Securing the Keys to the Kingdom: Hardening the IoT-connected supply chain
In the IT community, it is often said that the best defense against a cyber-attack is to “think like a hacker.” This tactic may work when an attack is directed at network infrastructure, and the goal is to protect technical information from exfiltration or exploitation. But, within the realm of the supply chain, cybersecurity is a very different kind of problem.
The union of the digital world with operational technology in the “Factory of the Future” has dramatically expanded the cyber-attack surface and shifted the economics of cybercrime “by facilitating hacking at scale,” according to Lior Div, CEO and co-founder of Cybereason, in a CSOonline article. “Attackers can target one organization and, in the process, gain a foothold to compromise hundreds or thousands more.” Supply chains have, in essence, become the gift that keeps on giving for cybercriminals, he explained.
To harden the IoT-connected supply chain, cybersecurity strategies need to move beyond a single enterprise’s digital infrastructure and encompass all the players within the value chain. In other words, it’s time to stop thinking like hackers and start bringing the risk-based, end-to-end perspective of supply chain professionals to the resistance.
“To address cybersecurity comprehensively across an entire value chain, we must look at the ‘who, what, where and how’ of our connected ecosystem,” said Edna Conway, former chief security officer for Cisco’s global value chain, and newly appointed vice president, general manager global security, risk and compliance, cloud supply chain at Microsoft. “People who have not run a supply chain do not necessarily think about the full end-to-end spectrum of the ICT value chain, from design to end of life, the way supply chain practitioners do.”
For example, Conway offered that printed circuit board testing is a fundamental step in validating the quality of an ICT system. “The fidelity and security of such testing and the integrity of the test data can be impacted by a variety of factors,” she noted. She suggested that to be comprehensive we should ask: “Has the test software been designed and developed pursuant to a secure development lifecycle? Is the testing conducted in a secure facility, with trusted personnel on secure systems? Is the test data being shared via a secure method?”
The difficulty of maintaining visibility into the many tiers of the extended supply chain is certainly not new. But the rapid proliferation of IoT-connected systems now pushes an enterprise’s digital boundaries well beyond its direct suppliers and its second- or third-tier indirect suppliers, noted Robert Metzger, shareholder at the Rogers Joseph O'Donnell law firm in Washington, D.C. and an active voice in the cybersecurity arena. An organization may therefore be completely unaware that its systems have become connected to, and dependent on the digital integrity of, some unknown entity.
As a result, today’s enterprises are at a distinct disadvantage in the battle against cybercrime. While a business must endeavor to protect systems with undetermined reach, attackers need only target a single weak link. “This is why applying risk-based physical, digital and cyber-physical security throughout the third-party ecosystem is paramount. No one node can independently protect itself,” said Metzger, who has worked closely with government agencies including the DoD and NSA on the issue and participated in the Defense Science Board Cyber Supply Chain Study. “Every company has a duty to act responsibly to protect the public against physical or economic harm resulting from poor cyber hygiene.” Unfortunately, not all do.
“The market is not populated only with the smartest and best companies who create and follow best practices,” he said. “There are all kinds of enterprises, all over the world, who seek to exploit emerging technologies or new areas of consumer demand to try to get to market first, with little concern for security.”
Emile Monette, former cybersecurity strategist at the Department of Homeland Security (DHS) Office of Cybersecurity and Communications, echoed Metzger’s observation. “Too many enterprises are not paying attention to these basics. This makes it cheap and easy for bad guys to do bad things.”
Monette, currently director of value chain security for Synopsys Inc., shared a few common-sense cyber hygiene practices both federal and commercial organizations should adhere to:
- Don’t buy software with known vulnerabilities
- Don’t buy hardware for sensitive applications from non-authorized resellers
- Ask suppliers for reasonable assurances about the security measures built into their practices
- Consider the security implications of trading visibility in the supply chain for fast, low-cost production
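The first of these practices is the one that can be checked mechanically before a purchase order is signed. As an added example (not from the article or from any of the people quoted in it), the Python script below reads a CycloneDX-style software bill of materials for a hypothetical firmware image, compares each component’s version against a list of known-vulnerable version ranges, and refuses the purchase if any component falls inside a range. The SBOM, the vulnerability feed and the EXAMPLE-* identifiers are all constructed for illustration, not real advisories; the range semantics (“introduced” inclusive, “fixed” exclusive, no “fixed” meaning no fixed release exists) follow the convention used by the OSV schema.

```python
"""Check a software bill of materials against known-vulnerable version
ranges before approving a purchase.  Both inputs below are constructed
for this example; the EXAMPLE-* ids are placeholders, not real advisories."""
import json
from typing import Optional

# Constructed CycloneDX-style SBOM for a hypothetical gateway firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libfoo",   "version": "1.4.2",  "purl": "pkg:generic/libfoo@1.4.2"},
    {"name": "netstack", "version": "2.0.10", "purl": "pkg:generic/netstack@2.0.10"},
    {"name": "tlslib",   "version": "3.1.0",  "purl": "pkg:generic/tlslib@3.1.0"},
    {"name": "mqttd",    "version": "0.9",    "purl": "pkg:generic/mqttd@0.9"}
  ]
}
"""

# Constructed vulnerability feed.  OSV-style ranges: "introduced" is
# inclusive, "fixed" is exclusive, and a missing "fixed" means that no
# fixed release exists yet.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "package": "libfoo",   "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-0002", "package": "netstack", "introduced": "2.0.0", "fixed": "2.0.5"},
    {"id": "EXAMPLE-0003", "package": "mqttd",    "introduced": "0.8",   "fixed": None},
    {"id": "EXAMPLE-0004", "package": "tlslib",   "introduced": "3.1.0", "fixed": "3.1.1"},
]


def parse_version(text: str) -> tuple:
    """Turn a dotted numeric version into a tuple that compares numerically.

    Trailing zeros are stripped so "2.0" and "2.0.0" compare equal.  A
    non-numeric segment (e.g. "1.4.2-rc1") raises ValueError so that an
    unparseable version is never silently treated as safe.
    """
    parts = []
    for seg in text.split("."):
        if not seg.isdigit():
            raise ValueError(f"non-numeric version segment in {text!r}")
        parts.append(int(seg))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def known_vulnerabilities(sbom_json: str, feed: list) -> list:
    """Return one finding per (component, advisory) match, sorted by component."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for vuln in feed:
            if vuln["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], vuln["introduced"], vuln.get("fixed")):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": vuln["id"],
                    "fixed_in": vuln.get("fixed"),
                })
    return sorted(findings, key=lambda f: (f["component"], f["advisory"]))


def purchase_decision(sbom_json: str, feed: list) -> str:
    """'reject' if any component has a known vulnerability, otherwise 'accept'."""
    return "reject" if known_vulnerabilities(sbom_json, feed) else "accept"


if __name__ == "__main__":
    for f in known_vulnerabilities(SBOM_JSON, VULN_FEED):
        fix = f["fixed_in"] or "no fixed release"
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {fix})")
    print(purchase_decision(SBOM_JSON, VULN_FEED))
```

Versions are compared numerically, so netstack 2.0.10 is correctly recognized as newer than the 2.0.5 fix; a plain string comparison would have flagged it as vulnerable. The script also refuses to guess about versions it cannot parse, which matters because a silent "safe" default is exactly how a known-vulnerable component slips through. In practice the feed would be pulled from an advisory source rather than embedded as a literal.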
Conway added that a mistake many organizations make is thinking they can build a robust cyber defense with technology alone. “Security is an inherently human challenge,” she said. “There is so much more to it than installing antivirus software and conducting penetration testing.” She believes risk-based security capabilities and sensitivities must be embedded into the existing people, processes, and tools of both internal and external stakeholders.
“The goal isn’t to implement the most technologically sophisticated solution, but to assure the right security is deployed in the right place, at the right time. So, we don’t go to partners and say, ‘here is our architecture, and here is how we want you to do it,’” she explained. “First, we ask them how they run their business, then we determine how our architecture can be implemented within the people, process and technologies that they already use to run their business. So, it’s rigorous, but it is also flexible.”
Another key to effective cyber risk management is understanding the things you can control and those you cannot, said Metzger. One aspect of supply chain cybersecurity that Metzger believes industry can, and must, do a better job of controlling is incident reporting.
“When a cyber-attack is mounted through the supply chain, we know for a certainty that this attack can proliferate and impact many other organizations,” he said. “We live in a situation where there are many more attack surfaces than ever before, and the consequences of an attack can be more severe than a bruised brand image or financial loss. In this environment, effective security must go beyond the things we do to safeguard our systems. We need to share what we have learned about an attack or vulnerability with everyone who has or could buy the same part, or operate the same software or rely on the same system.”
Though there is a general consensus that incident sharing is crucial to combating cyber breaches – research from AlienVault found that 76 percent of respondents believe they have a moral responsibility to share threat intelligence – a report from the Council of Economic Advisers entitled “The Cost of Malicious Cyber Activity to the U.S. Economy” indicates that the number of companies that publicly report malicious cyber breaches may be as low as three percent of all those actually affected. The stigma attached to a cyber-attack and fear of potential liabilities are among the most commonly cited reasons for failing to report or underreporting an event.
If this sounds familiar, it should. These are the same concerns many tech companies often cite for their reluctance to report the discovery of counterfeit components in their pipeline. As a result, billions of dollars of counterfeit components continue to flow through the global high tech supply chain. The financial loss, brand damage, and health and safety repercussions of this ongoing menace are incalculable.
So, as the industry faces another, even greater security threat, will history repeat itself? Maybe not. Consider Schneider Electric’s handling of the 2017 malware attack that targeted its Triconex safety-instrumented systems (SIS) at an undisclosed facility in the Middle East. The malware, dubbed Triton, is one of only a handful of known variants designed to breach industrial control systems (ICS), and the first to specifically target systems responsible for protecting human life, according to Robert Lee, founder of cybersecurity startup Dragos Inc.
Schneider Electric’s aggressive response and candor about the attack is said to have set the bar for incident response in the ICS sector. “They didn’t do the marketing dance,” according to cybersecurity evangelist Dale Peterson. Rather, the company analyzed the systems, found out what the problems were and have since shared their findings with the community through a variety of outlets, including industry events like the S4 Security Conference in Miami, where Schneider Electric executives offered a “deep analysis” of the incident. “This is what we need to help solve these problems and move things forward,” Peterson stated.
As concerns about the possibility of attacks on industrial systems in the era of the IIoT escalate, the global industrial process and manufacturing industry must heed the Triton attack as a warning, noted Schneider Electric’s Jay Abdallah in a blog post. “This problem isn’t limited to a single company, industry or region. It’s an international threat to public safety that can only be addressed and resolved through collaboration, collaboration that goes beyond borders and competitive interests,” he wrote. “The message has never been more clear: when it comes to cybersecurity, the industry needs to come together.”
Monette agrees. “We have a shared problem, and we need a shared solution,” he concluded.