The supply chain is an important part of business operations, with many complex dependencies on components and subcontractors that can span several countries, be governed under different legal systems and, not least, have different traditions and ambitions in their security work. A subcontractor who does not consider themselves security-critical, and who therefore does not actively work on their security, can give hackers many vulnerabilities to exploit. This has resulted in attacks against the supply chain becoming more common. Because they can be both devastating and have far-reaching consequences, all businesses simply need to review the security of their supply chain.
More and more attacks on supply chain security
As IT companies increasingly rely on external software and service providers, supply chain resilience is becoming critical. The supply chain can often form complex networks of interconnected systems and products at several levels, where different system suppliers are linked to several customers and to each other. An attack on just one of these systems can have direct ramifications for a large number of companies. Considering that many companies and IT providers today are international, the effects can spread from a local and limited incident to a global one in an instant.
When downloading software updates, it is good security practice to use only trusted sources and to verify the integrity of the updates by checking, for each downloaded software package, that its checksum matches the checksum provided by the vendor.
But what if someone tampers with the package by injecting other software code, such as a backdoor, ransomware or other malicious content, either at the software vendor or at an intermediary between the vendor and the end customer? If the checksum was computed after the tampering, or was replaced together with the package, it still matches: for the companies that use or pass on such a software package, its integrity appears to be OK and its content reliable.
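As an added example (not from the original article), a short Python check that mirrors the two situations above, using constructed sample packages in place of a real download: a checksum catches a package altered in transit, but passes when the tampering happened before the vendor computed the checksum or when the published checksum was replaced along with the package.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str) -> str:
    """Digest a downloaded file in chunks so large packages do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_checksum(package: bytes, published_hex: str) -> bool:
    """Compare the package digest with the vendor-published value.
    compare_digest keeps the comparison constant-time; case and whitespace
    differences in the published value are tolerated."""
    return hmac.compare_digest(sha256_hex(package), published_hex.strip().lower())

# Constructed sample "package" and the checksum the vendor would publish for it.
GENUINE_PACKAGE = b"#!/bin/sh\necho 'installing widget 1.2'\n"
VENDOR_CHECKSUM = sha256_hex(GENUINE_PACKAGE)

# Constructed sample: the same package with a line that is not part of the release.
TAMPERED_PACKAGE = GENUINE_PACKAGE + b"echo 'line not in the vendor release'\n"

def scenario_intermediary_tampering() -> bool:
    """Package altered in transit while the vendor's published checksum is
    unchanged: the digests differ and the check rejects the package."""
    return verify_checksum(TAMPERED_PACKAGE, VENDOR_CHECKSUM)

def scenario_vendor_side_tampering() -> bool:
    """Package altered before the checksum was computed, or the published
    checksum replaced alongside it: the digests match and the check passes,
    which is exactly the blind spot described in the text."""
    checksum_published_after_tampering = sha256_hex(TAMPERED_PACKAGE)
    return verify_checksum(TAMPERED_PACKAGE, checksum_published_after_tampering)

if __name__ == "__main__":
    print("genuine package accepted:", verify_checksum(GENUINE_PACKAGE, VENDOR_CHECKSUM))
    print("tampered in transit accepted:", scenario_intermediary_tampering())
    print("tampered before checksum accepted:", scenario_vendor_side_tampering())
```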
Supply chain security – something very important
Supply chain security is the part of supply chain management that focuses on risk management of external suppliers, retailers, logistics and transportation. The goal is to identify, analyse, and mitigate the risks involved when working with other organisations as part of a supply chain. Supply chain security involves both physical security related to products and cybersecurity for software and services. The most common risks with a supply chain are third-party risks, digital risks, and fraud.
When you hire a third-party provider, you often expose your organisation to significant data security risks. The reason is that your third-party providers may not take cybersecurity as seriously as you do unless you make such demands on them. Digital risk is the inevitable byproduct of digital transformation – the more digital solutions you add to your ecosystem, the more potential vulnerabilities cyber criminals can exploit.
How do I protect myself against supply chain attacks?
Supply chain security is something that you as an organisation need to work on continuously. Here are 7 tips!
1. Do a risk analysis
With a risk analysis, it becomes easier to explain and justify the investments in security that you want to make, because you can account for which risks you remedy or reduce. So what are the steps in a supply chain risk management process?
Step 1: Identify your risks
This step is not entirely easy, as many underlying hazards in the supply chain are difficult to assess:
- Global economic instability
- Unreported financial problems with partner/supplier
- Future weather, climate change, natural disasters and, yes, pandemics
Step 2: Compile risk scores
It is important to understand your risks and the impact each risk would have on the supply chain. Risk scoring is therefore an excellent technique for gaining immediate insight into which issues require the most attention.
Step 3: Define your mitigation strategies and response plans
Going through all the possible scenarios and listing all the “what-ifs” may seem time-consuming, but it is the most effective method of ensuring that everyone understands how to react if future risk predictions come true.
Step 4: Develop your Supply Chain Risk Management plan
Your strategy should be thorough and consider all the information you have gathered through previous steps. Each company will develop its own unique risk management plan to manage its own unique risks, but these five basic practices are needed in every plan:
- Look for other suppliers
- Discussions with key suppliers
- Increase the number of possible suppliers
- Purchase of more components
- Discussions with major suppliers
After this initial risk analysis, you can create your zoning – read more about this!
2. Choose supplier with care
Ensuring that the solutions you offer your customers are secure includes monitoring the environment for published vulnerabilities that may affect the security of the solution. If something is discovered, the incident must be managed, and measures that reduce or remove the risk must be developed and implemented. To ensure that your information security solution is secure, it is therefore important that your supplier works in a way that shows they accept the commitment to take their digital responsibility. Do they provide security updates throughout the life of the product/service? Can they provide you with assurance for the future? These are important questions that you should ask your supplier.
Read more about how to take digital responsibility and how to get your suppliers to do the same!
3. Do secure updates
Updates to Windows and Linux systems are an important part of maintaining the security of the digital information contained in these systems. However, an update can itself pose a security risk, because information is imported into or added to the system, and this can lead to malware being introduced. To avoid that, and to maintain the integrity and availability of the systems, special solutions are required.
Read more about how to do secure updates!
4. Use antivirus solutions
Transferring files between different security domains exposes the integrity and confidentiality of the receiving system to a major security risk. Importing files into a protected environment simply opens up security risks if the files have not undergone sufficient sanitisation before they are imported. This is because malicious programs can enter the sensitive network, where they can retrieve information, change information, or hold information to ransom so that it cannot be accessed. To avoid this, you need to use a solution with an antivirus scanning function. Advenica’s solution is called File Security Screener, a product that removes the file components that are not approved according to the system’s definitions and policies. Various techniques are used to identify malicious code: classic signature-based detection, but also so-called CDR technology (Content Disarm and Reconstruction).
5. Use network segmentation
Many businesses have an IT architecture that is based on systems designed a long time ago. The architecture has often been expanded over the years, while today it is common to receive up-to-date information on, for example, one’s electricity consumption, to order services via the web 24/7 or to work remotely. The result is that different kinds of systems, such as SCADA systems, business systems and the web, are interconnected. It is therefore also difficult to have an overview of how many routes there are to the information worthy of protection. Network segmentation involves dividing a data network into sub-networks, each of which is a network segment. The benefits of such a split are mainly better performance and better security. Most often, a combination of physical and logical separation is used.
Physical separation means that security zones are defined and distributed on different physical hardware. Logical separation means that different zones or network traffic are allowed to coexist on the same hardware or in the same network cable, which makes it less clear and thus leads to lower confidence in the strength of the separation mechanism than in the case of physical separation.
Learn more about using network segmentation!
6. Integrate IT with OT securely
Historically, OT systems have often been completely disconnected from the outside world. In step with the digitisation of society, the need to connect OT with the outside world has increased. IT and OT are therefore connected and often the same type of technology is used in IT and OT. The different needs within IT and OT easily lead to technical conflicts that can be challenging to manage and therefore require special solutions.
Read more about how to do this integration in a secure way!
7. Use one-way communication using data diodes
Many networks require extra protection against manipulation and data leakage because they contain classified or sensitive information. They may therefore be isolated for security reasons. However, there may be times when information needs to be sent to, or from, such networks. In these cases, a data diode can be very useful. Data diodes, with their high assurance, offer the necessary protection that ensures no information leaks can occur. The areas of use vary from importing software updates or virus definitions to importing, for example, OSINT information or sensor data into a covert analysis network.
Read more about Advenica’s data diodes!
If you need more help with how to protect yourself against supply chain attacks, please contact us!