How to Prevent Supply Chain Attacks

How confident are you in not only your network security but also the integrity and reliability of your supply chain?

In a seemingly continuous stream of recent data breaches and ransomware attacks, every organization has to ask that question. Many businesses might get high marks for fortifying their own network security. But malicious actors are taking an indirect but effective means of breaching those defenses by attacking third parties in a company’s supply chain.

In April, this growing and global problem led the Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) to issue guidance on defending against software supply chain attacks. The guidance followed on the heels of the SolarWinds software breach, a headline-grabbing supply chain attack that affected public and private organizations around the world.

Supply chain insecurity isn’t just an issue for the traditional software or IT industry, and any organization can become a target.

More recently, the world’s largest meat supplier, JBS, fell victim to a ransomware attack that disrupted the meat supply chain in multiple countries. The attack temporarily shut down operations at meat plants in the U.S., Canada, and Australia, drove up wholesale meat prices, and forced food distributors including grocery stores and restaurants to search for new suppliers.

John Linkous, founder and principal adviser at Phalanx Security, a consulting firm providing enterprise security strategy and services, says:

“Just because somebody is a vendor that has a really well-known name in security, or IT or software technology, or physical assets like ATMs, doesn’t necessarily mean their systems are fully secure.”

Supply chain attacks can take many specific forms – too many to address within the scope of this article.

“Bad actors can combine multiple types of attacks into a complex chain of incidents, which means your best form of protection is to take a comprehensive approach across your entire supply chain.” – John Linkous

(For more information about types of supply chain attacks, Linkous highlights many of them as well as these preventive steps in a free on-demand webinar as part of the #Curio Virtual Tech Summit presented by Sayers.)

9 Steps to Prevent Supply Chain Attacks – Have you Covered Them All?

Avoid being the next victim of a supply chain attack by following these nine steps to protect your organization:

1. Develop a trusted ecosystem. From the companies who develop the software and hardware technology you use to the value-added resellers and system integrators who customize, deploy, and manage unified IT solutions, develop relationships with companies you trust to keep your business running.

2. Trust but verify. “Wherever possible in your contracts with suppliers, enforce right-to-audit contract clauses,” says Linkous. At a minimum, require self-audits or third-party audits such as SOC 2 or ISO27000 certification.

Additional ways to assess your vendors’ level of security include automated tools such as BitSight and SecurityScorecard. Take advantage of free, downloadable questionnaires for your third-party vendors from organizations including:

• Center for Internet Security
• Cloud Security Alliance
• National Institute of Standards and Technology
• Shared Assessments Group

3. Pay attention to your tech stack. Your technology stack is part of your supply chain security. Take a basic block-and-tackle approach by monitoring and patching all elements including your operating system, middleware, libraries such as jQuery, and other third-party applications.

“Monitor your trust boundaries with things like whitelisting and default-deny policies, implementing behavioral analysis at the asset or user level, and having some sort of continuous monitoring and alerting capability,” Linkous says.

4. Physically secure publicly accessible assets. Some high-value assets can become targets and require continuous physical surveillance. An example of this in the power and energy industry is a supervisory control and data acquisition (SCADA) systems used to generate and distribute an uninterrupted power supply.

5. Secure your DevOps. If you develop internal applications, keep your third-party libraries and OSS stacks updated. On top of that, use Software Compositional Analysis tools such as Contrast Security and Black Duck software to analyze and manage open-source components. They’ll look for open-source software and let you know if you’re using an out-of-date or otherwise vulnerable version of libraries you need to update.

6. Identify unmanaged code within your environment. Unmanaged code that runs outside of the Common Language Runtime (CLR) can expose you to risk. “This is really critical for hospital environments, for example, where you’ve got an MRI machine that may be front-ended by an old Windows 7 embedded UI using old versions of software,” Linkous says.

In that example, you would either have to rely on the MRI vendor to provide a software upgrade or patch, or mitigate the risk yourself. A growing practice in healthcare environments is network segmentation – dividing your network into multiple segments or subnets. That MRI machine or other healthcare delivery equipment would sit on separate segments than your email servers, which pose a different risk level.

7. Assess your risks. Know where your soft targets are by conducting regular penetration testing and periodically running third-party risk assessments. Regulated industries typically necessitate yearly penetration tests. However, this should be the minimum recommended consistency regardless of industry or enforced requirement.

8. Adopt a resilience mindset. In today’s environment, assume you will have a supply chain cybersecurity incident at some point. Build resiliency by including supply chain cybersecurity in your incident response and tabletop exercises, making sure those types of threats are included in your network detection and response capability. Have alternative vendors available as go-to options, either on a temporary or permanent basis.

9. Look to adopt future security options. Some promising capabilities to protect supply chains in the near future include:

• Blockchain technology. Similar to the generalized ledgers used with Bitcoin or Ethereum cryptocurrencies, blockchain can be used as an unalterable ledger of the supplier and component manifests. Blockchain would give added assurance by enforcing the chain of custody for physical and digital assets used within IT.
• Supplier webs of trust. Expect groups or confederations of B2B organizations to share normalized risk-related data about their third-party vendors. “Think of it as a GlassDoor.com for suppliers and business partners,” Linkous says, and this would generate an overall assessment of vendors considered safe for supply chain security.
• Encryption everywhere. Many organizations already use encryption for data confidentiality. Certificate-based encryption could serve to ensure supply chain integrity as well. Linkous advises encrypting data everywhere, whether that sensitive data is at rest, in transit between networks or systems within the same network, or even encryption in memory for physical assets like ATMs.

Ready to Approach Your Suppliers About Risk Assessments? Here’s How.

The conversation with your vendors about third-party assessments doesn’t have to be awkward. First, ask if they have any type of verification related to their cybersecurity controls and the integrity of their supply chain. If they’re a manufacturing company, for example, they might already be ISO 9000 certified, which requires organizations to maintain some degree of supplier integrity.

If they don’t have those controls in place yet, make the process as collaborative as possible. Help them understand why you’re asking questions about their environment. “If they’re handling your financial transactions in some way,” Linkous advises, “make sure they understand you’re asking that question because, if that data is compromised in any way or there are issues with its custody or data integrity, you’re on the hook as much as they are.”

Your customers are going to look to you to be accountable, regardless of whether it was one of your downstream vendors who had the data breach. Instead of dealing with the repercussions of guilt by association after an attack, take proactive steps now to secure your entire supply chain.

Questions? Contact us at Sayers today about your security and compliance questions for your organization as well as your supply chain.

Additional Resources:

Maintaining Supply Chain Cybersecurity in a Global Economy. Free 30-minute on-demand webinar by security expert John Linkous, with real-world examples of technology supply chain threats and impact.