The phrase “a chain is only as strong as its weakest link” has become a truism for a reason.
Whether we’re talking about steel rings or companies, each link in a chain is a potential weak spot that can be exploited to the detriment of the whole. The validity of this truth has come into stark focus as high-profile disruptions such as 2021’s Suez Canal blockage rocked industries across the globe, and cyberattacks on operational technology (OT) environments have brought critical infrastructure to a standstill.
While companies may be hard-pressed to anticipate a disruption like the one in the Suez Canal, cyberattacks are a different story. The number of attacks on global supply chains is skyrocketing. In 2021 alone, businesses fell victim to 50% more cyberattacks than the previous year, and many of those attacks exploited the Log4j vulnerability. That single issue left hundreds of thousands of customers and companies exposed to breaches by bad actors looking to exploit the weak link.
The Log4j vulnerability and others like it demonstrate the risks of working with suppliers with poor cyber hygiene practices. With this potential for exposure in mind, it’s time for all supply chain entities, from original equipment manufacturers (OEMs) to developers and those at the point of installation, to invest time and effort into reducing the risk passed from one company to the next.
Double Trouble
There are two types of cyberattacks to watch out for: those on the supply chain and those through it. Attacks on the chain target a single company that provides a critical link, disrupting it directly and causing a ripple effect as both its suppliers and its outgoing deliveries are delayed. Attacks through the supply chain occur when a component is compromised by a cyberattack and then passed down the chain to other companies, which fail to identify the threat when installing the component. Because of these two threat types, organizations must both protect themselves from threats coming down the supply chain and ensure they are not the weak link in the chain themselves.
When building components or integrating other companies’ products into their own, companies should consider the safety and security of each aspect of the design. They can begin by evaluating any third-party components or software they may be integrating into their own build. That means investigating, testing and verifying that any equipment a company receives works as intended, and does so without anomalies. Before integrating any third-party components, companies should:
- Perform acceptance testing. When first receiving equipment, companies often just incorporate the component and move along to the next step. While they use this opportunity to make sure the equipment turns on and functions, they should also use it to vet for cybersecurity issues by investigating the core components and putting the device through its paces. When a company fails to do this, it is essentially accepting the risk of the entire supply chain before it without any insight into possible complications.
- Authenticate the specs. Teams should work alongside OEMs to understand the equipment’s key metrics and functions. Doing so can help illustrate the component’s functions, the specifics of the product, and its unique operating procedures. Establishing a baseline for the equipment’s behavior provides metrics for evaluating performance and possible anomalies in the future.
- Monitor for anomalies. Once the baseline is set, companies have the opportunity to look for deviations from the standard. This information can help teams in OT environments determine the source of an anomaly should one occur.
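The three steps above form one procedure: record what the device does during acceptance testing, turn those recordings into a baseline, and compare later observations against it. The following Python is an added example of that workflow and is not code from the article or from ABS Group; the device name, firmware hashes, ports, addresses and CPU figures are constructed sample values, and the observable attributes chosen (firmware digest, listening ports, outbound peers, CPU load) are an assumption about what an acceptance team would capture.

```python
"""Baseline-and-deviation check for a newly received OT device.

Added example (not from the article or ABS Group): during acceptance
testing we record what the device does on the bench; later, observations
from the live network are compared against that record. All device names,
hashes, ports and addresses below are constructed sample values.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One snapshot of a device's observable behaviour."""
    firmware_sha256: str
    listening_ports: frozenset
    outbound_peers: frozenset   # (ip, port) tuples the device connects to
    cpu_percent: float


@dataclass
class Baseline:
    """What the device is allowed to look like, derived from the bench runs."""
    firmware_sha256: str
    listening_ports: frozenset
    outbound_peers: frozenset
    cpu_low: float
    cpu_high: float


def firmware_digest(image: bytes) -> str:
    """SHA-256 of a firmware image, used to detect an altered image later."""
    return hashlib.sha256(image).hexdigest()


def build_baseline(acceptance_runs: list[Observation]) -> Baseline:
    """Fold several bench observations into one baseline.

    Ports and peers are the union seen across runs; CPU is the envelope.
    All runs must agree on the firmware digest, otherwise the bench results
    are inconsistent and the device should not be accepted yet.
    """
    digests = {o.firmware_sha256 for o in acceptance_runs}
    if len(digests) != 1:
        raise ValueError(f"acceptance runs disagree on firmware: {digests}")
    ports = frozenset().union(*(o.listening_ports for o in acceptance_runs))
    peers = frozenset().union(*(o.outbound_peers for o in acceptance_runs))
    cpus = [o.cpu_percent for o in acceptance_runs]
    return Baseline(digests.pop(), ports, peers, min(cpus), max(cpus))


def find_deviations(baseline: Baseline, observed: Observation,
                    cpu_margin: float = 10.0) -> list[str]:
    """Return human-readable deviations from the baseline (empty == conforming)."""
    findings = []
    if observed.firmware_sha256 != baseline.firmware_sha256:
        findings.append(f"firmware digest changed: {observed.firmware_sha256[:12]}...")
    for port in sorted(observed.listening_ports - baseline.listening_ports):
        findings.append(f"new listening port {port}")
    for ip, port in sorted(observed.outbound_peers - baseline.outbound_peers):
        findings.append(f"new outbound connection to {ip}:{port}")
    low, high = baseline.cpu_low - cpu_margin, baseline.cpu_high + cpu_margin
    if not (low <= observed.cpu_percent <= high):
        findings.append(f"cpu {observed.cpu_percent}% outside baseline envelope")
    return findings


# Constructed acceptance-test captures for a hypothetical "PLC-7" controller.
GOOD_FIRMWARE = firmware_digest(b"constructed firmware image v1.4.2")
ACCEPTANCE_RUNS = [
    Observation(GOOD_FIRMWARE, frozenset({502, 44818}),
                frozenset({("10.0.5.10", 502)}), 12.0),
    Observation(GOOD_FIRMWARE, frozenset({502, 44818}),
                frozenset({("10.0.5.10", 502), ("10.0.5.20", 123)}), 18.5),
]
BASELINE = build_baseline(ACCEPTANCE_RUNS)

# Later, a field observation that still matches the bench behaviour...
FIELD_OK = Observation(GOOD_FIRMWARE, frozenset({502, 44818}),
                       frozenset({("10.0.5.10", 502)}), 15.0)
# ...and one that does not: an unexpected service, an unexpected peer,
# an altered firmware image and a CPU load well outside the envelope.
FIELD_SUSPECT = Observation(
    firmware_digest(b"constructed firmware image, modified"),
    frozenset({502, 44818, 23}),
    frozenset({("10.0.5.10", 502), ("203.0.113.7", 8443)}),
    61.0,
)

if __name__ == "__main__":
    for name, obs in (("field-ok", FIELD_OK), ("field-suspect", FIELD_SUSPECT)):
        print(name, find_deviations(BASELINE, obs) or "conforms to baseline")
```

The point of folding several bench runs into one baseline is that a single capture rarely shows every legitimate behaviour (the second run above also sees an NTP peer), while the firmware digest is deliberately required to be identical across runs. The CPU margin is a tolerance the team sets from the bench data; the other checks are exact set differences, so any new service or peer surfaces immediately with the detail an OT team needs to start tracing its source.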
Testing complete components received or used in equipment is helpful. Still, it doesn’t account for all inadequate testing practices and procedures that might have occurred earlier in the chain. It’s up to each entity to investigate and verify the security practices of all of the companies that came before it.
Upstream Accountability
Production flows down the supply chain, yet risk management needs to move the other way. When a company accepts a component, it inherits the risk of every supplier before it, and insight into each link in the supply chain helps to mitigate that risk. When making purchases and partnering with suppliers, it's in the best interest of each contractor to work with organizations whose security practices it can vet and verify. The most effective way to do that is by building a supply chain that is secure and accountable from the start. Critical infrastructure providers and contractors should design the bidding and proposal process to reward proper cyber hygiene from its earliest stage. After all, a supplier's sales team might not know the origins of every piece of equipment it uses, but it will find out in a hurry if that is required to win a contract.
Asking all bidding suppliers to outline the origins of their components and subcomponents as a condition of the request for proposal (RFP) process will set the stage for better defense down the line. Insight into the origins of equipment gives organizations the chance to turn down bids that carry a higher risk of being compromised. This process may start with individual companies defining rating systems within their RFPs that weight scores in favor of better cyber hygiene, but ideally the industry should come together to do this on a wider scale. Either version could go a long way toward creating a market that rewards good practices, encouraging suppliers to go beyond basic compliance and proactively adopt security practices that better protect their assets and put them ahead of competitors when bidding.
The current reality is that 100% of risk won’t be visible in the RFP process, and it’s up to the organization to manage that risk in a way that works pragmatically with operations.
Of course, it’s equally crucial that organizations take measures to better ensure they’re good upstream suppliers for others. To be secure by design, companies should take a clean-build approach that mitigates the risk of introducing errors and vulnerabilities during assembly. Information and details about the project should be kept secure, components should be installed correctly to help ensure that any security measures in place continue to work, and teams should continuously monitor equipment for any issues that might arise so they can respond in real time.
On the Front Lines
OT environments are the front lines of the cyberwar being waged in the background of the critical infrastructure sector. While the public may associate attacks on water treatment plants or power grids with supervillains or sci-fi movies, those in the industry understand that such attacks are far from fictional. The battle for our public infrastructure has already begun. The threat to the companies that offer critical services to the public is real, as threat actors set their sights on huge ransom payouts from companies looking to protect lives and the environment.
While notable events like the Colonial Pipeline attack of 2021 raised the alarm, many companies are still falling short when adopting practices to protect their company assets and the public from cyberattacks coming through the supply chain. The best way to achieve that goal is to encourage industrial operators to change their approach to cyber hygiene, and shift their relationships with manufacturers and vendors to promote sound cybersecurity practices for decades to come.
Ian Bramson is global head of industrial cybersecurity at ABS Group.