Analysis

Securing CNI Supply Chains Against Cyber Attacks

This article dissects the supply chain cyber security challenges facing our critical national infrastructure, and explores how a more collaborative approach to third-party risk management and supply chain security can hold the answer.


With geopolitical tensions escalating, our critical national infrastructure is increasingly in the crosshairs of state-affiliated threat actors, especially from China and Russia. While operators of CNI tend to have strong defences in place, their digital supply chains remain a major source of risk. To make CNI supply chains more resilient, we need a more collaborative approach and transition third-party risk management from a compliance exercise into the realm of security operations.

Earlier this year, the US Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory with the Federal Bureau of Investigation (FBI) warning that “PRC state-sponsored cyber actors are seeking to pre-position themselves on information technology (IT) networks for disruptive cyberattacks against the U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” This was followed by a threat alert from the UK National Cyber Security Centre (NCSC), also highlighting the escalated threat emanating from cyber attacks by state-sponsored threat actors against UK Critical National Infrastructure.

After the United States and Ukraine, the UK is the third most targeted country in the world by threat actors, and UK operators of CNI in critical sectors such as transport, healthcare, energy and other utilities, as well as financial services and the public sector, are increasingly prominent targets of these attacks. This year alone, we have already seen attacks against the MoD, the NHS, and the UK Electoral Commission, all purportedly conducted by state-linked threat actors.

The rise in supply chain attacks

Many of these attacks today are directed at the weakest links in the target’s cyber security posture. These weak links are often found in organisations’ extensive networks of suppliers and business partners, whose software or hardware are either deeply integrated into their own systems and processes, or which handle sensitive data on their behalf. These outsourcing relationships have created a complex set of dependencies and introduced weaknesses that are being increasingly targeted by attackers.

Supply chain attacks have fast become one of the leading cyber threats facing organisations, and can be among the most devastating, as prominent examples such as the SolarWinds (2020), Log4j (2021) and the recent MOVEit Transfer (2023) supply chain attacks attest. According to the Identity Theft Resource Center, for example, the number of organisations impacted by supply chain attacks has increased by more than 2600% over the past five years alone.

But the problem doesn’t stop with risks emanating from the direct suppliers and partners of operators of CNI. These third parties, in turn, depend on a network of often hundreds of other organisations or sub-contractors for the provision of their own services, and the list goes on.

When Cl0p exploited the MOVEit Transfer vulnerabilities last year, many of the thousands of high-profile victims did not even use MOVEit Transfer themselves. Instead, they were impacted through suppliers such as the HR and payroll software provider Zellis, or PBI Research Services, a widely used research information provider to the financial industry, which were using MOVEit Transfer to process their clients’ data.

Regulators are taking note of fourth-party risks

This is why regulators are increasingly zeroing in on the supply chain risks facing organisations in CNI, including those originating from their fourth, fifth and nth parties.

New regulatory regimes such as the UK Government Cyber Security Strategy and the related Cyber Assessment Framework (CAF) and Indicators of Good Practice, the new NIS 2 directive, the UK’s upcoming Cyber Security and Resilience Bill, and the Digital Operational Resilience Act (DORA) have all broadened their requirements to stipulate that organisations must also be aware of risks emanating from suppliers further along their extended supply chains.

The main problem is that traditional approaches to supply chain security simply will not allow operators of CNI to achieve the goals set out in the aforementioned regulations, especially with respect to identifying risks in their extended supply chains beyond third parties, and to substantially reducing the risks from supply chain attacks. What is needed is nothing less than an entirely new approach to supply chain cyber security.

Why TPRM & incident response to supply chain attacks don’t work

But let’s start with where the main problems lie with more traditional supplier risk assessment approaches. These approaches still rely, to a large extent, on highly manual and time-consuming risk assessments that provide at best a point-in-time insight into the security postures of individual suppliers. Moreover, each operator of CNI currently performs its own assessment of each individual supplier’s security. Whilst there is a need for nuance based on the individual context, there is a vast amount of duplicated effort across operators of CNI when performing these reviews, especially given the often significant overlaps between their respective supply chains.

The time and resource demands of reviewing supplier assessments alone are great enough. This makes continuous monitoring of suppliers’ security postures, beyond occasional re-assessments, a distant dream. The same is true for efforts to map the entire supply chain ecosystem and achieve greater visibility into risks beyond immediate third-party suppliers, in fourth, fifth and nth parties.

Approaching TPRM principally as a compliance-driven exercise also doesn’t help. A common problem today with incident response to active supply chain attacks is that security teams at operators of CNI typically have neither a full, comprehensive register of all their suppliers at hand nor established links with the security teams at these suppliers. As a result, security teams often struggle to gather crucial information, such as supplier criticality, data handling practices, and details of suppliers’ security controls, that they need to ascertain which suppliers might be affected and could pose a risk to them during an ongoing attack. This scramble for information from various departments, including procurement and compliance, costs valuable time.

Meanwhile, risk assessments typically involve interactions with sales or procurement teams at suppliers during their onboarding processes, leaving security teams without direct links to their peers at supplier organisations when disaster strikes. This disconnect further complicates swift incident response and assessment.

The Way Forward: Defend-as-One Against Supply Chain Attacks

So what can operators of CNI do to overcome the challenges and constraints that more traditional approaches to third-party risk management bring with them? There are really three main steps that would make a fundamental difference to how effectively operators of CNI can approach supply chain security and risk management: 1) increasing their visibility into their extended and overlapping supply chain ecosystems; 2) transitioning TPRM into the realm of security operations; and 3) adopting a collective defence approach to TPRM in partnership with industry peers.

If you are interested in finding out more about how operators of critical national infrastructure such as UK water companies, police forces and others are already working closely together on Risk Ledger to share information, gain enhanced visibility into their extended supply chains, uncover hidden concentration risks, reduce the burden of duplicate supplier assessments, and Defend-as-One against emerging threats, please get in touch with our experts.
