In business we rely on our suppliers. They can be suppliers of goods we sell or use to create our products, suppliers of people, suppliers of software or computing resources, utility companies, or landlords. Without them, our business is dead in the water. Every company has suppliers that are critical to the business, yet few have thought about the risk of a cyber attack hitting one of those suppliers, and fewer still have a plan for what to do the day it happens. So what if you depend on a hacked supplier?
In this blog post we want to share our approach to supply chain risk management, and how it affects our business continuity planning. In short: how do we prepare for a hacked supplier? We will go through the four phases of our approach:
- Create a supplier inventory and assess business impact
- Use threat intelligence to review the risk exposure of the supplier
- Plan internal actions to take to better protect the business
- Make cybersecurity collaboration through incident response and information sharing part of the contract
Below we discuss each of these aspects in detail.
Supplier inventory and business criticality
The first thing we need to do to prepare for the case of a hacked supplier is to create an overview of our suppliers and what they mean for our business. Where can you find the suppliers you rely on in day-to-day business? Ask your accountant. Go through the invoices you have paid over the last 12 months and list them in a simple table with three columns: supplier, services provided, and any problems experienced because of that supplier.
| Supplier | Services provided | Problems experienced |
|---|---|---|
| Google Cloud | IaaS (cloud computing services) | N/A |
| Recruitment company Inc. | Sourcing of personnel | N/A |
| DevConsult | Software development | Delays in feature delivery because of lack of capacity |
In addition to the companies we pay for services, we should not forget providers of free services we may depend on, or partners who help deliver our services.
Now, let's say we have created a table of our suppliers. How do we assess the criticality of each supplier to our business? We need to map the services they provide to the way we create value. There are many ways to perform value stream mapping, but we favour a simple approach called SIPOC, short for "Supplier – Input – Process – Output – Customer". It helps us capture the inputs needed for each of our value creation processes, and therefore which suppliers each process depends on.
Based on the SIPOC diagram, it is time to extend the supplier table above with another column called "Criticality". Here we assess the worst-case business impact if the supplier's services are disrupted and it cannot fulfil its contract. Key questions to consider are:
- If the service of the supplier is unavailable for a day, a week, or a month, what would be the impact on our business?
- If the supplier’s computer systems are compromised and confidential data is leaked about them, their systems and their customers, what could be the impact on our business?
- If the supplier is compromised and their systems and people are used to attack our business, what could be the business impact?
For most cyber attacks on supply chains, the worrying downstream impact is either the unavailability of a critical service, or further compromise spreading from the supplier. One example: a critical supplier has its email system hacked, and its email accounts are used to send very believable phishing emails to us. We are much more likely to trust such an email than an average phishing email; we would probably not see it as unusual at all, and so we get infected with malware or give away our credentials.
There are many examples of supply chain based attacks. Some intentionally target a supplier to reach a specific final target, whereas others target service providers with a large network of customers that can all be affected. One recent example is Visser, a speciality parts manufacturer serving a number of industries including automotive and aerospace, which according to this TechCrunch article was hit with ransomware. Customers of Visser include Lockheed Martin, Tesla and SpaceX.
Supply chain cyber risk assessment
Many companies have some form of risk assessment in their procurement process. In most cases it covers financial risk, and in some cases cyber security risk is included as well. From the outside it can be hard to tell whether a company is likely to be hacked, but that is what we want to do: we want to know whether there is reason to worry about the business impact identified for each supplier. This serves two purposes. First, to screen out suppliers we do not want to buy from because we think the risk is too high. Second, to prepare for an attack on a supplier we still want to buy from, by asking "what could happen, and how can we act to minimise the impact on our business?".
Let us first try to answer the question "how likely is it that they will be hacked?". We can split this into two sub-questions:
- Which threat actors are likely to attack this supplier? What kind of attacks are these threat actors likely to use? What would be the impact of such attacks to our supplier?
- Does the supplier care about cybersecurity? Do they seem to follow good security practice?
To answer these questions in detail we would probably need to spend quite some time with the supplier, and perhaps with a specialist consulting company. We don't have the time and money for that, so we look at what we can see and make educated guesses.
Starting with the first part: which threat actors, and what kind of attacks, are likely? We can use threat intelligence to answer this. By tracking threat actors and attacks across business sectors, we can form an opinion about what kind of attacks to expect and whether they are a problem in the supplier's sector. We should also consider whether the supplier is active in supply chains that are particularly targeted, such as the defence industry, high-tech research and development, or international financial services.
At Cybehave we track threat intelligence closely, using an automated collection infrastructure that works around the clock to collect open source intelligence. We will soon make our threat intelligence systems available to our customers to make answering question 1 easier for everyone.
Question 2 is about how much the supplier cares about cybersecurity: do they seem to make an effort to follow good practice? The easiest way is to ask the supplier for a description of their information security policies and practices, but even that can be too much effort for a small purchase. An alternative is to look at their online footprint: do they seem to follow good practice, judged by what you can see from the outside?
- Is their web page outdated or up-to-date?
- If they publish software, how do they treat reports of security vulnerabilities?
- If they have a login system on their web page, does it follow good practice for login security (strong password requirements, single sign-on, two-factor authentication, etc.)?
- Do they have compliance documentation for following good security practices?
How much to expect depends on the nature of the supplier's services. If it is a cloud vendor like Google Cloud or AWS, you can expect a lot; if it is a local vendor selling healthy lunches, you probably shouldn't expect them to be certified to security standards!
When you have done this assessment, you can make a guesstimate of the cybersecurity exposure of that vendor by placing it on two axes: how much interest it attracts from attackers, and how well it appears to handle cybersecurity.
Basically, if a supplier attracts a lot of interest from hackers and seems unaware of how to deal with cybersecurity (the red category), it is a good idea to avoid that vendor in the first place. If you need to use the vendor anyway, make sure you have a plan for what to do when that company gets hacked!
The green nirvana of a supplier that hackers are not very interested in, and that is great at cybersecurity, probably doesn't need any special treatment.
Most vendors will fall into the yellow category in between. Here you should ask "what attacks are they likely to be exposed to, and what would those mean for us?". Some common cyber attacks to think about:
- Email account hijacking, used to send phishing emails
- Data breach leaking data about the vendor’s customers
- Compromise of software from the vendor, leading to backdoored or trojanised releases used to install malware
- Invoice fraud where the attacker sends fake invoices from the vendor with a different account number
What can we do to reduce the risk to our business from a hacked supplier?
Your internal risk controls fall into two categories: general defences, and specific measures based on a particular risk you have identified. Let us consider three important cases here:
Supplier’s services are unavailable due to cyber attack
If the supplier's services are unavailable, the business impact should guide our selection of risk controls. Provided we have determined that the supply is critical to our business, here are some questions to consider:
- Can we build up an emergency stockpile? This often applies to physical goods, but rarely to software, people or cloud services.
- Can we source from multiple vendors with scale-up agreements in case one supplier becomes unavailable? This costs money, but increases robustness.
- Can we reduce our output and buy insurance to cover the cost, including lost customers taking their business elsewhere and the necessary marketing/PR investments needed to regain consumer trust?
The supplier's systems are compromised and used to send social engineering attacks to us
The case where the supplier has had their email accounts compromised is very common, and dangerous. What if the attacker hijacks an existing email thread between us and the supplier to inject malicious content?
Focus on phishing protection using a combination of leadership practices, awareness training and technical controls. In this situation the technical controls are less likely to help: email from contacts we cooperate with often is typically scored as more trustworthy by modern filtering systems, especially those driven by machine learning. The controls that still work are the ones that do not depend on the sender being trusted: verify unusual requests (a new account number, an urgent payment, a request for credentials) through a separate channel such as a phone number you already have on file, and treat unexpected attachments and links from a known contact with the same care as those from a stranger.
Invoice fraud, where an attacker changes the account number on real invoices, is very difficult to catch. Include this type of attack in security awareness training for the accounting and finance department, and create a procedure that any mismatch between the account number on an invoice and the account number stored in the ERP system must be clarified with the supplier through a separate channel (and documented) before any payment is made. It is also a good idea to require sign-off from two people on payments above a pre-determined threshold value.
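To make that procedure concrete, here is an added example of a payment-release check (example code, not Cybehave's own): it compares the account number on an invoice with the one held in the vendor master, validates the account number's checksum, and enforces the two-person rule. It assumes IBAN-formatted account numbers (so the ISO 13616 mod-97 check applies), a hypothetical threshold of 10 000, and constructed vendor and invoice data. It goes slightly beyond the text by also requiring two approvers for any invoice whose account number was changed, even after the change has been confirmed with the supplier.

```python
"""Payment-release check for the invoice-fraud case.

Added example, not Cybehave's code. Assumptions: the ERP vendor master
stores one registered account number per supplier, account numbers are
IBANs (so a mod-97 checksum can be validated), and the dual-approval
threshold is 10 000. All vendor records and invoices are constructed data.
"""
from dataclasses import dataclass
from decimal import Decimal

DUAL_APPROVAL_THRESHOLD = Decimal("10000")   # assumed; set per company policy


@dataclass(frozen=True)
class VendorRecord:
    supplier_id: str
    name: str
    account_number: str          # as registered in the ERP vendor master


@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    invoice_no: str
    amount: object               # int, str or Decimal; converted before comparing
    account_number: str          # as printed on the invoice we received
    approvers: tuple = ()        # people who signed off the payment
    clarified_by: str = ""       # who confirmed an account change with the
                                 # supplier through a separate channel (documented)


def normalise(account: str) -> str:
    """Strip spaces and upper-case so formatting differences do not hide a match."""
    return account.replace(" ", "").upper()


def iban_checksum_ok(account: str) -> bool:
    """ISO 13616 mod-97 check. Catches transcription errors only: a fraudster's
    real account will pass, so this never replaces the vendor-master comparison."""
    s = normalise(account)
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()
            and s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]                                  # move country+check to end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)     # A=10 ... Z=35
    return int(digits) % 97 == 1


def payment_decision(invoice: Invoice, vendor_master: dict) -> tuple:
    """Return (release_ok, reasons). Any reason blocks the payment."""
    reasons = []
    vendor = vendor_master.get(invoice.supplier_id)
    if vendor is None:
        return False, ["supplier not in vendor master"]

    if not iban_checksum_ok(invoice.account_number):
        reasons.append("account number on invoice fails checksum")

    if normalise(invoice.account_number) != normalise(vendor.account_number):
        if not invoice.clarified_by:
            reasons.append("account number differs from vendor master; "
                           "clarify with supplier out of band before paying")
        # A confirmed account change is still exactly what invoice fraud looks
        # like, so insist on two approvers regardless of the amount.
        elif len(set(invoice.approvers)) < 2:
            reasons.append("changed account number requires two approvers")

    if Decimal(str(invoice.amount)) >= DUAL_APPROVAL_THRESHOLD \
            and len(set(invoice.approvers)) < 2:
        reasons.append("amount above threshold requires two approvers")

    return (not reasons), reasons


# Constructed sample data: fictional supplier, example IBANs, not real accounts.
VENDOR_MASTER = {
    "V-100": VendorRecord("V-100", "DevConsult", "NO93 8601 1117 947"),
}

if __name__ == "__main__":
    legit = Invoice("V-100", "2020-041", 4500, "NO93 8601 1117 947", ("anna",))
    fraud = Invoice("V-100", "2020-042", 4500, "DE89 3704 0044 0532 0130 00", ("anna",))
    for inv in (legit, fraud):
        ok, why = payment_decision(inv, VENDOR_MASTER)
        print(inv.invoice_no, "RELEASE" if ok else "HOLD", why)
```

The fraudulent invoice above carries a perfectly valid IBAN, so the checksum alone passes it; the hold comes from the mismatch against the vendor master, and the payment can only proceed once someone has recorded an out-of-band clarification and a second approver has signed off.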
Can we collaborate on incident response with our suppliers?
We have talked about what we can do to reduce the risk using internal controls. But what should we do once an incident has actually happened? And should we involve the supplier in our cyber incident response plan? It is always better to have allies, and such collaboration reduces the risk for both supplier and buyer. The downside is that it requires a determined effort to make it work, and that effort will look like overhead to accounting until a data breach occurs. This means we need to make the value of such collaboration visible to the stakeholders in both companies.
Make cybersecurity part of interface management and put it in the contract
If it is going to happen, it has to go into the contract. You don't always have much leverage over the contract, but when you do, make cybersecurity a contract issue. Agree on minimum security requirements, information sharing, and how to enlist the help of the other party during an incident. Make sure the cybersecurity clauses in the contract are followed up in the normal touchpoints between the companies.
Information sharing is important!
Agreeing a two-way information sharing arrangement with your supplier helps both companies. The first part is threat intelligence. If you are targeted with a certain type of cyber attack, such as phishing emails or exploitation of vulnerable web applications, and you think it is a sector-wide problem, warn your suppliers about the activity so they can improve their defences. That protects you, the vendor and the supply chain as a whole. It also builds trust, so that people will want to share similar information with you.
Key take-aways for dealing with the risk of a hacked supplier
- Create an inventory of your vendors. Start with invoices paid to get a list of suppliers you depend on.
- Assess the business impact of each hacked supplier scenario. Use the SIPOC process to aid with analysis of value streams and business impact.
- Assess the risk exposure of each vendor, starting with the two questions “are they likely to be attacked” and “do they care about cybersecurity”. Use threat intelligence to help answer these questions.
- Plan risk mitigation and incident response to minimise the risk from a hacked supplier!