Line art outline of a green smart phone with a map containing four pins. Blue supply chain concepts: boats, planes, trucks circle the phone on a dark blue background. — Illustration by iStock; *Security Technology*

Expanding Our Supply Chain Risk Management Beyond Data

By Mea Clift, CISSP

1 February 2023

Security Technology, February 2023

Cybersecurity leaders are constantly looking for ways to mitigate the next big threat. In recent years, the field has seen the rise of supply chain risk management practices—looking at what the vendors who keep our data or have access to our systems are doing to protect that data.

To that end, there’s been the development of Software Bill of Materials (SBOMs). These SBOMs act as the nutrition facts of software, listing the aspects that make up software components, and are being lauded as the next revolution for reducing risks from vulnerabilities in software, like Log4j.

Development around SBOMs is fascinating to watch, and continuous improvement is the name of the game when it comes to mitigating cybersecurity risk. This area will expand, along with vendor risk management for cloud services, software providers, and more.

That expansion is occurring during a time when supply chain resilience—from the software we use to the physical materials our companies depend on to the food we eat—is experiencing a revival. In 2020, many businesses struggled to operate because they could not obtain the materials they needed due to COVID-19 pandemic lockdowns. As the world reopened, however, backlogs, factory shutdowns, and conflict have all impacted corporate supply chains.

With attackers focusing on new attack avenues, not just business data, it seems imperative to look at the supply chain cyber risks for all vendors. Supporting enhancements of the cyber environments of the organizations that provide our raw materials, transportation of goods, and manufacturers of the tools and technologies we use every day needs to be part of this process. The vendors of those products and their cyber hygiene need to be considered as vendor risk management develops and matures. This is not just a matter for larger business operations, it’s also a matter of cybersecurity regarding continuity of operations.

For instance, in 2021 Cisco reported a one-year delay on equipment orders, and they weren’t alone. Many technology providers were seeing delays of six to eight months—or more—due to semiconductor supply issues. Even hardware providers for operational technologies (OTs) are delayed currently by close to 11 months, if not more. For critical infrastructure and manufacturing systems, these components are imperative for keeping systems running safely and smoothly. Failure to have replacements readily available could create sizeable vulnerabilities in an environment, or worse, shut down operations completely.

Backlogs, factory shutdowns, and conflict have all impacted corporate supply chains.

Delays in the production of components are not the only concern either. Looking at how supplies arrive to businesses, and around the United States, we see other threats to the continuity of our operations along the supply chain.

The Port of Los Angeles sees 40 million attacks on its network every day, mostly from Russia and Eastern Europe, according to the BBC. The port is one of the busiest in the world, handling more than $250 billion in cargo each year, and saw delays in 2020 because of the pandemic, leading to backlogs of ships waiting to release their cargo. Even a small cyber incident could lead to similar, if not greater, delays in cargo offloads.

On land, railroads move approximately 1.7 billion tons of raw materials around the United States each year. Similarly to the port system, railroads have also seen an uptick in cyberattacks and intrusions that have resulted in delays or shutdowns of portions of their track systems.

If these systems were to be compromised from a cybersecurity incident, goods needed for business operations could be significantly delayed. Chemicals for water systems, wood, steel, petroleum, and other raw materials for manufacturing could be stopped. It’s common knowledge that networks cannot be instantly restored after a cyberattack—some organizations can take days, weeks, or months to recover.

In October 2022, the U.S. Transportation Security Administration (TSA) announced a cybersecurity directive for freight and passenger rail carriers. The directive requires specified carriers develop network segmentation policies and controls to ensure their OT systems can continue to safely operate if their IT system has been compromised, and vice versa, as well as create build continuous monitoring and detection policies and procedures to detect threats to their systems, among other requirements.

While some sectors are moving quickly to address these cyber and supply chain concerns (rail and the ports systems stand out specifically), others such as raw materials and manufacturing may only begin to be required to do so in 2023 with the implementation of the Biden Administration’s proposed cybersecurity strategy.

Many organizations use technologies that were never meant to have connection to the Internet, let alone accessible to attackers. Some of the organizations in this realm are also unprepared to respond to a cyberattack, which is now leading to the development of standards and regulation to require companies address this vulnerability. But there will be delays on implementation due to awareness and affordability.

While this is the long-term solution, encouraging downline vendors by asking questions about their cybersecurity, and choosing more secure alternatives for supplies could assist in helping these organizations begin to prioritize cybersecurity initiatives in their business development plans.

As an organization takes on new vendors for items that may not be related to cybersecurity, a basic cybersecurity assessment should be performed to ensure that the downline organizations are doing their due diligence for cybersecurity protections—to ensure that operations and supplies will still be able to move and perform as anticipated.

Additionally, knowing that certain avenues of travel or producers of raw materials could be at higher risk, alternative solutions for receiving those items, or obtaining them, should be documented and traced to mitigate physical supply chain disruptions. For example, if an organization needed chemicals that were traditionally transported by rail, they should evaluate a vendor that transports the chemical via containers on trucks to minimize downtime for supplies.

Supply chain concerns should not only be reviewed as part of contracts and vendor risk management, but also part of plans around contingency, continuity of operations, and incident response. Business impact analysis of losing key resources down the supply chain should be addressed with alternatives being documented for easy transitions in case of an incident. Understanding alternative vendors and vetting them in the same manner should be performed before adding them to the plans, as well.

During the next few years, with insurance requirements changing, and with other organizations focusing on the greater supply chain for these components, there needs to be an escalation of efforts to help protect many of these organizations from compromise. Cybersecurity professionals working with their own companies to ensure the security of the organization will likely engage with some of these vendors. There must be efforts made to encourage mitigation of risks and growth of cybersecurity programs and environments. Even if it’s to suggest to a vendor to check out an information sharing organization that may apply to them (the Water ISAC, OT-CERT, and partnerships for on-site equipment spares for critical components, for example.)

From a liability and accountability standpoint, security professionals and business leaders should not be afraid to also deny working with organizations that consistently show a disregard to cybersecurity as a legitimate business concern. For example, an organization whose complete operations were down for several months due to a cybersecurity incident may not be a vendor to engage with if one incident can halt all operations.

A client once asked during a meeting about supply chain risk management, “How far down to we look at vendor risk?” The answer is simple: as far as the risk goes that could compromise business operations.

As the world continues to evolve and change with technology, supply chain risk is only going to get deeper. Let’s be ahead of that curve.

Mea Clift, CISSP, PMP, CRISC, CISA, CISM, FAIR, is the cybersecurity program manager at Woodard & Curran. With 25 years in information technology, Clift has extensive experience with cybersecurity and risk management. Beginning in desktop support, she moved into servers, then managed services, cloud services, and finally focused on cybersecurity and risk management. Clift’s IT experiences gave her a unique perspective on cybersecurity and allowed her to see the full spectrum and lifecycle of cybersecurity management. Passionate about helping the next generation of cyber professionals, Clift participates in publishing articles, providing presentations on cyber risk topics, and mentors for Cyversity and ISACA.