Supply Chain Security for Insecure Times

If you are asked to think of an image that represents cybersecurity, you might picture a shielded fortress, a padlocked entry system, or another impenetrable barrier to protect against attack. We are hardwired towards this external vigilance and to defend against intrusion.

This natural drive to protect against intruders however, must sit alongside the sometimes conflicting need to transact outside the secured perimeter of the organisation. The compromise is supply chain security, which focuses on ensuring that the products you introduce into your system are as safe as possible. Risks are present throughout all supply chains, with products vulnerable to corruption at source, in transit, or further down the chain.

The challenge is to work out where the weak links exist and to reduce the risk to organisations by insisting on standards of security at each section of the chain. However, as much as these risk checks are vital, it's important to recognise that they cannot guarantee supply chain integrity.

The Threat Within

The safest assumption is that at some point, your supply chain will contain a product with a compromised element which you will unknowingly introduce into your system, so entirely bypassing any perimeter defences.

We don’t need to look very far to see evidence of this. The recent Microsoft Exchange hack along with last year’s SolarWinds hack, both affected tens of thousands of organisations including several US government agencies and large multi-national organisations - many of whom had robust supply chain requirements.

Against this backdrop, it is reasonable to question if any supplier is really safe. We might once have thought of reputable and large vendors as the safe choice but in the case of a supply chain attack, any hardware, operating system, or software could in theory be compromised.

Some commentators on the SolarWinds hack have since drawn attention to past danger signs, such as the expansion of operations into Eastern Europe within easy reach of Russian operatives. But with the US Pentagon as well as the US Department of Homeland Security among other very high-profile supply chain consumers, it’s fair to say that supply chain risks cannot always be predicted – even by extremely competent and risk-averse organisations.

If we learn one important lesson from SolarWinds and Microsoft, it’s that it is not enough to rely on reputable suppliers to remove weak links in a supply chain. This will reduce the risks - but it won’t eliminate them.

Trust

So, what can you do to protect yourself from a supply chain attack? The honest answer is there is no guarantee that you can. It makes sense to have an end-to-end view of your supply chain and to ensure that the suppliers involved match your cyber security standards and risk appetite - but apart from launching a wholescale investigation into the source code for every piece of software you use, you are taking some things on trust.

Trust, is where the issue lies. In fact, what we are really talking about is continuing to use products provided by supply chains but to simultaneously operate a zero-trust model. We have to work on the premise that any product is a potentially unreliable guest that has been corrupted at some point in the supply chain, with the potential to unlock your network from the inside. Once the door is open, your level of vulnerability will depend almost entirely on the defences within your internal system.

Take a Deep Look Inside

Preventing a situation from getting out of control once a piece of compromised software is installed on your system involves paying as much close attention to internal security as to your perimeter security. This means a great deal of focus should be on how we detect and contain internal threats.

Active monitoring for anomalies is essential to detect unusual or unexpected activity across your IT infrastructure and can potentially detect a supply chain attack before it becomes critical. Additional internal layers of defence are also required to restrict threats from travelling throughout your infrastructure.

Prepare for the Worst

Supply chain security is gaining attention at government level. In the UK, the National Cyber Security Centre (NCSC) has 12 principles of supply chain security which are incorporated in the Cyber Essentials scheme. Meanwhile, the US government Cybersecurity & Infrastructure Security Agency (CISA) has declared April to be National Supply Chain Integrity Month.

The use of supply chain attacks is likely to become more widespread as the stakes continue to rise, so it’s vital that all organisations recognise these as potential existential threats rather than solely an IT issue.

“Recent global cyber incidents involving SolarWinds and Microsoft Exchange have shown the range of cyber threats we currently face. As our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online. It shows us what more we all have to do. Cyber security is still not taken as seriously as it should be, and simply is not embedded into the UK’s boardroom thinking.” Lindy Cameron, CEO of the NCSC

We can help

Although risks inherent in supply chains are impossible to completely eliminate, we can do much to reduce the risk - thorough preparation can provide protection against threats and their potentially drastic consequences. ITGL helps organisations within the UK healthcare and education sectors with this preparation, so they can continue to safeguard the security of their assets and the welfare of the people they serve.

If you have questions about supply chain safety and zero-trust or would like advice on monitoring the behaviour inside your network, then talk to us at security@itgl.com.

ITGL Cybersecurity Practice