Managing cybersecurity risks in the supply chain

By Haystax, March 7, 2016

By Marvin Marin

One of the thorniest aspects of cybersecurity is how it is affected by an organization's supply chain. A security manager may never know the pedigree of each chip, transistor or diode that is part of the enterprise, yet those pieces can and do have an effect on the security posture of the organization.

Recently two large corporations drew negative attention because of security issues in the software they deployed with their products. In one case, the vendor provided private encryption keys by default, allowing the key to be extracted trivially by an outsider and used to sign fraudulent websites, thereby opening an exploitable security hole into the network. In another case, the vendor pre-installed software that allowed advertisements to be injected into otherwise encrypted communications, more commonly known as a Man-in-the-Middle attack. Both of these cases illustrate how software provided by a vendor may introduce security risk into an environment. While these types of built-in security flaws are not common, security managers need to be alert to the possibility and devise a plan to proactively handle security issues within their supply chain.

On the industrial security side, Supervisory Control and Data Acquisition (SCADA) systems or Platform Information Technology (PIT) present unique challenges. User interfaces can be limited, and many security professionals may not understand how to secure and assess these systems. For instance, how should they audit a weapons or life-support system to find vulnerabilities without harming the system, causing a weapon to misfire or a networked medical device to shut down? Additionally, as some SCADA systems are meant to be monitored by non-cyber professionals (e.g., plumbers, electricians, etc.), how would such personnel recognize a cyber issue even if they could 'see' it?
How is a security manager even to know that their SCADA or PIT system may be infected with malware, or that a vendor hasn't overlooked a security problem such as a default password? There have been congressional efforts to address the supply chain cybersecurity issue (see, for example, H.R. 5793, introduced in December 2014), but so far no bill has seen major action. As the tech industry generally prefers to remediate problems without legislation, here are some high-level recommendations:

While these recommendations don't address hostile intent from a vendor or a vendor's suppliers, being forewarned helps security managers understand their threat landscape and tailor risk treatment to their organization. It might be impossible to rid the supply chain of all vulnerabilities, but there are best practices that can ameliorate the situation.
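One concrete practice of this kind, offered here as an added example that is not part of the Haystax post: before a vendor's certificate bundle is trusted, audit it against a baseline of root certificates the organization has already approved, and flag any private key that ships alongside a certificate. Both failure modes described above (a shipped private key, and pre-installed software that intercepts encrypted traffic) depend on an unexpected root being trusted, so drift from the baseline is the signal to look for. The script uses only the Python standard library; the PEM blocks it processes are constructed placeholders, not real certificates or keys, and the baseline set and function names are assumptions for the example.

```python
"""Audit a vendor-supplied PEM bundle against a baseline of approved root certificates.

Assumed example: a security team records the SHA-256 fingerprint of every root
certificate it has approved.  Any certificate in a vendor bundle whose fingerprint
is not in that baseline, and any private key shipped next to a certificate, is
reported for review.  All PEM payloads below are constructed placeholders.
"""
import base64
import hashlib
import re

# Matches one PEM block; the backreference \1 forces BEGIN and END labels to agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Labels that indicate key material rather than a certificate.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(bundle: str):
    """Yield (label, der_bytes) for every PEM block found in the bundle text."""
    for label, body in PEM_BLOCK.findall(bundle):
        der = base64.b64decode("".join(body.split()))
        yield label, der


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_bundle(bundle: str, approved: set) -> dict:
    """Return certificates not in the approved baseline and the count of shipped keys."""
    findings = {"unapproved_certs": [], "shipped_private_keys": 0}
    for label, der in parse_pem(bundle):
        if label in PRIVATE_KEY_LABELS:
            # A private key in a trust bundle is a red flag regardless of its certificate.
            findings["shipped_private_keys"] += 1
        elif label == "CERTIFICATE":
            fp = fingerprint(der)
            if fp not in approved:
                findings["unapproved_certs"].append(fp)
    return findings


def _pem(label: str, payload: bytes) -> str:
    """Wrap a constructed payload in PEM armor (placeholder, not a real object)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample data: placeholder bytes stand in for DER encodings.
APPROVED_ROOT = b"constructed: approved corporate root CA (placeholder DER)"
VENDOR_ROOT = b"constructed: vendor pre-installed root CA (placeholder DER)"
VENDOR_KEY = b"constructed: private key shipped with the vendor root (placeholder)"

# The vendor bundle contains the approved root, an unknown root, and its private key.
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", APPROVED_ROOT)
    + _pem("CERTIFICATE", VENDOR_ROOT)
    + _pem("PRIVATE KEY", VENDOR_KEY)
)

# Baseline of fingerprints the organization has already approved.
BASELINE = {fingerprint(APPROVED_ROOT)}


if __name__ == "__main__":
    result = audit_bundle(SAMPLE_BUNDLE, BASELINE)
    for fp in result["unapproved_certs"]:
        print(f"REVIEW: certificate not in baseline: {fp}")
    if result["shipped_private_keys"]:
        print(f"REVIEW: {result['shipped_private_keys']} private key(s) shipped in bundle")
```

In practice the baseline would be built from the organization's own approved roots and the bundle would be read from the vendor's installer or the system trust store; the check is deliberately independent of any certificate-parsing library so it can run on a bare host during intake review.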