Supply chains, a new vulnerability for cyber-attacks

Issue 6 2021 Transport (Industry), CCTV, Surveillance & Remote Monitoring, Asset Management, EAS, RFID, Logistics (Industry)

The security threat landscape is in a constant state of flux as cybercriminals work hard to develop tactics to overcome organisations’ defences. One popular route into a secured network is via the supply chain and history is not short of examples of successful cyberattacks that were achieved by this method.


Rudie Opperman.

Software company SolarWinds fell victim to a supply chain attack, which compromised various US government agencies as well as big corporate enterprises, such as Intel, Cisco, Deloitte and Microsoft. Many South African firms also recently suffered a supply chain attack that affected over 1000 companies (www.securitysa.com/*scm1). Threat actors typically target companies within the supply chain, as these tend to have less sophisticated and robust defences.

How can organisations be sure that they aren’t inadvertently leaving themselves open to attackers who may gain access via the wider ecosystem? To build trust in these relationships, they need to know that their system supplier continuously assesses and counters these risks, not only within their own systems, but also those of their sub-suppliers. It’s critical to know how solution manufacturers control and maintain their entire supply chain and ensure all products have a safe journey from individual components to completed product.

Evaluating and choosing the right partner

Supply chain security begins with choosing partners through a rigorous evaluation process. This should include an analysis of critical areas, such as each company’s information security policies and quality and sustainability management processes. As a minimum, a company should be certified by a third party, according to ISO 9001 or IATF 16949 and ISO 27001 A.15 or NIST SP-800 161.

This is only the beginning. Sub-suppliers’ processes should also be assessed for risk management, as well as their production facilities and processes. Site visits should be made and followed up with on-site audits to check if the company meets the security requirements and standards set for approved vendor qualification. As part of the evaluation of a potential new partner, suppliers should conduct an in-depth analysis of the organisation’s financial position and ownership structure.

It may be useful to choose certain companies to be appointed as strategic sub-suppliers, especially for critical components. Investing time in building these relationships will improve trust and ensure that all parties are committed to achieving long-term goals, particularly when it comes to upholding security processes.

Regular supplier audits provide reassurance and add value

The best way for your supplier to ensure sub-supplier compliance to the specified requirements is to conduct regular on-site audits, annually or bi-annually. These can be supplemented by quarterly business reviews, to follow up on performance against expectations and collaboratively discuss any changes that need to be made. The audit process should be thorough and conducted on every site within the supply chain, from the component supplier to the distribution centre.

Individuals with malicious intent can physically introduce threats into a network or directly to the products; therefore, the audit process should also include assessments of the physical facilities, particularly the quality assurance procedures and associated machinery. This will ensure that products are not tampered with and that unauthorised individuals are not allowed access to restricted areas. For example, entries and exits must be continuously guarded and access controls and visitor registration must be logged and stored. Some areas may require continuous surveillance, even using guards to secure the facility and surroundings.

Protecting data transfer within the supply chain

Data transfer in the supply chain network must be protected by security protocols, utilising encryption methods and authentication. Sub-suppliers and partners need to maintain a high level of information security, to mitigate risks of any gaps in the supply chain. Having a systematic approach to identify and manage sensitive company information is critical. This system should include people, processes, IT systems and physical locations and should comply with ISO 27001 and the PoPI Act. This will improve awareness and enable effective risk management.

From a personnel perspective, employees can often represent a significant cybersecurity risk and are often on the front line of attacks. This risk can be mitigated by empowering and educating employees to ensure they have a high level of information security awareness. Implementing a training programme that frequently updates employees on threats and tactics is invaluable to helping protect an organisation from attacks and should be present at every company within the supply chain.

Maintaining integrity at the product level

As expected, surveillance products must function as designed and intended, with consistent integrity. This can be achieved if the product’s hardware and firmware are successfully protected from unauthorised change or manipulation during the product’s journey through the supply chain. Starting with component materials, traceability – which includes the material handling process – always ensures the status, revealing any deviations that could compromise quality and signal tampering.

Suppliers and manufacturing partners are required to maintain a traceability system for produced batches, from incoming material to the finished component. During production, the physical component will undergo multiple tests, verifying conformance and highlighting any deviations.

It isn’t just the security of devices themselves that needs to be assessed. A secure software development lifecycle (SDLC) must be demonstrated to show that software is being developed with cybersecurity in mind. This helps to minimise the end customer’s exposure to vulnerabilities; and if these do occur, a clear process of how vulnerabilities in components are identified, communicated and patched must be established.

Robust security at every stage

As new cybersecurity threats emerge, it’s worth investing time to evaluate and understand every step in the production process where vulnerabilities could occur. Introducing more transparency within the supply chain will help alleviate worries, build trust and also create a dialogue between organisations and their entire supplier network. This will ensure that processes are robust and repeatable, thereby holding every party to the same cybersecurity standard and ensuring consistency. A regular assessment and auditing process will pay dividends in maintaining high-quality products and protecting sensitive data from falling into the wrong hands. Businesses should also ensure that they have a credible security partner who can offer them the expertise and support to stay ahead of evolving cybersecurity threats, especially those without the in-house resources to do so themselves.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Axis sets science-based targets for reducing emissions
Axis Communications SA News
Axis Communications has committed to set company-wide emissions reduction targets in line with the Science Based Targets initiative (SBTi), which aims to drive ambitious climate action across the private sector globally.

Read more...
Duxbury awarded Axis SA Distributor of the Year
Duxbury Networking News CCTV, Surveillance & Remote Monitoring
Axis Communications held its Annual Partner Awards on 1 July 2022 to celebrate and acknowledge the efforts of Axis’ partners by awarding them for key projects and achievements throughout the year.

Read more...
Passion, drive and hard work
Technews Publishing Editor's Choice CCTV, Surveillance & Remote Monitoring Security Services & Risk Management
Colleen Glaeser is a leader in the security market, having made her mark in the male-dominated security industry through determination and hard work, along with a vision of making the world a safer place.

Read more...
Cybersecure surveillance cameras
HiTek Security Distributors News CCTV, Surveillance & Remote Monitoring Cyber Security
Provision-ISR builds customer trust and opens up new opportunities with Check Point Quantum IoT Protect Firmware built into Provision-ISR cameras.

Read more...
Network strobe siren
Axis Communications SA Perimeter Security, Alarms & Intruder Detection
The new AXIS D4100-E Network Strobe Siren can be used to deter intruders, improve operational efficiency and more with the power of light and sound.

Read more...
Cathexis releases Carbon, a new user-friendly GUI
Cathexis Technologies News CCTV, Surveillance & Remote Monitoring
Cathexis has launched its latest user interface, Carbon 3.1, with an enhanced feature set, offering improved performance.

Read more...
Maintaining security and CCTV functions in difficult economic times
Leaderware Editor's Choice CCTV, Surveillance & Remote Monitoring
To avoid being seen as “just another overhead”, Dr Craig Donald says security needs to demonstrate its relevance and importance to organisational survival.

Read more...
Next-level manufacturing with smart cameras
Industrial (Industry) CCTV, Surveillance & Remote Monitoring Logistics (Industry)
New technology offered by smart cameras provides an entirely new way of monitoring and controlling safety measures and optimising process flow within the manufacturing and logistics operations.

Read more...
Security BIS named AxxonSoft’s Distributor of the Year 2021
News CCTV, Surveillance & Remote Monitoring
With its focus on AxxonSoft solutions and technical support, Security BIS secured the title of AxxonSoft Distributor of the Year again for 2021.

Read more...
New full-colour Smart Dual Illuminators camera series
Dahua Technology South Africa Products CCTV, Surveillance & Remote Monitoring
Using deep learning to accurately detect targets, the cameras can intelligently switch between the IR mode when there is no target, and full-colour mode when a target is detected.

Read more...