pixeltrap - Fotolia
Cybersecurity and business professionals are waking up to the risks of supply chain cybersecurity threats and attacks. The Supermicro bug a few years ago highlighted the vulnerabilities even the most sophisticated organizations face when trying to prevent supply chain cybersecurity attacks.
In 2015, several large U.S. firms, including Amazon and Apple, discovered tiny, unauthorized chips on server boards from Supermicro, a U.S. company founded by Taiwanese immigrants in 1993. In a nutshell, the chips appeared to have been placed there by unauthorized third parties -- widely believed to be Chinese hackers -- for the purpose of injecting malware into the servers. Amazon allegedly discovered the hardware hacks while purchasing Elemental, a video compression software startup that had contracts with major U.S defense intelligence agencies.
The Supermicro example illustrates the growing challenges and risks of global supply chains, which are primarily that any component can be modified without leaving a trace and then accessed remotely.
What should enterprises do in response to a similar supply chain security threat? Unfortunately, there's bad news, and then, there's worse news. The bad news is that third-party risk management -- the team that should own responsibility for supply chain protection -- is typically underfunded, understaffed and poorly supported.
Often, the entire supply chain protection mechanism of an organization is simply to require suppliers to complete a written checklist. Needless to say, that hardly delivers the protection needed.
The worse news is that, without standardization on mechanisms such as blockchain and hyperledger, enterprises have no fail-safe option for enterprises to pursue. So, even if the third-party risk management team is fully funded, staffed and supported, historically, no sequence of actions exists to fully protect the organization from supply chain cyber attacks.
How to prevent supply chain cybersecurity threats
Even without a tested sequence of actions, doing something is always better than nothing. Here are five key steps enterprises can take to protect against supply chain cybersecurity attacks.
1. Make third-party risk management a priority. Have a funded, staffed, trained and prioritized team focused on supply chain threats. If organizations don't have anyone in charge of protecting supply chains, nothing else matters.
2. Identify and prioritize supply chain vulnerabilities. As their first priority, third-party risk management teams should identify and prioritize all critical supply chains in terms of need for protection. This includes information supply chains, as well as physical supply chains.
For example, companies are increasingly becoming aware of the risks posed by incorporating open source software into internal development. Open source software can be more secure than some commercial products, since hackers are often invited to harden the software by attacking it, enabling developers to fix vulnerabilities. It also provides a phenomenal vector for lurking bugs and attacks.
3. Engage suppliers at key steps on the chain. Working with suppliers at key steps includes anyone who produces, manufactures, modifies or distributes components in the supply chain. And engaging suppliers means exactly that. Organizations should meet with suppliers, review their security policies and, if necessary, audit them on a regular basis. Don't just take their word for it -- have them demonstrate the results.
Conduct an on-site visit if possible. Also, note that supply chains aren't necessarily obvious. If you have IoT devices embedded in your HVAC system, for instance, the vendor may be refreshing the firmware on a regular basis. The vendor and its refreshes are part of your supply chain, even if you haven't thought of it that way.
4. Have a test lab focused on uncovering hidden hardware and software bugs. In the Supermicro example, the bug wasn't discovered until Amazon tested the motherboard thoroughly in its labs. This step is problematic for many enterprise organizations; not everyone has the funding or focus to support and maintain a full-time test lab. But one is more important than ever these days, so organizations that can afford it should have one -- and use it.
5. Assess blockchain and other hyperledger technologies for supply chain validation. The holy grail for supply chain protection is a mechanism that validates every modification along the supply chain with an incontestable source and timestamp. Blockchain and other hyperledger technologies enable this without the need for centralized management and control. Although most industries are just beginning to assess these technologies, now is the time to be thinking about them. Ultimately, end-to-end blockchain and hyperledger will provide transparency into the supply chain and protect vulnerable segments from hidden attacks.
The bottom line: To address supply chain vulnerabilities, you need an organized and funded third-party risk management team. That team should engage key suppliers early and often. And your technology team should look at blockchain and hyperledger techniques to protect the supply chain end to end.