Partnerships Over Questionnaires: The Path to Robust Supply Chain Security

We need close partnerships with key suppliers and customers to maintain a strong cybersecurity posture for our business processes. Most supply-chain cybersecurity practices are far from being real partnerships.

Most business processes are digitally connected today. How do we manage warehouse inventory?

Organizations understand that the supply chain affects cyber risk. Supply chains are often integrated through software today, and some of your attack surface may be invisible to you, but visible to and managed by one or more suppliers. At the same time, your customers depend on your ability to manage your cybersecurity posture to protect their business processes. Yet, our approach to supply-chain security is often immature. Many organizations have no organized activity to manage supply chain cyber risk. Some have a vendor qualification scheme, often based on security questionnaires. A vendor qualification process is useful to avoid purchasing services and products from companies with very poor security performance, but it is not enough to ensure a robust defense against supply-chain attacks.

Why is a vendor qualification not enough?

Cyber threats are constantly evolving, and relying solely on vendor qualification can leave your supply chain vulnerable. Qualification processes often focus on static criteria that may not adapt quickly enough to new and emerging threats. This reactive approach can result in security gaps that malicious actors can exploit.

Vendors may meet initial qualification criteria, but their performance can vary over time. Factors such as changes in management, updates to technology, or shifts in market conditions can impact a vendor’s ability to maintain security standards. Without ongoing collaboration, these variations can go unnoticed, posing significant risks to the supply chain.

Effective cybersecurity requires timely and accurate information sharing. However, vendor qualification processes often lack mechanisms for continuous information exchange. This siloed approach can hinder the ability to detect and respond to threats promptly, leaving the entire supply chain at risk.

In the event of a security incident, a coordinated response is crucial. Vendor qualification alone does not foster the trust and communication needed for effective incident response. Without a collaborative framework, responding to incidents can be chaotic and inefficient, prolonging downtime and increasing the impact of breaches.

The solution: security partnerships with important supply-chain partners

To address these challenges, organizations must shift from a vendor qualification mindset to a collaborative partnership approach. This involves establishing strong relationships with key suppliers and customers, built on trust, information sharing, and shared situational awareness.

By fostering open communication channels, organizations can share threat intelligence, best practices, and lessons learned. This collaborative exchange of information enables all parties to stay ahead of emerging threats and respond more effectively to incidents.

Building trust through transparency is essential for successful collaboration. Partners should be open about their security practices, vulnerabilities, and incident response plans. This transparency fosters a culture of mutual support and accountability, strengthening the overall security posture of the supply chain.

Shared situational awareness enables partners to have a collective understanding of the security landscape. This involves regular updates on threats, vulnerabilities, and incidents affecting the supply chain. By maintaining a shared view, organizations can better anticipate and mitigate risks, enhancing the resilience of the supply chain.

Collaborative partnerships allow organizations to align on best practices and standards. By working together, partners can develop and implement robust security measures that are consistent across the supply chain. This alignment helps to minimize vulnerabilities and ensures that all parties are committed to maintaining high security standards.

A business-continuity focused approach to security partnerships

Not all suppliers are equally important, and not all customers are critical to your business. There are also differences in how digitally integrated the supplier-buyer relationship is. Imagine that you are responsible for security at a company leasing coffee machines to businesses and supplying them with coffee beans. The company has a lean operation and is highly dependent on digital systems for managing its business processes. It has conducted a business impact assessment of its key processes, and marked “bean procurement”, “bean distribution” and “machine maintenance and support” as the most critical processes, which also have the most digital dependencies. You want to make sure you have a good approach to cybersecurity for these processes, starting with bean procurement. To get started on the assessment, you and your colleagues perform a business process mapping and dependency exercise.

SIPOC for the bean procurement process:

Suppliers
  • Wholesale coffee sellers
  • Logistics providers
  • Quality control labs

Inputs
  • Pre-packed coffee beans (normal, premium, premium plus)
  • Transportation services
  • Quality test results

Process
  1. Source pre-packed coffee beans from wholesale sellers in three qualities.
  2. Arrange transportation from wholesaler to warehouse.
  3. Conduct quality control tests for each quality type.
  4. Store pre-packed coffee beans in a warehouse.
  5. Distribute coffee beans to offices based on quality requirements.
  6. Monitor inventory levels by quality and reorder as needed.

Outputs
  • Packaged coffee beans (by quality)
  • Delivery confirmations
  • Inventory reports (by quality)

Customers
  • Offices leasing coffee machines
  • Internal stakeholders

After discussing with some of the suppliers and the procurement division, and going through the systems used with both end-users and IT, you have landed on a relatively involved data flow diagram for the procurement of coffee beans (including storage and readiness for distribution), based on the SIPOC.

We are now focusing on the wholesale sellers. There may be multiple interfaces between these companies, but for now let’s consider how a partnership would differ from a pure qualification approach to vendor security here.

Default approach: qualify the vendor, no direct follow-up unless there is an incident.

  • Provide a list of technical security requirements
  • Provide a questionnaire in Excel about policies, security controls and capabilities

This will help select a vendor that has a baseline security level at the point in time when the contract is signed. It will not make the companies ready to respond together if there is a cyber attack affecting both, or requiring support from the other. It will not provide proactive steps toward improved cyber defense, such as sharing information about threats, vulnerabilities and best practices. But the biggest weakness is this: a good cybersecurity posture over time depends on evolving practices, innovation and shared situational awareness. A point-in-time qualification does not help with that.

Partnership approach: a partnership will help evolve cybersecurity and can “patch the weaknesses” of the qualification-only approach to supplier security management. Here are 3 key practices to consider for building a strong cybersecurity partnership:

  1. Establish clear expectations and responsibilities for the partnership, and include these in the contract. Make sure the cybersecurity practices included in the contract are mutually beneficial.
  2. Establish a way to share information and build joint situational awareness. This can be achieved through a range of activities, from having quarterly information-sharing video calls to fully integrated threat intelligence and response exchange systems.
  3. Be intentional about making security people from both organizations meet and build relationships. There are many ways to do this, from joining community organizations and conferences, to having regular status meetings and workshops together. Even meeting socially can help build those relationships. People who trust each other work much better together during a crisis, such as cyber incident response.

It is worth noting that regulatory requirements for supply-chain security are increasing in many sectors. In Europe, key cybersecurity regulations such as DORA (for financial institutions), NIS2 (critical infrastructure), CRA (for suppliers of digital products) and even the AI Act all have requirements for supply-chain cybersecurity. The views in this blog post do not constitute a complete list of activities a good supply-chain program must have; they are an addition to established practices. For an overview of traditional practices that should go into your supply-chain cybersecurity management, this guideline from ENISA is a good starting point: Guideline for supply-chain security (ENISA).

Handling suppliers with low security awareness

Supply chain risk – in cyberspace

Cyber supply chain risk is a difficult area to manage. According to NIST, 80% of all breaches originate in the supply chain, meaning it should be a definite priority of any security-conscious organization to try to manage that risk. That number was given in a presentation by Jon Boyens at the 2016 RSA conference. A lot of big companies have been breached due to suppliers with poor information security practices, for example Target and Home Depot.

Your real attack surface includes the people you do business with – and those that they do business with again. And this is not all within your span of control!

Most companies do not have any form of cybersecurity screening of their suppliers. Considering the facts above, this seems like a very bad idea. Why is this so?

A lot of people think cybersecurity is difficult. The threat landscape itself is difficult to assess unless you have the tools and knowledge to do so. Most companies don’t have that sort of competence in-house, and they are often unaware that they are lacking know-how in a critical risk governance area.

Why are suppliers important when it comes to cybersecurity? The most important factor is that you trust your suppliers, and you may already have shared authentication secrets with them. Consider the following scenarios:

  1. Your HVAC service provider has VPN access to your network in order to troubleshoot the HVAC system in your office. What if hackers gain control over your HVAC vendor’s computer? Then they also have access to your network.
  2. A supplier that you frequently communicate with has been hacked. You receive an email from one of your contacts in this firm, asking if you can verify your customer information by logging into their web-based self-service solution. What is the chance you would do that, provided the web page looks professional? You would at least click the link.
  3. You are discussing a contract proposal with a supplier. After emailing back and forth about the details for a couple of weeks he sends you a download link to proposed contract documents from his legal department. Do you click?

All of these are real use cases. All of them were successful for the cybercriminals wanting access to a bigger corporation’s network. The technical set-up was not exploited; in the HVAC case the login credentials of the supplier were stolen and abused (this was the Target attack, resulting in the leak of 70 million customer credit cards). In the other two cases an existing trust relationship was used to increase the credibility of a spear-phishing attack.

To counter social engineering, most companies offer “cybersecurity awareness training”. That can be helpful, and it can reduce how easy it is to trick employees into performing dangerous actions. When the criminals leverage an existing trust relationship, this kind of training is unlikely to have any effect. Further, your awareness training probably only includes your own organization. Through established buyer-supplier relationships the initial attack surface is not only your own organization; it is expanded to include all the organizations you do business with. And their attack surface, in turn, includes the people they do business with. This quickly expands to a very large network. You obviously cannot manage the whole network, but what you can do is evaluate the risk of using a particular supplier, and use that to determine which security controls to apply to the relationship with that supplier.

Screening the contextual risk of supplier organizations

What then determines the supplier risk level? Obviously, internal affairs within the supplier’s organization are important, but at least in the early screening of potential suppliers this information is not available. The supplier may also be reluctant to reveal too much information about their company. This means you can only evaluate the external context of the supplier. As it turns out, there are several indicators you can use to gauge the likelihood of a supplier breach. Main factors include:

  • Main locations of the supplier’s operations, including corporate functions
  • The size of the company
  • The sector the company operates in

In addition to these factors, which can help determine how likely the organization is to be breached, you should consider what kind of information about your company the supplier would possess. Obviously, somebody with VPN login credentials to your network would be of more concern than a restaurant where you order overtime food for your employees. Of special concern should be suppliers or partners with access to critical business secrets, with login credentials, or with access to critical application programming interfaces.

Going back to the external context of the supplier; why is the location of the supplier’s operations important? It turns out that the amount of malware campaigns a company is exposed to is strongly correlated with the political risk in the countries where the firm operates. Firms operating in countries with a high crime rate, significant corruption and dubious attitudes to democracy and freedom of speech, also tend to be attacked more from the outside. They are also more likely to have unlicensed software, e.g. pirated versions of Windows – leaving them more vulnerable to those attacks.

The size of the company is also an interesting indicator. Smaller companies, i.e. less than 250 employees, have a lower fraction of their incoming communication being malicious. At the same time, the defense of these companies is often weak; many of them lack processes for managing information security, and a lot of companies in this group do not have internal cybersecurity expertise.

The medium sized companies (250-500 employees) receive more malicious communications. These companies often lack formal cybersecurity programs too, and competence may also be missing here, especially on the process side of the equation. For example, few companies in this category have established an information security management system.

Larger companies still receive large amounts of malicious communications, but they tend to have better defense systems, including management processes. Small and medium-sized businesses therefore pose a higher threat for value chain exploitation than larger, more established companies do.

Also, the sector the supplier operates in is a determining factor for the external context risk. Sectors that are particularly exposed to cyberattacks include:

  • Retail
  • Public sector and governmental agencies
  • Business services (consulting companies, lawyers, accountants, etc.)

Here the topic of “what information do I share” comes in. You are probably not very likely to share internal company data with a retailer unless you are part of the retailer’s supply chain. If you are, then you should be thinking about some controls, especially if the retailer is a small or medium-sized business.

For many companies the “business services” category is of key interest. These are service providers that you would often share critical information with. Consulting companies gain access to strategic information and to your IT network, and get to know a lot of key stakeholders in your company. Lawyers would obviously have access to confidential information. Accountants would be trusted, have access to information and perhaps also to your ERP systems. Business service providers often get high levels of access, and they are often targeted by cybercriminals and other hackers; this is good reason to be vigilant in managing security in the buyer-supplier relationship.

Realistic assessments require up to date threat intelligence

There are more factors that come into play when selecting a supplier for your firm than security. Say you have an evaluation scheme that takes into account:

  • Financials
  • Capacity
  • Service level
  • And now… cybersecurity

If the risk is considered unreasonably high for using a supplier, you may end up selecting a supplier that is more expensive, or where the level of service is lower, than the “best” supplier that carries a high perceived risk. Therefore it becomes important that the coarse contextual risk assessment is performed based on up-to-date threat models, even for the macro indicators discussed above.

Looking at historical data shows that the threat impact of company size remains relatively stable over time. Big companies tend to have better governance than small ones. On the positive side for smaller companies is that they tend to be more interested in cooperating on risk governance than bigger players are. This, however, is usually not problematic when it comes to understanding the threat context.

Political risk is more volatile. Political changes in countries can happen quickly, and the effects of political change can be subtle but important for the cybersecurity context. This factor depends on up-to-date threat intelligence, primarily available from open sources. This means that when you establish a contextual threat model, you should take care to keep it up to date with political risk factors, which change at least quarterly and can even change abruptly in the case of revolutions, terror attacks or other major events causing social unrest. A slower stream is legislative processes, which affect not only how businesses deal with cyber threats but also how governments do. Key uncertainties in this field today include the access of intelligence organizations to communications data, and the evolution of privacy laws.

The sector’s influence on cyber threat levels also changes dynamically. Here threat intelligence is not that easy to access, but some open sources do exist. Open intel sources that can be taken into account to adjust the assessment of business sector risk are:

  • General business news and financial market trends
  • Threat intelligence reports from cybersecurity firms
  • Company annual reports
  • Regulations affecting the sector, as also mentioned under political risk
  • Vulnerability reports for business-critical software important to each sector

In addition to this, less open sources of interest would be:

  • Contacts working within the sectors with access to trend data on cyber threats (e.g. sysadmins in key companies’ IT departments)
  • Sensors in key networks (often operated by government security organizations); sharing of information from these typically occurs in CERT organizations

Obviously, staying on top of the threat landscape is a challenging undertaking but failing to do so can lead to weak risk assessments that would influence business decisions the wrong way. Understanding the threat landscape is thus a business investment where the expected returns are long-term and hard to measure.

How to take action

How should you, as a purchaser, use this information about supplier threats? Considering now the situation where you have access to a sound contextual threat model, and you are able to sort supplier companies into broad risk categories, e.g. low, medium, high risk categories. How can you use that information to improve your own risk governance and reduce the exposure to supply chain cyber threats?

First, you should establish a due diligence practice for cybersecurity. You should require more scrutiny for high-risk situations than low-risk ones. Here is one way to categorize the governance practices for supply chain cyber risks – but this is only a suggested structure. The actual activities should be adapted to your company’s needs and capabilities.

| Practice | Low risk supplier | Medium risk supplier | High risk supplier |
|---|---|---|---|
| Require review of supplier’s policy for information security | No | Yes | Yes |
| State minimum supplier security requirements (antivirus, firewalls, updated software, training) | Yes | Yes | Yes |
| Require right to audit supplier for cybersecurity compliance | No | To be considered | Yes |
| Establish cooperation for incident handling | No | To be considered | Yes |
| Require external penetration test including social engineering prior to and during business relationship | No | No | To be considered |
| Agree on communication channels for security incidents related to buyer-supplier relationship | Yes | Yes | Yes |
| Require ISO 27001 or similar certification | No | No | To be considered |
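The contextual screening described under “Screening the contextual risk of supplier organizations” (location/political risk, company size, sector, and what the supplier can access) and the practice matrix above can be turned into a repeatable tiering step. The following is an added example, not code from the blog; the point values, the tier thresholds and the three sample suppliers are constructed for illustration, while the factors and the practice matrix follow the text.

```python
"""Contextual supplier risk screening and control selection.

Added example. The weights and thresholds are constructed assumptions;
the input factors and the practice matrix follow the blog post.
"""
from dataclasses import dataclass, field

# Sectors the post names as particularly exposed to cyberattacks.
EXPOSED_SECTORS = {"retail", "public sector", "business services"}

# Constructed weights: contribution of each factor to breach likelihood.
POLITICAL_RISK_POINTS = {"low": 0, "medium": 1, "high": 2}
SIZE_POINTS = {"small": 1, "medium": 2, "large": 0}  # large firms defend better

# Constructed weights: how much damage the supplier's access could cause.
ACCESS_POINTS = {"vpn": 3, "credentials": 3, "api": 2, "business_secrets": 2}

TIERS = ("low", "medium", "high")

# Practice matrix from the post's table, indexed (low, medium, high).
PRACTICES = {
    "Review supplier's information security policy": ("No", "Yes", "Yes"),
    "State minimum security requirements": ("Yes", "Yes", "Yes"),
    "Right to audit for cybersecurity compliance": ("No", "To be considered", "Yes"),
    "Cooperation for incident handling": ("No", "To be considered", "Yes"),
    "External penetration test incl. social engineering": ("No", "No", "To be considered"),
    "Agreed communication channels for security incidents": ("Yes", "Yes", "Yes"),
    "ISO 27001 or similar certification": ("No", "No", "To be considered"),
}


@dataclass
class Supplier:
    name: str
    political_risk: str            # "low" | "medium" | "high" for main operating countries
    employees: int
    sector: str
    access: set = field(default_factory=set)  # subset of ACCESS_POINTS keys


def size_band(employees: int) -> str:
    """Size bands as used in the post: <250 small, 250-500 medium, else large."""
    if employees < 250:
        return "small"
    if employees <= 500:
        return "medium"
    return "large"


def likelihood(s: Supplier) -> int:
    """External-context likelihood of the supplier being breached (0..5)."""
    if s.political_risk not in POLITICAL_RISK_POINTS:
        raise ValueError(f"unknown political risk level: {s.political_risk!r}")
    exposed = 1 if s.sector.lower() in EXPOSED_SECTORS else 0
    return POLITICAL_RISK_POINTS[s.political_risk] + SIZE_POINTS[size_band(s.employees)] + exposed


def impact(s: Supplier) -> int:
    """What the supplier holds of yours: the most sensitive access type counts (0..3)."""
    unknown = s.access - ACCESS_POINTS.keys()
    if unknown:
        raise ValueError(f"unknown access types: {sorted(unknown)}")
    return max((ACCESS_POINTS[a] for a in s.access), default=0)


def risk_tier(s: Supplier) -> str:
    """Combine likelihood and impact into the post's low/medium/high categories."""
    lik, imp = likelihood(s), impact(s)
    if imp >= 3 and lik >= 2 or lik + imp >= 6:
        return "high"
    if imp == 0 and lik <= 2 or lik + imp <= 2:
        return "low"
    return "medium"


def required_practices(tier: str) -> list:
    """Practices that are 'Yes' or 'To be considered' for the given tier."""
    col = TIERS.index(tier)
    return [(p, v[col]) for p, v in PRACTICES.items() if v[col] != "No"]


def screen(suppliers: list) -> dict:
    """Map supplier name -> risk tier for a list of suppliers."""
    return {s.name: risk_tier(s) for s in suppliers}


# Constructed sample suppliers mirroring the post's scenarios.
SAMPLE_SUPPLIERS = [
    Supplier("Office lunch caterer", "low", 40, "hospitality"),
    Supplier("HVAC service provider", "low", 120, "facility services", {"vpn"}),
    Supplier("Strategy consultancy", "high", 300, "business services",
             {"credentials", "business_secrets"}),
]

if __name__ == "__main__":
    for name, tier in screen(SAMPLE_SUPPLIERS).items():
        print(f"{name}: {tier}")
        for practice, status in required_practices(tier):
            print(f"  - {practice}: {status}")
```

The scoring keeps likelihood (external context) and impact (what the supplier can reach) separate, so that a small supplier with VPN access does not end up in the same bucket as a small caterer with no access, and the tier drives a fixed set of contractual practices rather than an ad hoc negotiation. Replace the constructed weights with ones calibrated against your own threat intelligence and revisit them as the political and sector factors change.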

If you found this post interesting, please share it with your contacts – and let me know what you think in the comments!

Norwegian cyber command warning against supply chain exploitation for F35 project

The Norwegian general Inge Kampenes (chief of the Norwegian CYFOR, the cyber branch of the Norwegian armed forces) gave a speech on the evening of Monday 20.02.2017 to Oslo militære samfund, where he warned against supply chain threats to large military investments. He brought up the F35 program, and stressed that threat actors may choose to target civilian and military organizations further back in the supply chain in order to threaten the integrity and confidentiality of the project. The military must therefore keep the entire value chain in mind as it is assessing the cyber threats related to procurement.


Aerial refueling of F-35 Lightning II Joint Strike Fighters at Eglin AFB, Fla.
F35 fighter jets require a large number of systems on the ground, ranging from military equipment in the field to administrative IT systems. Breaches in the supply chains to these supporting systems may degrade the performance of the organizations and systems supporting F35 operations. Photo by Mstr. Sgt. Donald R. Allen, US Air Force (public domain).


This follows several recent media accounts of poor sourcing decisions leading to significantly reduced security for important functions in Norway. One was the Statoil case from 2014, where Indian consultants had access to the production IT systems of a refinery and shut down the refinery’s production by mistake. Another story that recently broke in the media was that the administration of the Norwegian emergency communications network for emergency response units (police, fire departments, ambulances and the authorities) had been contracted to another Indian IT operator, with no form of background checks or security clearance checks, in breach of Norwegian security laws.

The general is obviously right to be worried about supply chain risks. The suppliers are outside of your direct management control, and this is particularly true for large and complex value chains; the deeper you go in the web of suppliers and sub-suppliers, the less influence and control you have over their practices. This has to be handled through contract requirements, auditing and a common understanding of priorities. Understanding the risk context is key to prioritizing the right controls, and this is at the core of supply chain threat management.

Key points the general should preach to his colleagues:

  • The project needs a procurement policy covering all purchases, including how suppliers in turn shall handle their own suppliers, and this policy should be made mandatory for the entire project organization: the project owner must be the one calling the shots.
  • The project needs a competence management plan for information security – that covers both internal and external interfaces
  • The project needs a risk and vulnerability study that covers supply chain effects: the suppliers may be targeted due to activity in other risk contexts, thereby damaging the project’s security by collateral damage
  • The project should plan for coordinated security monitoring in the operations phase where applicable, and plan response accordingly. Patch management should be part of the delivery plan.