The Provenance of Products and Services in relation to Cybersecurity

Introduction

The networks and ecosystems in which cybersecurity operates have become increasingly complex, and so have the threats and attack vectors against them. As businesses assess their networks, systems and supply chains they may realise that the attack surface cybersecurity has to defend can be very large. Understanding the provenance of the products and services that make up those networks, systems and supply chains is therefore vital to bringing the size of the potential attack surface under control.

Provenance can be defined as the source or origin of an item, idea or person. The supply chain can be defined as the network of all the individuals, organisations, resources, activities and technology involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual delivery to the end user. The segment of the supply chain involved in getting the finished product from the manufacturer to the consumer is known as the distribution channel. The three main flows of the supply chain are the product flow, the information flow and the finance flow.

From a European perspective, with recent and upcoming regulation such as the GDPR, the ePrivacy Regulation and the Cybersecurity Act, it is becoming vital that businesses understand where their products and services originate from and how that may affect their cybersecurity strategies and policies. Greater knowledge and awareness of the provenance of products and services should also be used as a means to prevent or mitigate threats and vulnerabilities.


Why does the Provenance of Products and Services matter?

With an increasingly connected world and products and services potentially coming from any country, an organisation needs to be able to trust that the elements within its supply chain are secure. In supply chain security the country of origin matters, but it isn't everything. In today's technological environment virtually every significant network incorporates foreign technology. The globalised nature of technology development, the inclusion of third-party components, the mobility of talent and anti-discrimination laws mean that having complete trust in the provenance of products and services is not simple.

Of course, if a supplier is headquartered in a country with a record of attacking other countries in cyberspace, that is something organisations must take into account. But it is much more complicated than saying 'company A is from naughty country X, so use company B from nice country Y instead'. Supply chains can be large and complex, involving many suppliers doing many different things. Securing them effectively is hard because vulnerabilities can be inherent in a component, or introduced and exploited at any point in the chain. A vulnerable supply chain can cause damage and disruption. Despite these risks, many companies lose sight of their supply chains; that is no excuse for ignoring the security risks. With recent and upcoming regulation such as the GDPR, the EU Cybersecurity Act and the ePrivacy Regulation, companies may be liable for data breaches and attacks that result from using insecure products or services. So beyond the organisation and its customers and users being able to trust the end product or service, there also needs to be trust in the elements that make it up.


Does Cybersecurity within Supply Chains Matter?

Yes, cybersecurity matters within the supply chain because it is a key way to manage risk. To enable cybersecurity throughout their supply chain, companies first need to understand the risks: until they have a clear picture of their supply chain it will be very hard to establish any meaningful control over it. Second, they need to establish some form of control, which allows them to assess the companies within the supply chain. Third, they need to check their arrangements by building assurance activities into their supply chain management. Finally, companies need to establish a means of continuous improvement and maintenance of security. It should be noted that an organisation that is not working on its own cybersecurity is unlikely to put effort into ensuring its supply chain is secure.


Possible Solutions

When organisations think about security, they most often think of securing their networks, software, and digital assets against cyber-attacks and data breaches. But the supply chain - whether a traditional manufacturer or service provider's supply chain or the "data supply chain" relied on by most large companies - is also vulnerable to security risks.

Practically every company has a place in the supply chain, and supply chains are evolving to be as much about the flow of information as they are about the flow of goods and services. Thus, it comes as no surprise that supply chain security is a highly complex, evolving function.

Supply chain security is every organisation's responsibility. The supply chain as a whole is only truly secure when all entities throughout it carry out effective, coordinated security measures to ensure the integrity of supply chain data, the safety of goods, and the security of the global economy. There are numerous tactics and methods organisations can use to enhance the security of their supply chains and contribute to global supply chain security (in no particular order):


  • A third-party audit of suppliers' security, to verify that they actually comply with the certification schemes, regulation and standards they claim.
  • Social engineering assessments (remote and physical) against employees and any representatives who work outside the company but within its supply chain, followed by appropriate training.
  • Threat intelligence fed into the infrastructure's monitoring, to catch propagating malware, data exfiltration and unauthorised access attempts before they cause damage.
  • Secure architectural engineering kept at the forefront of the organisation's mindset when implementing technology, training users and expanding offices.
  • An organisation is only as secure as its weakest link. Know your vendors, suppliers and partners, then take reasonable steps to verify their security practices and procedures.
  • A robust, centralised governance process for IT procurement. Limit the number of people authorised to purchase or enter into contracts for products and services that may connect to the organisation's networks. Ideally this process is linked to the organisation's cybersecurity team, so that products and services can be vetted for potential risk and negative impact before they are bought.
  • A social media policy that limits the information employees can put online, since that information is raw material for spear phishing.
  • Care in responding to communications and e-mails: verify that a message really comes from the party it claims to. Attackers increasingly pose as employees of the company, or of a vendor the company normally deals with, betting that staff will not check the origin of an e-mail too closely. Checking that the visible sender domain is backed by the mail server's SPF/DKIM/DMARC results, and confirming any change to payment or contact details through a known channel rather than by replying, is a cheap defence against these attempts.
These solutions also scale with the size of the organisation. A small company might only have the time and resources to ask that its suppliers hold the right certifications, while a large multinational corporation would carry out in-person audits.
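The last bullet above asks staff to verify where an e-mail actually came from. As an added example (not code from the original post), the Python script below, using only the standard library, checks whether the visible From: domain of a message is vouched for by the SPF or DKIM result that the receiving mail server recorded in its Authentication-Results header, which is the alignment test DMARC uses, and flags a Reply-To that points somewhere else. The authserv-id mx.example.net, the two sample messages and the simplistic "last two labels" organisational-domain rule are assumptions made for the example.

```python
"""Added example: judge whether an inbound e-mail's visible sender is backed
by the receiving server's SPF/DKIM results (DMARC-style alignment).
Standard library only; the sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id our own inbound MTA writes into
# Authentication-Results. Headers carrying any other id are ignored, because a
# sender can forge that header (the MTA should also strip foreign copies).
OUR_AUTHSERV_ID = "mx.example.net"


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Crude organisational domain: the last two labels. Real deployments use
    the Public Suffix List; this shortcut is an assumption of the example."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(msg):
    """Extract spf/dkim verdicts from the Authentication-Results header written
    by OUR_AUTHSERV_ID. Returns {method: (verdict, domain)}; a method that was
    not evaluated is simply absent."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        if parts[0].lower().split()[:1] != [OUR_AUTHSERV_ID]:
            continue  # not our server's verdict: untrusted
        for part in parts[1:]:
            m = re.match(r"(spf|dkim)=(\w+)", part)
            if not m:
                continue
            method, verdict = m.group(1), m.group(2).lower()
            prop = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", part)
            ident = prop.group(1).lower() if prop else ""
            if method == "spf":
                ident = ident.rpartition("@")[2]  # smtp.mailfrom is an address
            results[method] = (verdict, ident)
    return results


def assess(raw_message):
    """Return (aligned, reasons). aligned is True only if SPF or DKIM passed
    for a domain that aligns with the visible From: domain."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    auth = parse_auth_results(msg)
    aligned, reasons = False, []
    for method in ("spf", "dkim"):
        verdict, dom = auth.get(method, ("none", ""))
        if verdict == "pass" and dom and org_domain(dom) == org_domain(from_dom):
            aligned = True
            reasons.append(f"{method} passed for {dom}, aligned with From: {from_dom}")
        else:
            reasons.append(f"{method}={verdict} ({dom or 'no domain'}) does not vouch for {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and org_domain(reply_dom) != org_domain(from_dom):
        reasons.append(f"Reply-To {reply_dom} differs from From: {from_dom}; replies go elsewhere")
    return aligned, reasons


# Constructed sample messages (not real traffic).
GENUINE = """\
From: "Vendor Billing" <billing@vendor.example>
To: ap@example.net
Subject: Invoice 4471
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.vendor.example; dkim=pass header.d=vendor.example

Please find invoice 4471 attached.
"""

# Same visible sender, but our server saw SPF pass for an unrelated bulk
# sender and no DKIM; the attacker also injected a forged second header.
SPOOFED = """\
From: "Vendor Billing" <billing@vendor.example>
Reply-To: billing@vendor-invoices.example
To: ap@example.net
Subject: Updated bank details for invoice 4471
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=news@bulk-sender.example; dkim=none
Authentication-Results: attacker.example; spf=pass smtp.mailfrom=billing@vendor.example; dkim=pass header.d=vendor.example

Our bank account has changed, please update it before paying.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        ok, reasons = assess(raw)
        print(f"{label}: {'aligned' if ok else 'UNVERIFIED - confirm out of band'}")
        for reason in reasons:
            print("  -", reason)
```

The point of ignoring any Authentication-Results header not written by your own server is that the header is just text: an attacker can add one claiming dkim=pass, so only the copy your MTA appended (and ideally your MTA strips foreign copies on receipt) carries any weight. A message that fails the check is not necessarily malicious, but it is one where the display name and From: address prove nothing, so the request in it should be confirmed by phone or a known portal rather than by reply.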


Conclusion

Hopefully this post has given some information on provenance and supply chains in relation to cybersecurity. The key points are that managing cybersecurity within supply chains requires knowing where products and services originate from, and that minimising risks and threats from the supply chain requires a holistic approach, because there is no silver bullet for preventing attacks that come through it.

Sources

https://www.merriam-webster.com/dictionary/provenance
https://whatis.techtarget.com/definition/supply-chain
https://digitalguardian.com/blog/supply-chain-cybersecurity
https://www.ncsc.gov.uk/blog-post/managing-supply-chain-risk-cloud-enabled-products
https://www.ncsc.gov.uk/collection/supply-chain-security
