In recognition of National Supply Chain Integrity Month in April, the Cybersecurity and Infrastructure Security Agency (CISA) partnered with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DoD) and other government and industry partners to promote the need for a unified effort by organizations across the country to strengthen global supply chains. The group warns that information and communications technology (ICT) systems underpin a broad range of critical infrastructure activities, such as generating electricity, operating hospitals, and supplying clean water. If vulnerabilities in these systems and their critical hardware and software are exploited, the consequences can have ripple effects across all parties in the supply chain – shutting down operations, creating significant costs, negatively impacting revenue, and causing reputational damage.
To help stem the tide of these types of attacks, the month-long educational program culminated in a report, Defending Against Software Supply Chain Attacks. The report provides an overview of software supply chain risks, along with detailed recommendations for how critical infrastructure organizations and agencies can integrate cyber-supply chain risk management into their overall security posture.
The timing for this call to action isn't surprising. For years, threat actors have taken advantage of weak links in the supply chain as stepping-stones to infiltrate other organizations. We all remember the Target security breach nearly a decade ago, in which attackers used stolen credentials from an HVAC systems vendor to access Target's network and move laterally until finally stealing bank card and personal information of millions of customers. A few years later, the NotPetya ransomware was another high-profile supply chain attack that initially poisoned software from a Ukrainian accounting firm and went on to affect multinational corporations and cause an estimated $10 billion in damages.
More recently, the SolarWinds Orion software compromise and SUNBURST backdoor has allowed a threat actor to gain access to numerous organizations around the world. The scope and impact of this attack is still being understood, but any critical infrastructure and operational technology (OT) asset owner should be on alert and be mindful that copycat attacks are likely to ensue.
What industrial cybersecurity leaders can do
Supply chain cyber risk is complicated and spans the entire lifecycle of a product—design, manufacturing, distribution, deployment, maintenance, and disposal. The more protracted and complex the life cycle, the more opportunities for threat actors to exploit the product by targeting less secure elements in the chain. And because supply chains are often global and span multiple tiers of suppliers, the responsibility of security doesn't rest with a single organization. Each member has a role to play, which makes supply chain cyber risk particularly challenging to mitigate.
That's why, when creating business continuity plans, you need to look beyond your own company to also consider the security measures your immediate suppliers have in place and how you, in turn, manage and mitigate risk with your extended network of suppliers. These five steps can help:
Communication and assessment: Managing this critical risk starts with determining internal responsibility for procurement and verifying a partner's process security. This requires legal teams to be involved, in addition to technology and line-of-business leaders across business units and geographies. Decision makers need threat intelligence related to supply chain attacks to make informed decisions about risks to the business. Secure procurement and data protection must be wrapped in effective communication with partners and internal stakeholders.
Detailed operational visibility: Consider a dedicated industrial cybersecurity solution capable of overcoming OT-specific challenges, which include a lack of standardized technology, the use of proprietary protocols, and a low tolerance for disruptions to critical processes. The Claroty Platform continuously monitors and detects threats across the OT network, connects to your organization's existing security network, and also connects to all access points with your supply chain partners to extend this visibility across all key parties.
Consistent cybersecurity standards: Keep up to date with emerging regulations and standards and new alerts. Adhere to the industry-specific recommendations detailed in the July 23 CISA alert, which can help mitigate increased cyber risk driven by growing connectivity of OT assets to the Internet across all 16 U.S. critical-infrastructure sectors. Take advantage of the new report by CISA and NIST for information on how to use key frameworks to identify, assess, and mitigate software supply chain risks.
Strengthened cybersecurity coalitions: Given the critical urgency of the current moment, many executives and board members have become attuned to operational concerns and more aware of why having the right cyber defense technology and processes in place is essential for ensuring availability, reliability, and safety. As a security leader, seize the moment to garner cross-functional buy-in for supporting present and future industrial cybersecurity initiatives.
Collaborative approach: Your supply chain is an integral part of your business ecosystem. As such, it needs to be an integrated part of your security ecosystem and protected with the same level of defenses. Cloud-based solutions simplify secure connectivity with key supply chain partners. They can also be more secure, updated more easily, and new features added more quickly. But even if the transition to the cloud isn't yet feasible within your industry due to regulatory requirements, you can still set benchmarks and share reports and insights into vulnerabilities and hygiene risk with your supply chain partners.
There's no doubt that supply chain risk is critical infrastructure risk and we need to brace for a surge in these types of attacks. Fortunately, there are steps you can take to mitigate risk and the timing is right to move fast.
To learn more about the Claroty Platform and how it can help you mitigate supply chain risk in your OT environment, request a demo.
