security Archives - Total Supply Chain Summit | Forum Events Ltd

Total Supply Chain Summit | Forum Events Ltd Total Supply Chain Summit | Forum Events Ltd Total Supply Chain Summit | Forum Events Ltd Total Supply Chain Summit | Forum Events Ltd Total Supply Chain Summit | Forum Events Ltd

Posts Tagged :

security

Critical infrastructure security Q&A with McAfee’s Mo Cashman

Critical infrastructure and supply chains consist of networks and assets that form the backbone of society. Therefore, the fallout of an attack could be catastrophic. Across the globe, individuals have already experienced shortages of food, energy and other resources, and the inability to access critical healthcare services – despite this, it’s likely that the worst is yet to come.

Dynamic solutions are needed to reflect the fact that emerging threats, and the technology needed to deter them, often change faster than the regulatory process can keep up.

In the latest instalment of our supply chain industry executive interview series, we spoke to Mo Cashman, Enterprise Architect and Principal Engineer at McAfee Enterprise, about the biggest risk factors and 

  1. What are the most dangerous cyber security risks to the UK supply chains and other critical infrastructure?

Over the past year, cyber-attacks on critical industries have certainly seen an increase, with sectors such as healthcare, energy/utilities, and government under constant threat from cybercriminals looking to target critical infrastructures such as telecommunication networks and transport infrastructure. The report also saw a 64% increase in publicly reported cyber incidents targeting the public sector.

Some of the most dangerous cyber security risks to critical infrastructure include ransomware-as-a-service.  Our latest threat research found that the government was the most targeted sector by ransomware in Q2 of 2021. This is a cybercrime economic model that allows ransomware platform owners to earn money for their creations through affiliates. This model allows non-technical criminals to buy both the ransomware and potentially access to targets to launch attacks more easily while paying the developers a percentage of their take. As a result, the developers run relatively few risks, and their customers do most of the work. Some instances of ransomware-as-a-service use subscriptions, while others require registration to gain access to the ransomware. The attacks will typically enter the workplace via a malicious email or through a vulnerable remote access application.

But another entry point not to be overlooked is supply-chain compromises. This is another critical attack vector facing the national infrastructure. In this case, attackers will often enter the network through a trusted connection, system, or user. Unfortunately, this can make them very difficult to detect.

  1. Where do the biggest cybersecurity risks to the UK’s national infrastructure come from?

Interestingly, the most significant cybersecurity risks come from both criminal gangs and national state actors. Nation-state actors specifically target critical infrastructure to steal state secrets and cause national disruption. For example, cyber-attacks such as the Sunburst and SolarWinds have been widely attributed to nation-state actors.

Cybercriminal gangs also pose a significant threat to critical infrastructure. At the recent G7 summit, world leaders recognised ransomware as a global threat, calling upon member states to do more to combat it. The criminal gangs running ransomware-as-a-service networks were identified as a particular issue.

Currently, McAfee ATR and MVISION Insights platform is tracking 31 different Ransomware, APT, criminal groups, such as Darkside and Nation-State Actors like APT32. These groups operate globally and across many sectors, including the UK’s national infrastructure. We’ve noticed that criminal organisations and Nation-State actors often share the same malware or tools, such as Cobalt Strike, Mimikatz and Powershell, and leverage similar techniques, such as Supply Chain Compromise and Spearphishing to gain network access. The only real distinction then becomes the intent of the organisation behind an attack.

  1. What should the government do to improve its national infrastructure’s cyber defences?

Over the last few years, the UK Government has put several different programmes and initiatives in place to combat cyber threats. This includes the establishment of the National Cybersecurity Centre in 2016, which aims to increase cybersecurity awareness and improve skills across organisations associated with the national infrastructure.

Given the rapid move to a culture of remote working, which now looks set to become a permanent fixture, implementing more robust cybersecurity measures has never been more critical. Some additional practices which may help to improve cyber resilience include:

  • Adopting a zero-trust architecture framework that performs threat and data protection at every control point in a single pass to help improve user experience and productivity, reduce the cost of security, and simplify management.
  • Implementing Continuous Monitoring and Response across all enterprise systems
  • Gaining as much information as possible about the enterprise assets and services
  • Eliminating trusted zones and micro-segment resources
  • Operationalise and share threat intelligence
  • Improving security for operational technology networks
  1. What is the ideal interplay between public and private initiatives when it comes to best protecting the UK’s cyber infrastructure?

Private and public organisations must work together to protect critical infrastructures from cyber threats. A great example of threat intelligence sharing and cross-industry collaboration is the Cyber Threat Alliance (CTA). The CTA is a non-profit organisation working to improve the cybersecurity of our global digital ecosystem. In order to best defend against cybercriminals and threat actors, threat intelligence sharing is vital, and the CTA shares approximately 6 million threat indicators with its members each month.

Another example of great collaboration between the public and private sectors is the nomoreransom.org initiative. Set up five years ago by four founding partners, including law enforcement and private security cybersecurity companies. Since then, it’s expanded to include over 150+ public and private entities and credited with saving organisations an estimated $900 million (or £654 million).

These organisations are both fantastic examples of the public and private sector working in tandem to combat cybercriminals and reduce the cyber threats faced across the globe.

How can the Defense Industrial Base better protect against cybersecurity weaknesses in the supply chain?

By Thomas Lind, Co-Head of Strategic Intelligence, BlueVoyant

Securing the Defense Industrial Base (DIB) is a key national security objective of the United States. The task is challenging: it means securing a multi-tiered, interlinking supply chain hundreds of thousands of companies long, ranging from machine shops of a few dozen employees to billion-dollar prime contractors.

In an attempt to assess and support the cybersecurity posture of the defense sector, BlueVoyant recently undertook an analysis of companies in the defense industrial base. Building on research carried out by researchers at Michigan State University and our own insights gleaned from CMMC consulting, we focused on small-to-medium size enterprises (SMEs) as a critical and overlooked component of supply chain resilience. Looking at cybersecurity posture, threats, and compromise, our analysis found evidence of vulnerabilities across our sample set.

However, BlueVoyant research also shows that securing the DIB is a tractable problem. With the right combination of CMMC regulations, cybersecurity monitoring, and support from government, the DIB can be made much stronger and resilient than it is now.

This issue is critical. Businesses in the DIB are high-value targets for nation-state adversaries and other cybercriminals. Today, the news is awash with examples of how these third-party attack strategies have been successful: in the last year alone, cyber attacks exploiting Microsoft Exchange, F5, Pulse Secure, and, of course, SolarWinds have all impacted U.S. defense networks. At the same time, opportunistic ransomware attacks have also risen in frequency and impact, and just last year we reported attacks on US contractors who had been hit by the Babuk, Ryuk, maze and DoppelPaymer ransomware groups.

Securing the DIB is not only a pressing issue for greater national security: it is also eminently possible. BlueVoyant’s recent report, Defense Industry Supply Chain and Security, seeks to support policymakers and defense contractors in shaping a stronger and more resilient cybersecurity posture.

Adversaries pivot to target SMBs

Arguably, defense contractors face the same opportunistic threats as any business, however, the DIB’s biggest problem is the complexity of securing such an enormous ecosystem. Since the first cyber intrusions in the late 1990s and early 2000s, prime contractors and other large companies have developed more robust security defenses against cyberattacks. As a result, adversaries have pivoted towards targeting small to medium-sized enterprises (SMEs) that are subcontractors within the same supply chain. This attack strategy is based on the expectation that SMEs will have fewer and less sophisticated defenses and will thus provide an easier entry point to all entities within the entire supply chain.

Knowing this, BlueVoyant undertook a review of the cybersecurity risk posture within the DIB. To do so, we chose a sample set of 300 companies, avoiding primes and other giant defense contractors and instead limiting the pool entirely to SMEs. In a total industrial base of some 100,000 companies (or more, according to some estimates), three hundred companies is not large enough to identify reliable patterns but large enough to observe statistically significant insights into overall supply chain security. We examined the companies for vulnerabilities in their cybersecurity posture; for evidence of targeted threat activity; and for evidence of compromise. The analysis also sought to identify patterns or trends in risk, in hopes to illuminate how risk is concentrated (or not) within a supply chain – and thus help primes and the DoD to direct their resources and attention in future.

We arrived at two key insights. One, our findings indicate that significant issues exist within our sample set, suggesting wider issues across SMEs in the DIB: just under half (48%) of all companies analyzed had critical cybersecurity vulnerabilities, 20% (one-fifth) had critical vulnerabilities and evidence of significant, intentional threat targeting, and 7% showed critical vulnerabilities, evidence of significant, intentional threat targeting, and also had evidence of potential compromise. Overall, vulnerabilities to ransomware were widely observed throughout the group, especially unsecured remote ports known to be the major route of access for ransomware gangs.

Two, we found that industry type was a stronger predictor of risk than company size alone: manufacturing and R&D companies had the highest risk profiles when assessing email security, IT hygiene, malicious activity and vulnerabilities. 100% of the large R&D companies assessed displayed network vulnerabilities, with 66% of these companies also showing evidence of targeting.

Espionage and intellectual property threats are also increasing

This comes at a time of significant pressure on defense companies. Advanced persistent foreign actors have targeted the DIB for years for the purposes of espionage and intellectual property threats; in the last year, they have achieved significant success, and that in the public eye. In October 2020, the NSA issued an advisory noting that Chinese APT groups were exploiting vulnerabilities in Pulse Secure VP and F5 Networks’ cybersecurity software to target defense contractors, and in April this year these groups were reportedly exploiting another software vulnerability to attack defense contractors with vulnerabilities in Microsoft Exchange services.

To this point, just under half of the companies that we examined had ports vulnerable to ransomware, as well as other severe vulnerabilities. This included unsecured data storage ports, out-of-date software and OS, and other vulnerabilities rated severe to NIST frameworks.

Furthermore, 7% of the companies analyzed showed critical vulnerabilities and evidence of targeted threat activity, and evidence of compromise. Additionally, more than six months after the F5 and Microsoft Exchange vulnerabilities were announced, several companies were still observed with these vulnerabilities on their networks.

CMMC and other regulations are being implemented

In order to address these issues, a series of government regulations have set standards designed to raise the baseline of cybersecurity requirements. Most recently, in 2019 the DoD announced that they were launching the Cybersecurity Maturity Model Certification (CMMC) as an expansion of, and improvement upon, the National Institute of Standards and Technology (NIST). CMMC is designed to help apportion compliance and responsibility in appropriate measures throughout a complex ecosystem and to also ensure third party verification and controls are in place. However, our research found that more than a quarter (28%) of companies analyzed showed evidence indicating they would fail to meet the most basic, tier-1 CMMC requirement.

Perpetual monitoring and management is required

Regulations will certainly help to reduce the attack surface, but compliance is not security. Regulations are typically measured at points in time and are therefore not necessarily synonymous with ongoing effective cybersecurity. Without a doubt, compliance is a key first step towards baseline security – but more is needed. How can organizations create a secure environment for defense companies while also supporting the development of a large and diverse ecosystem? How can they close the gap that exists with these periodic point-in-time assessments and deliver more ongoing monitoring and management of the systems security throughout an entire supply chain? Often smaller firms do not have the resources and budgets to deal with increasing, targeted cyberattacks.

Going forward, continuous cybersecurity monitoring should be a key component for defense companies to secure their supply chain. Here prime contractors can reduce their risk exposure by focusing on the most high-risk segments of their supply chain. Our research highlighted that R&D companies are particularly vulnerable targets for malicious insertion in the supply chain and focusing on them can reduce risk to all segments. Additionally, predictive analysis is possible based on quantitative measures, and can provide the DoD and prime contractors with findings to help them identify and more effectively manage risk. BlueVoyant is undertaking more advanced research, in cooperation with Michigan State University’s top-rated supply chain management program, to see if more reliable predictive measures are possible. 

Focusing on supply chain health

For an industry with such an expansive, interconnected digital ecosystem, supply chain security should be a fundamental consideration. Prime contractors are under enormous pressure to reduce the attack surface of the entire supply chain, but are partly blind to the vulnerabilities that exist. Smaller companies need to put more attention and resources into identifying ongoing risks and understanding overall supply chain health in order to combat the growing threat landscape.

The good news is that the two recent Executive Orders – one on American Supply Chains, and the other on Improving the Nation’s Cybersecurity – direct much-needed attention and funding to cybersecurity in the defense supply chain, but they are only the start. Closer co-operation between the DoD and the private sector is required to support a more vibrant, diverse, and secure defense sector.

Just as threats are evolving, so too are the conditions that shape the US defense industry, and the sector is increasingly introducing commercial technologies and acquisition practices that have the potential to disrupt and change the traditional defense contractor business model for the better. Organizations need to put in place accessible compliance frameworks, robust and proactive risk tracking, continuous external monitoring – all of these steps will support a more secure defense sector and are absolutely achievable with closer co-operation between the DoD and the public sector.

Why you could risk your cyber security through the supply chain

Collin Robbins, Managing Security Consultant, Nexor

SMEs to multinational corporate companies experience cyber attacks on an almost daily basis. The majority of the attacks and data breaches can be found coming from the same place – through the supply chain, where security can become weak and mismanaged, or directly through people that work as part of a supply chain using their home network as an entry point to their world of work.

When an organisation enters your supply chain providing goods or services, they may need access to certain proprietary data or systems and your security could become compromised. It is highly likely parts of your supply chain will have this access, for example, providing support for equipment, which creates potential infrastructure entry points. Whilst your own company may have deployed a number of security defences to protect your network – can you say the same about your suppliers?

The supply chain is a risk for your company, no matter what your organisation does. As soon as you start to outsource, you lose an element of control over your data. Some common weaknesses in supply chain management affecting businesses are: 

Lack of resources in the supply chain 

In an ideal world, companies in the supply chain would take sole responsibility for dedicating sufficient resources to manage their own security. In practice, however, many suppliers do not identify security as a core business need, either unaware or indifferent to the potential impact it will have downstream. In these instances, it becomes imperative to impose your minimum expected security standards upstream, where possible, requiring the suppliers commitment to these standards as part of the deal.

This should be reviewed on a regular basis with each supplier to ensure that they maintain this capability. If not, a risk assessment should be carried out to determine if the value to your business exceeds the potential damage a supply chain attack could cause. In the worst case scenario it might be necessary to find a new supplier.

Inability to adapt to supply chain changes

When it comes to suppliers one size does not fit all, supply chains come in varying sizes and the longer your chain the more attention you need to give it. A flexible management approach should be adopted, dependant on the risk associated with each supplier. For example, the risk posed by your third party network management provider will likely be greater than the risks posed by the supplier of commodity software licences. As an upstream company you must ensure there is suitable flow down the chain that monitors security controls.

A lack of communication between business and supplier

Communication between suppliers concerning updated security measures or reporting of incidents is key across the chain. If the suppliers aren’t aware of expected changes to the security of the chain or don’t understand the steps to take in the event of a breach, cyber attacks are more likely to be successful and give criminals access to the core business. Building security requirements into the contracting process helps alleviate these issues as all parties involved will have written confirmation of security expectations. Constant reviews of the process here are essential and can help flag up any weaknesses or communication that has been missed. 

How to prevent an attack through the supply chain

It is important that a business understands the risk a supplier may pose and ensure that the supply chain has appropriate security controls in place. These will vary and flex dependent upon the type of data or influence the chain has on the business. One starting point would be to ensure all suppliers attain ‘cyber essentials’, which is becoming the UK’s minimum standard of security. However, this might be insufficient for high risk suppliers.

Regular auditing of the chain 

Audits of critical suppliers are important to ensure that they are safeguarding data in the ways they claim. The assessment will need to flex depending upon the risk, from a simple questionnaire to a full scale onsite 2nd or 3rd party audit – it’s all about assessing the level of threat and acting accordingly.

Making sure the chain understands the importance

Ensure that your supplier understands the procedures in place to contact you in the event of a breach. Complete a risk analysis of your suppliers to understand the knock-on effects to your company should their systems be compromised, and create a contingency plan around this. This should be set up ready to go at the push of a button if needed, mitigating the damage that can be done to your business.

Mitigate against any risks

As a company, you must decide which controls you can insist the supplier enhances in order to continue business. If they don’t comply, can you put mitigating procedures in place? If you can’t mitigate, you must then consider the impact of an attack on your business, and whether you can accept the risk and deal with it when it happens.

Cyber security is a big threat to many businesses and can impact every entity in the supply chain from the top to the bottom. It is essential that all elements of the supply chain work in tandem to maintain tight security for all involved.