Critical infrastructure organizations have large and complex IT networks built on top of an assortment of heterogeneous technologies. Many large enterprises also extend their in-house IT assets to an external web of connected business partners, customers, outsourcers, and suppliers. This multifaceted amalgamation of participants is sometimes known as the cyber supply chain which ESG (Enterprise Strategy Group) defines as: “The entire set of key actors involved with or using cyber infrastructure: system end-users, policy makers, acquisition specialists, business partners, system integrators, network providers, and software/hardware suppliers, etc.”
Cybersecurity principles and best practices are typically applied to internal applications, networks, and systems as large organizations seek to mitigate risk and detect/respond to cyber-attacks. Many enterprises are actually bolstering their internal defenses – ESG research indicates that 57 percent of organizations increased their cybersecurity spending in 2015.
Unfortunately, cybersecurity defenses are far more onerous to apply when it comes to securing the extensive network of IT suppliers, service providers, business partners, contractors, and customers that makes up the cyber supply chain. Why? Monitoring and controlling the cybersecurity practices of an assortment of third parties can be time-consuming, costly, and complex. Alarmingly, cyber supply chain security challenges seem to be getting worse – 60 percent of security professionals working at critical infrastructure organizations say that cyber supply chain security has become either much more difficult (17 percent) or somewhat more difficult (43 percent) over the last two years (see Figure 1).
Why has cyber supply chain security grown more difficult? 44 percent of critical infrastructure organizations report that they have implemented new types of IT initiatives (i.e., cloud computing, mobile applications, IoT, big data analytics projects, etc.) that have increased the cyber supply chain attack surface; 39 percent say that their organization has more IT suppliers than it did two years ago; and 36 percent state that their organization has consolidated IT and operational technology security, increasing cybersecurity complexity.
U.S. citizens must understand that cyber supply chain security vulnerabilities in the U.S. critical infrastructure expose all Americans to cyber-attack. Furthermore, there are already countless examples of security incidents and data breaches perpetrated using the cyber supply chain as an attack vector. For example:
- In 1982, CIA agents learned of a Russian plot to steal western technologies for updating its outdated gas pipeline system. Armed with this knowledge, the CIA intervened with a covert operation. Unbeknownst to Soviet agents, software stolen in France had been booby-trapped by the CIA and programmed to create havoc in a series of pumps, valves, and turbines and to increase pressure across the entire pipeline. Once installed, the malicious software caused a massive explosion in the summer of 1982. Leaked government documents referred to this event as “the most monumental non-nuclear explosion ever seen from space.”
- Security researchers who analyzed the 2010 Stuxnet attack on Iranian nuclear facilities believe that malware used to infect programmable logic controllers (PLCs) and modify Siemens Step 7 software was likely carried into the facilities by third-party contractors working with the Iranian government. These third-party contractors were identified, attacked, and compromised and then unknowingly transported Stuxnet into the Iranian nuclear facilities, most likely through the use of USB thumb drives.
- The 2013 data breach at U.S. retailer Target exposed the personal and credit card data of more than 110 million consumers. Security researchers believe that this attack began with a spear phishing attack on a Target HVAC contractor, Fazio Mechanical, of Sharpsburg, PA. Cyber-attackers used an e-mail message to compromise a PC at Fazio Mechanical a few months before the attack and then downloaded password-stealing malware onto the system. The perpetrator then used legitimate Fazio credentials to log onto the Target network and ultimately carry out the attack.
Aside from these isolated incidents, it is also worth noting that critical infrastructure organizations are under constant attack. ESG research indicates that 68 percent have suffered one or more serious cybersecurity incidents over the past two years. Furthermore, these security events carried serious repercussions – 36 percent said that cybersecurity incidents resulted in the disruption of critical operations or business processes, 32 percent stated that security incidents led to a breach of confidential data, and 30 percent claimed that security incidents led to the public disclosure of a data breach. Cyber-adversaries have exploited cyber supply chain weaknesses in the past, so there is no reason to believe that they won’t continue to do so in the future.
Cyber supply chain security can be difficult, but it is an essential best practice for mitigating cyber risks to U.S. critical infrastructure. To protect U.S. citizens, critical infrastructure organizations should:
- Assess cyber supply chain risk across the organization.
- Integrate cyber supply chain security into new IT initiatives.
- Fully integrate security into IT procurement.
- Address all aspects of software assurance.
- Formalize external IT security relationships with all connected third parties.
- Push for more help from Washington.