For years the security community has viewed internal resources as presenting the greatest cyber risk to an entity. In 2021, shortly on the heels of the much-publicized SolarWinds breach, as well as many other supply chain/third party cyber breaches, it can be argued that supply chain/third parties now represent a greater cyber risk than insiders. This poses an extremely difficult problem to address given the number of third parties providing technology services to critical infrastructure entities and the nature of the services provided by the third parties. Even a mid-sized electric distribution utility can have more than 30 vendors that provide critical technology services and/or have access to the utility’s key systems – greatly increasing the entity’s attack surface, and the number of potential attack vectors, which can lead to a damaging breach.
Supply Chain/Third Party Breaches Are Highly Damaging And Costly
The recent reports on the SolarWinds breach are testimony to the impact of supply chain/third party breaches. Approximately 18,000 companies were impacted by the compromised SolarWinds Orion update function. Further, the Cybersecurity and Infrastructure Security Agency (CISA) said malicious actors have access to more backdoors than just SolarWinds Orion. The agency found “evidence of additional initial access vectors and tactics, techniques, and procedures, but the new vectors are still under investigation.”
As such, critical infrastructure entities face costs to implement an effective protection program, to recover from breaches, and to obtain appropriate levels of insurance. According to a Moody’s Cyber Risk Outlook Report, “cyberattacks on the software supply chain are raising the threat of damaging reputational trust”. Moody’s also states, “the continued rise of ransomware attacks against companies may force changes in cyber insurance policies and coverage, with insurers raising premiums and modifying coverage to make sure companies take preventative measures.”
CSO Online recently published an article titled “Supply Chain Attacks Show Why You Should Be Wary Of Third-Party Providers.” The article states, “The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before, creating a perfect storm. The recent SolarWinds attack is a prime example.”
This is not a new issue – but a risk that has been increasing at an alarming pace. In February 2020, the FBI issued an alert on supply chain cyber threats – signifying the level of risk. The alert stated that “Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution.”
Top 5 Ways to Reduce Your Supply Chain / Third Party Cyber Security Risks
- Adopt supply chain/third party controls from the applicable authoritative standard (e.g., NIST Cybersecurity Framework, NERC CIP)
- Stack rank your supply chain/third parties from a risk perspective
- Apply the controls commensurate with the risk associated with the third party
- Manage your supply chain/third parties with the same oversight as if they are an internal group
- Monitor, exchange information with peer entities, and improve continuously
As an Industry Trusted Advisor – Acumen can assist you