Establishing a ‘zero trust’ approach to supply chain security

Writing for Defence Online, Rodney Joffe, Senior Vice President, Security CTO and Fellow at Neustar, and Chairman of the Neustar International Security Council, discusses the importance of supply chain security.

In October, international aerospace pioneer Airbus was forced to act after being hit by a series of cyber-attacks that targeted its suppliers. Thought to be Chinese state-sponsored, the attacks resulted in hackers gaining access to sensitive supply chain data. The end goal was to infiltrate the entire Airbus network by pinpointing and compromising vulnerable third-party VPNs – a tactic that had the potential to wreak havoc not only on Airbus, but also on its multiple providers and customers.

At any given time, the threat of a third party cyber-attack is enough to evoke great concern amongst cyber workers; however, when national security and military documentation is at stake, the situation immediately intensifies. Unfortunately, these risks are not confined to the defence industry alone.

Supply chain security is becoming a leading concern globally, highlighted by recent research from the Neustar International Security Council. When asked, nine in ten cyber security professionals, operating across a range of sectors, admitted they are worried about their third party suppliers getting hacked. While these worries may be unsurprising given today’s unsettled security landscape, more shocking is the revelation that only 24 percent of respondents admitted to feeling confident in the prevention barriers they have put in place to guard against these types of attacks.

A major reason for these concerns is that effectively securing a supply chain end-to-end is a complex and constantly evolving challenge, made even more complicated by the increasing uptake in digital transformation initiatives and the explosion of Internet of Things (IoT) devices. More third parties are connecting to an organisation’s network than ever before, and in turn, threat levels are dramatically rising.

With every new device and network adding endless access points for malicious actors, guarding against supply chain attacks requires adopting a “zero trust” approach, revolving around organisations questioning the security of their whole digital network, including that of the third parties they work with.

An increasing cyberattack surface

The growing risk around supply chain security is not without explanation. As more organisations undergo the process of digital transformation to meet the fast pace of change, they are increasingly dependent on third party service providers to support and drive innovation. Whether it be through deploying a cloud platform, automation solution, business intelligence tool, or even by outsourcing work to a manufacturer or software company as opposed to building in-house, the number of providers that businesses work with is only set to rise.

While relying on third parties is key to improving agility and streamlining processes, it also increases the number of digital links to an organisation, which in turn significantly increases the potential for risk. What’s more, the continuous explosion of the IoT poses similar questions around supply chain security. In most cases, these IoT devices have been built by third party manufacturers, meaning that the companies actually using them do not know how they have been created or what security measures have been embedded into them.

As a result of this expanded attack surface, malicious actors are now finding alternative ways to penetrate networks. And, as demonstrated in the case of Airbus, third party access points are seen as a weak link for launching attacks.

Adopting a “zero trust” approach

To ensure a safe and secure supply chain, businesses must establish a “zero trust” approach with their providers. This concept is based on the fundamental realisation that there is no such thing as perfect security. Ultimately, an organisation could do everything right when it comes to cybersecurity – by deploying the correct protocols and tools, for example – but it is only as secure as its third party suppliers.

“Zero trust” requires security and procurement teams to conduct a thorough risk assessment of their organisation’s supply chain from the outset. It’s vitally important that this method is applied to every vendor connecting to the network, from service providers to the electronic devices used within the office, including laptops and smart systems.

The importance of standards

During the auditing process, security teams should be making informed decisions based on tangible evidence before bringing an organisation into the ecosystem. This goes beyond having an initial conversation with a potential supplier. It means ensuring that they closely follow an industry best practice cybersecurity checklist – and that this checklist is validated and authenticated. With this, companies need to pay close attention to industry accreditations and standards and verify that the supplier is adhering to them. If a vendor doesn’t hold these standards, then it is more difficult to understand the risks.

Within the defence industry, governments across the globe are doubling down on supply chain security compliance, especially as hackers are now targeting industrial control systems through third parties. For example, in 2017 the US government launched its first cybersecurity executive order stating that all US federal agencies were required to use the National Institute for Cybersecurity and Standards (NIST) cybersecurity framework, and not long after supply chain specifications were added to this framework. What’s more, the US Department of Defence recently announced its cybersecurity enforcement model, the Cybersecurity Maturity Model Certification, meaning that the stakes of non-compliance are higher than ever.

While organisations should continuously adopt their own, always-on approach to security, only by conducting rigorous and ongoing assessment can they be confident that their suppliers take security as seriously as they do. Ultimately, missed connections or weak links can cause lasting damage to an organisation’s bottom line, leaving no room for error.


The post Establishing a ‘zero trust’ approach to supply chain security appeared first on Defence Online.