Manufacturing Resilience - The Importance of Cyber Security In Supply Chain Management
Manufacturing is about creating goods, not risk.
In an industry as diverse and multi-layered as manufacturing, supply chains are often vast and complex networks of suppliers and sub-contractors. This already presents a range of logistical and supervisory challenges to most organisations operating in the sector; however, one of the biggest threats to your supply chain’s resilience is a weak, underprepared and neglected cyber security strategy.
Ensuring the safety and security of your entire supply chain is no easy task - potential cyber security vulnerabilities can be inherent, introduced or exploited at any stage of the supply chain, requiring a continuous, cohesive and overarching approach to your cyber resilience strategy.
Despite this, many organisations operating in the manufacturing sector still ignore the critical nature of cyber security within their supply chain network.
Are Enough Manufacturers Addressing the Risks?
The NCSC found that just over one in ten (13%) of organisations operating in the manufacturing sector have carried out a review of the risks posed by an immediate supplier - and this figure almost halves (7%) when organisations are asked about the wider supply chain beyond immediate suppliers.
Whilst many manufacturers are aware of the need for action, the bottom line is that far too many organisations operating in the sector are ignoring the danger and leaving their organisations vulnerable to a potential breach.
Of course there are many reasons for this - particularly in the case of smaller firms with limited resources (whether financial or in terms of personnel/expertise) available.
These challenges may include:
Lack of understanding or recognition of the risks that weak supply chain cyber security can pose
Lack of investment to protect against supply chain risks
Limited visibility into the supply chain network
Insufficient tools and expertise to evaluate suppliers’ cyber security
Not knowing how to appropriately advise suppliers on ways they can fortify their network’s overall security
The core focus of the act is physical site security and protection against potential terrorist attacks; however, cyber security feeds into many aspects of the act’s requirements - meaning it’s important for organisations to be aware of their overall security posture, including cyber, when establishing which of these controls apply to them.
How Are Cyber Criminals Targeting Your Supply Chain?
Third Party Software Providers:
Since 2011, the cyber-espionage group known as Dragonfly has allegedly been targeting companies across Europe and North America - the group has a history of targeting companies through their supply chains.
In a recent campaign, they were able to successfully ‘trojanise’ legitimate industrial control systems (ICS) software. They did this by first compromising the websites of the ICS software suppliers and replacing legitimate files in their repositories with their own malware-infected versions. As a result, whenever ICS software was downloaded from a supplier’s website, it would install malware alongside the legitimate software. The malware included additional remote access functionality that could be used to take control of the systems on which it was installed.
Compromised software can be particularly difficult to detect if it has been altered at the source - there is usually no reason for the target company to suspect it may not be legitimate, placing greater reliance on the supplier to identify potential abnormalities in their distributable.
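The defensive control implied above is that the supplier, not the customer, is best placed to spot a tampered download. As an added illustration (not code from the page or from any vendor), this script keeps an HMAC-authenticated baseline of release-file hashes and re-hashes the live download directory, reporting replaced, added or removed files; the directory layout, file names, contents and key are all constructed for the demo.

```python
"""Detect replaced or added files in a software download repository."""
import hashlib
import hmac
import os
import tempfile

def hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def sign_baseline(tree, key):
    """HMAC over the sorted baseline, so a tampered baseline is also caught."""
    canonical = "\n".join(f"{p}:{h}" for p, h in sorted(tree.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def diff_against_baseline(root, baseline, tag, key):
    """Compare the live tree with the authenticated baseline; return a report."""
    if not hmac.compare_digest(sign_baseline(baseline, key), tag):
        return {"baseline_tampered": True}
    current = hash_tree(root)
    return {
        "baseline_tampered": False,
        "replaced": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: an installer is swapped and a dropper is added."""
    key = b"demo-baseline-key"  # constructed; keep the real key off the web host
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, "v2.1"))
        for name, data in [("v2.1/ics-setup.exe", b"legit installer"),
                           ("v2.1/README.txt", b"release notes")]:
            with open(os.path.join(repo, name), "wb") as fh:
                fh.write(data)
        baseline = hash_tree(repo)           # taken at release time
        tag = sign_baseline(baseline, key)   # stored alongside the baseline
        with open(os.path.join(repo, "v2.1/ics-setup.exe"), "wb") as fh:
            fh.write(b"legit installer + remote access payload")  # tampered
        with open(os.path.join(repo, "v2.1/patch.exe"), "wb") as fh:
            fh.write(b"dropper")                                    # added
        return diff_against_baseline(repo, baseline, tag, key)
```

Running demo() returns a report listing v2.1/ics-setup.exe as replaced and v2.1/patch.exe as added; in practice the check would run on a schedule and page the release team on any non-empty result.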
Website Builders:
Not all supply chain risks involve a supplier of goods or software - the risk can also manifest itself in the services your organisation uses, for example creative and digital agencies. The Shylock banking trojan is a good example of how this can occur.
The Shylock attackers compromised legitimate websites through website builders used by creative and digital agencies. They employed a redirect script, which sent victims to a malicious domain owned by the Shylock authors. From there, the Shylock malware was downloaded and installed onto the systems of those browsing legitimate websites.
By integrating several features adopted from other malware, Shylock was able to perform customisable ‘man-in-the-browser’ attacks, avoiding detection and protecting itself from analysis. The attack targeted the core script of a website template designed by a UK-based creative and digital agency - meaning it had significantly greater reach than compromising a large number of legitimate sites individually.
Third Party Data Stores:
It’s becoming increasingly common for businesses to outsource their data to third party companies which store, process and broker the information. This data isn’t always customer data, and can often be related to business structure, financial health, strategy, and exposure to risk.
In September 2013, a number of networks belonging to large data aggregators were reported as having been compromised. A small botnet had been observed exfiltrating information from the internal systems of numerous data stores over an encrypted channel, to a botnet controller on the public internet.
The most high profile victim was a data aggregator that held information on businesses used in credit decisions, business-to-business marketing and supply chain management - with fraud experts suggesting that information on consumers and business practices/habits was potentially the most valuable information available to the attackers. This supply chain compromise enabled attackers to access valuable information stored via a third party and potentially commit large scale fraud.
What Steps Can You Take to Secure Your Supply Chain?
Develop partnerships with your suppliers - Building a strategic partnership with your suppliers allows for a better flow of information and an opportunity to implement a joint approach to supply chain management securing all links in the chain.
Bring cyber security to the forefront of negotiations - Make supply chain cyber security a key topic point in early stage negotiations/product assurance engagements.
Make your suppliers aware of the benefits of security improvements - Explain the value that security improvements on their end can have for both parties. This could include offering the contract to a supplier who makes the necessary security improvements.
Ensure that security considerations are an integral part of the contract competition process and that they influence the choice of supplier - Require potential suppliers to provide appropriate evidence of their security status and their ability to meet your minimum requirements on cyber security.
Expect all suppliers to achieve Cyber Essentials - Make sure that any suppliers you bring into your supply chain are certified with an accreditation such as Cyber Essentials or even something more comprehensive like ISO 27001.
PureCyber Talks: Supply Chain Resilience Webinar
Supply Chain attacks are escalating. Can you identify your weakest links and withstand the risk?
Our PureCyber Talks: Supply Chain Resilience Webinar provides practical advice and strategies to fortify your supply chain cyber security - you’ll also receive your own Supply Chain Security Checklist to help you ask the right questions to start building resilience around your supply chain network.
How Can PureCyber Help?
PureCyber is recognised as an Assured Service Provider by the NCSC to offer governance and compliance consultancy services/audits. Contact our team of compliance experts to enquire about our full range of Governance Support - including Cyber Essentials, ISO 27001, FISMA, SOC1 and SOC2 standards.
The PureCyber team are here to take over the burden of your cyber security and ensure your organisation’s data remains secure and well managed, with proactive monitoring and real-time threat intelligence - providing you with a comprehensive and reliable cyber department to support you in all aspects of your security efforts, including: 24/7 Security Operations Centre (SOC) services, Managed Detection & Response (MDR/EDR), Threat Exposure Management (TEM), Brand Protection Services and Penetration Testing.
Keep an eye on our Events & Webinars page for upcoming PureCyber events
Get in touch or book in a call for more information on our services and how we can safeguard your organisation with our expert cyber security solutions.
Email: info@purecyber.com
Call: 0800 368 9397