An approach to Supply Chain Risk Management
SCRM requires an understanding of the context in which the system will be used, the most likely vulnerabilities and threats to the system, and the impact of a realised risk. The following four aspects of SCRM will assist you with managing supply chain risk:
- know your system
- understand your supply chain risk
- manage your supply chain risk
- monitor your supply chain and controls.
Step one: Know your system
Good SCRM in an organisation requires knowing what your most important systems are from a business and security perspective.
To enable assessment of the criticality, sensitivity and business value of a system, consider the following elements of the system:
- National Criticality. Does the nation depend on the system or service in some significant way? For example, if it is a warfighting capability or critical infrastructure in a time of war, what will be affected if the system's confidentiality, integrity and availability (CIA) cannot be trusted?
- Threat to life. Do real threat-to-life concerns exist if the system is vulnerable to a threat in some way?
- Immediate data access and data sensitivity. Know the sensitivity and amount of data the system immediately handles. If this system is compromised, what would it immediately expose? Some considerations include:
  - Is the data classified? If so, it has explicit sensitivity.
  - Does the system handle Personally Identifiable Information (PII) or Intellectual Property (IP)? If so, what impact would exposure have?
- Interdependency of the system. Knowing what could be exposed or enabled if the system is compromised helps to identify critical systems. This is a prerequisite to correctly assessing what could, and would likely, be achieved by a supply chain threat. Four considerations for assessing the impact of a system compromise include:
  - Level of access the system has to other systems. If the system or service is one or more steps removed from the data of a sensitive system, then it may be used to access or control the actual sensitive system of concern.
  - Dependency of other internal systems on this system or service. If the system is acting in a critical administration or security-enforcing role, or it is the main backbone of your entire network, then it provides a critical failure point for the control of data in that system.
  - Dependency of external systems on this service: who else is impacted? If your service is taken offline, or loses data, who else will it affect?
- Longevity or lifespan. The longer a system is in operation in a specific state, the greater its exposure to supply chain risk. For example, a system expected to have a lifespan of a decade or more presents a much greater opportunity for interference compared to a short-term deployment.
When assessing the criticality of a system, consider where it fits into national security priorities. This assists in determining how widely beyond the organisation itself the supply chain risk should be consulted. With regard to system sensitivity, five broad categories can be defined from ‘nationally critical’ to ‘locally important’:
- Nationally Critical. The system is recognised as critical to the function of the nation, and underpins the security of systems nationally and the wellbeing of the nation. Some national critical infrastructure will be in this category.
- Nationally Sensitive. The system, if compromised, would impact national security, but would not cause the significant undermining of other systems. This may include some nationally classified systems.
- Critical. A compromise of the system would have significant but localised impact to the security of many systems. This may include some smaller critical infrastructure.
- Sensitive. The system contains data important to national security, but impact is localised. This may include stores of PII.
- Locally Important. The system is important for the owner of the data primarily, with little impact beyond the organisation itself.
As a system's sensitivity trends from locally important to nationally critical, all aspects of supply chain risk need greater consideration.
Case study 2: Demonstrated sensitivity of unclassified but nationally critical data
In 2016 a public announcement was made by the Australian Government that the Bureau of Meteorology (BoM) had been compromised by malicious cyber actors. Australian weather data and predictions are a key dependency for many Australian and overseas services, and any issue with that service impacts others significantly. The announcement of a cyber-compromise caused a significant volume of questions to the Bureau from its extensive range of clients, all concerned they were potentially negatively impacted.
The dependency of external services on BoM was extensive: although there was no loss of weather service, the potential or perceived impact on other services alone caused a significant impact.
Step two: Understand your supply chain risk
The information security of a cyber-system is typically considered with respect to incident impact on the confidentiality, integrity and availability (CIA) of the system and the data it holds.
Knowing the breadth of influence and depth of access of a system informs the real-world impact of any incident on the system, whether from physical, supply chain, or system compromise breach sources. Knowing real-world impact upfront will inform a proportionate evaluation of threats and vulnerabilities.
Determine overall risk by overlaying where your system is vulnerable with the real threats to the system. This will ultimately determine and appropriately prioritise supply chain risk.
Consider the most realistic, likely, and high impact risks first. Supply chain risk management should not detract from managing more immediate risks.
Understand components of your supply chain
Managing supply chain risk in your system is a whole of product or service life undertaking. In order to understand the breadth of cyber supply chain risk, be aware of four primary aspects in a product’s life:
- Vendors. The potential for the vendors to introduce unique vulnerabilities, either during design, manufacture, supply or the aftercare of the product they are responsible for.
- Delivery and deployment. As the product is in transit from a vendor to the customer there is a risk of tampering or data extraction, enabling immediate or future malicious operations.
- Service. The ongoing service and administration of equipment and services deployed in an organisation is a significant vector for risk. For example, the compromise of managed service providers from 2016 to 2018 was one of the most commonly observed realised risks in ACSC cyber investigations. The relatively low cost of exploitation, extensive access provided, difficulty of detection and complexity of remediation make this one of the simplest means for criminal groups to exploit multiple victims.
- Decommissioning. As a product or service is moved to end of life, there is potential for the old product or service to contain sensitive information or enable access to the new system in some way. For example, there is a good reason second hand hard drives can sell for more than their new counterparts.
Across the above four control points of the supply chain, cyber security risk is introduced in two main ways:
- Interference risk. The vendor can be influenced to conduct adverse actions on behalf of another party. This risk is enduring and relevant where the vendor is subject to extrajudicial control or influence.
- Technical risk. Where the vendor does not apply adequate quality control over their products and services. Technical risk includes not just the inherent security of the product or service, but also the vendor’s ability to secure their own systems from unintended external influence. Low quality products and services are a commonly realised risk, due to a vendor cutting security costs in order to deliver a more cost-competitive product.
The vector for supply chain interference, targeted and/or non-targeted, can come through either software, service provision or hardware.
Case study 3: Multinational companies offering nation specific service provision to comply with local legislation
In 2018, Apple announced that a new data centre would be used within China, operated by a Chinese company, in order to meet new Chinese data protection legislation for data generated within China. In this case the country is able to exert extrajudicial influence, which may be in contradiction to Australian law. Reuters noted Apple as saying “The addition of this data centre will allow us to improve the speed and reliability of our products and services while also complying with newly passed regulations.”
This is not specific to Apple, but applies to other service providers too. Google’s rumoured project ‘dragonfly’, a customised search engine for China, is another example. It is too early to know the actual impact to Australians in China, but it may be assumed that if the data was generated in China, it will likely fall under a separate set of capabilities, and legislation, from the data generated in Australia. This is despite the fact that the owner, and possibly the user, of the service is not Chinese.
Be cautious of making decisions solely based on the nationality of a vendor. A vendor from a country whose laws are not likely to be contrary to Australian law does lower the immediate elevation of risk associated with likely adverse extrajudicial control in nationally critical systems. However:
- If the vendor is from a country of possible concern, and considered “high risk”, that alone should not rule out the vendor unless there is specific Government direction to do so in the circumstance. Instead, consider the actual role of the system under question relative to critical data and complementary security controls.
- Conversely, if a vendor is not from a country of concern with regard to extrajudicial influence, this should not immediately mark them as a lower risk option with regard to overall cyber supply chain risk. There are still cyber security vulnerabilities that must be considered.
Determining the cyber security posture of a vendor means, at a minimum, asking for evidence of compliance with commonly known standards they would already have to comply with for the different regions they operate in. In the absence of that, ask for a demonstration that the vendor has complied with best practice guidelines such as the ACSC Essential Eight. Be aware that a multinational corporation may struggle to provide some of these assurances beyond a local level, and compliance is no guarantee that the system is secure.
Knowing whether a sub-contractor is used should be part of negotiations and the contractual agreement. A vendor must notify you if any of your data or service delivery is outsourced to another party. If you deem your data or service critical or sensitive, it is your organisation and reputation at risk. It is becoming practically difficult to determine which services are sub-contracted where there is increasing dependency on abstracted cloud services; however, it remains a legitimate and important consideration if the system or data is deemed sensitive.
Case study 4: Defence data stolen through sub-contractor breach
In 2016, sensitive but unclassified data on a Defence project was stolen through a sub-contractor. The ACSC investigation found the sub-contractor had been employed by a service provider to Defence, rather than directly by Defence. This is not uncommon, however the security controls in the sub-contractor did not meet the expectations the department had of the service provider.
Given the sub-contractor did not provide “classified” services, they would not have been subject to the same controls as the service provider. To raise awareness of an increased risk, the client should define what data is ‘sensitive’ and establish a contractual obligation for the provider to inform them if it outsources the handling of any sensitive data. To mitigate this activity, once the client and provider were aware of the sub-contractor's involvement, the sub-contractor should have demonstrated a certain level of cyber security maturity to both of them.
Know the likely supply chain threats – intent and technical means
Pervasive supply chain threats are a combination of foreign interference intent and technical capability.
Determining the likelihood of a threat being realised is backed by historical evidence. Look for historical targeting in two main areas:
- History of your organisation being targeted by cyber adversaries. This information may be sensitive within the organisation. However, if the system is of critical sensitivity, an understanding of historical security incidents must be sought from the relevant area in the organisation. Know if the organisation has had ongoing targeting or even successful compromise, especially where there is an indication it was targeted by a nation state. Previous targeted incidents represent a real targeting requirement of the organisation by a nation state that is unlikely to cease. Previous incident data will also inform which systems are of interest to the defender and the intruder. Be mindful that the tradecraft used in the last attempt is not necessarily the tradecraft that will be used to gain access the next time.
- Know what targeting looks like in your sector. Through trusted forums and reporting, an organisation can learn from the experience of others. Additionally, public reporting, by security companies or by victims of targeting activity, provides a lot of information regarding what real ‘Advanced Persistent Threat’ or nation state activity looks like and what it targets.
Threat to supply chain is not limited to extrajudicial influence. Foreign interference is not just related to a vendor’s country of origin. As the case studies demonstrate, it is usually simpler to compromise another product or service in the supply chain without lawful interference, in order to achieve the required outcome.
In addition to extrajudicial control resulting in technical interference, consider the risks posed by people with privileged access. If a person servicing your equipment is a citizen of another country, even if they reside in Australia, they may be compelled under that country’s law to conduct actions on behalf of that nation.
In order to accomplish some objective on the system of interest, a malicious cyber actor has multiple technical options. Some categories of technical threats to supply chain include:
- Unauthorised access – which ultimately enables a malicious actor to do almost anything at any time to the system.
- Temporary unauthorised access to data on a system. This may range from abuse of authorised access, such as by a contracted service provider, to temporary opportunistic access such as uncontrolled physical access to a device while it is in transit.
- Persistent unauthorised access to a system. A ‘backdoor’ in the system that enables unauthorised future access any time. This is one of the most commonly feared threats, perhaps because it is easily understood, invasive, and unwanted.
- Passive snooping or modification of data or the system. Outside of unauthorised access, data access can occur if the system exposes opportunity to view, create, or modify data in transit or at rest, resulting in snooping or manipulation of data.
- Denial of service. The deliberate or accidental disruption of the system through some vulnerability. Whatever the motivation, service disruption is a significant consideration for nationally critical systems, particularly where there may be a threat to life. It may be enabled by the above two threats, or even by poor quality components in the supply chain, as is the case with counterfeit technology.
- Obsolescence. Although it may not be a deliberate attempt to compromise system security, the incorporation of unmaintainable hardware and/or software in a system is a persistent threat for critical systems. Consider the enduring risk of non-updatable software deployed into critical systems that are now internet-connected.
Step three: Manage your supply chain risk
Treat high risk. Risk may be avoided through re-architecture of a system or process in order to minimise the impact of a realised risk, or reduced by choosing vendors who have a demonstrated commitment to cyber security.
Transferring or accepting significant risk must be well understood if considered viable. This must be a conscious and documented decision, and may require consultation with external parties who will also be affected by the risk if realised. Be aware that you may also be transferring risk to your customers.
Avoiding the risk may be possible through re-architecture of a system or process in order to minimise the impact of a realised risk. Look to change the impact factors for a product or service. For example, if an untrusted network equipment component is used, it may be possible to architect around the product so that other trusted components handle encryption, authorisation and audit, thereby reducing the dependency on that component to enforce whole-of-system security. However, a cost-benefit analysis should be conducted to determine whether this actually increases the complexity of the system beyond the organisation's reasonable ability to implement and maintain it.
Case study 6: Re-architecture avoiding supply chain risk
In 2018 an organisation requested ASD assistance, regarding use of a cellular network dongle in a sensitive system. The dongle required the installation of unverifiable software in order to make the dongle work. The software may have been installed with a high level of privilege on that system, and so could undermine security of the business.
ASD recommended re-architecture of the system to remove the need to install the software on the device, by using an alternative technology, thus avoiding the need to install unverifiable software on the sensitive system.
Where risk cannot be avoided by re-architecture or policy control, consideration must be given to another service that carries lower risk. For example, it is inherently difficult to change the level of impact of privileged security-enforcing software running on every system without at least reducing the scope of deployment to non-critical systems and using a more “trusted” product in critical systems.
Risk may be treated or reduced through additional controls around the service. Where a high residual risk remains with the currently proposed solution, the cost of additional controls must be considered in the total cost, and those controls must be realistically maintainable. A vendor may offer transparency and the ability to audit their security; however, if the customer is unable to provide the ongoing resourcing to audit the vendor, the treatment is unsustainable.
A common risk treatment is to ensure monitoring. However, practical implementation must be thought through as to what will actually be detected, and who is doing the monitoring. Your security team or operations centre must be consulted to ensure that monitoring will fit in with existing processes, or at least identify a viable change to process.
In circumstances and national security contexts where the impact would be unacceptable or undeterminable, significant and widespread, exclusion of a specific vendor may be warranted. If so, you need to:
- Conduct a cost-benefit analysis of excluding the vendor. The direct cost may be financial and in the millions, but if the system is exposed to high risk, is a nationally critical system and the vulnerabilities are difficult to mitigate, the impact of a realised risk may be much higher.
- In some circumstances pertaining to nationally critical systems, Government guidance may be provided to assist the decision making.
- Ensure compliance with relevant financial legislation and policy. There are vendor exclusion criteria in the security considerations for government procurement policy and arrangements. To support those requirements, this document details a method to determine justifiable national security exclusion, particularly for Government organisations. A sound risk-based decision methodology will avoid unjustifiable vendor exclusion based solely on the fact of foreign ownership.
Step four: Monitor your supply chain and controls
Ensure records of procurement decisions around SCRM are recognised and recorded.
Maintain asset lists. What systems are deployed where? If an issue does arise, how will you identify the systems affected? For example, if specific routers are affected, can you locate all of them in your organisation?
Review critical systems through their lifetime. Additional information may become available at a later date about a vendor or product. Although it may be too late for a specific procurement or even architecture, it will inform a realistic and accurate understanding of impact and likelihood that can be communicated to the system owner and stakeholders.
Ensure that security operations centres (SOCs) or security teams monitoring systems know the critical systems, and have the appropriate capability to monitor those systems for any cyber security incidents.
Raise awareness. Make ownership of your cyber supply chain security a whole of organisation responsibility.
Ensure a well understood incident reporting chain exists. Any cyber security incident that has a significant impact must be reported to senior management, and likely to government. For example, Australian government, critical infrastructure and large businesses dealing with sensitive systems must report any cyber security incidents to the ACSC.
Case study 7: Excellent monitoring detects a targeted cyber security incident
An organisation reported to the ACSC that they had detected brute force attempts against an internet-facing remote access system. The attempts were using non-public, valid user names, indicating this was not standard internet-based brute-forcing.
Due to well-configured logging, monitoring and an understanding of the business, initial investigations demonstrated that some information had already leaked from the internal network. Not long after the initial report, an inauthentic but successful username and password combination was used, confirming that internal network credentials and remote access were compromised. Further investigation revealed a significant APT compromise of the network, but the monitoring and business knowledge meant the incident was self-detected early.
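As an added illustration of the signal in case study 7 (example code written for this page, not ACSC's or any product's tooling), the following Python distinguishes a source that sprays generic usernames from one that already holds valid, non-public account names, and escalates a later successful login from that source. The log format, the account list and the thresholds are constructed assumptions.

```python
"""Detection sketch for the signal in case study 7: failed logins on an
internet-facing remote access gateway whose attempted usernames are valid,
non-public internal account names. Constructed example; the log format
and the account list are assumptions, not any product's real format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for an export of valid internal account names.
VALID_USERS = {"j.smith", "a.nguyen", "svc-backup", "m.okafor", "r.patel"}

# Constructed sample log lines: "<timestamp> <src_ip> <username> <result>".
SAMPLE_LOG = """\
2019-03-04T02:11:03Z 203.0.113.7 admin FAIL
2019-03-04T02:11:05Z 203.0.113.7 root FAIL
2019-03-04T02:11:07Z 203.0.113.7 test FAIL
2019-03-04T02:11:09Z 203.0.113.7 j.smith FAIL
2019-03-04T02:14:11Z 198.51.100.23 j.smith FAIL
2019-03-04T02:14:13Z 198.51.100.23 a.nguyen FAIL
2019-03-04T02:14:15Z 198.51.100.23 m.okafor FAIL
2019-03-04T02:14:17Z 198.51.100.23 svc-backup FAIL
2019-03-04T02:19:40Z 198.51.100.23 r.patel SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text: str) -> List[dict]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append({"ts": ts, "src": src, "user": user, "result": result})
    return events


def classify_sources(events: List[dict], valid_users: set,
                     min_attempts: int = 3, valid_ratio: float = 0.75) -> Dict[str, str]:
    """Group failed logins by source address and rate each source.

    A source whose distinct failed usernames are mostly valid internal
    accounts is 'targeted' (it already knows non-public names); a source
    spraying generic names such as admin/root/test is 'generic'.
    """
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["src"]].add(e["user"])
    verdicts = {}
    for src, users in failed_users.items():
        if len(users) < min_attempts:
            continue  # too few distinct attempts to judge
        ratio = len(users & valid_users) / len(users)
        verdicts[src] = "targeted" if ratio >= valid_ratio else "generic"
    return verdicts


def successes_from_targeted(events: List[dict],
                            verdicts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Successful logins from a source already rated 'targeted': the case
    study's inauthentic but successful login, which should be escalated as
    an incident rather than treated as a normal authentication."""
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "SUCCESS" and verdicts.get(e["src"]) == "targeted"]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    rated = classify_sources(evts, VALID_USERS)
    print(rated)
    print(successes_from_targeted(evts, rated))
```

In the constructed sample the first source is rated generic and the second targeted, and the second source's later successful login is surfaced for escalation.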