Management, compliance & auditing

Cyber Security Risk in Supply Chain Management: Part 1

Introduction

Cyber security is generally thought of as various types of security devices like firewalls, Web Application Firewall (WAF), IDS/IPS, SIEM, DLP etc. to safeguard network, applications and data. But what if, for example, the deployed security solutions have a bug inside? The latest example of this is exposing of a vulnerability in Lenovo notebooks. Lenovo notebooks are shipped with a program named "Superfish-Visual Discovery", and recently a vulnerability known as Man-in-the-Middle (MITM) has been discovered in this software, so all the security controls installed in the notebooks like antivirus etc. cannot catch it, because it is the default shipped in the software. This is an example as to how important is to take not only networks but also each component of a supply chain into consideration.

Cyber security in the supply chain is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the Advanced Persistent Threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

Cyber Security Threats in Supply Chain

The below section will show some examples of cyber security threats in the supply chain:

• Network or computer hardware that is delivered with malware installed on it already (such as Superfish installed on Lenovo notebooks).
• Malware that is inserted into software or hardware (used by Dragonfly cyber group, discussed later in the document).
• Vulnerabilities in software applications and networks within the supply chain that are discovered by malicious hackers.

Cyber Security Scope in Supply Chain

Cyber security of any one organization within the chain is potentially only as strong as that of the weakest member of the supply chain. A determined aggressor, notably advanced persistent threats (APTs), will make use of this by identifying the organization with the weakest cyber security within the supply chain, and using these vulnerabilities present in their systems to gain access to other members of the supply chain. Whilst not always the case, it is often the smaller organizations within a supply chain who, due to more limited resources, have the weakest cyber security arrangements.

Cyber security is needed in all phases of a particular supply chain because an organization cannot be sure from where a risk will evolve. One example I have already given is regarding the vulnerability in the packaged software in Lenovo notebooks. Another example will be of a particular code behind a software. Areas of concern for an organization will be like who all has access to code? Who has written the code? Where it is stored? How can tampering in the code be detected?

So cyber security fits in all phases of a particular supply chain, whether it is a hardware supply chain or a software supply chain, though a software supply chain is more important.

Compliance Requirements for Cyber Security in Supply Chain

Various compliance regulations such as PCI DSS clearly articulate in their requirements about how to manage risks in the supply chain, whether that includes an internal process or involvement of third party service providers, merchants etc. For example, PCI DSS 3.0 includes requirements like penetration testing, application development lifecycle security, and threat modeling – all facts to the point that supply chain risks are an escalating concern. PCI DSS 3.0 requirements indicate that a downstream software supply chain is an emerging attack vector.

It is very important for organizations to understand that to cover cyber risks in a supply chain, organizations not only need to assess everything in their internal environment but also for all the actors involved in the supply chain. For example, credit card organizations which are compliant with PCI DSS need to assess risks with merchants, distributors, credit card makers, banks, service providers – i.e., all the actors involved in the complete supply chain.

Cyber Security Outbreak: Recent Examples in Supply Chain

This section will illustrate the recent examples that have led to greater emphasis on covering cyber security risks in the supply chain.

1. A recent example of this is the installation of adware known "Superfish" in Lenovo notebooks. End users cannot detect it to be malicious nor will the antivirus software installed on the system, because software of this kind needs to be trusted since they come by default. Superfish software tends to install a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate. Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.
2. A cyber espionage group named Dragonfly was able to attack the pharmaceutical sector by setting up trojans in legitimate software. Because of this plantation of trojans in the supply chain, the Dragonfly group was able to control the now malicious software by replacing legitimate files with malicious files in the software. This malicious software in result, when downloaded from the supplier's website, provided remote access functionalities that could be used to take complete control over the system where the software was installed, or it could have been used to make the remote system act like a bot.
3. Another example of cyber attack risks in the supply chain is that of shylock banking trojans. Attackers use the website builders to compromise legitimate web sites by redirecting their requests to a malicious domain. As soon the request lands onto the malicious domain, malware gets downloaded onto the system and thus attacks like man in the browser was performed. This attack is so severe that it even avoids detection and protects itself from analysis. Thus attackers target the website builder used by many companies, thereby infecting at a large magnitude.
4. Another great deal of cyber risks involved in a supply chain is involvement of third parties, which are often used to store confidential data. Similarly, an attack was observed on large data aggregators where a small botnet was transferring data from the internal systems to a botnet controller on the Internet through the encrypted channel. This attack has resulted in theft of a data aggregator that licenses information to use in credit decisions.

Thus we have seen how important it is to look out for cyber security risks in the supply chain. In the next article we will see mitigation strategies that can be adopted to address these cyber risks in the supply chain.

References

1. http://en.wikipedia.org/wiki/Supply_chain_cyber_security
2. https://www.cert.gov.uk/wp-content/uploads/2015/02/Cyber-security-risks-in-the-supply-chain.pdf