Control the Uncontrollable, The Path to Supply Chain Security
By Ed Chandler, AE and Cybersecurity Lead, TÜV SÜD America
When I was initially asked to write this article, I didn’t hesitate as to what the article should be about. My mind immediately jumped to supply chain security. For any organization, it is hard enough to protect information that is within their own walls, but can you protect your organization in your Supplier’s walls? Throughout this article, I will cover the history of cyber security compliance, security obligations, new methods of security, and adding secure products to your final solution.
When I think about the history of cyber security, I immediately think about how computers have made a difference in everyone’s lives, both at home and work. The invention of the computer is probably the most profound change in our lives, and throughout my life I have seen organizations with a minimal number of computers all the way through to multiple computers per employee, whether they are in the office or on an assembly line. Additionally, even mobile employees are utilizing computers in more ways every day. There is no question of the Return on Investment or “ROI” of adding technology, but there is also risk associated with it, and people have not historically protected this information. Due to the constant push for ROI, IT organizations look for ways to justify securing budget from within their organization. And it can be a struggle for CISOs to obtain additional budget to protect the company, even with the constant expansion of their threat landscapes.
In the past year our supply chain has been on high alert, and we have learned how brittle it is. Now, while most of the disruption is directly or indirectly related to COVID-19, there are many other disruptions that can impact the supply chain and the final products that we use in our everyday lives. However, the question is how do you protect yourself against threats outside of your organization’s walls? There are solutions available, and the good news is that these are not new concepts, but some industries have yet to adopt them. Let’s look at how some industries have minimized their risk traditionally and presently.
Organizations that accepted credit cards at high volumes were amongst the first targets of cyber-attacks. This was due to the ease of monetizing a credit card number and selling it on the Darknet. The initial response by the card brands was to create their own cyber security standards. The challenge to a program like this was that it became difficult for merchants to meet the requirements of, in some cases, four different card brands. In some circumstances it meant that even if they met the requirements for one it would automatically make them non-compliant with another. The confusion prompted the creation of the PCI-SSC (Payment Card Information Security Standards Council), which led to the establishment of PCI-DSS (Payment Card Information Data Security Standard). This produced concise and clear requirements for those who choose to accept credit cards as payment. The initial versions of this standard were snapshots in time, but due to an evolving threat base over time the assessments evolved into an ongoing management of security. Additionally, the card brands’ increased ability to locate fraud faster made it more difficult for stolen cards to be used. And as it became increasingly more difficult to obtain cards, values dropped, and as cards were being quickly shutdown, these once highly sought-after targets became less lucrative. Many of you are probably thinking, this isn’t really about the supply chain, however, it is a fantastic case study of how organizations were able to secure partners outside of their walls.
Supplier’s trust, or lack thereof, can be one of the most damaging aspects to any organization. An example of this is Target. Target had a good cyber security program but opened their firewall for a HVAC vendor who did not have them same kind of security controls in place. This led to one of the largest cyber breaches in history. However, the good that came out of this was the emphasis on securing your vendors.
The question is how did we get to where we are today in the manufacturing industry? A lot of it has to do with the historical relationship between suppliers and customers. Our customers consistently expect you to build efficiencies repeatedly to minimize cost, while improving quality and security over time. This includes on-time delivery, concepts such as “Just in Time Manufacturing”, and automation. All of these are great concepts and can create the efficiencies your customers are looking for to minimize costs. However, until about three years ago, cyber security was not even a thought for most of the manufacturing industry. The most common objection within the sector was, “we don’t have information that is valuable”. While it is true many in this industry do not have Personal Information, Health Information, or even Credit Card Data, criminals have learned organizations are willing to rather than cause interruptions to their customers. Companies are beginning to realize that breaches not only affect themselves, but also their customers upstream which can be Millions of Dollars a minute and result in contractual fines and/or a loss of future business.
How do these organizations ensure that their supply chain is secure today? There are a few ways in which companies push requirements to their suppliers. The most common being questionnaires, where we ask our suppliers to complete these to measure and minimize risk. These questionnaires can be great ways to communicate the minimum-security requirements, however they are not the best at enforcement. Many times, organizations will just have their sales teams fill out the questionnaires, and the chances of an organization checking “No” to these are slim to none. Thus, leading to potential operational issues, and distrust with your suppliers.
Another common way organizations secure their supply chain is through conducting supplier audits. This will ensure that their suppliers are meeting the minimum requirements to continue conducting business together. While this enforces trust between you and your supplier, the problem is that either the cost is high, not only to you, but also to your supplier leading to push back and ultimately you are only touching a subset of your suppliers. Additionally, it is important not to overload your suppliers as this can have a negative impact.
The above two scenarios are the same problem that the Card Brands ran into when trying to implement cybersecurity measures to their merchant network. So, learning from history we can look at what other sectors are doing to build the foundation of a framework.
ISO 27001 is the most widely used Information Security Framework in the world, and for good reason. It allows organizations to demonstrate they have the basic pillars and buy-in from upper management to maintain information integrity. This can be used in place of multiple supplier audits minimizing the overheard of your supplier. Not only that, but it also allows you to share a globally accepted accredited certificate to your customers rather than a report. Finally, this is a language many within the manufacturing industry already speak. Such as:
- Internal Audit
- Management Review
- Corrective Action
These are all things that our industry is used to speaking about, and part of their everyday life, through their ISO 9001 certification. As cybersecurity professionals, we consistently strive to find ways to tie security into other parts of the organization, and by doing so will provide the coverage we dream about. By utilizing a framework like ISO 27001 it allows security teams to collaborate with teams such as quality, operations, management as well as create efficiencies through integration of internal audits, and building consistent corrective actions as a team to gain buy-in from the entire organization. Additionally, with this framework you can add in additional compliance requirements, and it can be easily cross-walked to other common frameworks such as NIST 800-171, and COBIT. Those are widely used successful frameworks, however unlike ISO 27001 they cannot provide a trusted accredited certificate.
As the market develops, TÜV SÜD is starting to see requests for standards around Supply Chain (ISO 28000) and Business Continuity (ISO 22301). This is to ensure that organizations can continuously run even in the chance of disruption, and we anticipate that these standards will continue to grow as we find more flaws in the supply chain.
As each industry is unique so are their desires for supplier security, this has led to industry specific standards across the Supply Chain. These are based upon the two major markets, and I anticipate this will continue to be replicated by other industries throughout their supply chains.
Automotive is probably the most forward thinking of all manufacturing segments. The industry is notorious for strict supplier guidelines with very heavy penalties for delayed product, and non-compliance. Unlike others, they have implemented requirements both for enterprise security as well as the security of the products being supplied themselves. This has led to many manufacturers looking at how they handle data and securely code new products.
The idea of product security is new for many. There are standards coming out daily, such as NIST 8259 for IoT, and IEC 62443 for Industrial Control Systems. However, automotive continues to impress me with their forward thinking around security. Recently, ISO 21434 has come out to ensure that suppliers are creating a secure lifecycle for their products. This has forced the industry to look for outside help, provide security training internally, and plan how they will provide the minimum level of security to their customers products. This has truly revolutionized the concept of supply chain security as it added a new dimension.
While not the entire automotive industry has adopted third-party audits, the German OEMs worked to build TISAX (Trusted Information Security Assessment Exchange) through their partner Verband Der Automobileindustrie (VDA). This requirement is being pushed through their entire supply chain and is actually a subset of the ISO 27001 requirements. The main purpose of this standard is to ensure information, data, and prototype security. This was initially adopted by European base suppliers, and it has started to gain momentum in the Americas and Asia. The impact of the requirement is that someone who wants to conduct business with one of the German OEMs will not be able to provide a bid for the work until they receive their TISAX Labels.
One area we continuously overlook is the importance of planning for a worst-case scenario. An incident response plan is critical for any organization. This is amplified with the current state of ransomware attacks, which can create mass disruption if not properly mitigated. Ransomware can be easily avoided, but continuously is not taken seriously. However, we consistently create budgets to pay attackers rather than invest in our business to prevent or minimize the damage of these attacks. If you think about it, by paying the attacker, we only promote the attacks. Additionally, we train for worst-case scenarios our entire lives starting in kindergarten with fire drills, tornado drills, and even dangerous person exercises. However, many organizations have never considered running a tabletop exercise to test their incident response program. Leading to the first time they test it is during a live scenario, setting anyone up for failure.
As professionals, we should always have our customer’s best interests at heart, and we should provide them the same security that we expect ourselves. Although we continue to look for a silver bullet usually in the technology space, the reality is that there is none and only a multi-pronged approach will minimize your risk. The smartest CISOs I have spoken with are of the assumption that it isn’t an if, but a when it will happen.
Conclusion
- To adopt a framework that will allow you to cross borders in the creation of policies for both you and your suppliers,
- History repeats itself so look at others’ prior outcomes when putting your solution together and use what has already been learned,
- Implement and test your incident response program.
About the Author
Ed Chandler, AE and Cybersecurity Lead, TÜV SÜD America.
Ed Chandler has worked in the technology field since 2010, and Cybersecurity since 2011. During this time, he has had great success working for organizations such as Trustwave, Great Bay Software, and Virtual Forge. In Cybersecurity he has had the opportunity to work with organizations in sectors such as Financial Services, Education, Government, Healthcare, and Manufacturing.
Ed can be reached online at Edward.Chandler@tuvsud.com and at our company website http://www.tuvsud.com/en-us/contact-us
FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.