Supply chain as an attack chain

The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.

This blog summarizes Chapter 29: Supply chain as an attack chain, by Booz Allen Hamilton – Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate. Please refer to the original article for any direct quotations.

Attackers often take advantage of existing supply chain vulnerabilities to reach their targets. These attacks can either treat the supplier organization as the direct target, or use the supplier's relationship as a route into one of its customers. The latter is how the massive 2013 Target breach was executed: the attackers used network credentials stolen from a third-party HVAC vendor to get a foothold inside Target's environment.

Today’s attackers are often well funded and extremely organized, and have the resources, skills, and patience to conduct sophisticated attacks on your supply chain.

As companies inherit vulnerabilities from their suppliers and have to account for their customers’ risks, it is essential for organizations to be aware that their supply chain can become a significant security liability.

Ever-evolving threats in supply chains

Poor sourcing decisions expose companies to their suppliers' vulnerabilities, and to those of each supplier's own network of sub-suppliers. This multitude of organizations, many of which remain invisible to the buying organization, compounds the number of vulnerabilities, especially in environments subject to frequent change: each change introduces new vulnerabilities, and new threats emerge, combine, and evolve. This ever-evolving threat in the supply chain presents a number of challenges for managing cybersecurity.

Companies and governments around the world are realizing that the supply chain is an ideal way for attackers to quietly infiltrate their networks and infect a system without being noticed.

Insurance companies will soon become an even larger driver for increasing supply chain standards. Companies with weak cybersecurity policies and procedures for their supply chains could find their insurers raising their premiums or excluding claims in case of a breach.

Cybersecurity challenges in the supply chain

  1. Lack of visibility – Limited visibility across the supply chain regarding exposure and controls.
  2. Dynamic threat – The evolving capabilities of well-resourced and determined adversaries means that ‘point in time’ solutions are insufficient.
  3. External dependencies – Companies cannot ensure the integrity of parts and components on their own; they need participation from suppliers and other business partners.
  4. Cross-functional challenge – Requires change and collaboration from various internal business functions to collectively manage cyber risk throughout the supply chain.
  5. Decision making – Increased information requires new strategic and tactical decision-making processes.

How to create both a secure and compliant capability

The authors of this chapter recommend that organizations evaluate their cybersecurity program through a maturity lens. Using a maturity model allows you to answer the questions that simple compliance does not, while aligning your supply chain to your business strategy. It lets you focus on increasing your overall security and stay ahead of the curve.

Using a maturity model entails understanding the various degrees of risk you face. By unpacking the risks, you can then focus on your current maturity in those areas and develop a strategy for increasing it.

Developing a robust supply chain cybersecurity program is complex, but that doesn’t mean your approach has to be.

Where to start?

  • Conduct a cybersecurity maturity assessment and build a roadmap

Assessing the maturity of a supply chain cybersecurity program amounts to running a gap analysis between how your program operates today and how it should operate in its target state. Start by identifying the key controls that apply to supply chain risk management. Next, define the objectives for each control you plan to evaluate. Finally, conduct a baseline assessment of your current state against those objectives. The outcome of the maturity assessment is a roadmap for transforming your supply chain cybersecurity program.

  • Identify key risks throughout your supply chain lifecycle

Breaking down your supply chain lifecycle into distinct phases can help you identify key risks for each phase. Each phase presents its own vulnerabilities and risks.

  • Decompose your key product lines

To assess the visibility, control, and risks in your supply chain, select a few key product lines and break them down into their cyber-sensitive components.

Using supply chain cybersecurity as a differentiator

Companies large and small have to begin looking at supply chain security as part of their overall supply chain risk management process.

Understanding how to identify risk and then effectively manage those risks will give you greater control of your supply chain. Creating the right balance between security and resilience in your supply chain will allow you to build a fundamentally stronger supply chain cybersecurity program.

Five early wins

Below are five ways you can gain early traction with your supply chain cybersecurity program:

  1. Integrate/enhance component tracking
  2. Include cyber in your supply chain risk management framework
  3. Enhance acceptance testing
  4. Conduct supply chain vulnerability penetration testing
  5. Enhance monitoring of supplier network access points
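The fifth early win, monitoring supplier network access points, is the control that would have caught the vendor-credential path used in the Target breach. The following is an added example (not code from the chapter or its authors) of the kind of detection logic involved: it checks every login by a supplier account against an allow-list of where that supplier may connect from and which internal hosts it is contracted to touch, and flags repeated failed logins. The log format, account names, host names, IP ranges and thresholds are constructed for illustration and are not from the original page.

```python
"""Added example: detect supplier (third-party) account activity that falls
outside the supplier's approved source network or contracted host scope,
plus bursts of failed supplier logins. All names, ranges and log lines are
constructed for illustration; nothing here comes from the chapter."""
import ipaddress
from dataclasses import dataclass

# Constructed allow-list: the network each supplier account is expected to
# come from, and the internal hosts its contract permits it to reach.
SUPPLIER_SCOPE = {
    "hvac-vendor": {"src_nets": ["203.0.113.0/24"], "hosts": {"bms-01", "bms-02"}},
    "pos-support": {"src_nets": ["198.51.100.0/25"], "hosts": {"pos-gw"}},
}

# Number of failed logins by one supplier account that triggers an alert.
FAIL_THRESHOLD = 3

# Constructed sample authentication log (hypothetical format):
#   <timestamp> <account> <source_ip> <target_host> <outcome>
SAMPLE_LOG = """\
2024-03-01T02:10:05Z hvac-vendor 203.0.113.17 bms-01 success
2024-03-01T02:11:40Z hvac-vendor 203.0.113.17 pos-gw success
2024-03-01T03:02:11Z hvac-vendor 198.18.0.9 bms-01 success
2024-03-01T03:05:00Z pos-support 198.51.100.40 pos-gw failure
2024-03-01T03:05:02Z pos-support 198.51.100.40 pos-gw failure
2024-03-01T03:05:04Z pos-support 198.51.100.40 pos-gw failure
2024-03-01T03:06:00Z alice 10.0.0.5 fileserver success
"""


@dataclass
class Event:
    ts: str
    user: str
    src_ip: str
    host: str
    outcome: str


def parse_line(line):
    """Parse one whitespace-separated log line into an Event."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"unexpected log line: {line!r}")
    return Event(*parts)


def check_event(ev):
    """Return a list of reasons this event violates the supplier's scope.

    Non-supplier accounts yield no findings: this check covers only the
    third-party access points the allow-list knows about."""
    scope = SUPPLIER_SCOPE.get(ev.user)
    if scope is None:
        return []
    findings = []
    ip = ipaddress.ip_address(ev.src_ip)
    if not any(ip in ipaddress.ip_network(net) for net in scope["src_nets"]):
        findings.append("source outside supplier network")
    if ev.host not in scope["hosts"]:
        findings.append("host outside contracted scope")
    return findings


def scan(lines, fail_threshold=FAIL_THRESHOLD):
    """Run the scope checks over log lines and return (ts, user, reason) alerts."""
    alerts = []
    failures = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        for reason in check_event(ev):
            alerts.append((ev.ts, ev.user, reason))
        # Count failed logins per supplier account; alert once at the threshold.
        if ev.user in SUPPLIER_SCOPE and ev.outcome != "success":
            failures[ev.user] = failures.get(ev.user, 0) + 1
            if failures[ev.user] == fail_threshold:
                alerts.append((ev.ts, ev.user, f"{fail_threshold} failed logins"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user}: {reason}")
```

On the constructed sample, the first `hvac-vendor` login is clean, the second reaches a point-of-sale gateway the HVAC contract never covered, the third comes from an address outside the vendor's network, and the three `pos-support` failures in quick succession trip the threshold; the internal user `alice` is ignored because the check is scoped to third-party accounts. In a real deployment the allow-list would be generated from the supplier contract and access-request records rather than hand-typed, and the alerts fed to the SOC like any other detection.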

Best-practice cybersecurity

ISO/IEC 27001 (also known as ISO 27001) is the international standard that describes best practice for an information security management system (ISMS), a systematic approach to managing confidential or sensitive corporate information so that it remains secure, including the information that flows to and from suppliers.

Certification to the Standard demonstrates to clients, investors, stakeholders, customers, and staff that information security best practice is being followed.
