Supply chains, a new vulnerability for cyber-attacks

Issue 6 2021 Transport (Industry), Surveillance, Asset Management, Logistics (Industry)

The security threat landscape is in a constant state of flux as cybercriminals work hard to develop tactics to overcome organisations’ defences. One popular route into a secured network is via the supply chain and history is not short of examples of successful cyberattacks that were achieved by this method.


Rudie Opperman.

Software company SolarWinds fell victim to a supply chain attack, which compromised various US government agencies as well as big corporate enterprises, such as Intel, Cisco, Deloitte and Microsoft. Many South African firms also recently suffered a supply chain attack that affected over 1000 companies (www.securitysa.com/*scm1). Threat actors typically target companies within the supply chain, as these tend to have less sophisticated and robust defences.

How can organisations be sure that they aren’t inadvertently leaving themselves open to attackers who may gain access via the wider ecosystem? To build trust in these relationships, they need to know that their system supplier continuously assesses and counters these risks, not only within their own systems, but also those of their sub-suppliers. It’s critical to know how solution manufacturers control and maintain their entire supply chain and ensure all products have a safe journey from individual components to completed product.

Evaluating and choosing the right partner

Supply chain security begins with choosing partners through a rigorous evaluation process. This should include an analysis of critical areas, such as each company’s information security policies and quality and sustainability management processes. As a minimum, a company should be certified by a third party, according to ISO 9001 or IATF 16949 and ISO 27001 A.15 or NIST SP 800-161.

This is only the beginning. Sub-suppliers’ processes should also be assessed for risk management, as well as their production facilities and processes. Site visits should be made and followed up with on-site audits to check if the company meets the security requirements and standards set for approved vendor qualification. As part of the evaluation of a potential new partner, suppliers should conduct an in-depth analysis of the organisation’s financial position and ownership structure.

It may be useful to choose certain companies to be appointed as strategic sub-suppliers, especially for critical components. Investing time in building these relationships will improve trust and ensure that all parties are committed to achieving long-term goals, particularly when it comes to upholding security processes.

Regular supplier audits provide reassurance and add value

The best way for your supplier to ensure sub-supplier compliance with the specified requirements is to conduct regular on-site audits, annually or bi-annually. These can be supplemented by quarterly business reviews, to follow up on performance against expectations and collaboratively discuss any changes that need to be made. The audit process should be thorough and conducted on every site within the supply chain, from the component supplier to the distribution centre.

Individuals with malicious intent can physically introduce threats into a network or directly to the products; therefore, the audit process should also include assessments of the physical facilities, particularly the quality assurance procedures and associated machinery. This will ensure that products are not tampered with and that unauthorised individuals are not allowed access to restricted areas. For example, entries and exits must be continuously guarded and access controls and visitor registration must be logged and stored. Some areas may require continuous surveillance, even using guards to secure the facility and surroundings.

Protecting data transfer within the supply chain

Data transfer in the supply chain network must be protected by security protocols, utilising encryption methods and authentication. Sub-suppliers and partners need to maintain a high level of information security, to mitigate risks of any gaps in the supply chain. Having a systematic approach to identify and manage sensitive company information is critical. This system should include people, processes, IT systems and physical locations and should comply with ISO 27001 and the PoPI Act. This will improve awareness and enable effective risk management.

From a personnel perspective, employees can often represent a significant cybersecurity risk and are often on the front line of attacks. This risk can be mitigated by empowering and educating employees to ensure they have a high level of information security awareness. Implementing a training programme that frequently updates employees on threats and tactics is invaluable to helping protect an organisation from attacks and should be present at every company within the supply chain.

Maintaining integrity at the product level

As expected, surveillance products must function as designed and intended, with consistent integrity. This can be achieved if the product’s hardware and firmware are successfully protected from unauthorised change or manipulation during the product’s journey through the supply chain. Starting with component materials, traceability, which includes the material handling process, ensures that the status is always known, revealing any deviations that could compromise quality and signal tampering.

Suppliers and manufacturing partners are required to maintain a traceability system for produced batches, from incoming material to the finished component. During production, the physical component will undergo multiple tests, verifying conformance and highlighting any deviations.

It isn’t just the security of devices themselves that needs to be assessed. A secure software development lifecycle (SDLC) must be demonstrated to show that software is being developed with cybersecurity in mind. This helps to minimise the end customer’s exposure to vulnerabilities and, if these do occur, a clear process for how vulnerabilities in components are identified, communicated and patched must be established.

Robust security at every stage

As new cybersecurity threats emerge, it’s worth investing time to evaluate and understand every step in the production process where vulnerabilities could occur. Introducing more transparency within the supply chain will help alleviate worries, build trust and also create a dialogue between organisations and their entire supplier network. This will ensure that processes are robust and repeatable, thereby holding every party to the same cybersecurity standard and ensuring consistency. A regular assessment and auditing process will pay dividends in maintaining high-quality products and protecting sensitive data from falling into the wrong hands. Businesses, especially those without the in-house resources to do so themselves, should also ensure that they have a credible security partner who can offer them the expertise and support to stay ahead of evolving cybersecurity threats.


© Technews Publishing (Pty) Ltd. | All Rights Reserved.