Why you need to start thinking about supply chain cyber security

Why you need to start thinking about supply chain cyber security

A lot of businesses are already addressing the need to have an understanding of their own cyber security risks and looking at measures to ensure that their business is suitably protected.  The next step on the road to managing your cyber security is to think about your supply chain and whether the organisations that support you pose an acceptable risk to your organisation.

By John Higginson

Principal Consultant, Response

21 Mar 2019

You may ask why you would concern yourself with the cyber security of your supply chain. To put this into context, I suspect your organisation would be somewhat reticent to do business with an organisation with a bad financial credit rating, as it would pose an unpalatable risk to your business. Cyber supply chain risks should be seen in a similar light to that of credit risk and other types of risks related to partnering, insofar as you will probably want to understand the risk to your business of dealing with other organisations.

There are two main ways in which the poor cyber security of your supply chain can have a direct impact on your organisation:

  1. If one of your suppliers is unable to supply you with the goods or services you rely on to operate your business due to them falling foul of a cyber-attack, then this could potentially damage your business output and reputation, particularly when bearing in mind just in time logistics or critical services. This is definitely a risk you would want to avoid, or at the very least minimise and go with a supplier who has insulated themselves against cyber-attacks.
     
  2. The second way in which you are likely to be impacted through poor cyber security of your supply chain is through them being used as a backdoor to gain access to your network. You may ask why your supply chain should be any different from any other business, but the key difference here is that cyber criminals are the confidence tricksters of the 21st century and will look to exploit the trusted relationships you have with your supply chain. Here are two of the ways in which attackers can exploit this trust:
     
    • Firstly, some of your suppliers may have access to your Building Management Systems (heating, power, ventilation, lifts), which in turn may be part of or linked to your network, so if the supplier’s network is compromised, then potentially so is yours…A notorious example of this occurred in 2014, when the US retail business Target was hacked via their HVAC partner and lost credit card details of 110 million customers, at a cost of $61m.¹²
       
    • Secondly, if your networks are not directly connected, the attacker will likely exploit the trust you have with your suppliers and send spoof emails appearing to be from the supplier, but with malicious content embedded to gain a foothold on your network. Due to the trusted relationship you have with this supplier, you are more likely to open any attachments to emails. You may think that you would be able to spot such emails and your staff wouldn’t fall foul of this nefarious approach, but cyber criminals are skilled and can go unnoticed on networks for long periods of time. They utilise a number of approaches including monitoring traffic and patterns to establish the types of emails sent to partner organisations, along with who from and what types of attachments are usual, which significantly contributes to their success.

Having gained access to the environment, there are various ways in which an attack can ‘cash in’. Essentially they are going to steal something, whether that is client details, including bank accounts, email addresses etc., which can all be sold on the dark web, or for a potentially bigger and quicker ‘payday’ they can conduct an increasingly prevalent and profitable attack known as known as Business Email Compromise (or BEC for short).

BEC works by the attacker monitoring the communications to understand how and when you invoice your clients, the attacker then sends an email from your finance department with your normal invoice, but critically then includes updated banking details for your clients to pay into. The attacker will delete any other invoices sent to the target client and covers their own tracks, usually by deleting what has been sent from your network. As the email comes from your network, your clients may well be duped into paying the invoice, or indeed, you may get similar emails yourself! Whilst this attack seems somewhat simplistic, it once again relies on the trusted relationships you have with both your supply chain and your clients and is hugely successful, netting vast sums of money, with estimates from the FBI that $12bn has been defrauded in this way over the past 5 years.³ 

Some things to consider to protect yourself from and reduce your cyber security supply chain risks:

  • Perform a baselining audit of who has access into your network and remove any unnecessary access, both from your staff and external suppliers, then continue to review regularly through an ongoing audit process
     
  • Before taking on new suppliers, or re-engaging existing ones enquire about their cyber security maturity. Whilst there is no industry standard questionnaire for supply chain assurance, cyber essentials+ would be a good place to start to show that they are at least thinking about it. There are ‘cyber credit rating’ type services available that can be helpful here, but shouldn’t be viewed as a ‘be all and end all’, as they can be useful comparatively, but in isolation can be also quite unhelpful
     
  • Ensure you have robust processes in place in house, that do not allow any amended payments to be made without additional authentication for e.g. calling to confirm (don’t call any numbers on an email that asks for a change in payment details – this is likely to be the attacker waiting for your call!), call the known contact on a previously used number
     
  • Educate your staff on what to look for and how to spot this type of attack

Remember nothing and no one is infallible and this type of attack will continue for as long as it is profitable and works.  It will no doubt evolve over time into something else, so you and your staff need to keep up with what is going on in order to be able to defend against it.

Your organisation might not be the overall target, particularly within certain sectors and you may be being used as a stepping stone to get to another more lucrative organisation – ultimately we are all a part of someone’s supply chain.

Related articles: 

Blog post: Business Email Compromise - A Short Reality Check

Cyber Essentials 

References: 

https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
https://www.theguardian.com/business/2014/may/05/target-chief-executive-steps-down-data-breach
https://www.computerweekly.com/news/252450009/Business-email-compromise-made-easy-for-cyber-criminals

Subscribe for more Research like this

About John Higginson

Principal Consultant, Response

John is a member of our Response team, see our Contact page for ways to get in touch.

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor
NCSC CCSC - Assured Service Provider