
Supply Chain Vulnerability


The massive exploit of SolarWinds last year is a prime example of what is called a “supply chain” vulnerability. The vast majority of those impacted by the Russian SolarWinds attack probably had never even heard of the company SolarWinds and did not realize that they were dependent upon that company for critical infrastructure. Indeed, modern supply chains, manufacturing, technology, and Internet and telecommunications networks are dependent upon complex webs of supply chains—or, more accurately, supply webs—which are vulnerable to disruption and attack.

For commercial entities, supply chain security can be the difference between being able to deliver products and services effectively or going out of business. Yet it is incredibly complex and difficult even to identify what your supply chain is and which dependencies it contains. There are some things you can do today to gain greater visibility into your supply chain and better ensure its security and resilience.

Know Your Risks

For any company, then, the first step in “supply chain” security is to attempt to identify the critical supply chain and the risks and impacts associated with supply chain failures. Failures can include disruption (e.g., your essential product is on a ship blocked in the Suez Canal), contamination, or a general lack of protection.

Typically, we look at CIA: risks to confidentiality, risks to integrity, and risks to availability. So, look at what your business is and what it is dependent upon. Identify the key players in your environment—vendors, suppliers, communications, Internet, transportation, etc. Include those with access to your computers and networks, cloud providers, service providers, and others. Essentially, what you need to stay in business. Upon whom are you dependent?

Get it in Writing

In the short term, the most effective way to mitigate supply chain security risk is to:

  1. identify your supply chain of products and services;
  2. identify the risks associated with those vendors or suppliers on that supply chain;
  3. obligate those in the supply chain to take reasonable steps to both mitigate their risks and possibly identify and mitigate the risks associated with their supply chains.

In contracts, purchase orders, statements of work or other legal arrangements with critical providers, you need to identify what you want them to do from a supply chain, security, availability and confidentiality standpoint; what standards you want them to adopt; how you want them to certify or audit compliance; and what consequences will ensue if they fail to comply. This will likely also mean that your vendors and suppliers will seek to impose the same standards on you—and you need to be prepared to meet these challenges.

Example Questions

Searching for a “vendor risk assessment template” will yield results that may be useful to your organization. However, realize these are just templates and your organization has a unique relationship with vendors, partners, and technology solutions. Some questions you may ask a prospective Service Provider:

  • How frequently are your employees trained on your IT security policies, and how are the policies enforced? Are employees reprimanded/terminated for failure to comply?
  • Approximately what percentage of ‘Service Provider’ machines are running deprecated/unsupported operating systems?
  • Is Endpoint Detection and Response (EDR/MDR) installed on all desktops, laptops, and servers?
  • Are all external network gateways (including the cloud) protected by a business-grade firewall and intrusion prevention system?
  • Describe your vulnerability management procedures; include the last assessment date and remediation process.
  • Is MFA mandatory for all employees to access all internal services such as email, systems holding customer data, etc.?

Using these types of questions can help your organization compare two similar partners/vendors by analyzing their attention to security and not simply choosing the lowest cost option.

Concluding Words

With great power comes great responsibility. Supply chain security is monumentally difficult. For the short term, companies need to identify critical dependencies in their supply chain and prepare for the resiliency of those supply chains upon which they depend. This will take time, energy, and resources—as well as careful negotiation and drafting. In the end, however, it may be the difference between having or losing a company.

If you have any questions, please feel free to contact us at: (201) 720-3775

About Us:

  • 150+ 5-Star Google Rated IT Firm
  • Microsoft Silver Certified Partner
  • SOC II Certified Managed Service Provider
  • Better Business Bureau A+ Rated