Securing the Supply Chain: Where do we go from here?

Introduction

Most western countries are built on the principle of freedom and rest upon the salient idea that industry should be minimally regulated, where possible, to promote innovation and competition. In North America, much of the critical infrastructure is built and managed by the private sector to benefit the consumer by creating a competitive market of choice. Innovation is achieved by collaborating with other organizations, both domestic and foreign, to find new ways of improving on technology and the things consumers use in their daily lives. Yet, a free and open market model can also create challenges in protecting our nation’s intellectual property and digital assets.

Supply Chain Vulnerabilities

Recently, the United States has witnessed several material attacks on its supply chain across many different industries. First there was the SolarWinds attack, then the attack on the water supply in Tampa, FL, followed by the Colonial Pipeline attack, the attack on the JBS food supply industry, and most recently the Kaseya attack. It is highly desirable for a bad actor to expand their reach by attacking a common supplier, causing cascading impacts on several other targets. This attack vector strongly punctuates how imperative it is to focus not only on protecting national critical infrastructure but also on protecting the commercial businesses that support it.

Private/Public Partnership

National security, in the traditional kinetic sense, can be considered the job of the federal government. It is responsible for the protection of borders, ensuring that democracy is intact, and protecting the freedoms our citizens hold so dearly. In addition, national security matters have traditionally been kept internal to the federal government and on a “need-to-know” basis. The digital revolution has blurred the lines between the public and private sectors, creating increased demand for a more integrated approach to sharing intelligence and threat information.

Many private organizations are not prepared to defend against nation-state attacks and without information sharing by government entities on the threats to their organizations, they remain vulnerable. Creating a strong public-private partnership with the common goal of sharing information about cyber-attacks not only helps in protecting organizations and agencies but can improve national security. Private organizations need to be updated frequently on the threats they face. As such, the government agencies responsible for monitoring threats need to be able to efficiently communicate those threats to the organizations that need to know. In turn, private organizations need to be transparent with investigators about cyber breach incidents. They also need to report incidents and cooperate with federal agencies in their investigations. This partnership will create a stronger culture of security.

Securing your Supply Chain

As the public-private partnership is established, businesses can take a more proactive approach to securing their assets. A holistic security posture must include improving physical security, cybersecurity, information security, and operational technology security. Once a strong security program is established, the organization needs to make it part of its overall culture. A “security by design” culture is both a mindset practiced at all levels of the organization and a principle embedded in the protection of all assets and organizational affiliates, including external partnerships with suppliers and vendors. Holding suppliers and vendors to the same standards of risk mitigation and associated protocols will strengthen the program and the overall security posture of the organization.

Organizations need to ask meaningful questions of their suppliers and vendors to garner an accurate understanding of what their security programs and protocols look like. Some examples of questions to ask may include:

  1. Do you have a documented approach for your security program? Can you produce it?
  2. What compliance standards does your organization meet? e.g. NIST, ISO, SOC, HIPAA, PCI-DSS, Sarbanes-Oxley, etc.
  3. Does your organization engage in third-party audits? Can you produce the results?
  4. Does your organization conduct background checks on employees?
  5. How do you protect and monitor your digital assets against insider threats (non-malicious and malicious)?
  6. What are your procedures for vetting your suppliers?
  7. Does your product have security features? e.g. signed firmware, certificate support, TPM modules, encryption, support for 802.1X environments, etc.
  8. Can you provide a software bill of materials?
  9. Where is your product manufactured?
  10. What insight do you have into the manufacturing process? On-site management?
  11. Where is your software developed?
  12. Do you employ code verification/validation and code vulnerability scanning prior to release?
  13. What is your process for firmware/software updates?

Establishing acceptable practices and standards for the supply chain will improve the security posture of the organization. Visibility not only into suppliers and vendors but also into the standards of their own suppliers will provide layers of security within the supply chain. It is impossible to thwart all threats. No organization is impenetrable. However, creating a solid security program that includes internal and external stakeholders will make the organization a hardened target, costing bad actors more time and money to penetrate and making it a less profitable target.