Supply Chain Cyber Security Assurance
The business world is becoming more connected and interconnected - organisations increasingly rely on services that are supplied or run by other parties, including hardware, software and entire services / capabilities; and these may be geographically dispersed on a global scale. At the same time, supply chains are also becoming increasingly complex, both in breadth – the number of services being outsourced, and depth – elements of the outsourced services (or entire services) will in turn be sub-contracted to other parties.
Security assurance effort has traditionally focussed on the “end service” and the security of information within it, but this overlooks the fact that:
- Services and capabilities are increasingly distributed, and critical elements of an end service are often delivered by suppliers.
- Sensitive information is disseminated through the supply chain as part of component service delivery and procurement activities.
This means that the way in which risk is managed within the supply chain is poorly understood.
Organisations do not have a good understanding of how the supply chain manages the delivery of critical services and sensitive information and therefore risks associated with critical business services are not understood by risk owners and cannot be managed. Assurance efforts are likely not delivering a true risk landscape and this leads to decisions being made based on incomplete or worse, misleading information.
Furthermore, risk activities are often conducted at a point in time, but not updated to reflect changes. For example a key sub-contractor may have migrated their services to a non-UK based Cloud Service Provider, leading to sensitive information being held outside the UK. Where security controls are specified in contracts with suppliers, these are rarely monitored through life.
Goals of Supply Chain Security Assurance Activities
Organisations need to understand the risks associated with their supply chain, both in terms of the delivery of business-critical services, and security of sensitive information or information relating to critical service delivery.
To achieve this requires a good understanding of:
- How end-services are delivered and crucially which aspects are critical
- Who is responsible for critical service delivery and how is that supply chain structured
- How does the supply chain apply security controls and are these controls appropriate and well managed
- What information is linked with the end-service and how is that distributed and managed within the supply chain
- How would the end-service be impacted if a supply chain element were disrupted in some way through a cyber incident
Fundamentally, when elements of a service are outsourced, the level of risk accepted should not automatically increase. It is not possible to outsource entirely the risk associated with a service, therefore risk owners need assurance that appropriate controls are in place throughout the supply chain, and to understand the level of risk incurred in current and future supply chain engagements.
Overview of Supply Chain Threat
Supply Chain Threat Landscape
The supply chain is often overlooked when considering the threats to a service, with the focus placed on Internet threat actors or insiders. Whilst these may be the most common threats, an adversary will take the path of least resistance to achieve their goal, and therefore supply chains cannot be overlooked.
At the end of 2013 attackers stole 40 million customers credit and debit cards from US retailer Target. Whilst not confirmed, it has been reported that cyber criminals infiltrated a third party supplier to gain credentials with which to access to Target's main data network.
Symantec's Internet Security Threat Report for 2017 noted a 200% increase in supply chain attacks. Principally, these are where hackers hijack the software update process and replace it with malware. The most high-profile was NotPetya, where Russian hackers compromised a Ukrainian accounting vendor's software. Statistics only include reported incidents and so the likely numbers are much higher. Further, there is an increasing perception that suppliers are in part responsible for breaches – in the recent HMG Cyber Security Survey 4% thought weaknesses in others security was a factor that contributed to their most disruptive breach. This number is likely to be a significant under-estimate due to the lack of understanding over supply chain security.
The perception that the supply chain threat is not significant therefore ignores the fact that organisations are increasingly dependent on third parties; and that these often represent both an easier target, and a way to impact multiple organisations in a single attack.
Connected versus Isolated Systems
There is a distinct difference in the threat level from supply chain when considering systems that are isolated from external untrusted networks (i.e. the Internet) and those which are externally facing. For those isolated systems, supply chain may present the most viable cyber exposures, whether that is the provision of patches / updates, service support, or replacement hardware.
Types of Attack
Supply Chain based activity by an adversary can occur throughout the Cyber Kill Chain. In general, there are two factors which influence the level of threat associated with the supply chain.
Targeted vs Non-Targeted:
- Non-targeted attacks are those where an adversary has created an exploit and an organisation is affected by this despite not being the end target. An example of this is malware in a third party component - Stuxnet impacted a wide range of organisations in addition to the Iran Nuclear facility.
- Targeted attacks: an adversary develops an attack specific to a service.
Disruptive vs Intelligence gathering - the aim of the adversary varies depending on the stage in the Cyber Kill Chain:
- Intelligence Gathering: In early stages, the aim may be to gather information to develop or execute an attack. For example, if the adversary can identify that a supplier delivers a critical service, and that there is no resilience, this information can be used to deliver an impact. Alternatively, if the adversary can identify that a service uses certain software, it allows more targeted phishing and associated malware to be developed.
- Disruptive Attacks: In later stages the attack may be disruptive, either on the supply chain itself, or on the end capability via the supply chain.
The diagram below provides an overview of the cyber threat associated with the supply chain:
For Generic attacks, the threat associated with intelligence gathering is low as this is not the aim of the adversary. However the threat associated with disruptive attacks is high due to the reliance on third parties for provision of commonly used components. For targeted attacks, the threat is higher for isolated systems as the supply chain may be one of the only available cyber exposures.
Understanding and Assuring Supply Chain Security
A Holistic Approach to Supply Chain Assurance
A holistic and risk based approach ensures that the supply chain is fully understood so that assurance effort can be appropriate to the level of risk, and that appropriate controls can be specified in contracts.
Supply chains can provide or hold one or more of the following:
- Critical Services / Capabilities: services which, if disrupted, would have a detrimental impact. This is assessed on a scale that fits the organisation.
- Critical Identifiable Information: information which is not in itself sensitive, but which identifies that a particular supplier is providing a service that is critical. This is a binary criteria – the information either does identify a critical service, or it doesn’t.
- Sensitive Information: information which if compromised, would have a detrimental impact on the organisation. This is assessed on a scale that fits the organisation.
This approach traces Critical Services, Sensitive Information and Critical Identifiable Information through the supply chain to the point where there is nothing sensitive, to provide an understanding of how services are delivered. At each stage, the level of assurance is assessed to provide an understanding of the associated supply chain risk. This allows informed decisions about whether changes are needed to contracts, or whether controls need to be more rigorously enforced.
- Phase 1 is to complete a Mission Impact Assessment – this looks at the “mission” that the organisation fulfils, and which elements of this are deemed critical, as well as where the information stores are and which elements of information are: (1) sensitive or (2) link to critical services.
- Phase 2 is to build a supply chain delivery model. This shows how critical services are supported by suppliers in terms of services and information and traces the flow of sensitive and service critical information within the supply chain. This model is developed as deep as is required, i.e. until no critical service, critical or sensitive piece of information is further sub-contracted.
- Phase 3 is to assess a level of assurance of each element of the supply chain. The framework for this is dependent on the service provided or information held; however crucially it is proportionate, with effort focussing on areas of risk, i.e. elements of the supply chain which are critical, or which hold sensitive information.
The report provides risk owners with a set of prioritised risks, backed up by a robust body of evidence to allow fully informed decisions to be made.
A supply chain assurance process delivers a full understanding of the supply chain for an organisation or service, the risk areas in that supply chain, and where there are gaps in security or assurance. It provides evidence to support further assurance work, or required amendments to contractual arrangements, and also to support future procurement activities. Critically it allows organisations to make truly informed risk based decisions about critical services and capabilities.
As businesses become increasingly reliant on supply chain for delivery of critical services, the supply chain threat increases and cannot be ignored. It is crucial that the risks associated with supply chain are understood and that risk owners are able to make informed decisions.
A holistic approach to supply chain assurance models the way that supply chain delivers critical services, and holds critical service information and sensitive information; and provides an assessment of the level of assurance at each point. This provides an in depth understanding of how critical services and information are handled, the security controls in place, and the level of associated risk.