The security threat landscape is in a constant state of flux, as cybercriminals work hard to develop tactics to overcome organizations’ defences. One popular route into a secured network is via the supply chain and history is not short of examples of successful cyberattacks which were achieved by this method. In fact, software company SolarWinds recently fell victim to a supply chain attack, which resulted in global repercussions. Threat actors typically target companies within the supply chain, as these tend to have less sophisticated and robust defences.
How can organizations be sure that they aren’t inadvertently leaving themselves open to attackers, who may gain access via the wider ecosystem? To build trust in these relationships, they need to know that their system supplier continuously assesses and counters these risks – not only within their own systems, but also those of their sub-suppliers. It’s critical to know how solution manufacturers control and maintain their entire supply chain and ensure all products have a safe journey from individual components to completed product.
Evaluating and choosing the right partner
Supply chain security begins with choosing partners through a rigorous evaluation process. This should include an analysis of critical areas, such as each company’s information security policies and quality and sustainability management processes. As a minimum, the company should be certified by a third party according to ISO 9001 or IATF 16949 and ISO 27001 A.15 or NIST SP-800 161.
This is only the beginning. Sub-suppliers’ processes should also be assessed for risk management, as well as their production facilities and processes. Site visits should be made and followed up with onsite audits to check if the company meets the security requirements and standards set for approved vendor qualification. As part of the evaluation of a potential new partner, suppliers should conduct an in-depth analysis of the organization’s financial position and ownership structure.
It may be useful to choose certain companies to be appointed as strategic sub-suppliers, especially for critical components. Investing time in building these relationships will improve trust and ensure that all parties are committed to achieving long-term goals, particularly when it comes to upholding security processes.
Regular supplier audits provide reassurance and add value
The best way for your supplier to ensure sub-supplier compliance to the specified requirements is to conduct regular onsite audits, yearly or bi-yearly. These can be supplemented by quarterly business reviews, to follow up on performance against expectations and collaboratively discuss any changes that need to be made. The audit process should be thorough and conducted on every site within the supply chain, from the component supplier to the distribution center.
Individuals with malicious intent can physically introduce threats into a network or directly to the products, therefore the audit process should also include assessments of the physical facilities, particularly the quality assurance procedures and associated machinery. This will ensure that products are not tampered with, or unauthorized individuals are allowed access to restricted areas. For example, entries and exits must be continuously guarded and access controls and visitor registration must be logged and stored. Some areas may require continuous surveillance, even using guards to secure the facility and surroundings.
Protecting data transfer within the supply chain
Data transfer in the supply chain network must be protected by security protocols, utilizing encryption methods and authentication. Sub-suppliers and partners need to maintain a high level of information security, to mitigate risks of any gaps in the supply chain. Having a systematic approach to identify and manage sensitive company information is critical. This system should include people, processes, IT systems, and physical locations, and should comply with ISO 27001 and the General Data Protection Regulation (GDPR). This will improve awareness and enable effective risk management.
From a personnel perspective, employees can often represent a significant cybersecurity risk and are often on the front line of attacks. This risk can be mitigated by empowering and educating employees to ensure they have a high level of information security awareness. Implementing a training programme that frequently updates employees on threats and tactics is invaluable to helping protect the organization from attacks, and should be present at every company within the supply chain.
Maintaining integrity at the product level
As expected, surveillance products must function as designed and intended, with consistent integrity. This can be achieved if the product’s hardware and firmware are successfully protected from unauthorized change or manipulation during the product’s journey through the supply chain. Starting with component materials, traceability – which includes the material handling process – always ensures the status, revealing any deviations that could compromise quality and signal tampering.
Suppliers and manufacturing partners are required to maintain a traceability system for produced batches, from incoming material to the finished component. During production, the physical component will undergo multiple tests, verifying conformance and highlighting any deviations. It isn’t just the security of devices themselves that needs to be assessed. A secure software development lifecycle (SDLC) must be demonstrated to show that software is being developed with cybersecurity in mind. This helps to minimize the end customer’s exposure to vulnerabilities and if these do occur, a clear process of how vulnerabilities in components are identified, communicated, and patched must be established.
Robust security at every stage
As new cybersecurity threats emerge, it’s worth investing time to evaluate and understand every step in the production process where vulnerabilities could occur. Introducing more transparency within the supply chain will help alleviate worries, build trust and also create a dialogue between organizations and their entire supplier network. This will ensure that processes are robust and repeatable, thereby holding every party to the same cybersecurity standard and ensuring consistency. A regular assessment and auditing process will pay dividends in maintaining high-quality products and protecting sensitive data from falling into the wrong hands.
This blog was originally published on June 8, 2021, on Axis.com and republished here by permission.