supply chain?

A supply chain is the chain of vendors a company depends upon to underpin its operations. It also includes the vendors those vendors partner with, and so on.

Can you imagine if preventing your house from being infested with bedbugs hinged on your ability to ensure that your mail carrier's roommate’s barber’s dog groomer never shopped for shirts at a thrift store?

Like a physical chain, a supply chain is only as strong as its weakest link. If you don't manage it holistically, the cybersecurity of every organization within the chain could be at risk because of one member.

Even the shortest of supply chains — those with two to four linked vendors — represent a complex and evolving system that is paradoxically both embedded in and separate from an organization.

Who does this affect?

Examples exist in almost any industry. Laptop manufacturers get parts from thousands of small operations with varying degrees of security in place. Big-box retail stores have everything from inventory management to HVAC system suppliers that operate online. That's a potentially complicated system of suppliers for large chains to manage.

There is often no easy way to tell where an attack in your supply chain is going to occur. But the reality is that smaller vendors often can't afford to scrutinize their own suppliers the way larger organizations can, and large organizations have their own complexity challenges.

And for cybercriminals, discovering who your vendors are is often as simple as conducting a Google search or seeing a service vehicle parked outside. From there, the information they need to empower subsequent attacks is often publicly available through social media and the internet.

What should you do about it?

The more complex and volatile networks become, the more important it is to have a strong foundation. Obviously, a CISO can't control the actions of vendors five degrees removed, yet they're still accountable for the resulting security of the components they get from those vendors. This is why every CISO should closely examine their supply chain and the policies and protocols that govern it.

The first step is creating a supply chain risk management plan, which establishes policies and procedures for dependencies and risks. It documents the risks throughout the system development life cycle, including design, manufacturing, production, distribution, acquisition, installation, operations, maintenance and decommissioning. And since “supply chain” has many potential meanings, the definitions and components worth examining include:

• Robust availability of parts

• Preventing use of grey-market parts

• Ensuring IT infrastructure is sourced from domestically owned companies

• Sustaining the integrity of code

• Characterizing the shared operational risk caused by rich interconnectivity

• Preventing and detecting the implantation of bugs or vulnerabilities during shipment

• Avoiding or detecting deliberate, deep placement of flaws during manufacturing

• Preventing theft of intellectual property or analysis by foreign intelligence services during assembly or manufacturing

• Not allowing foreign intelligence services to operate network service "front companies"

• Not using third-party libraries that contain vulnerabilities

Next, you need to conduct consistent and agile risk assessment. How you define a reasonable scope is unique to your company. You cannot look at everything, everywhere, all the time, so you need to decide where to look deeply or more broadly and where to accept some risk. I find it's important to define risk as a combination of consequence, vulnerability and threat so that you can be more precise when you describe why something is risky and pick the right solution to mitigate it.

An architectural solution is next. Rather than relying on one security wall around everything, I believe it's critical to protect information in proportion to its value by segmenting assets to minimize the damage of a breach. This is a foundational strategy for supply-chain risk management since it can restrict the scope or spread of supply-chain-compromised systems. By segmenting assets, you can create separate but aligned micro-segments throughout a network by walling off critical data (such as customer or financial information) from other sensitive data.
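A small added illustration (not from the article) of the two ideas above: scoring every vendor reachable through your supply chain as consequence × vulnerability × threat to find the weakest link, and modelling segmentation as a reduction in the consequence of a first-tier vendor's access. The vendor graph and the 1-5 scores are constructed, and the rule that a sub-supplier inherits the consequence of the first-tier vendor it reaches you through is an assumption of this example.

```python
from collections import deque

# Constructed example data: an organisation ("acme") and the vendors it
# depends on, each vendor listing the vendors it in turn depends on.
DEPENDS_ON = {
    "acme":            ["hvac-vendor", "inventory-saas"],
    "hvac-vendor":     ["remote-support"],
    "inventory-saas":  ["cloud-host", "widget-lib"],
    "remote-support":  [],
    "cloud-host":      [],
    "widget-lib":      ["open-source-lib"],
    "open-source-lib": [],
}

# Illustrative 1-5 scores (constructed, not a real assessment):
#   consequence   - damage to acme if this first-tier vendor's access is abused
#   vulnerability - how weak the vendor's own controls are believed to be
#   threat        - how likely the vendor is to be targeted
SCORES = {
    "hvac-vendor":     dict(consequence=5, vulnerability=3, threat=2),
    "inventory-saas":  dict(consequence=4, vulnerability=2, threat=3),
    "remote-support":  dict(vulnerability=5, threat=4),
    "cloud-host":      dict(vulnerability=1, threat=5),
    "widget-lib":      dict(vulnerability=3, threat=2),
    "open-source-lib": dict(vulnerability=4, threat=4),
}

def transitive_risk(org, depends_on=DEPENDS_ON, scores=SCORES):
    """Score every vendor reachable from `org` as C * V * T, where C is the
    consequence of the first-tier vendor the path enters `org` through
    (assumption: a sub-supplier can only hurt you via that access) and
    V and T are the reachable vendor's own scores."""
    out, seen = {}, set()
    queue = deque((t1, t1) for t1 in depends_on[org])
    while queue:
        vendor, tier1 = queue.popleft()
        if (vendor, tier1) in seen:
            continue
        seen.add((vendor, tier1))
        s = scores[vendor]
        r = scores[tier1]["consequence"] * s["vulnerability"] * s["threat"]
        # A vendor reachable through several first-tier vendors is scored
        # by the path with the highest consequence.
        if vendor not in out or r > out[vendor]["risk"]:
            out[vendor] = {"via": tier1, "risk": r}
        for sub in depends_on.get(vendor, []):
            queue.append((sub, tier1))
    return out

def weakest_link(org, **kw):
    """The reachable vendor with the highest effective risk."""
    risks = transitive_risk(org, **kw)
    return max(risks, key=lambda v: risks[v]["risk"])

def with_segmentation(scores, tier1, new_consequence):
    """Model walling off a first-tier vendor's access from critical data:
    its controls are unchanged, only the consequence of abuse drops."""
    updated = {k: dict(v) for k, v in scores.items()}
    updated[tier1]["consequence"] = new_consequence
    return updated
```

With the constructed scores the weakest link is the remote-support firm two hops away; segmenting the HVAC vendor's access (consequence 5 to 2) moves the weakest link to the open-source library under the inventory SaaS instead, which is the kind of re-ranking a risk assessment needs to re-run after each architectural change.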

And lastly, you should provide transparent dialog and education to employees, vendors, and stakeholders about supply chain risks and security best practices. This often-overlooked step can proactively prevent activity that increases the risk of a breach. Some of the same basic cybersecurity practices we already know still apply, such as properly disposing of unused papers that contain sensitive information or never disclosing private information about yourself or your company without ensuring it is for authorized and legitimate purposes.

By working to ensure the strength of these fundamental points, organizations across functions can help mitigate the seemingly intractable risks of supply chains — while also strengthening the security of their entire networks and taking proactive steps to minimize damage from lack of stakeholder understanding.

I believe protecting against supply chain attacks through supply chain risk management is an imperative that cannot be ignored. Would you bet $100 million that an entry-level employee at a small business three degrees removed from your organization has an uncrackable email password? Unfortunately, you may already have — but it's not too late to implement a risk-management strategy.
