Cybersecurity Tips: Supply Chain Security

In this article, learn about recent challenges with the nation’s supply chain and get expert insights on how to secure your supply chain. These tips were developed with the Security Industry Association’s (SIA’s) Cybersecurity Advisory Board during Cybersecurity Awareness Month 2021 as part of SIA’s efforts to promote responsible connectivity and encourage SIA members to strengthen their cybersecurity postures.

Supply Chain Vulnerabilities

Recently, the United States witnessed several material attacks on its nation’s supply chain across many different industries. First there was the SolarWinds attack, then the attack on the water supply in Tampa, Florida, followed by the Colonial Pipeline, the attack on JBS food supply industry and, most recently, the Kaseya attack. It is highly desirable for a bad actor to expand their reach by attacking a common supplier to cause cascading impacts to several other targets.

This type of attack vector strongly punctuates the point of how imperative it is to focus on not only protecting national critical infrastructure, but to also focus on the protection of commercial businesses that support critical infrastructure.

Securing Your Supply Chain

As private-public partnership is established, businesses can take a more proactive approach to securing assets. A holistic security posture must include improving physical security, cybersecurity, infosec and operational technology security. Once a strong security program is established, the organization needs to make it part of its overall culture. Creating a “security by design culture” is both a mindset that is practiced amongst all levels of the organization but is also embedded in the protection of all assets and organizational affiliates – including external partnerships with suppliers and vendors. Holding suppliers and vendors to the same standards of risk mitigation and associated protocols will help strengthen the program and overall security posture of the organization.

Organizations need to ask meaningful questions of their suppliers and vendors to garner an accurate understanding of what their security program and protocols look like. Some examples of questions to ask may include:

1. Do you have a documented approach for your security program? Can you produce it?
2. What are the compliance standards that your organization meets (NIST, ISO, SOC, HIPPA, PCI-DSS, Sarbanes Oxley, etc.)?
3. Does your organization engage in third-party audits? Can you produce the results?
4. Does your organization conduct background checks on employees?
5. How do you protect/monitor your digital assets from insider threats (non-malicious/malicious)?
6. What are your procedures in vetting your suppliers?
7. Does your product have security features (signed firmware, support certificates, TPM modules, encryption, support 801.1x environments, etc.)?
8. Can you provide a software bill of materials?
9. Where is your product manufactured?
10. What insight do you have into the manufacturing process? On site management?
11. Where is your software developed?
12. Do you employ code verification/validation and code vulnerability scanning prior to release?
13. What is your process for firmware/software updates?

Establishing acceptable practices and standards for the supply chain will improve the security posture of the organization. Visibility not only into suppliers and vendors, but their standards of their suppliers will provide layers of security within the supply chain. It is impossible to thwart all threats. No organization is impenetrable. However, creating a solid security program that includes internal and external stakeholders will make the organization a hardened target, costing bad actors more time and money to penetrate, making it a less profitable target.

Looking for more resources on cybersecurity? Check out the Cybersecurity Advisory Board page and this blog highlighting SIA’s educational content related to breaches and cybersecurity.