Supply Chain Cybersecurity – Everything You Need to Know
When most organizations think about cybersecurity, they most often think about network and data protection. They think of firewalls, intrusion detection, secure and trained workforce, social engineering, secure network design, and other cyber defenses.
The weak link in your company’s cybersecurity might lie with manufacturers, suppliers, partners, and service providers. As organizations share data and assets at scale, the potential cybersecurity attack surface increases. It only takes one supplier to have a security flaw to compromise thousands of businesses with a single update, as has been seen in a litany of recent supply chain attacks and data breaches.
The unfortunate fact is that most companies are woefully unprepared to detect and prevent threats in their supply chain. To this point, the Cybersecurity Executive Order includes a section highlighting supply chain cybersecurity as an area for urgent attention. It’s becoming more important for supply chains to have the most up-to-date cybersecurity measures and systems in place.
How Does a Supply Chain Attack Occur?
Supply chain attacks take advantage of legitimate processes to gain access to a business’s ecosystem. Attackers infiltrate a vendor’s usually narrower security defenses because it is much simpler than attacking the victim directly. Once malicious code is inside the vendor’s system, it embeds itself into a digitally signed process. This can be difficult to detect because it is typically masked by the apparent authenticity of the software and the normal functioning of the device.
The code is then free to ride the software update traffic between the vendor and all of its networked clients. This allows threat actors to reach many more victims with far less effort. The recent exploitation of security vulnerabilities in IT software offered by Kaseya and SolarWinds occurred this way.
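The mechanism above (a poisoned build that still carries the vendor’s valid signature) is illustrated by the following added example, which is not code from the article or from any vendor it names. It assumes a constructed HMAC-SHA256 stand-in for real code signing and an independently published release hash (for instance from a reproducible build), and shows why a signature check alone passes the poisoned update while a second, independent check does not.

```python
"""Added example: a valid vendor signature alone does not catch a poisoned
update; an independent release hash is a second gate.

Assumptions (constructed for illustration, not real vendor tooling): the
vendor "signs" packages with HMAC-SHA256 as a stand-in for code signing, and
publishes an out-of-band SHA-256 of each clean release.
"""
import hashlib
import hmac

# Constructed vendor signing secret (stand-in for a code-signing key).
VENDOR_SIGNING_KEY = b"constructed-vendor-key"


def vendor_sign(package: bytes) -> str:
    """The vendor build pipeline signs whatever it is handed, clean or not."""
    return hmac.new(VENDOR_SIGNING_KEY, package, hashlib.sha256).hexdigest()


def signature_valid(package: bytes, signature: str) -> bool:
    """Client-side signature check; constant-time comparison."""
    return hmac.compare_digest(vendor_sign(package), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def update_allowed(package: bytes, signature: str, published_hash: str) -> tuple:
    """Deployment gate: require the vendor signature AND a match against the
    independently published release hash. Returns (allowed, reason)."""
    if not signature_valid(package, signature):
        return False, "signature check failed"
    if not hmac.compare_digest(sha256_hex(package), published_hash):
        return False, "validly signed, but hash differs from published release"
    return True, "ok"


# Constructed sample: a clean release, and the same release with a backdoor
# inserted inside the build pipeline before signing.
CLEAN_UPDATE = b"monitoring-agent-update-1.0: legitimate code"
POISONED_UPDATE = CLEAN_UPDATE + b"\n# injected backdoor stub (constructed)"
PUBLISHED_HASH = sha256_hex(CLEAN_UPDATE)  # obtained out of band

if __name__ == "__main__":
    for name, pkg in (("clean", CLEAN_UPDATE), ("poisoned", POISONED_UPDATE)):
        sig = vendor_sign(pkg)  # both carry a genuine vendor signature
        print(name, "signature ok:", signature_valid(pkg, sig),
              "deploy:", update_allowed(pkg, sig, PUBLISHED_HASH))
```

The poisoned package passes the signature check exactly as the clean one does; only the comparison against the independently published hash rejects it.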
The SolarWinds Hack Explained
In the spring of 2020, Texas-based SolarWinds was the subject of a supply chain breach that spread to its clients and went undetected for months. SolarWinds is a major information technology firm, which provides system management tools for infrastructure and network monitoring. The company was a lucrative and attractive target because of its privileged access to hundreds of thousands of IT systems.
The SolarWinds hack involved the company’s Orion system, which is used by more than 30,000 public and private organizations to manage their IT resources. Suspected nation-state hackers secretly broke into the Orion build system and slipped malicious code into software updates, which were ultimately installed by customers. Once installed, the malware distributed backdoors that gave the hackers remote access to confidential documents, emails, and other sensitive information.
The hackers had gained access to the system in October of 2019 and neither SolarWinds nor its customers knew of the breach until December of 2020. The backdoor retrieved and executed commands that included the ability to profile the system, transfer files, execute files, disable system services, modify system scheduled tasks, and reboot the machine without leaving traces on the disk. More than 18,000 SolarWinds customers downloaded the malicious code.
The SolarWinds software supply chain attack allowed threat actors to access the network of the cybersecurity company FireEye, the top five US accounting firms, the top ten US telecommunications companies, the State Department, the Pentagon, all branches of the US Military, as well as hundreds of colleges and universities. To SolarWinds and its customers, the hacked updates appeared to be just another routine software modification.
The Kaseya Hack
Just before the 4th of July weekend 2021, the Russian hacker organization REvil launched a ransomware attack on the US-based IT solutions provider, Kaseya. Making the hack particularly grave is the fact that Kaseya is a Managed Service Provider (MSP).
That means the company is contracted by small and medium-sized businesses unwilling to or unable to manage their own IT departments. To handle their customers’ IT tasks, MSPs use software like Virtual Systems Administrator (VSA), which allows them to update, add, or remove programs. The company also provides compliance systems and a professional services automation platform.
Kaseya ensures the security of its systems by regularly pushing out updates to its customers. But on July 2, hackers pushed ransomware via an automated and malicious update. Zero-day vulnerabilities were exploited by the hackers to trigger an authentication bypass in the VSA web interface.
The malicious code behind the Kaseya supply chain attack used Russian or related languages to avoid detection. Threat actors gained access to Kaseya’s customers’ data, encrypted servers and shared folders, and demanded payment of $70 million from Kaseya. The hack affected between 800 and 15,000 businesses worldwide.
Looking Beyond Your Own Perimeter
If you interconnect IT systems or allow vendors and suppliers access to your IT system, you need to have a supply chain cybersecurity plan in place. Keep in mind that no matter how secure your company’s network is, you cannot keep cybercriminals at bay if you continue to rely on supply chain vendors and suppliers that apply inadequate security controls to their devices and networks. Your cybersecurity plan is only as strong as its weakest link.
Here are a few steps organizations should take to ensure supply chain cybersecurity:
Ensure Basic Controls are in Place
At the very least, organizations should define reasonable levels of security and controls, based on frameworks such as NIST, CIS, and ISO 27001, and require critical supply chain partners to meet those terms. They should conduct vendor risk assessments and perform due diligence on third-party relationships. Organizations should also understand what data vendors will need access to and what controls suppliers have in place to protect that data against incoming and outgoing cyber threats. All third parties must be able to demonstrate their compliance with the agreed cybersecurity requirements.
Secure Information Transfer Between Suppliers
How do organizations transfer data between suppliers, and what is acceptable use of that data? Here, data classification agreements and tools are critical to ensure data is appropriately stored, handled, and disposed of throughout its lifetime. Applying metadata and visual labels to documents and emails can protect organizations from the risk of sensitive information being exposed to unauthorized people through the supply chain. Properly encrypting data in transit will also reduce risk.
Maintain Incident Response Plans
Parties in a supply chain should have a plan to notify the other if their systems, network, or data have been compromised or a breach is suspected. An incident response plan should be shared and regularly reviewed to guide the affected parties in the event of a breach. All employees and vendors should be included in the supply chain cybersecurity framework. Clear roles for all personnel and third parties in prevention, detection, and response measures are essential.
Work with Trusted Vendors
Partnering with third-party suppliers and vendors who will have access to your IT systems and sensitive customer data isn’t the time to go for the cheapest or most convenient option. Do your due diligence to find third-party partners committed to meeting or exceeding cyber compliance requirements in the supply chain.
Contact SCA to Learn More About Supply Chain Cybersecurity
Bringing on a skilled cybersecurity team to constantly test software and protection systems is another great way of keeping your organization ahead of possible cyberattacks. At SCA, our knowledgeable and experienced cybersecurity specialists provide first-class vulnerability assessments, penetration testing, risk assessments, application security assessments, controls reviews, and ESO services. Our goal is to help organizations identify, reduce and manage cybersecurity risks effectively.
Contact us today at (727) 571-1141 to learn more about the importance of supply chain cybersecurity and to schedule a risk assessment for your supply chain today.