18.03.2024 | Bruno Blumenthal
Against the Procured Security Incident - Supply Chain Risk Management
Suppliers and service providers have a significant impact on a company’s security. No organisation operates in isolation. High-profile incidents such as SolarWinds (2020) or Xplain (2023) show how significant the impact of security incidents at suppliers can be. Supply Chain Risk Management (SCRM) or Third Party Risk Management (TPRM) is therefore increasingly in the focus of regulators (FINMA, BAV, etc.) and standardisation bodies (ISO/IEC, NIST, BSI, etc.). It is therefore high time to address the question of how to ensure security in your own supply chain. Over the past few years we have supported our customers in several projects in this area. Each company has a different starting point and different challenges, but a few general principles have proven to be useful.
What risks are lurking in the supply chain?
There are different risk scenarios that need to be considered. If a service provider processes data, it can be stolen. If the supplier provides software, it can be tampered with. If the supplier is hit by a cyber attack, such as ransomware, it may not be able to deliver its products or IT services. If the product, software or IT service does not have the necessary security features, its integration into the security architecture is impaired. Cybersecurity supply chain risk management must address all of these risks.
What can be done?
It sounds like a big challenge, and it is. So where do you start? Firstly, it is important to know your own suppliers and service providers. After all, you can only manage what you know. Good supply chain risk management therefore starts with an inventory of suppliers as the first step towards a comprehensive supplier management. Supply chain risk management cannot be driven by the security organisation alone. It needs the cooperation of legal, finance and procurement. Without robust, centralised procurement processes, it is difficult, but not impossible, to ensure that cyber risks in supplier relationships are adequately identified and addressed. Cyber risks do not necessarily depend on the size of the contract. Critical software can cost little or nothing and still pose a significant cyber risk. A methodology is needed to identify critical suppliers regardless of the size of the contract. Each procurement project is then assessed in this way. Factors in the assessment may include the nature of the item being procured, the importance of the solution to business processes, or the type of data being processed. An outsourced IT service that processes customer data is more critical than a desktop application that has no connection to the outside world. Once I have identified my critical suppliers, I need to communicate my expectations of them. It is not enough to assume that the supplier will take adequate care of the security of its products and services. Security must therefore be explicitly and specifically requested in tenders and contracts. The following are examples of issues that should be contractually addressed:
- The supplier has an appropriate cyber risk management system.
- The supplier’s employees receive regular cybersecurity awareness and training.
- Cybersecurity is an integral part of the suppliers development and maintenance processes.
- The supplier has processes for reporting and remediating vulnerabilities.
- The supplier shall have processes in place for reporting and remediating vulnerabilities.
- The supplier is obliged to pass on the requirements to his suppliers if necessary.
- The supplier provides a means to verify compliance with contractual obligations.
How do I check my suppliers?
The last point brings us to the next issue. How can you be sure that the supplier is fulfilling his obligations? In the past, suppliers were often sent a self-assessment questionnaire. While such self-assessments are better than nothing, they have limited value. Certification of the supplier, e.g. to ISO/IEC 27001, is an indication that the supplier provides a certain level of security. However, such certification alone should not be relied upon. The most effective approach is to carry out your own audits, contractually agreed with a right to audit. However, these are expensive, both for your company and for the supplier. In practice, therefore, they can only be carried out selectively and should be reserved for particularly important suppliers or where there are clear grounds for suspicion. In recent years, assurance reports have become an important tool for supplier verification. These are usually prepared in accordance with the ISAE 3402 or ISAE 3000 standards. IT service providers in particular have such reports drawn up. In such a report, an independent auditing company confirms that the provider has effectively implemented defined security controls. It is important to understand that the audited controls are defined by the provider itself. The ISAE standards only define the process of the audit, not the content of the audit. Therefore, in order to use such a report as evidence in my supply chain risk management, one must first analyse the scope of the controls audited and ensure that they meet the requirements. Of course, it is not enough to include the right to audit in contracts or to require the delivery of assurance reports. Audits need to be planned and carried out. Assurance reports need to be requested and reviewed. This requires appropriate internal processes or ICS controls.
One of the challenges we see with our clients is that suppliers are overwhelmed by the requirements. It is always surprising to see how many companies struggle to meet even basic security requirements. It is worth taking a closer look and considering cybersecurity as a criterion when selecting suppliers. The situation is often even more difficult for OT solutions in industrial environments. There is often no alternative that meets the functional requirements and provides the desired cybersecurity. Unfortunately, awareness of cybersecurity is often still very low, especially in the OT world. Nevertheless, it is advisable to show suppliers what is expected of them. This is the only way to change the market for the better. As long as customers do not demand cybersecurity and are not prepared to pay for it, suppliers will not move.
How do you deal with suppliers who are not ready, and not purchasing products or solutions is not an option? In this case, it is worth investigating exactly where the shortcomings in the product or in the supplier’s security lie, so that these can be addressed with compensatory measures and cyber risks can be reduced. This requires an understanding of these vulnerabilities and the associated risks. Cybersecurity supply chain risk management can provide just that.
What if something happens anyway?
Even with the most careful supplier selection, an incident at a supplier’s premises cannot be ruled out. It is therefore important to be prepared to deal with an incident. The supply chain must be part of the incident response process. The necessary groundwork must be laid when selecting suppliers and in contracts. Incident response plans must also be tested regularly, at least with key suppliers and vendors.
Conclusion
We have learnt that you need to know your suppliers, communicate and agree on expectations and monitor compliance. Finally, you need to anticipate and prepare for a potential security incident in your supply chain. Ultimately, supply chain cybersecurity is a shared responsibility that you must address in partnership with your suppliers. After all, you must recognise that all companies are part of a complex and interconnected system in which you are both customer and supplier.
Cybersecurity Risk Management Compliance
