Supply Chain Cyber Risk Management - no longer a risk, but a reality

By Pia Chakravarti and Michael Boddie

A number of recent cyber attacks have shone a light on the significance of an organisation's supply chain, and on the ripple effect a single attack can have across an entire ecosystem of participants.

While supply chain risk has long been recognised at the enterprise level as a key risk, recent cyber supply chain incidents have had significant impacts on business operations, bringing home the potentially crippling reality of third-party cyber risk. Over the past 18 months, in Australia and globally, the effects of cyber security incidents have been felt acutely along the supply chain, reaching customers and wider society. It has never been more pertinent for organisations to understand their cyber supply chains and the dependencies within them.

Traditionally, cyber supply chain risk management (SCRM) oversight has centred on the criticality and sensitivity of data, and on ensuring a robust control environment is in place for the discrete parts of the supply chain that handle or store that data. While this approach provides comfort over a key subset of suppliers, it can leave a number of suppliers, and the risks they present, outside such oversight, creating blind spots across the wider cyber supply chain. A realignment may therefore be required so that the inherent risk of all suppliers is considered, particularly those granted access to organisational environments, whether IT or physical.

The use of valid user credentials is a common attack vector identified in recent cyber supply chain incidents: a compromised account provides a point of entry to one organisation's systems and, from there, access to the wider supply chain. Because the credentials are legitimate, the attacker's activity is treated as authorised and is not stopped by network defences designed to block unauthenticated access. Software vendors are particularly lucrative targets for this technique because of the privileged access they are typically granted in customer environments and the size of their own supply chains. In addition, software vendors increasingly rely on open source code libraries to complement and enhance their products, creating an additional attack surface that malicious actors are actively exploiting. Compromising a widely used open source component offers an attacker a large return on effort: a single foothold in a key cyber supply chain provider can propagate to every downstream consumer.

No textbook answer to cyber SCRM exists, so at the organisational level practical and pragmatic approaches should be tailored to business objectives and risk appetite. There are, however, key steps all organisations should consider, irrespective of size or industry, to help manage cyber supply chain risks, which are becoming ever more prevalent. These include:

  • Identifying key suppliers and the role each plays in the cyber supply chain
  • Understanding the risk profile of key suppliers, both individually and collectively
  • Tailoring oversight activities to the risk profile assigned to each supplier
  • Ensuring effective incident response plans and playbooks are in place, including supply chain threat scenarios
  • Regularly testing and reviewing incident response plans in collaboration with supply chain providers.

Ultimately, collaboration and trust with your suppliers strengthen the ecosystem you operate in and enable rapid resolution when an incident occurs. As organisations mature their approach to SCRM, treating the supply chain as a collective ecosystem with its associated interdependencies will support resilience and protection throughout the chain. This way of thinking has recently been reinforced by the Security of Critical Infrastructure Act (SOCI Act), which now requires responsible entities for Australia's critical infrastructure to identify the risks and hazards across their supply chains, along with the associated interdependencies. While the legislation applies only to critical infrastructure, it highlights the national significance of understanding and protecting the supply chain, and many of its lessons apply to every organisation seeking to protect its business from this reality.

Pia Chakravarti, Partner, Assurance, PwC Australia

Michael Boddie, Manager, Cybersecurity & Digital Trust, PwC Australia