Why Supply Chains Need Strong Vendor Risk Management
The New Attack Perimeter: Third-Party Suppliers
As technology becomes more tightly integrated with traditional manufacturing processes, OEM components and capital equipment are vulnerable to intrusion. Ultimately, companies that rely on suppliers to secure their own products are falling behind the regulatory and reputational curve. Security is front of mind in both government scrutiny and consumer awareness.
Ignoring the integration of security is a business problem that can:
Negatively affect your brand’s perception
Put loyalty-based revenue streams at risk
Be improved with a focus on supplier security collaboration
A more holistic view of security is needed, one that treats vendor risk management and supplier risk management with the same focus an organization gives its internal IT security. Third and fourth parties are the new perimeter.
Recent News Highlights the Potential Scale of the Third-Party Problem
The media went into a frenzy recently when two security researchers, Charlie Miller and Chris Valasek, were able to take over a Jeep Cherokee while it was being driven. The researchers exploited a vulnerability in the car’s radio and infotainment system. As Fiat is not the manufacturer of its own entertainment systems, the situation is due to a weakness in the manufacturer’s supply chain with third-party partner Harman International Industries. While Fiat is at the center of media scrutiny, Harman does not expect to be financially impacted. Fiat is far from the first manufacturer to take the heat for a security issue that originated with a supplier. In fact, this is part of an expanding pattern of vulnerabilities that threaten individual consumers and critical infrastructure.
Here is another third-party partner example: Superfish. The Superfish software is designed to insert targeted ads into Google search results. In this case, the laptop manufacturer Lenovo contracted the software development company to install its product on some of its computers starting in late 2014. The developer, previously ranked as one of America’s most promising companies, left vulnerabilities in its software that broke the security of HTTPS. Superfish blamed its security woes on its own third-party certificate vendor, Komodia. While Komodia remains a going concern, Superfish dissolved soon after the vulnerability came to light.
In an ominous twist, some OEM vulnerabilities might be deliberately implanted. A security researcher from Cambridge University, Sergei Skorobogatov, discovered what he believes is a backdoor implanted into the Chinese-made PA3 chip, commonly used in U.S. military hardware. This chip is used to regulate a variety of civilian infrastructure including nuclear power plants. The backdoor would allow the manufacturer, Microsemi — or an attacker who compromised the manufacturer — to reprogram the chip remotely. Since the vulnerability of the chip is built into the architecture of its hardware, as opposed to the firmware, there is no way to remove the backdoor via a software patch. Any hardware with the PA3 installed will simply remain vulnerable until the chip is replaced — and there are millions of PA3s in circulation.
Concerns For Critical Infrastructure, Vertical Industries: Pharma, Energy
Some manufacturing vulnerabilities do not affect OEM components, but are targeted at capital equipment. Last year’s Dragonfly attacks used targeted spear-phishing to compromise industrial control systems, allowing the hacking group to obtain manufacturing data from a number of pharmaceutical and energy companies. The ultimate purpose of this attack remains unclear, but attacks against ICS controllers have the potential for serious damage. The Stuxnet worm, for example, relied on similar methods to hijack industrial controls at an Iranian enrichment facility. This attack was the first known instance of a cyberattack causing physical damage in the real world.
While consumers will be endangered by vulnerable cars and insecure bloatware, the real danger comes from threats to infrastructure. Attacks targeting vulnerabilities in the manufacturing process will cause physical and economic damage. Components provided by untrustworthy vendors could pose a direct threat to national security. In these instances, responsible vendor management is the only way to ensure that vulnerabilities do not make their way into the supply chain. Managers need to recognize that information security risks exist, and continually audit those contracts deemed most vulnerable using a process such as ISO 27001. The alternative is an increasing tendency towards attacks whose damage is not merely economic.