Supply chains, a new vulnerability for cyber-attacks

Issue 6 2021 Transport (Industry), CCTV, Surveillance & Remote Monitoring, Asset Management, EAS, RFID, Logistics (Industry)

The security threat landscape is in a constant state of flux as cybercriminals work hard to develop tactics to overcome organisations’ defences. One popular route into a secured network is via the supply chain and history is not short of examples of successful cyberattacks that were achieved by this method.

Rudie Opperman.

Software company SolarWinds fell victim to a supply chain attack, which compromised various US government agencies as well as big corporate enterprises, such as Intel, Cisco, Deloitte and Microsoft. Many South African firms also recently suffered a supply chain attack that affected over 1000 companies (*scm1). Threat actors typically target companies within the supply chain, as these tend to have less sophisticated and robust defences.

How can organisations be sure that they aren’t inadvertently leaving themselves open to attackers who may gain access via the wider ecosystem? To build trust in these relationships, they need to know that their system supplier continuously assesses and counters these risks, not only within their own systems, but also those of their sub-suppliers. It’s critical to know how solution manufacturers control and maintain their entire supply chain and ensure all products have a safe journey from individual components to completed product.

Evaluating and choosing the right partner

Supply chain security begins with choosing partners through a rigorous evaluation process. This should include an analysis of critical areas, such as each company’s information security policies and quality and sustainability management processes. As a minimum, a company should be certified by a third party, according to ISO 9001 or IATF 16949 and ISO 27001 A.15 or NIST SP-800 161.

This is only the beginning. Sub-suppliers’ processes should also be assessed for risk management, as well as their production facilities and processes. Site visits should be made and followed up with on-site audits to check if the company meets the security requirements and standards set for approved vendor qualification. As part of the evaluation of a potential new partner, suppliers should conduct an in-depth analysis of the organisation’s financial position and ownership structure.

It may be useful to choose certain companies to be appointed as strategic sub-suppliers, especially for critical components. Investing time in building these relationships will improve trust and ensure that all parties are committed to achieving long-term goals, particularly when it comes to upholding security processes.

Regular supplier audits provide reassurance and add value

The best way for your supplier to ensure sub-supplier compliance to the specified requirements is to conduct regular on-site audits, annually or bi-annually. These can be supplemented by quarterly business reviews, to follow up on performance against expectations and collaboratively discuss any changes that need to be made. The audit process should be thorough and conducted on every site within the supply chain, from the component supplier to the distribution centre.

Individuals with malicious intent can physically introduce threats into a network or directly to the products; therefore, the audit process should also include assessments of the physical facilities, particularly the quality assurance procedures and associated machinery. This will ensure that products are not tampered with and that unauthorised individuals are not allowed access to restricted areas. For example, entries and exits must be continuously guarded and access controls and visitor registration must be logged and stored. Some areas may require continuous surveillance, even using guards to secure the facility and surroundings.

Protecting data transfer within the supply chain

Data transfer in the supply chain network must be protected by security protocols, utilising encryption methods and authentication. Sub-suppliers and partners need to maintain a high level of information security, to mitigate risks of any gaps in the supply chain. Having a systematic approach to identify and manage sensitive company information is critical. This system should include people, processes, IT systems and physical locations and should comply with ISO 27001 and the PoPI Act. This will improve awareness and enable effective risk management.

From a personnel perspective, employees can often represent a significant cybersecurity risk and are often on the front line of attacks. This risk can be mitigated by empowering and educating employees to ensure they have a high level of information security awareness. Implementing a training programme that frequently updates employees on threats and tactics is invaluable to helping protect an organisation from attacks and should be present at every company within the supply chain.

Maintaining integrity at the product level

As expected, surveillance products must function as designed and intended, with consistent integrity. This can be achieved if the product’s hardware and firmware are successfully protected from unauthorised change or manipulation during the product’s journey through the supply chain. Starting with component materials, traceability – which includes the material handling process – always ensures the status, revealing any deviations that could compromise quality and signal tampering.

Suppliers and manufacturing partners are required to maintain a traceability system for produced batches, from incoming material to the finished component. During production, the physical component will undergo multiple tests, verifying conformance and highlighting any deviations.

It isn’t just the security of devices themselves that needs to be assessed. A secure software development lifecycle (SDLC) must be demonstrated to show that software is being developed with cybersecurity in mind. This helps to minimise the end customer’s exposure to vulnerabilities; and if these do occur, a clear process of how vulnerabilities in components are identified, communicated and patched must be established.

Robust security at every stage

As new cybersecurity threats emerge, it’s worth investing time to evaluate and understand every step in the production process where vulnerabilities could occur. Introducing more transparency within the supply chain will help alleviate worries, build trust and also create a dialogue between organisations and their entire supplier network. This will ensure that processes are robust and repeatable, thereby holding every party to the same cybersecurity standard and ensuring consistency. A regular assessment and auditing process will pay dividends in maintaining high-quality products and protecting sensitive data from falling into the wrong hands. Businesses should also ensure that they have a credible security partner who can offer them the expertise and support to stay ahead of evolving cybersecurity threats, especially those without the in-house resources to do so themselves.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Elvey partners with HALO
Elvey Security Technologies News CCTV, Surveillance & Remote Monitoring
Elvey Group has partnered with HALO Europe to provide Africa’s first body-worn solution with zero upfront costs. This includes an IP68-certified body camera and a 4G-connected device.

Invisible connection and tangible protection via cloud
Dahua Technology South Africa Perimeter Security, Alarms & Intruder Detection CCTV, Surveillance & Remote Monitoring Products
Dahua Technology has launched its AirShield security solution that uses advanced, stable and reliable RF communication technology and cloud services, integrating alarm hubs, various detectors and accessories, with several software apps.

The importance of the operator’s frame of reference
Leaderware Editor's Choice CCTV, Surveillance & Remote Monitoring Security Services & Risk Management Mining (Industry)
The better the operator’s frame of reference and situational awareness, and the more informed they are in dealing with CCTV surveillance in the mining industry, the more successful they are likely to be in surveillance.

Enhancing surveillance on mines
Avigilon Technews Publishing Axis Communications SA Forbatt SA Hikvision South Africa Bosch Building Technologies Editor's Choice CCTV, Surveillance & Remote Monitoring Integrated Solutions Mining (Industry)
Smart Security approached a number of surveillance vendors to find out what the latest in surveillance technology is that can make a difference to security operations in mines, as well as general operations.

Surveillance to improve worker safety
Axis Communications SA Mining (Industry) CCTV, Surveillance & Remote Monitoring Integrated Solutions
With substantial deposits of mineral resources, mining is critical for South Africa’s economic growth and prosperity; however, mining can be dangerous, especially for the people working on the ground and in the shafts.

Safety and security integrated in JUKA 614
Veracitech Products Asset Management, EAS, RFID Mining (Industry)
The JUKA 614 security checkpoint full body X-ray scanner provides the best possible image at the lowest health risk in the shortest time, by making use of the smallest footprint at the lowest cost.

Radar-video fusion camera
Axis Communications SA CCTV, Surveillance & Remote Monitoring Mining (Industry) Products
The AXIS Q1656-DLE Radar-Video Fusion Camera device brings video and radar analytics together in AXIS Object Analytics to deliver detection and visualisation.

Centralised VMS for multiple sites
Mining (Industry) CCTV, Surveillance & Remote Monitoring
Dispersed mining operation relies on AxxonSoft for centralised video management as well as device health monitoring and the reliable distribution of analytics to various camera brands.

Outdoor-ready sound projector
Axis Communications SA Products
The new AXIS C1610-VE Network Sound Projector is an alternative to the horn speaker wherever appearance or accessible placement is a key consideration.

Explosion-protected bullet camera
Axis Communications SA CCTV, Surveillance & Remote Monitoring Mining (Industry) Products
The AXIS P1468-XLE Explosion-Protected Bullet Camera is the world’s first explosion-protected camera specifically designed for Zone and Division 2 hazardous locations, delivering 4K resolution under any light conditions, through Lightfinder 2.0, Forensic WDR, and OptimizedIR.