cyber security Archives - Total Supply Chain Summit | Forum Events Ltd


Posts Tagged: cyber security

Critical infrastructure security Q&A with McAfee’s Mo Cashman

Critical infrastructure and supply chains consist of networks and assets that form the backbone of society. Therefore, the fallout of an attack could be catastrophic. Across the globe, individuals have already experienced shortages of food, energy and other resources, and the inability to access critical healthcare services – despite this, it’s likely that the worst is yet to come.

Dynamic solutions are needed to reflect the fact that emerging threats, and the technology needed to deter them, often change faster than the regulatory process can keep up.

In the latest instalment of our supply chain industry executive interview series, we spoke to Mo Cashman, Enterprise Architect and Principal Engineer at McAfee Enterprise, about the biggest risk factors and 

  1. What are the most dangerous cyber security risks to the UK supply chains and other critical infrastructure?

Over the past year, cyber-attacks on critical industries have certainly seen an increase, with sectors such as healthcare, energy/utilities, and government under constant threat from cybercriminals looking to target critical infrastructures such as telecommunication networks and transport infrastructure. The report also saw a 64% increase in publicly reported cyber incidents targeting the public sector.

Some of the most dangerous cyber security risks to critical infrastructure include ransomware-as-a-service. Our latest threat research found that the government was the most targeted sector by ransomware in Q2 of 2021. This is a cybercrime economic model that allows ransomware platform owners to earn money for their creations through affiliates. This model allows non-technical criminals to buy both the ransomware and potentially access to targets to launch attacks more easily while paying the developers a percentage of their take. As a result, the developers run relatively few risks, and their customers do most of the work. Some instances of ransomware-as-a-service use subscriptions, while others require registration to gain access to the ransomware. The attacks will typically enter the workplace via a malicious email or through a vulnerable remote access application.

But another entry point not to be overlooked is supply-chain compromises. This is another critical attack vector facing the national infrastructure. In this case, attackers will often enter the network through a trusted connection, system, or user. Unfortunately, this can make them very difficult to detect.

  2. Where do the biggest cybersecurity risks to the UK’s national infrastructure come from?

Interestingly, the most significant cybersecurity risks come from both criminal gangs and nation-state actors. Nation-state actors specifically target critical infrastructure to steal state secrets and cause national disruption. For example, cyber-attacks such as Sunburst and SolarWinds have been widely attributed to nation-state actors.

Cybercriminal gangs also pose a significant threat to critical infrastructure. At the recent G7 summit, world leaders recognised ransomware as a global threat, calling upon member states to do more to combat it. The criminal gangs running ransomware-as-a-service networks were identified as a particular issue.

Currently, McAfee ATR and the MVISION Insights platform are tracking 31 different ransomware, APT and criminal groups, such as Darkside, and nation-state actors like APT32. These groups operate globally and across many sectors, including the UK’s national infrastructure. We’ve noticed that criminal organisations and nation-state actors often share the same malware or tools, such as Cobalt Strike, Mimikatz and PowerShell, and leverage similar techniques, such as supply chain compromise and spearphishing, to gain network access. The only real distinction then becomes the intent of the organisation behind an attack.

  3. What should the government do to improve its national infrastructure’s cyber defences?

Over the last few years, the UK Government has put several different programmes and initiatives in place to combat cyber threats. This includes the establishment of the National Cyber Security Centre in 2016, which aims to increase cybersecurity awareness and improve skills across organisations associated with the national infrastructure.

Given the rapid move to a culture of remote working, which now looks set to become a permanent fixture, implementing more robust cybersecurity measures has never been more critical. Some additional practices which may help to improve cyber resilience include:

  • Adopting a zero-trust architecture framework that performs threat and data protection at every control point in a single pass to help improve user experience and productivity, reduce the cost of security, and simplify management.
  • Implementing Continuous Monitoring and Response across all enterprise systems
  • Gaining as much information as possible about the enterprise assets and services
  • Eliminating trusted zones and micro-segmenting resources
  • Operationalising and sharing threat intelligence
  • Improving security for operational technology networks

  4. What is the ideal interplay between public and private initiatives when it comes to best protecting the UK’s cyber infrastructure?

Private and public organisations must work together to protect critical infrastructures from cyber threats. A great example of threat intelligence sharing and cross-industry collaboration is the Cyber Threat Alliance (CTA). The CTA is a non-profit organisation working to improve the cybersecurity of our global digital ecosystem. In order to best defend against cybercriminals and threat actors, threat intelligence sharing is vital, and the CTA shares approximately 6 million threat indicators with its members each month.

Another example of great collaboration between the public and private sectors is the nomoreransom.org initiative. It was set up five years ago by four founding partners, including law enforcement and private security cybersecurity companies. Since then, it’s expanded to include over 150+ public and private entities and has been credited with saving organisations an estimated $900 million (or £654 million).

These organisations are both fantastic examples of the public and private sectors working in tandem to combat cybercriminals and reduce the cyber threats faced across the globe.

Why you could risk your cyber security through the supply chain

Collin Robbins, Managing Security Consultant, Nexor

Organisations from SMEs to multinational corporations experience cyber attacks on an almost daily basis. The majority of these attacks and data breaches come from the same place: through the supply chain, where security can become weak and mismanaged, or directly through people who work as part of a supply chain and use their home network as an entry point to their world of work.

When an organisation enters your supply chain providing goods or services, they may need access to certain proprietary data or systems and your security could become compromised. It is highly likely parts of your supply chain will have this access, for example, providing support for equipment, which creates potential infrastructure entry points. Whilst your own company may have deployed a number of security defences to protect your network – can you say the same about your suppliers?

The supply chain is a risk for your company, no matter what your organisation does. As soon as you start to outsource, you lose an element of control over your data. Some common weaknesses in supply chain management affecting businesses are: 

Lack of resources in the supply chain 

In an ideal world, companies in the supply chain would take sole responsibility for dedicating sufficient resources to manage their own security. In practice, however, many suppliers do not identify security as a core business need, and are either unaware of or indifferent to the potential impact it will have downstream. In these instances, it becomes imperative to impose your minimum expected security standards upstream, where possible, requiring the suppliers’ commitment to these standards as part of the deal.

This should be reviewed on a regular basis with each supplier to ensure that they maintain this capability. If not, a risk assessment should be carried out to determine if the value to your business exceeds the potential damage a supply chain attack could cause. In the worst-case scenario, it might be necessary to find a new supplier.

Inability to adapt to supply chain changes

When it comes to suppliers, one size does not fit all. Supply chains come in varying sizes, and the longer your chain, the more attention you need to give it. A flexible management approach should be adopted, dependent on the risk associated with each supplier. For example, the risk posed by your third-party network management provider will likely be greater than the risks posed by the supplier of commodity software licences. As an upstream company, you must ensure that security requirements flow down the chain suitably and that security controls are monitored.

A lack of communication between business and supplier

Communication between suppliers concerning updated security measures or reporting of incidents is key across the chain. If the suppliers aren’t aware of expected changes to the security of the chain or don’t understand the steps to take in the event of a breach, cyber attacks are more likely to be successful and give criminals access to the core business. Building security requirements into the contracting process helps alleviate these issues as all parties involved will have written confirmation of security expectations. Constant reviews of the process here are essential and can help flag up any weaknesses or communication that has been missed. 

How to prevent an attack through the supply chain

It is important that a business understands the risk a supplier may pose and ensures that the supply chain has appropriate security controls in place. These will vary and flex depending on the type of data or influence the chain has on the business. One starting point would be to ensure all suppliers attain Cyber Essentials, which is becoming the UK’s minimum standard of security. However, this might be insufficient for high-risk suppliers.

Regular auditing of the chain 

Audits of critical suppliers are important to ensure that they are safeguarding data in the ways they claim. The assessment will need to flex depending upon the risk, from a simple questionnaire to a full-scale on-site second- or third-party audit. It’s all about assessing the level of threat and acting accordingly.

Making sure the chain understands the importance

Ensure that your supplier understands the procedures in place to contact you in the event of a breach. Complete a risk analysis of your suppliers to understand the knock-on effects to your company should their systems be compromised, and create a contingency plan around this. This should be set up ready to go at the push of a button if needed, mitigating the damage that can be done to your business.

Mitigate against any risks

As a company, you must decide which controls you can insist the supplier enhances in order to continue business. If they don’t comply, can you put mitigating procedures in place? If you can’t mitigate, you must then consider the impact of an attack on your business, and whether you can accept the risk and deal with it when it happens.

Cyber security is a big threat to many businesses and can impact every entity in the supply chain from the top to the bottom. It is essential that all elements of the supply chain work in tandem to maintain tight security for all involved.