The Importance of a Proactive Supply Chain Cybersecurity Strategy
The implications of a supply chain cyberattack can be widespread and devastating for the victimized company. These might include operational issues such as component or material shortfalls, production downtime, and delayed shipments. And that can just be the beginning.
Supply chains are hugely interdependent, and an attack on one company can reverberate across many industries and economies. A cyber strike that disrupted computer chip supplies would impact nearly every industry that uses electronics. A 2022 breach against tire supplier Bridgestone cost it millions of dollars in lost contracts. An attack against the pharmaceutical giant Merck in 2017 dangerously disrupted the supply of vaccines and therapeutics to hospitals and pharmacies, not to mention costing $1 billion+ in damages. A cyberattack on a segment of the food supply chain, such as recent attacks against meat processor JBS Foods and the New Cooperative grain cooperative, can and did disrupt supplies to numerous customers and consumers. In a worst-case scenario, attackers can even tamper with products, which could have fatal consequences.
The immediate financial impacts can include mitigation and system restoration costs, not to mention the price of whatever ransom may be demanded. The inability to produce and ship merchandise would lead to lost revenue and likely reduced market share.
Data of all categories is also at risk. Sensitive customer or internal data, including intellectual property and confidential company or employee information, may be stolen, creating distrust among vendors, partners, staff, and customers. The legal risks are also substantial, with the potential for severe regulatory penalties in the $100 million+ range. Other costs may include damage to brand and stock price, the costs of compensating customers, higher insurance premiums, and the loss of competitive advantage if stolen trade secrets or intellectual property are put to use.
The statistics on cyberattacks against OT environments are not reassuring. According to a 2024 survey by TXOne and Frost & Sullivan, 28% of organizations reported an OT/ICS ransomware attack, 85% of organizations do not regularly patch their OT environments, and 98% of respondents reported IT security incidents that also impacted OT. With incidents rising and the potential for massive disruption, a robust cybersecurity supply chain risk management strategy is increasingly a business imperative, as evidenced by the various regulations and frameworks governments around the world have begun to implement.
Common Supply Chain System Vulnerabilities
As organizations tighten security across operations, supply chains are becoming a more attractive target for cyberattacks, whether it be from state-sponsored threat actors or garden-variety opportunists in it for the money. As the National Institute of Standards and Technology (NIST) described, “A software supply chain attack can be as sophisticated as malware injection or as simple as an opportunistic exploitation of an unpatched vulnerability.”
Supply chains, as noted, are target-rich. They are also uniquely vulnerable to cyberattacks, largely due to the fact that in a typical supply chain, most of the links are third parties. In fact, research has revealed that adversaries are targeting major organizations through smaller suppliers within the supply chain that may have a lower security posture. Stuxnet, for example, was introduced through vendor-supplied machines, from which it spread to other assets.
Any one, two, three, or more of such links could be the weak one. They may all be weak links in one way or another.
IT Vulnerabilities
Threat actors who wish to conduct supply chain cyberattacks through the IT network have many options to choose from. In one recent example, a simple password breach at data analytics provider Sisense triggered a CISA (Cybersecurity and Infrastructure Security Agency) warning to all Sisense customers to “Reset credentials and secrets potentially exposed to, or used to access, Sisense services” to guard against supply chain attacks that use Sisense’s stolen information.
Attackers may also use standard phishing or social engineering techniques, such as deceptive emails that trick honest employees into taking harmful actions like clicking on links to fake websites or downloading infected attachments. Phone calls or in-person appearances may also do the trick.
Malware or ransomware can be introduced into the supply chain network via compromised websites or infected third-party software. As NIST noted, unpatched vulnerabilities—of which third parties often have many—are easily exploited.
In more sophisticated attacks, culprits may insert a backdoor into legitimate software updates or components from third-party vendors, which can grant access to the entire network. In man-in-the-middle attacks, attackers position themselves between two links in the supply chain, where they can intercept, alter, or inject malicious code into the data being exchanged. Other methods include the ones we all know about, such as DDoS (distributed denial of service) attacks that overwhelm systems with traffic, and insider threats, either from well-meaning employees who make mistakes or from those with actual malicious intent.
OT Vulnerabilities
Malware or ransomware can be introduced into the OT network through infected USB drives or a plugged-in laptop, either by a careless employee or visiting technician. Once inside, malware can bring down operations, damage equipment, or encrypt data in hopes of a ransom.
OT networks are also rich in unpatched or legacy devices such as PLCs (Programmable Logic Controllers), SCADA (Supervisory Control and Data Acquisition) systems, or other ICS (industrial control system) components, any of which can leave an opening for attack.
The same phishing and social engineering techniques used in IT-based attacks work just as well in OT. Attackers impersonate trusted sources and trick personnel into visiting virus-laden websites or executing malicious code. The expanded use of IoT devices, such as cameras or sensors, offers additional access points.
Remote access software is another vulnerability, with VPNs and RDP (Remote Desktop Protocol) serving as doorways into the OT network. Third-party vendors have become somewhat notorious for constantly adding gateways and access points to the OT network without approval from plant authorities. Plant floor walk-throughs and basic OT traffic visibility tools frequently uncover unknown access points and vulnerabilities that suppliers set up for remote monitoring and maintenance. These present open gateways into the OT network that many are blind to without the right tools and deep-layered protection.
Perhaps most surprisingly, malware or other malicious code can be pre-loaded into software updates or even brand-new hard assets that come directly from their respective vendors.
Effective Supply Chain Cybersecurity Strategies
The NIST recommends a comprehensive approach to supply chain cybersecurity that recognizes several fundamental realities. For one, you must work from the assumption that your systems will be breached, which means going beyond prevention and having a plan for the aftermath. It’s also important to understand that strengthening supply chain cybersecurity is as much about people, processes, and knowledge of security issues as it is about technology solutions.
Strengthening OT Networks: Defense-in-Depth Security
Defense-in-depth security, also referred to as deep-layered security, is a multi-faceted approach that protects networks by placing defense mechanisms at multiple layers within the system to protect vulnerable points against an array of threats.
Secure the System Physically
Securing assets physically in hardened locations with tightly controlled access and camera surveillance can help prevent physical attacks against equipment, such as the 2022 machine-gun attack against two power substations in Moore County, North Carolina, that left 44,000 people without power.
Install an Intrusion Prevention System
In general, OT networks are big and flat, making it dangerously easy for attackers to spread quickly throughout an entire system. Unfortunately, redesigning networks with VLANs, additional switches and routers, and so on is costly, difficult to maintain, and too disruptive to operations for re-architecting to be a viable solution. Therefore, OT needs to focus on managing trusted ICS protocols and communications with an OT-specific IPS. An intrusion prevention system, or IPS device, continuously monitors network traffic for anomalous behavior that could indicate a potential threat. Threats can be identified by spotting known attack patterns, by detecting network behavior that deviates from the established baseline, or by recognizing unexpected activity by users or devices. When a threat is detected, the IPS can automatically block the suspicious traffic and alert the security team. Even if a supply chain attack infects one area, placing an IPS device in front of OT assets protects them, because only trusted applications and communications are allowed through to those assets.
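The three detection methods named above (known patterns, deviation from baseline, unexpected activity by a device) can be illustrated with a small allowlist built from a trusted learning window. This is an added example, not TXOne code or a description of any product; the hosts, protocol names and function labels are constructed sample data.

```python
"""Added example: a baseline-then-detect check in the style of an OT IPS,
run over constructed ICS flow records. It flags (a) devices never seen
during the trusted baseline, (b) protocol/function combinations a known
pair never used, and (c) write-like operations from hosts that only read."""
from collections import defaultdict

# Constructed sample records: (src, dst, protocol, function). Not real traffic.
BASELINE = [
    ("10.0.1.10", "10.0.2.20", "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    ("10.0.1.11", "10.0.2.20", "modbus", "write_single_register"),
    ("10.0.1.12", "10.0.2.30", "s7comm", "read_var"),
]
LIVE = [
    ("10.0.1.10", "10.0.2.20", "modbus", "read_holding_registers"),   # normal poll
    ("10.0.1.10", "10.0.2.20", "modbus", "write_multiple_registers"), # reader now writes
    ("10.0.9.99", "10.0.2.20", "modbus", "read_holding_registers"),   # unknown host
    ("10.0.1.12", "10.0.2.30", "s7comm", "list_blocks"),              # new function
]

# Function labels treated as state-changing (constructed list, not a standard).
WRITE_LIKE = {"write_single_register", "write_multiple_registers",
              "write_var", "plc_stop"}

def learn_baseline(records):
    """Build the allowlist from a trusted learning window of flow records."""
    pairs = defaultdict(set)   # (src, dst) -> allowed (protocol, function) set
    writers = set()            # hosts that legitimately issue write-like functions
    for src, dst, proto, func in records:
        pairs[(src, dst)].add((proto, func))
        if func in WRITE_LIKE:
            writers.add(src)
    hosts = {h for pair in pairs for h in pair}
    return {"pairs": pairs, "writers": writers, "hosts": hosts}

def evaluate(record, baseline):
    """Return 'allow' or 'block:<reason>' for one flow record."""
    src, dst, proto, func = record
    if src not in baseline["hosts"] or dst not in baseline["hosts"]:
        return "block:unknown_device"
    if func in WRITE_LIKE and src not in baseline["writers"]:
        return "block:unexpected_write"
    if (proto, func) not in baseline["pairs"].get((src, dst), set()):
        return "block:unknown_function"
    return "allow"

def run(records, baseline):
    """Evaluate every record; a real IPS would block and alert on each verdict."""
    return [(rec, evaluate(rec, baseline)) for rec in records]

if __name__ == "__main__":
    base = learn_baseline(BASELINE)
    for rec, verdict in run(LIVE, base):
        print(f"{verdict:24} {rec}")
```

The baseline must be learned from a window known to be clean; a learning window that already contains vendor-installed remote access traffic will allowlist it.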
Segment the Network
Network segmentation can take a number of forms. Operational zones segment the network into zones based on function and risk, such as control systems, supervisory systems, and enterprise systems. A DMZ (demilitarized zone) is a segregated network segment that acts as a buffer zone between the internal OT network and external entities to provide an additional layer of protection by limiting direct access to sensitive operational assets.
Firewalls
Installing firewalls can help monitor and control traffic between network segments, while industrial gateways manage communications between OT assets and outside networks, allowing only authorized traffic to pass. Unidirectional gateways ensure that data can only flow in one direction to prevent data exfiltration. However, for legacy, unsupported devices that cannot connect to the internet, traditional firewalls are not an option. In these cases, especially in OT environments where downtime is limited or maintenance windows are rare, virtual patching and patch management remain the only viable options.
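The zone, DMZ and unidirectional-gateway model described in the last two sections can be expressed as a conduit table and checked mechanically. The following is an added example with a constructed inventory, not TXOne code; zone names follow the text, and the conduit rules and ports are assumptions chosen for illustration.

```python
"""Added example: a zone/conduit policy check for the segmentation model
above. Hosts are assigned to zones; a conduit table states which zone pairs
may talk, on which ports, and which conduit is a unidirectional gateway."""

# Constructed inventory: host -> zone.
ZONES = {
    "10.0.2.20": "control",      # PLC
    "10.0.1.10": "supervisory",  # HMI / SCADA server
    "10.0.5.5":  "dmz",          # historian replica
    "10.0.8.40": "enterprise",   # business workstation
}

# Allowed conduits between zones. "one_way" marks a unidirectional gateway:
# traffic may originate only from the listed source zone.
CONDUITS = {
    ("supervisory", "control"): {"ports": {502}},            # Modbus/TCP polling
    ("control", "dmz"): {"ports": {4840}, "one_way": True},  # OPC UA mirror outward
    ("dmz", "enterprise"): {"ports": {443}},
    ("enterprise", "dmz"): {"ports": {443}},
}

def check_flow(src_ip, dst_ip, dst_port, zones=ZONES, conduits=CONDUITS):
    """Return 'allow' or 'deny:<reason>' for a single flow attempt."""
    src_zone, dst_zone = zones.get(src_ip), zones.get(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny:unknown_host"
    if src_zone == dst_zone:
        return "allow"                      # intra-zone traffic is not the firewall's job
    rule = conduits.get((src_zone, dst_zone))
    if rule is None:
        # Traffic flowing against a one-way conduit is exactly the ingress a
        # unidirectional gateway exists to make impossible.
        reverse = conduits.get((dst_zone, src_zone))
        if reverse and reverse.get("one_way"):
            return "deny:against_unidirectional_gateway"
        # Operational zones may only reach the outside world via the DMZ buffer.
        if {src_zone, dst_zone} & {"control", "supervisory"} and "dmz" not in (src_zone, dst_zone):
            return "deny:must_traverse_dmz"
        return "deny:no_conduit"
    if dst_port not in rule["ports"]:
        return "deny:port_not_in_conduit"
    return "allow"

if __name__ == "__main__":
    for flow in [("10.0.1.10", "10.0.2.20", 502), ("10.0.8.40", "10.0.2.20", 502),
                 ("10.0.5.5", "10.0.2.20", 4840), ("10.0.2.20", "10.0.5.5", 4840)]:
        print(check_flow(*flow), flow)
```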
Access Control
Access control, or more precisely, the lack of it, has long been a weak point in network security. There are several ways to beef up the access controls protecting the network. However, it’s important to keep in mind that in OT environments, strict access controls can conflict with the necessity of keeping operations running.
Role-based access control (RBAC) assigns access and permits actions according to an individual’s role within the organization. The Least Privilege Principle is exactly that: give users the least amount of access they need to do their job.
Passwords in OT environments can be especially problematic. Some shops just use the default password on certain systems, which simplifies things but certainly doesn’t secure them. Strong passwords, regularly changed, are recommended. MFA, or multi-factor authentication — “Please enter the 6-digit code we just texted you” — adds an additional layer to password protection but is not always practical in OT settings.
Endpoint Security: Best Practices for OT Environments
Modern worksites usually need to accommodate legacy endpoints in their operational environment, which must interconnect and work well with their many different assets. Endpoint devices such as PLCs, HMIs (human/machine interfaces), SCADA systems, remote terminal units (RTUs), and IoT sensors and actuators are all vulnerable to attack, especially as many may be unpatched legacy assets.
Traditional antivirus is not a viable solution as it’s not designed for the ICS environment. Constant virus signature updates require an internet connection, and file scans consume enough processing power to slow operations. So, technology-based steps can and should be taken in the form of adaptive, all-terrain ICS cybersecurity with different endpoint suites that secure both legacy systems and modern devices in a variety of worksite environments.
Supply Chain Risk Assessment and Management Techniques
Supply chain cybersecurity risks are everywhere, from third-party cleaning and maintenance vendors to software to factory-fresh hardware. Fully assessing and managing these risks requires a coordinated effort across the enterprise, involving sourcing, vendor management, security, and other key functions.
The basic steps of supply chain assessment would start with a complete map of the supply chain — all of it. This would include all suppliers, manufacturers, distributors, and customers. Weaknesses in the OT and IT systems should also be assessed. Outside threats, such as natural disasters, political instability, or supplier-based issues, must also be taken into account. Risks should be prioritized according to likelihood and potential impact, with attention paid to the most critical first.
The NIST offers an extensive number of best-practice recommendations, developed for federal agencies and the private sector, for assessing and managing supply chain cybersecurity risks to maintain integrity, security, quality, and resilience. Some of their recommendations include:
- Make security part of every RFP and contract
- Assign a security team to work with new vendors to address security gaps
- Maintain tight control over component purchases
- Unpack and fully inspect/X-ray assets from all non-approved vendors
- Implement track-and-trace programs to verify the provenance of all components, parts, and systems
- Impose tight control over vendors
- Vendors must be authorized and escorted
- Limit software access to a select few
- Limit hardware vendors to mechanical systems with no access to control systems
- Automate manufacturing and testing regimes to reduce human-introduced risks
Secure Software Development and Supply Chain Assurance
Secure Software Development
Security in software development is often an afterthought. Secure software development incorporates security from the beginning, with the goal of creating software that is resilient to attack, protects user data, and maintains the integrity and availability of the software. A specific set of principles and practices is involved, which the NIST has codified into a Secure Software Development Framework (SSDF).
The SSDF recommends dividing practices into four main groups:
- Prepare the Organization (PO): Ensure that the organization’s people, processes, and technology are prepared to perform secure software development at the organization level and, in some cases, for individual development groups or projects.
- Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.
- Produce Well-Secured Software (PW): Produce well-secured software with minimal security vulnerabilities in its releases.
- Respond to Vulnerabilities (RV): Identify residual vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar vulnerabilities from occurring in the future.
Secure software development is an expansive topic, with each group encompassing multiple elements, but it can prove extremely valuable in mitigating supply chain risks. A number of companies with specific expertise in this area can provide guidance. Additional resources such as the BSIMM (Building Security in Maturity Model) framework or the OWASP Top Ten lists can also be helpful in establishing a secure development environment.
Supply Chain Assurance
NIST defines supply chain assurance as “Confidence that the supply chain will produce and deliver elements, processes, and information that function as expected.” Maintaining supply chain assurance requires a comprehensive approach to managing and safeguarding all elements.
Other key principles of supply chain assurance include full visibility of supply chain activities, achieved through end-to-end tracking and real-time monitoring of the status of goods in the chain. Quality assurance of supplies, including product inspections and supplier audits, is also a key component. Risk assessment and mitigation strategies, such as diversified suppliers, inventory sufficient to provide a buffer, and alternate transit plans, should be considered as well. For true supply chain resilience, redundancy and backup plans that allow for fast responses to supply chain disruptions must be put in place.
Survey Third-Party Risks
Given the sheer number and differing security states of third-party supply chain links, the risks inherent in complex chains are hard to overstate. Private industry best practices for assessing third-party risks include screening and due diligence, encompassing background checks and security policy reviews.
Many companies develop custom questionnaires. Questions might cover software and hardware design processes and controls; whether mitigation of known vulnerabilities is factored into product design; how vendors stay current and address zero-day vulnerabilities; malware detection/prevention methods; and other development, process, access, documentation, employee background, and audit-related questions.
Adhere to a Multi-Faceted Approach to Supply Chain Cybersecurity
As noted throughout, supply chain cybersecurity requires an across-the-board, multi-department, multi-faceted approach involving risk assessment, management and mitigation, continuous monitoring, supplier and partner audits and insights, technology solutions that segment networks and secure endpoints and other devices, and Incident Response Action Plans that can be executed quickly when needed.
Much of this will be difficult to achieve without employee awareness and training that focuses on risks, best practices, and how individual employees can help or hinder supply chain cybersecurity. Drills can help employees know how to execute the Incident Response Plan prior to an incident. Even basics like how to recognize phishing and other social manipulation techniques can also prove helpful.
Maximize the Impact of Supply Chain Cybersecurity Strategies with OT-Specific Solutions
Even with the greater focus on OT security in recent years, ICS environments remain inviting arenas for supply chain cyberattacks. A frequent mistake is to apply adapted IT security controls to OT settings for which they were never intended. OT-native supply chain security measures that are specifically designed for the harsher realities and differing priorities of industrial settings, especially the need to maintain security and operations simultaneously, are far more effective.
OT-native solutions recognize and understand OT protocols and systems (SCADA, controllers, etc.) that are foreign to IT, and they have ways to compensate for unpatched legacy systems. OT-native solutions can also detect threats and recognize anomalous behaviors specific to OT assets and functions. Industrial environments are often a lot rougher on equipment than the carpeted IT world, and OT-native hardware solutions that can handle harsh conditions are strongly preferred.
In short, the OT world is a specialized place that requires specialized knowledge and solutions if security is to be effective while production marches on.
Learn More About TXOne’s OT-Native Supply Chain Cybersecurity Solutions
When it comes to protecting your supply chain, TXOne’s OT-native solutions have repeatedly proven themselves in the field and in every environment. Learn more about supply chains and OT security at TXOne.