By: Dick Bussiere, Technical Director for APAC at Tenable
Following the high profile SolarWinds attack last year, many Australian organisations have become concerned with the security of their OT (operational technology) and supply chain operations, many of which are largely unsecured. This attack serves as a stark reminder of how interconnected the supply chain truly is. In this case, the seemingly unconnected breach of a trusted third-party supplier was able to introduce malicious code directly into unrelated, separate infrastructures and wreak havoc across the supply chain ecosystem.
In an increasingly digitised world, the reliance on third-party relationships is vital, but this new exposure to cyber threats must be taken into consideration from the get-go. Here, I delve into what practices business leaders can implement to secure and manage supply chain infrastructure, looking beyond their own.
Maintain visibility across the board
With interconnected networks and software systems and subsystems being supplied by third parties, an organisation’s infrastructure becomes intimately intertwined with that of its suppliers. This means that having an understanding of how an attack against a partner or supplier could impact your organisation is critical. In the case of SolarWinds, hackers inserted malicious code into the organisation’s Orion system, which subsequently penetrated thousands of businesses globally.
The solution to gaining this understanding is to have continuous monitoring and threat intelligence relating to the full supply chain, as well as risk-based vulnerability management. It’s vital for businesses to have the ability to identify and monitor all assets within their own environment, but it’s also about taking it one step further – actively monitoring beyond what they own.
Prioritise inventory management
Research has shown that some Australian organisations have supply chains consisting of thousands of firms, with the Toyota chain famously consisting of over 2,100 suppliers. Knowing whether vendors maintain optimal cyber hygiene plays a vital role in identifying the threat landscape, but given the huge number of suppliers, starting early on in a relationship is key.
Before partnering with a new supplier, and throughout the relationship, business leaders should ask themselves some key questions.
- Have the vendors suffered any security breaches that could have introduced malware into their software or into the code or services that they are supplying?
- Do vendors employ strict role-based access control models with segregated duties for their environment and technology stack?
- Have vendors in the supply-chain deployed automation to monitor and enforce role-based access control settings?
- Do supply-chain vendors employ two-factor authentication?
- Are vendors constantly reviewing token and credential usage?
- Is the vendor taking measures to ensure that the third-party code that they are using is free from malicious content?
- And most importantly, when was the last time the vendor completed a third-party security review of their technical estate?
Establish zero-trust network models
The SolarWinds attack reiterates that trustworthy, vendor-issued updates are not exempt from being spoofed. The attack took place deep within the software development pipeline, and the code was signed with a valid SolarWinds certificate trusted by customers. This means that taking a zero-trust approach to risk management is critical.
Having an environmental baseline that includes accurate asset inventory, and an understanding of business processes, traffic flows and dependency mappings is essential to establishing where trust relationships exist and where a zero-trust model should be implemented. In doing so, business leaders can use zero-trust to ensure communications within supply chains are secure and from approved and trusted users. Additionally, this helps to ensure supply chains are free from vulnerabilities and can be defended against attacks.
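One way to turn the baseline described above into a working check, as an added example that is not from the article or from Tenable: the asset inventory, the approved dependency map and the flow records are all constructed sample data, and anything not explicitly listed in the dependency map is treated as untrusted. The script flags observed flows with no approved trust relationship (including an unknown asset that is missing from the inventory) and also reports approved dependencies that were never observed, which are candidates for pruning.

```python
"""Added example (not from the article or from Tenable): checks observed
network flows against an approved dependency map derived from an asset
inventory. Every asset, flow and mapping below is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed asset inventory: address -> (hostname, role, owner)
INVENTORY = {
    "10.0.1.10": ("erp-app-01", "erp-app", "internal"),
    "10.0.1.20": ("erp-db-01", "erp-db", "internal"),
    "10.0.2.5": ("update-proxy-01", "update-proxy", "internal"),
    "203.0.113.7": ("vendor-update-cdn", "vendor-update", "supplier-a"),
    "198.51.100.9": ("vendor-support-gw", "vendor-support", "supplier-b"),
}

# Approved dependency map: (source role, destination role, destination port).
# Anything not listed is untrusted by default (zero-trust posture).
APPROVED = {
    ("erp-app", "erp-db", 5432),
    ("update-proxy", "vendor-update", 443),
    ("erp-app", "update-proxy", 8080),
}

# Constructed flow records in a simple "src dst port bytes" format
SAMPLE_FLOWS = """\
10.0.1.10 10.0.1.20 5432 48213
10.0.2.5 203.0.113.7 443 901223
10.0.1.10 203.0.113.7 443 1422
198.51.100.9 10.0.1.20 5432 77
10.0.1.20 10.0.1.10 22 310
192.0.2.44 10.0.1.10 8080 10
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def parse_flows(text):
    """Parse flow records into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split()
        ip_address(src)  # validate the address; raises ValueError on garbage
        ip_address(dst)
        flows.append((src, dst, int(port), int(nbytes)))
    return flows


def role_of(addr):
    """Map an address to its inventory role, or None if it is not inventoried."""
    entry = INVENTORY.get(addr)
    return entry[1] if entry else None


def evaluate(flows):
    """Return one Finding per flow that has no approved trust relationship."""
    findings = []
    for src, dst, port, _ in flows:
        s_role, d_role = role_of(src), role_of(dst)
        if s_role is None or d_role is None:
            findings.append(Finding(src, dst, port, "unknown asset: not in inventory"))
        elif (s_role, d_role, port) not in APPROVED:
            findings.append(Finding(src, dst, port,
                                    f"no approved dependency {s_role}->{d_role}:{port}"))
    return findings


def unused_approvals(flows):
    """Approved dependencies never seen in the flows: stale trust to review."""
    seen = {(role_of(s), role_of(d), p) for s, d, p, _ in flows}
    return APPROVED - seen


def report(text=SAMPLE_FLOWS):
    """Print and return the deny-by-default findings for a set of flow records."""
    flows = parse_flows(text)
    findings = evaluate(flows)
    for f in findings:
        print(f"DENY-BY-DEFAULT {f.src} -> {f.dst}:{f.port}  ({f.reason})")
    for dep in sorted(unused_approvals(flows)):
        print(f"UNUSED-APPROVAL {dep[0]} -> {dep[1]}:{dep[2]}")
    return findings


if __name__ == "__main__":
    report()
```

On the sample data this flags the ERP application talking directly to the vendor update CDN instead of going through the update proxy, a vendor support gateway reaching the database tier, an unexpected SSH flow from the database to the application host, and a source address that is not in the inventory at all. The same approach works for any flow export as long as each record can be resolved to an inventoried role on both ends.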
Limit access to important data
Once a defence has been breached, attackers are quick to move laterally and look for privileged accounts. Privileged accounts have access to sensitive information and the more privileged access roles there are, the larger the attack surface, so such accounts need to be kept to a minimum.
It’s important to identify who has access to privileged accounts and ensure the appropriate level of privilege is decided for each role within the organisation. Implementing identity access management and encrypting all internal data can make it difficult for cybercriminals to establish backdoors to infiltrate during a supply-chain attack.
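A concrete way to answer "who has privileged access, and should they?", as an added example that is not from the article or from Tenable: the role catalogue, the user directory and the list of permissions treated as privileged are all constructed sample data. The script computes each identity's effective permissions from its role assignments, lists the privileged accounts, and then applies three of the checks the article raises: privileged accounts without two-factor authentication, identities whose combined roles break segregation of duties, and privileged access held by supplier accounts.

```python
"""Added example (not the article's or Tenable's code): audits constructed IAM
data to find who effectively holds privileged permissions, whether those
permissions clash, and which privileged accounts lack MFA."""

# Constructed role -> permission catalogue
ROLES = {
    "erp-user": {"erp:read", "erp:submit_order"},
    "erp-approver": {"erp:read", "erp:approve_order"},
    "erp-admin": {"erp:read", "erp:approve_order", "erp:manage_users"},
    "db-operator": {"db:read", "db:backup"},
    "db-admin": {"db:read", "db:backup", "db:grant", "db:drop"},
    "vendor-support": {"erp:read"},
}

# Permissions treated as privileged (they expose sensitive data or change trust)
PRIVILEGED = {"erp:manage_users", "erp:approve_order", "db:grant", "db:drop"}

# Permission pairs one identity should never hold together (segregation of duties)
SOD_CONFLICTS = {frozenset({"erp:submit_order", "erp:approve_order"})}

# Constructed user directory: user -> (roles, mfa_enabled, owner)
USERS = {
    "alice": ({"erp-admin"}, True, "internal"),
    "bob": ({"erp-user", "db-admin"}, False, "internal"),
    "carol": ({"db-operator"}, True, "internal"),
    "dave": ({"erp-user", "erp-approver"}, True, "internal"),
    "supplier-a-svc": ({"vendor-support", "erp-admin"}, False, "supplier-a"),
}


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    roles, _, _ = USERS[user]
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def privileged_users():
    """Identities whose effective permissions include a privileged one."""
    return sorted(u for u in USERS if effective_permissions(u) & PRIVILEGED)


def privileged_without_mfa():
    """Privileged identities that can still authenticate with a single factor."""
    return sorted(u for u in privileged_users() if not USERS[u][1])


def sod_violations():
    """Identities whose combined roles hold a conflicting permission pair."""
    out = {}
    for user in USERS:
        perms = effective_permissions(user)
        hits = [tuple(sorted(c)) for c in SOD_CONFLICTS if c <= perms]
        if hits:
            out[user] = hits
    return out


def external_privileged():
    """Privileged identities owned by a supplier rather than the organisation."""
    return sorted(u for u in privileged_users() if USERS[u][2] != "internal")


def summary():
    """Print and return the audit results as a dict."""
    result = {
        "privileged": privileged_users(),
        "no_mfa": privileged_without_mfa(),
        "sod": sod_violations(),
        "external": external_privileged(),
    }
    print(f"privileged accounts ({len(result['privileged'])}): {result['privileged']}")
    print(f"privileged without MFA: {result['no_mfa']}")
    print(f"segregation-of-duties violations: {result['sod']}")
    print(f"supplier-owned privileged accounts: {result['external']}")
    return result


if __name__ == "__main__":
    summary()
```

On the sample data four of five identities end up privileged, which is the kind of count the article says should be driven down; two of them have no second factor, one user can both submit and approve orders, and a supplier service account holds an internal admin role. Each of these is a finding to take back to the role design rather than something to patch per user.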
While external forces are outside an organisation’s direct control, ultimately, it’s important not to ignore the risks posed. There is no doubt that a cyberattack on a third-party vendor has the potential to create operational, compliance and reputational risks across the entire supply chain. The ripple effects of these attacks are a painful example of how crucial it is for organisations to prioritise supply chain security with a renewed sense of urgency.