Supply Chains Need Better Cyber Risk Management


Supply Chain Cybersecurity Concerns

The complex digital environment can create many cybersecurity risks in the supply chain.

Modern supply chains no longer merely involve physical goods; they generally encompass various digital products, including hardware, software, and services. As such, a solid security posture in both cyber and physical security is a must.

As supply chains become more complex and global, it becomes more challenging to track and secure all the different components and points of vulnerability, many of which can introduce risk to business and government operations.

As more critical systems depend on information and communication technologies (ICT) and operational technologies (OT), disruptions or attacks on those systems can have far-reaching consequences. These factors can complicate the digital environment and create new opportunities for adversaries to introduce risk into both federal government and commercial systems.

Fortunately, there are steps that your organization can take to protect your supply chains from cybersecurity threats. This article will cover various ways your organization can stay on top of the latest cybersecurity threats and vulnerabilities to protect your supply chain. 

Why Cybersecurity in the Supply Chain is Important

The interconnectedness of the modern world has made it easier for hackers to gain access to sensitive data, and they often use supply chains to exploit companies. This can be due to either intentional flaws introduced into products, or poorly designed systems. 

Additionally, regulators are increasingly focusing on cybersecurity, and companies that do not have a robust cyber risk management strategy may face penalties and liabilities should incidents occur.

According to Bob Kolasky, Exiger’s SVP for Critical Infrastructure and former assistant director at the Cybersecurity and Infrastructure Security Agency (CISA), “There is an imperative both from a policy landscape, a regulatory landscape, and also from a business landscape to do a better job at understanding risks and managing those risks.”

Through policy actions, such as the 2021 Cybersecurity Executive Order (EO 14028), the Biden administration has established a clear framework for how the government and private sector should work together to improve cybersecurity in government systems. Meanwhile, policymakers across the globe continue to work on critical infrastructure and set up information-sharing systems that help organizations protect themselves from cyber threats while ensuring privacy rights are protected.

One year after the signing of EO 14028, Kolasky is “pleased with the degree to which this executive order has driven and continues to drive activity. Not all executive orders do that.”

He adds, “This was the president in his role as CEO of the largest enterprise in the country, the US government, saying, ‘I want my CISO team, my risk team, to take cybersecurity more seriously.’ It has impacted the broader cybersecurity across the US, including state and local governments and critical infrastructure.”

Notable Supply Chain Attacks

Digital vulnerabilities in the supply chain can compromise the integrity of data and systems, which can impact the reliability of systems and the trust that users have in them. They can be used to gain access to sensitive information, intellectual property, and data. 

Here are examples of supply chain vulnerabilities and attacks that can potentially be exploited through ransomware and that may be amplified when supply chains are not properly secured with a process designed to minimize risks:

  • Microsoft Zero-Day Vulnerabilities: In September 2022, the IT Security community and Microsoft confirmed the investigation of Microsoft Exchange Server zero-day vulnerabilities, impacting thousands of enterprises directly and potentially millions indirectly.
  • Log4Shell: A zero-day vulnerability in Log4j, a widely used Java logging framework, was discovered in November 2021. Dubbed Log4Shell, the vulnerability affected an estimated 93% of enterprise cloud environments.
  • SolarWinds Attack: In December 2020, it was discovered that SolarWinds, a major supplier of enterprise software, had been compromised by a sophisticated cyber-attack. The attackers were able to insert malicious code into SolarWinds’ software updates, which were then pushed out to SolarWinds’ customers. The attackers used this access to gain information about SolarWinds’ customers, including many government agencies.
  • Section 889 devices from China: In August 2019, the US government issued an order banning the use of Section 889 devices from China. Section 889 devices are “communications equipment manufactured or provided by certain Chinese entities” or vendors such as Huawei and Hikvision. This regulation was put in place because of the risk that these devices could be used to spy on or disrupt US communications networks. These devices are still exposed, potentially leading to risk and intrusion into various organizations.
  • WannaCry: In May 2017, a ransomware attack known as WannaCry spread across the globe, affecting more than 230,000 computers in 150 countries. The attack took advantage of a vulnerability in Microsoft’s Windows operating system. The WannaCry attack highlighted the importance of patch management and staying up-to-date on software updates.
  • Accellion: In December 2020, it was discovered that a cyber attack compromised Accellion’s file-sharing software. The attackers were able to access customer data, including sensitive information.

The Vulnerabilities that Adversaries Target in Supply Chains

Adversaries are constantly seeking vulnerabilities in your supply chain that could be exploited to gain access to networks or data, as well as weaknesses that could lead to disruptions in service or the failure of critical systems. They may also seek to identify and exploit relationships with key suppliers to access sensitive data or systems.

By understanding the types of risks that adversaries are targeting, organizations can better protect their supply chains and ensure that their systems are not compromised.

Exploitable Vulnerabilities in the Attack Surface

One of the main ways that adversaries can gain access to networks and information is by exploiting vulnerabilities in the attack surface. 

The Computer Security Resource Center (CSRC) defines an “attack surface” as “the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from.”

Keeping the attack surface as minimal as possible is crucial to protecting your organization from cyber supply chain attacks. By understanding the attack surface, organizations can work to patch any vulnerabilities that an attacker could exploit and that present an undue risk to the system. This is important in preventing supply chain attacks, because it makes it more difficult for adversaries to find a way in.

Attack Vector: Ransomware

Kolasky previously served as an Assistant Director at the Cybersecurity and Infrastructure Security Agency, where his work found that “in each of the six phases of the ICT supply chain software life cycle, the software is at risk of malicious or inadvertent introduction of vulnerability.”

While ransomware attacks are often conducted by criminal gangs for financial gain, there is a concerning trend of ransomware attacks led by criminal gangs that are sponsored or backed by adversarial governments and that aim to infiltrate software at key points of vulnerability.

These groups have access to more sophisticated and destructive malware tools and often target national governments and critical infrastructure. In addition to causing financial damage, these ransomware attacks can also disrupt critical operations and cause serious harm to government services and American citizens.  

In 2021, President Biden declared that “cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation. The degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.”

The administration’s policy recognizes the cybersecurity threats to industrial control systems and other related operational technology. When cyber attacks start to have physical and real-world impacts through control systems and operational technology, they harm the American people.

Maintaining an understanding of the risks introduced into your supply chain through industrial control systems at suppliers and service providers is crucial to achieving enhanced cybersecurity.


Steps You Can Take to Strengthen Cybersecurity

As adversaries are continually looking for ways to interfere in the supply chains of critical infrastructure, it is important to stay several steps ahead and give them no room to work their way into your supply chain.

Close Vulnerable Gaps with Tools Available Today

Closing vulnerable gaps requires tools that go deep into multiple tiers of suppliers—not just to the third party but also to the fourth, fifth, and further to the end tier—to gauge cybersecurity risks exposed in vendors and service providers. This insight, coupled with security controls, incident responses, and security practices will help you to identify and mitigate any issues before they cause too much damage.

Today’s security tools, such as Exiger in partnership with SecurityScorecard, help close vulnerable gaps by empowering businesses to take proactive steps in their information security measures and protect their networks from potential data breaches. They provide interactive platforms that leverage unique data sets encompassing billions of data points. SecurityScorecard collects tens of millions of data points within their ecosystem daily. Exiger has billions of records, overlaid with artificial intelligence and natural language processing, to further contextualize that analysis.


For instance, Exiger uses unique data sets from open-source professional information to understand organizations’ digital landscape. By using machines and bot networks to extract information, Exiger can overlay risks that can be interrogated across entire portfolios and networks. This can help to prevent organizations from doing business with sanctioned individuals and entities.

Exiger provides solutions and interactive tools that leverage unique data sets within the data collection processes. The platform then feeds that data into business intelligence tools that visualize the risks in interactive platforms. This also allows organizations to actively monitor any breaches that may have come to light since the last time they checked on a network.

Exiger’s DDIQ Cyber Analysis creates a real-time view of threats and vulnerabilities for the customer to allow for risk-based mitigation, stopping the threat where it matters most.

Continuously Monitor Your Third-Party Vendors

In addition to analyzing, exploring, and mitigating risks, continuous monitoring is necessary. However, checking hundreds of thousands of companies on your own would be impossible. This is where automated risk assessment, audits, and supply chain risk management tools like Exiger’s Supply Chain Explorer can help.

Supply Chain Explorer monitors entire ecosystems for risks down the software supply chain, flagging any issues that may arise. It generates alerts to let you know when there is a risk so that you can investigate and mitigate it. This allows businesses to proactively minimize and mitigate any potential threats before they cause damage.

With Supply Chain Explorer, Exiger clients can instantaneously identify and assess the criticality of threats in their environment, allowing them to focus on their core business operations rather than worrying about potential security threats which won’t have a significant impact.


Manage Risks in Your Supply Chain with Exiger

The global supply chain is becoming increasingly complex as it expands into the digital world. This complexity can lead to various risks, including cybersecurity threats from hostile governments. Organizations are held accountable for managing the risks that arise within all levels of the supply chain, but it proves to be difficult to monitor those risks manually.

The solution to protecting the supply chain from these threats is a technology like Exiger’s Supply Chain Explorer. The system pulls millions of data points from open-source intelligence discovered by DDIQ—all compiled in an easy-to-use interface—allowing you to make informed decisions for your organization.

Don’t wait to improve your security strategy—Exiger is now offering limited registrations for early-access trial licenses of the Supply Chain Explorer. Learn more to instantly identify and assess the criticality of threats in your environment.
