What is a Supply Chain Cyber Attack?
You don’t need to look very far in today’s headlines without seeing a report on the latest cyber attack or data breach. These attacks are almost accepted as a risk of running a business. What you might not be aware of is that many of these attacks share a common route of entry, the supply chain.
Any organisation or individual who supplies your business with goods or services is part of your supply chain. If any part of this chain accesses your business, for example to provide remote support to your equipment, they can be a potential entry point to your infrastructure. Whilst you may have deployed a number of security defences to protect your network – can you say the same about your suppliers?
Supply chain attacks are not new, in fact they have been around for a number of years. One of the largest data breaches in retail history actually dates back to 2013. Approximately 40 million of US retailer Target’s customers had their credit and debit card information stolen after malware was found on the company’s point of sale systems. It is believed that the original infiltration of Target’s network actually came via their HVAC supplier, whose network was compromised and, in turn, the attackers were then able to use the “trusted” connection to gain access to Target’s infrastructure.
It isn’t just retail organisations who are under attack. Healthcare, defence, aerospace, government, Managed Service Providers and IT industries, amongst many other sectors, have all been targeted by threat actors acting on behalf of foreign governments. Their likely goal is that of intellectual property theft.
Whatever your organisation, the simple fact is that you are at risk from your supply chain.
Common Weaknesses in Supply Chain Management
- Lack of Resource
Companies should ensure that the links in their supply chain dedicate sufficient resources to managing their security. In practice, many suppliers do not identify security as a core business need, either unaware or indifferent to the potential impact it will have upstream. In these instances, it becomes imperative to impose your minimum expected security standards downstream, where possible requiring their commitment to these standards as a cost of doing business with you. This should be reviewed on a regular basis with each supplier to ensure that they maintain this capability. If not, a risk assessment should be carried out to determine if the value to your business exceeds the potential damage a supply-chain attack could cause. In the worst-case scenario it might be necessary to find a new supplier.
Companies must ensure that they comprehend the reasons behind certain assets needing to be protected. Understanding this allows the appropriate control measures to be put in place to verify, on an ongoing basis, that the services offered meet the security requirements. For example, checking that a delivery has exactly the right components, and has not been tampered with, even if it is from a reputable supplier.
When it comes to suppliers, one size does not fit all. Supply chains come in varying sizes, and the longer your chain the more attention you need to give it. A flexible management approach should be adopted, dependent on the risk associated with each supplier. For example, the risk posed by your 3rd party network management provider will likely be greater than the risk posed by the supplier of commodity software licences, and both will have a different risk profile to the outsource provider of payroll services. As an upstream company you must ensure there is suitable flow down of requirements, and manage how your direct suppliers flow their security controls down to their own suppliers.
- Communication Between Business & Supplier
There can be a lack of communication along the chain, to and from suppliers, concerning updated security measures or the reporting of incidents. If suppliers aren’t aware of expected changes to the security of the chain, or do not understand the steps to take in the event of a breach, cyber attacks are more likely to succeed and give criminals access to the core business. Building security requirements into the contracting process helps alleviate these issues, as all parties involved will have written confirmation of the security expectations.
It is good practice in this area to have regular supplier service reviews.
Examples of Recent Cyber Attacks
Eurofins, a private forensics firm that undertakes DNA analysis, toxicology, ballistics and computer forensics work for UK police forces, was recently hit by a ransomware attack. As a result, not only the police but any other forensics firms working in tandem with them had to suspend all work. This caused a lack of resources for forensic testing across the UK and cases had to be prioritised or backlogged to ensure high profile crimes were solved quickly.
It is important to ensure that your company already has contingency plans in place for the event of a supplier breach. In this scenario, did the police have sufficient business contingency plans for the failure of a key supplier? In order to create a contingency plan, you must research the potential effect that losing a supplier to a cyber attack will have, and determine alternative suppliers that can be used. As the police work with more than one forensic company, this mitigated the risk Eurofins posed and allowed them to continue forensic testing, albeit at a slower pace.
This is a failure of the software development processes to establish supply chain management processes and ensure that critical software updates from the supplier were identified and applied in a suitable time.
In 2017 there was a series of Petya malware attacks across Ukraine caused by the software supply chain being compromised. The software, MeDoc, was a Ukrainian tax accounting package used widely among tax accountants and other Ukrainian businesses. Threat actors took advantage of this commonality and gained access to MeDoc’s systems. From there they used the software’s automatic update mechanism to push malware, so that users of the software downloaded and ran malware rather than genuine updates.
Thus, by using the supply chain’s update process, the attacker was able to infiltrate companies subscribing to the service. The key here is to know where your updates are coming from, and to establish how you verify that they are genuine. For updates that could pose a high risk if they are compromised, it would be best practice to implement a test zone internally, or to use a security company to manage updates. Once they are deemed safe, they can be pushed down to the rest of the company network (in this specific case, verification of safety would have been challenging).
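The two controls the paragraph above describes, verifying that an update is genuine and holding it in a test zone before release, can be expressed as a small staging gate. The example below is added here for illustration and is not code from the original article or from any vendor's update client; the product name, version numbers and update bytes are constructed, and the manifest stands in for release metadata obtained through a channel independent of the update server itself (in practice a vendor's signed release notes or code-signing certificate). An update is only released when its digest matches that manifest, its version is newer than what is installed (so a replayed or rolled-back package is refused), and the internal test zone has passed it.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Manifest:
    """Release metadata the vendor publishes out-of-band (constructed example)."""
    product: str
    version: tuple   # e.g. (2, 3, 1)
    sha256: str      # hex digest of the genuine update payload


def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


class UpdateGate:
    """Staging gate between the supplier's update channel and production.

    An update must (1) match the out-of-band manifest, (2) be newer than the
    installed version, and (3) pass the internal test zone before release.
    """

    def __init__(self, product: str, installed_version: str):
        self.product = product
        self.installed = parse_version(installed_version)
        self.staged = {}   # sha256 -> Manifest of updates awaiting testing

    def verify(self, payload: bytes, manifest: Manifest):
        if manifest.product != self.product:
            return False, "manifest is for a different product"
        # compare_digest avoids timing differences; the digest is the real check
        if not hmac.compare_digest(digest(payload), manifest.sha256):
            return False, "payload digest does not match manifest"
        if manifest.version <= self.installed:
            return False, "rollback/replay: version not newer than installed"
        return True, "ok"

    def stage(self, payload: bytes, manifest: Manifest):
        """Accept an update into the test zone, or reject it with a reason."""
        ok, reason = self.verify(payload, manifest)
        if ok:
            self.staged[manifest.sha256] = manifest
        return ok, reason

    def release(self, payload: bytes, manifest: Manifest, test_passed: bool) -> bool:
        """Promote a staged update to production only after testing passed."""
        ok, _ = self.verify(payload, manifest)        # re-check the exact bytes
        if not ok or manifest.sha256 not in self.staged or not test_passed:
            return False
        self.installed = manifest.version
        del self.staged[manifest.sha256]
        return True


# Constructed, harmless placeholder update bytes (hypothetical product).
GENUINE = b"EXAMPLE-ACCOUNTING-SUITE update 2.3.1: placeholder bytes"
TAMPERED = GENUINE + b"\x00injected"   # same file with extra content appended
VENDOR_MANIFEST = Manifest("example-accounting-suite",
                           parse_version("2.3.1"), digest(GENUINE))


def run_scenario() -> dict:
    """Walk a tampered and a genuine update through the gate; return decisions."""
    gate = UpdateGate("example-accounting-suite", installed_version="2.3.0")
    results = {}
    results["tampered_staged"] = gate.stage(TAMPERED, VENDOR_MANIFEST)[0]
    results["genuine_staged"] = gate.stage(GENUINE, VENDOR_MANIFEST)[0]
    results["released_before_test"] = gate.release(GENUINE, VENDOR_MANIFEST, test_passed=False)
    results["released_after_test"] = gate.release(GENUINE, VENDOR_MANIFEST, test_passed=True)
    # Offering the same package again is now a replay: 2.3.1 is already installed.
    results["replay_staged"] = gate.stage(GENUINE, VENDOR_MANIFEST)[0]
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

The important design point is that the manifest must not come from the same place as the update: if the attacker controls the update server, anything served from it, including a checksum file, is equally untrustworthy. Hash pinning and version checks as shown here are the minimum; a vendor code-signing signature verified against a key you obtained independently gives the same assurance without needing a fresh manifest per release.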
Best Practice to Prevent Attacks
You should implement best practice across your entire supply chain to ensure a basic level of security which can then be built upon. Below are the top 5 practices to prevent attacks:
- Appropriate Controls
Understand the risk your supplier may pose to you and ensure that your supply chain has appropriate security controls in place. These will vary and flex dependent upon the type of data or influence they have on your business. One starting point would be to ensure all suppliers attain Cyber Essentials, which is becoming the UK’s minimum standard of security. However, this might be insufficient for higher risk suppliers.
- Regular Audits
Audit critical suppliers to ensure they are safeguarding your data in the ways they claim. The assessment will need to flex depending upon the risk, from a simple questionnaire to a full scale onsite 2nd or 3rd party audit.
- Understanding the Impact
Ensure that your supplier understands the procedures in place to contact you in the event of a breach. Complete a risk analysis of your suppliers to understand the knock-on effects on your company should their systems be compromised and create a contingency plan around this. This should be set up ready to go at the push of a button if needed, mitigating the damage that can be done to your business.
- Establishing How You Mitigate the Risks
As a company, you must decide which controls you can insist the supplier enhances to continue to do business with you. If they don’t comply, can you put mitigating procedures in place? If you can’t mitigate, you must then consider the impact of an attack on your business, and whether you can accept the risk.
Ensure that your suppliers understand their role in protecting your company’s information and the implications of failing to do so, write these in during the contracting process to ensure all parties understand their responsibilities. This can be as simple as checking what training your suppliers have provided staff and that in the event of a successful breach they know how to react.
- Segmentation and Segregation
Network segmentation is the partitioning of a single network into multiple smaller networks, controlling communications between specific hosts and services through the development and enforcement of a ruleset. This limits the damage caused when other customers of a shared service provider, or the provider itself, are compromised. Guidance on how to implement this in your business can be found here.
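To make the ruleset idea concrete, the example below models a segmented network in which a supplier's remote-support connections can only reach a hardened jump host, and only that host can reach the equipment segment it supports. It is an added illustration written for this page, not code from the original article or from any firewall product; the addresses, segment names and rules are constructed. The evaluator applies first-match rules with a default deny, which is how most firewalls behave, and the audit helper lists every allow rule that reaches a sensitive segment, a quick way to spot a supplier path that lands where it should not.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed segments with hypothetical addressing.
SUPPLIER_VPN = net("10.90.0.0/24")   # where supplier remote-support sessions land
JUMP_HOST    = net("10.10.5.10/32")  # hardened bastion the supplier may reach
HVAC         = net("10.20.0.0/24")   # building-management equipment segment
POS          = net("10.30.0.0/24")   # payment / point-of-sale segment
CORP         = net("10.40.0.0/16")   # internal corporate systems

# First-match ruleset; anything not matched falls through to DEFAULT_ACTION.
RULESET = [
    Rule("supplier-to-jump-ssh", SUPPLIER_VPN, JUMP_HOST, 22, "allow"),
    Rule("jump-to-hvac-mgmt",    JUMP_HOST,    HVAC,      443, "allow"),
    Rule("hvac-to-pos-block",    HVAC,         POS,       None, "deny"),  # explicit so it is visible
    Rule("corp-to-pos-api",      CORP,         POS,       8443, "allow"),
]
DEFAULT_ACTION = "deny"


def evaluate(ruleset, src_ip: str, dst_ip: str, dport: int):
    """Return (action, rule name) for a flow, using first-match semantics."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in ruleset:
        if src in rule.src and dst in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def allow_rules_reaching(ruleset, target: ipaddress.IPv4Network):
    """Audit helper: every allow rule whose destination overlaps a sensitive segment."""
    return [r for r in ruleset if r.action == "allow" and r.dst.overlaps(target)]


def check_flows() -> dict:
    """Evaluate constructed sample flows, including a supplier trying to reach POS directly."""
    flows = {
        "supplier->jump:22":   ("10.90.0.25", "10.10.5.10", 22),
        "jump->hvac:443":      ("10.10.5.10", "10.20.0.4", 443),
        "supplier->hvac:443":  ("10.90.0.25", "10.20.0.4", 443),   # must go via the jump host
        "hvac->pos:443":       ("10.20.0.4",  "10.30.0.7", 443),   # equipment must never reach payments
        "supplier->pos:8443":  ("10.90.0.25", "10.30.0.7", 8443),  # the path a supplier compromise would try
        "corp->pos:8443":      ("10.40.12.9", "10.30.0.7", 8443),
    }
    return {name: evaluate(RULESET, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, rule) in check_flows().items():
        print(f"{name:22s} {action:5s} ({rule})")
    print("allow rules reaching POS:", [r.name for r in allow_rules_reaching(RULESET, POS)])
```

Running the audit helper against the payment segment is the kind of check worth repeating whenever a supplier's access is changed: if a new allow rule ever appears in that list with a supplier or equipment segment as its source, the segmentation that was supposed to contain a supplier compromise no longer does.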
How Nexor Can Help
The Defence industry has long recognised the danger of insufficiently securing their supply chain and, with support from the UK Government, formed the Defence Cyber Protection Partnership to address supply chain related cyber threats. This resulted in the creation of DEFSTAN 05-138, which sets the minimum requirements for working on government defence contracts.
Nexor can help you to achieve Cyber Essentials or Cyber Essentials Plus, which is a key requirement of DEFSTAN 05-138. We are already compliant with DEFSTAN 05-138 and have proven experience in the process compliance entails. This includes managing our own supply chain and maintaining our Cyber Essentials Plus accreditation.
We can undertake risk assessments for not only your company but your entire supply chain. From this assessment, we can put in place supply chain security management processes to ensure that there are no weak links within the chain. This includes managing flow downs – ensuring that your suppliers are also compliant, preventing cyber criminals from accessing your supply chain.
Following this, we can design risk mitigations for your business to implement, as well as helping you to implement a supplier register, to effectively manage current and new suppliers and ensure that they comply with the required standards.
We are on hand to answer any customer questions about your supply chain. To find out more about how Nexor can help, please get in touch.
Author Bio – Sarah Knowles
Sarah Knowles is Nexor’s Senior Security Consultant. Her formal credentials include being an ISC2 Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor and a Member of the British Computer Society. She has a technical background primarily in Microsoft technologies and has provided security governance, compliance and risk management to both HMG and private sector clients.