Due to globalization and outsourcing, enterprise supply chains are more intricate than ever. Most products are no longer manufactured by a single entity. Materials, components, and even final products pass through multiple hands before ending up in the hands of end users. Additionally, most companies have multiple third-party business associates providing everything from office supplies to cloud storage; the largest enterprises may have thousands of these vendors. While enterprises have long been on guard against the possibility of physical product tampering or counterfeiting, many companies are still not cognizant of the scope of supply chain cyber attacks.

Supply chain cyber attacks can involve hardware or software. According to NIST, some of the most common threats to the cyber security of the supply chain include:

* Third-party vendors — anyone from software engineers to janitorial providers — having physical or virtual access to information systems.
* Lower-tier business associates with poor cyber security practices.
* Compromised software.
* Hardware that has been compromised by malware or that is counterfeit.
* Insecure supply chain management or supplier system software.
* Data aggregators or third-party data storage.

Cyber criminals are increasingly hacking legitimate software updates. A recent study by Symantec found that this type of supply chain cyber attack surged by 200% in 2017. One of the most infamous examples is the NotPetya malware, which was spread through a compromised update of a popular accounting software package.
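The update-hijacking attacks described above succeed when a client installs whatever arrives over the update channel. The following is an added example, not code from the article or from any vendor mentioned in it, showing the check a client should apply instead: authenticate the vendor's release manifest, then compare the downloaded artifact's SHA-256 digest against the digest pinned in that manifest. The file name, payload bytes and manifest format are constructed for illustration, and the HMAC key stands in for a vendor release signature (a real update system would verify an asymmetric signature with a pinned public key).

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the article or any real vendor):
# the legitimate update bytes and a copy altered somewhere in transit.
GOOD_PAYLOAD = b"constructed legitimate update payload v1.2.3"
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b"; altered in transit"

# Hypothetical key the vendor uses to authenticate its release manifest.
# An HMAC stands in for the vendor's release signature in this example.
VENDOR_KEY = b"hypothetical-vendor-release-key"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an update artifact."""
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so the tag always covers the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> tuple:
    """Vendor side: map each file name to its digest and authenticate the map."""
    manifest = {name: sha256_hex(data) for name, data in files.items()}
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_manifest(manifest: dict, tag: str, key: bytes) -> bool:
    """Client side: reject a manifest whose tag does not match. A manifest
    whose digests were swapped to match a malicious build fails here."""
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def verify_update(filename: str, data: bytes, manifest: dict) -> bool:
    """Client side: trust the bytes only if their digest is pinned for this
    file name. Unknown names are rejected; arriving over the update channel
    is not by itself a reason to trust an artifact."""
    pinned = manifest.get(filename)
    if pinned is None:
        return False
    return hmac.compare_digest(sha256_hex(data), pinned)


def check_update(filename: str, data: bytes, manifest: dict, tag: str, key: bytes) -> str:
    """Full check in the order a client should apply it: authenticate the
    manifest first, then compare the artifact against it."""
    if not verify_manifest(manifest, tag, key):
        return "manifest-rejected"
    if not verify_update(filename, data, manifest):
        return "digest-mismatch"
    return "ok"


# Constructed release: one file, with the manifest built on the vendor side.
MANIFEST, MANIFEST_TAG = build_manifest(
    {"accounting-update-1.2.3.bin": GOOD_PAYLOAD}, VENDOR_KEY
)

if __name__ == "__main__":
    for payload in (GOOD_PAYLOAD, TAMPERED_PAYLOAD):
        print(check_update("accounting-update-1.2.3.bin", payload,
                           MANIFEST, MANIFEST_TAG, VENDOR_KEY))
```

The order matters: checking the artifact against an unauthenticated manifest proves nothing, because an attacker who can replace the update can usually replace the manifest served beside it. Pinning the verification key (or public key) on the client, rather than fetching it from the same channel, is what breaks that chain.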

While supply chain cyber attacks are a threat to all industries, the problem is especially acute in the healthcare industry, which is rapidly implementing IoT devices. At any one time, the world’s hospitals are running up to 80,000 exposed devices, and these devices can be attacked at numerous points on the supply chain.

The U.S. government is also vulnerable to supply chain cyber attacks; for this reason, the FCC has drafted a proposal that would prevent telecoms from using Universal Service Fund money to purchase hardware manufactured by companies that “pose a national security threat to United States communications networks or the communications supply chain,” noting that compromised equipment could “provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more.”

Preventing Supply Chain Cyber Attacks

Proactive supply chain risk management is key to preventing supply chain cyber attacks. Here are some examples of best practices:

* Know your organization’s vendors. Often, the purchasing and accounting departments are well-versed in a company’s supply chain ecosystem, but cyber security personnel are left in the dark.
* Establish specific security metrics for your vendors to adhere to, and include them in every RFP and contract. Don’t forget about physical as well as technical security controls; e.g., measures taken to ensure that hardware is not physically tampered with.
* Institute no-tolerance, “one strike and you’re out” policies for vendors who provide products that are found to be counterfeit or fall short of security specifications.
* Tightly control hardware component purchases. Unpack and thoroughly inspect all components purchased from vendors that are not pre-qualified.
* Tightly control vendor access to your hardware and software. Limit software access to as few vendors as possible. Limit hardware vendors’ access to mechanical systems only, with no access to control systems. Authorize and escort all vendors while they are on your premises.

Author's Bio:

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.