Supply chain security
04:00 Wednesday, 15 September 2021
UK Cyber Security Council
If we’re looking for an area of cyber security to specialise in, the choices are many and varied: cryptography, hands-on engineering, ethical hacking, security audit … the list rolls on. However, since December 2020 one particular niche of cyber security has come to the fore, has had tens – hundreds – of thousands of words written about it in the IT press, and has woken the world up to a frightening threat: supply chain security.
December 2020 is important because that was when the SolarWinds hack came to light. What’s important is that it wasn’t SolarWinds – a world-renowned system and network management software vendor – that noticed, but security company FireEye.
FireEye discovered that it had been hacked, and when it traced the issue back to source, it realised it was the SolarWinds Orion platform it used that had let the intruders in. The attackers had compromised SolarWinds’ systems, injected the attack code into their product update files, and then waited for SolarWinds’ customers (reckoned to be up to 33,000 strong) to connect and download. Given that the attack on SolarWinds is thought to have taken place in September 2019 – over a year previously – this gave the opportunity for many thousands of unsuspecting victims to download the compromised software.
Since then, supply chain attacks have been on the rise; the most recent at the time of writing (early July 2021) is the compromise of service provider Kaseya’s systems – another supply chain attack, this time used to distribute ransomware to the vendor’s customers.
Supply chain hacks are not new, of course: this correspondent’s earliest experience of one dates back to the early 2000s. It is perhaps surprising, though, that in modern times the armies of professional and state-sponsored hackers have not adopted this approach sooner. After all, the attack vector is an attractive one: by compromising a single company, you can exploit its trust relationships with all its customers. They – unwittingly – do all the hard work, and the attacker just sits back and waits for the notifications of back doors, or the ransom Bitcoin, to roll in.
Supplier security is a unique area of specialism, because it’s one over which you as an organisation have the least control. You can have all the policies and contracts in the world, with tortuous clauses and impressive penalties for non-compliance, but are they really worth anything in reality? Service level clause penalties are generally limited to the value of the contract – they’re not punitive in this sense. And while we may have financial recompense in the form of indemnity clauses that cater for vendor-induced losses, such as those resulting from supply chain cyber attacks, will they really help us – in the event of something bad happening – when our systems are down for weeks and our reputation is in the gutter?
This is why supply chain security is such an interesting area to specialise in: the focus has to be on prevention, not response or recourse. Skills-wise, we begin with a fundamental knowledge of the traditional skills of supply chain management – financial acumen, understanding contracts, negotiation and so on – but then we add in elements of policy and procedure, the fundamentals of security standards such as NIST and ISO 27001, and preferably a little technical understanding so we are conversant with what the client’s IT and security team are telling us. The skill set is varied and highly non-trivial, and anyone who can pull together the requisite knowledge is likely to strengthen their brand – particularly right now, as more and more bad actors jump on the supply chain attack bandwagon.
There is one further element to supply chain management, though, and this is where those who focus on this area have the opportunity to shine. Many of us have read corporate announcements where the CEO is “proudly” announcing that the company has entered into a new “£10m partnership with <insert name of big vendor here>”. This is all buzzwords: we haven’t entered a partnership – it’s not some fantastic profit-sharing joint venture – we’ve merely signed up as a customer to spend £10m with that supplier.
Security is an exception, though: we said earlier that our preference by far is to prevent attacks. And so in our cyber practices, we need to be treating the suppliers as partners – working with them, getting to know them, earning their confidence, sharing experiences of suspicious activity. This is a whole additional range of skills, primarily soft ones – not least communication, openness and empathy.
In many ways, it’s a shame that supply chain security has risen to prominence for such unfortunate reasons in recent months. But in a positive sense it has reminded us what a fascinating niche of cyber security it is.