The Supply Chain Threat
Hackers, whether they are criminal organisations or state-sponsored groups, will seek out the path of least resistance when attacking their selected target. A trusted organisation in the supply chain with direct or indirect connectivity to the target is often the weakest link, and compromising it provides the access the attackers need.
In the last decade there has been a significant rise in the number of criminal organisations and other malicious actors seeking out and exploiting security flaws at minimal risk to themselves. Information technology is inherently vulnerable due to complexity, errors in programming logic, insufficient input validation, improper memory management, insecure configuration settings, outdated (and unpatched) software and, of course, the human factor. Organisations have different security risk appetites that will influence how much effort they make to protect their systems and the products and services they provide to their customers.
The SolarWinds Attack
The 2020 SolarWinds cyberattack is widely regarded as the most sophisticated and damaging cyberattack in history. The attack compromised SolarWinds Orion software, which was used by at least 18,000 US government organisations and private multinational companies.
The attackers inserted what became known as Sunburst or Solorigate malware into Orion’s legitimate software updates after gaining access to SolarWinds systems. SolarWinds customers using the Orion software installed the ‘Trojanised’ Orion updates without question. This granted the attackers access to and control of SolarWinds customers’ networks, allowing them to spy on those customers’ business activities.
The attack took many months. It began with small test payloads: after gaining access to the Orion development process, the attackers made minute changes to SolarWinds code to confirm that their changes would not attract attention.
However, the success of the SolarWinds attack didn’t rely entirely on exploiting technical vulnerabilities; it also relied on human error and a failure to follow procedural security controls.
Why Attack the Supply Chain?
The objective of a supply chain cyberattack is to get inside the usually capable defences of the intended target, such as a government agency or a high-value company. These types of organisations are usually well defended and too difficult to attack directly. Cyber attackers will therefore direct their efforts at weaker and often less secure supplier networks, which are frequently connected, directly or indirectly, to the intended target and trusted by it.
What can Organisations do to Secure their Supply Chain?
Understand the Supply Chain and Identify Security Risks
Organisations must understand their supply chain, as not all suppliers are equal. Some may, for example, have direct access to an organisation’s systems and data. Others may process HR and payroll information, and others, like SolarWinds, provide enterprise-level software that, when compromised, could be used against the company. Only when the supply chain is understood can the security risks be assessed.
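The paragraph above turns on the distinction between direct and indirect connectivity: a supplier two or three contracts removed from the organisation can still reach its systems through an intermediary it trusts. The script below is an added illustration, not part of the original article and not any organisation’s real supplier data. It models suppliers and their connectivity as a small directed graph (the supplier names and edges are constructed for the example) and, for each supplier, finds the shortest chain of trust leading into the organisation, so that fourth parties with only indirect connectivity are surfaced alongside first-tier suppliers rather than missed.

```python
"""Map direct and indirect supplier connectivity into an organisation.

Added example with constructed data; supplier names and edges are
hypothetical and exist only to show the technique.
"""
from collections import deque

# The organisation whose defences the supply chain can reach.
ORG = "org"

# Constructed supplier inventory. Every supplier is listed, including
# those with no connectivity at all, so that nothing is silently omitted.
SUPPLIERS = [
    "payroll-bureau",      # processes HR and payroll data
    "monitoring-vendor",   # enterprise software deployed inside the org
    "build-tooling",       # fourth party: supplies the vendor's build pipeline
    "contractor-x",        # contractor with access to build-tooling's systems
    "stationery",          # no connectivity to any system
]

# Constructed connectivity edges: (source, destination) means that the
# source has network or data access into the destination's environment.
EDGES = [
    ("payroll-bureau", ORG),
    ("monitoring-vendor", ORG),
    ("build-tooling", "monitoring-vendor"),
    ("contractor-x", "build-tooling"),
]


def reverse_graph(edges):
    """Build destination -> {sources} so we can walk backwards from ORG."""
    reverse = {}
    for src, dst in edges:
        reverse.setdefault(dst, set()).add(src)
        reverse.setdefault(src, set())
    return reverse


def connectivity_paths(edges, target=ORG):
    """Return {supplier: shortest path to target} for every node that can
    reach the target. Breadth-first search outward from the target over the
    reversed edges guarantees that each path found is a shortest one."""
    reverse = reverse_graph(edges)
    paths = {target: [target]}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, ()):
            if pred not in paths:
                paths[pred] = [pred] + paths[node]
                queue.append(pred)
    paths.pop(target)
    return paths


def classify_suppliers(suppliers, edges, target=ORG):
    """Label each supplier 'direct', 'indirect' or 'none' and record the
    trust chain that gives it connectivity (empty when there is none)."""
    paths = connectivity_paths(edges, target)
    result = {}
    for supplier in suppliers:
        path = paths.get(supplier, [])
        if len(path) == 2:          # supplier -> org
            label = "direct"
        elif len(path) > 2:         # supplier -> ... -> org
            label = "indirect"
        else:
            label = "none"
        result[supplier] = (label, path)
    return result


if __name__ == "__main__":
    for name, (label, path) in classify_suppliers(SUPPLIERS, EDGES).items():
        chain = " -> ".join(path) if path else "(no connectivity)"
        print(f"{name:18} {label:8} {chain}")
```

Run as-is it prints one line per supplier; in practice the edge list would be populated from the supplier inventory and contract records the article asks organisations to build. The point to take from the output is that `contractor-x` never appears in a contract with the organisation yet still has a chain of trust into it, which is exactly the kind of relationship a risk assessment limited to first-tier suppliers would miss.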
Once the risks have been identified, the organisation can decide on the appropriate levels of protection that it will expect suppliers across the supply chain to implement and maintain. At this stage, it is important to develop an understanding of what good security looks like.
A minimum set of security requirements, based on best practice and which are justified, proportionate and achievable, should be communicated to suppliers. These requirements should reflect the assessment of security risks, but also take account of the maturity of your suppliers’ security arrangements and their ability to deliver the requirements the organisation has defined.
These security control requirements will usually be included in supplier contractual agreements.
Establish Control of the Supply Chain
Ensure that suppliers understand their responsibility to protect and secure the products and services they are providing to the organisation, and the implications of failing to do so. SolarWinds may have been aware of their responsibility but failed to implement, or possibly to maintain, appropriate security controls (technical, procedural or physical) that would have protected the services and products they were providing to their customers. Although it is difficult to achieve, organisations must aim to proactively ensure that suppliers comply with their security responsibilities, contractual or otherwise.
Consideration should also be given to setting different protection and security requirements for different types of suppliers, based on the risk associated with them. This avoids situations where an organisation forces all suppliers to deliver the same set of security requirements when it is not proportionate or justified to do so.
Check the Arrangements and Compliance
The organisation must build assurance activities into the supply chain management process. For key suppliers, these activities may include reporting of security performance, such as:
- Informing in good time about significant changes that may impact on security
- Reporting security incidents
- Reporting the loss or failure to maintain security certification.
Other assurance activities may include a contractual ‘right to audit’, noting that this is not always possible or desirable; a requirement to achieve independent certification, e.g., Cyber Essentials Plus or ISO27001 certification of the supplier’s Information Security Management System (ISMS); and independent testing by a suitably qualified and experienced security test team.
Organisations should encourage the continuous improvement of security within the supply chain by maintaining an open dialogue and providing support, acknowledging that a supplier might do things differently but achieve the same outcomes. Suppliers should also be listened to, as they may raise concerns or issues that need to be acted on.
Essentially, an organisation is looking to build trust with its suppliers so that issues can be shared, so that suppliers know their input is valued, and so that both parties can develop a mutually beneficial relationship that protects them both.