Securing the Keys to the Kingdom: Hardening the IoT-connected supply chain
Editor’s Note: A version of this article initially appeared in Supply Chain Navigator.
In the IT community, it is often said that the best defense against a cyber-attack is to “think like a hacker.” This tactic may work when an attack is directed at network infrastructure, and the goal is to protect technical information from exfiltration or exploitation. But, when the threat reaches into the realm of industrial technology, cybersecurity is a very different kind of problem.
The union of the digital world with a variety of automation, control and safety systems in the “Factory of the Future” has dramatically expanded the cyberattack surface. This has shifted the economics of cybercrime “by facilitating hacking at scale,” according to Lior Div, CEO and co-founder of Cybereason, in a recent CSOonline article. “Attackers can target one organization and, in the process, gain a foothold to compromise hundreds or thousands more.” Supply chains have, in essence, become the gift that keeps on giving for cybercriminals, he explained.
To harden the IoT-connected supply chain, cybersecurity strategies need to move beyond a single enterprise’s digital infrastructure and encompass all the players within the value chain. In other words, it’s time to stop thinking like hackers and start bringing the risk-based, end-to-end perspective of supply chain professionals to the resistance.
“To address cybersecurity comprehensively across an entire value chain, we must look at the ‘who, what, where and how’ of our connected ecosystem,” said Edna Conway, chief security officer for Cisco’s global value chain. Conway is responsible for driving cyber and operational security throughout Cisco’s vast global ecosystem of partners and suppliers. “People who have not run a supply chain do not necessarily think about the full end-to-end spectrum of the ICT value chain, from design to end of life, the way supply chain practitioners do.”
For example, Conway offered that printed circuit board testing is a fundamental step in validating the quality of an ICT system. “The fidelity and security of such testing and the integrity of the test data can be impacted by a variety of factors,” she noted. She suggested that to be comprehensive we should ask: “Has the test software been designed and developed pursuant to a secure development lifecycle? Is the testing conducted in a secure facility, with trusted personnel on secure systems? Is the test data being shared via a secure method?”
The difficulty of maintaining visibility into the many tiers of the extended supply chain is certainly not new. But, the rapid proliferation of IoT-connected systems now pushes an enterprise’s digital boundaries well beyond direct and second or third tier indirect suppliers, noted Robert Metzger, shareholder at Rogers Joseph O’Donnell law firm in Washington, D.C., and an active voice in the cybersecurity arena. An organization may, therefore, be completely unaware that their systems have become connected to, and dependent on, the digital integrity of some unknown entity.
As a result, today’s enterprises are at distinct disadvantage in the battle against cybercrime. While a business must endeavor to protect systems with undetermined reach, attackers need only exploit a single vulnerability to garner the keys to the proverbial kingdom. “This is why applying risk-based physical, digital and cyber-physical security throughout the third-party ecosystem is paramount. No one node can independently protect itself,” said Metzger, who has worked closely with government agencies including the DoD and recently participated in the Defense Science Board Cyber Supply Chain Study. “Every company has a duty to act responsibly to protect the public against physical or economic harm resulting from poor cyber hygiene.” Unfortunately not all do.
“The market is not populated only with the smartest and best companies who create and follow best practices,” he said. “There are all kinds of enterprises, all over the world, who seek to exploit emerging technologies or new areas of consumer demand to try to get to market first, with little concern for security.”
Emile Monette, cybersecurity strategist, Department of Homeland Security (DHS) Office of Cybersecurity and Communications echoed Metzger’s observation. “Too many enterprises are not paying attention to these basics. This makes it cheap and easy for bad guys to do bad things.”
Monette shared a few common sense cyber hygiene practices both federal and commercial organizations should adhere to:
- Don’t buy software with known vulnerabilities
- Don’t buy hardware for sensitive applications from non-authorized resellers
- Ask suppliers for reasonable assurances about the security measures built into their practices
- Consider the security implications of trading visibility in the supply chain for fast, low-cost production
“The goal isn’t to implement the most technologically sophisticated solution, but to assure the right security is deployed in the right place, at the right time. We don’t approach partners with a prescriptive method to implement security,” she explained. “Instead, we ask them how they run their business and collaboratively determine how our architecture can be implemented within the people, process and technologies that they already use. So, a successful process is rigorous, but it is also flexible.”