Supply chains, a new vulnerability for cyber-attacks

Issue 6 2021 Transport (Industry), CCTV, Surveillance & Remote Monitoring, Asset Management, EAS, RFID, Logistics (Industry)

The security threat landscape is in a constant state of flux as cybercriminals work hard to develop tactics to overcome organisations’ defences. One popular route into a secured network is via the supply chain and history is not short of examples of successful cyberattacks that were achieved by this method.

Rudie Opperman.

Software company SolarWinds fell victim to a supply chain attack, which compromised various US government agencies as well as big corporate enterprises, such as Intel, Cisco, Deloitte and Microsoft. Many South African firms also recently suffered a supply chain attack that affected over 1000 companies (*scm1). Threat actors typically target companies within the supply chain, as these tend to have less sophisticated and robust defences.

How can organisations be sure that they aren’t inadvertently leaving themselves open to attackers who may gain access via the wider ecosystem? To build trust in these relationships, they need to know that their system supplier continuously assesses and counters these risks, not only within their own systems, but also those of their sub-suppliers. It’s critical to know how solution manufacturers control and maintain their entire supply chain and ensure all products have a safe journey from individual components to completed product.

Evaluating and choosing the right partner

Supply chain security begins with choosing partners through a rigorous evaluation process. This should include an analysis of critical areas, such as each company’s information security policies and quality and sustainability management processes. As a minimum, a company should be certified by a third party, according to ISO 9001 or IATF 16949 and ISO 27001 A.15 or NIST SP-800 161.

This is only the beginning. Sub-suppliers’ processes should also be assessed for risk management, as well as their production facilities and processes. Site visits should be made and followed up with on-site audits to check if the company meets the security requirements and standards set for approved vendor qualification. As part of the evaluation of a potential new partner, suppliers should conduct an in-depth analysis of the organisation’s financial position and ownership structure.

It may be useful to choose certain companies to be appointed as strategic sub-suppliers, especially for critical components. Investing time in building these relationships will improve trust and ensure that all parties are committed to achieving long-term goals, particularly when it comes to upholding security processes.

Regular supplier audits provide reassurance and add value

The best way for your supplier to ensure sub-supplier compliance to the specified requirements is to conduct regular on-site audits, annually or bi-annually. These can be supplemented by quarterly business reviews, to follow up on performance against expectations and collaboratively discuss any changes that need to be made. The audit process should be thorough and conducted on every site within the supply chain, from the component supplier to the distribution centre.

Individuals with malicious intent can physically introduce threats into a network or directly to the products; therefore, the audit process should also include assessments of the physical facilities, particularly the quality assurance procedures and associated machinery. This will ensure that products are not tampered with and that unauthorised individuals are not allowed access to restricted areas. For example, entries and exits must be continuously guarded and access controls and visitor registration must be logged and stored. Some areas may require continuous surveillance, even using guards to secure the facility and surroundings.

Protecting data transfer within the supply chain

Data transfer in the supply chain network must be protected by security protocols, utilising encryption methods and authentication. Sub-suppliers and partners need to maintain a high level of information security, to mitigate risks of any gaps in the supply chain. Having a systematic approach to identify and manage sensitive company information is critical. This system should include people, processes, IT systems and physical locations and should comply with ISO 27001 and the PoPI Act. This will improve awareness and enable effective risk management.

From a personnel perspective, employees can often represent a significant cybersecurity risk and are often on the front line of attacks. This risk can be mitigated by empowering and educating employees to ensure they have a high level of information security awareness. Implementing a training programme that frequently updates employees on threats and tactics is invaluable to helping protect an organisation from attacks and should be present at every company within the supply chain.

Maintaining integrity at the product level

As expected, surveillance products must function as designed and intended, with consistent integrity. This can be achieved if the product’s hardware and firmware are successfully protected from unauthorised change or manipulation during the product’s journey through the supply chain. Starting with component materials, traceability – which includes the material handling process – always ensures the status, revealing any deviations that could compromise quality and signal tampering.

Suppliers and manufacturing partners are required to maintain a traceability system for produced batches, from incoming material to the finished component. During production, the physical component will undergo multiple tests, verifying conformance and highlighting any deviations.

It isn’t just the security of devices themselves that needs to be assessed. A secure software development lifecycle (SDLC) must be demonstrated to show that software is being developed with cybersecurity in mind. This helps to minimise the end customer’s exposure to vulnerabilities; and if these do occur, a clear process of how vulnerabilities in components are identified, communicated and patched must be established.

Robust security at every stage

As new cybersecurity threats emerge, it’s worth investing time to evaluate and understand every step in the production process where vulnerabilities could occur. Introducing more transparency within the supply chain will help alleviate worries, build trust and also create a dialogue between organisations and their entire supplier network. This will ensure that processes are robust and repeatable, thereby holding every party to the same cybersecurity standard and ensuring consistency. A regular assessment and auditing process will pay dividends in maintaining high-quality products and protecting sensitive data from falling into the wrong hands. Businesses should also ensure that they have a credible security partner who can offer them the expertise and support to stay ahead of evolving cybersecurity threats, especially those without the in-house resources to do so themselves.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Retail solutions beyond security
Issue 8 2020, Axis Communications SA, Technews Publishing, Hikvision South Africa , Editor's Choice, CCTV, Surveillance & Remote Monitoring
The need for security technology to deliver more than videos of people falling or stealing from retail stores is greater than ever.

AI-powered hardhat detection
Issue 8 2020, Hikvision South Africa , Industrial (Industry), CCTV, Surveillance & Remote Monitoring
Hardhats save lives, but only if people wear them. Intelligent, AI-powered hardhat cameras are helping to ensure workers in dangerous locations stay safe at all times.

The development of onboard cameras
Issue 6 2021, Axis Communications SA , Transport (Industry)
Over the past decade, network cameras have become an essential part of transportation safety and security and the range of solutions they can be a part of has also increased.

Leveraging intelligence for surveillance
Issue 6 2021, Leaderware , Editor's Choice, CCTV, Surveillance & Remote Monitoring
Have companies seized the opportunities to complement and enhance the capabilities of both CCTV surveillance and that of intelligence gathering to gain strategic and operational insights?

Expanding options and improving service
Issue 6 2021, Technews Publishing, Electronic Tracking Systems , Transport (Industry)
The challenge for tracking and recovery companies like Mtrack is to keep ahead of the pack in terms of technology, expand into new markets and focus on providing better service than ever.

Early warning is essential
Issue 6 2021 , Editor's Choice, Fire & Safety, Logistics (Industry)
The trend is for larger, taller and more flexible warehouse constructions with dense and complex racking systems and an increasing level of warehouse automation, which pose a number of challenges for fire safety.

More than tracking
Issue 6 2021, Technews Publishing, iCAM Video Telematics , Transport (Industry)
Fleet management has never been an easy job, especially in South Africa where many innovations have been developed and exported to deal with the challenges we face.

A smarter security solution
Issue 6 2021 , Transport (Industry)
CathexisVision is a flexible and scalable video surveillance management technology that offers a range of smart surveillance solutions to address the security challenges of the logistics and transport sector.

TETRA network deployed at ACSA
Issue 6 2021, Global Communications , Transport (Industry)
During the migration to the TETRA network, gateways co-existed to prevent downtime of communications. The migration was completed without any negative impact on operations.

Updated fleet management software
Issue 6 2021 , Transport (Industry)
Upgrade dramatically improves user experience via a new and more intuitive look and feel, along with enhanced performance to assist customers to adapt to changing market conditions.