New IT initiatives, an increase in IT suppliers, and the consolidation of IT and operational technology (OT) make cyber supply chain security increasingly cumbersome.

As the old cybersecurity adage states, ‘the cybersecurity chain is only as strong as its weakest link.’ Smart CISOs also understand that the proverbial weak link may actually be out of their control. U.S. retailer Target certainly experienced this lack of cybersecurity control in 2013. The now infamous Target data breach that exposed the personal information of 110 million people began with a spear phishing attack on one of the company’s HVAC contractors, Fazio Mechanical of Sharpsburg, PA. Cyber-criminals compromised a Fazio Mechanical system, gained credentialed access to Target, and proceeded to wreak havoc on Target’s data, customers, and reputation.

The lesson here is that cybersecurity takes a village. CISOs must have oversight and security controls across anything that touches their IT assets, including IT vendors, cloud service providers, connected partners and suppliers, etc. This process actually has a name, cyber supply chain security, which ESG defines as:

“The entire set of key actors involved with/using cyber infrastructure: system end-users, policy makers, acquisition specialists, system integrators, network providers, and software and hardware suppliers. The organizational and process-level interactions between these constituencies are used to plan, build, manage, maintain, and defend the cyber infrastructure.”

In 2010, ESG published its seminal research report on this topic, Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure (note: I am an ESG employee). The report exposed an alarming situation, with electric utility companies, energy companies, financial services firms, and health care organizations reporting that they were under constant cyber-attack while lacking proper oversight and controls to mitigate these risks.

Have things improved over the last five years? To answer this question, ESG reexamined the topic and just published a new research report titled Cyber Supply Chain Security Revisited. In actuality, some things have improved while others are getting worse. For example, 60% of cybersecurity professionals working at U.S. critical infrastructure organizations believe that cyber supply chain security is more difficult today than it was just 2 years ago. Why? Among cybersecurity professionals working at U.S. critical infrastructure organizations:

44% believe that cyber supply chain security is more difficult because their organizations have implemented new IT initiatives that increased the overall attack surface.
39% believe it is more difficult because their organizations have more IT suppliers than they did 2 years ago.
36% believe it is more difficult because their organizations have consolidated IT and operational technology security, increasing the complexity of the cyber supply chain.
34% believe it is more difficult because their organizations have increased the number of third-parties with access to their internal IT assets.
34% believe it is more difficult because their organizations have sourced IT products from other countries, and these changes may be increasing cyber supply chain risk.

Overall, cyber supply chain security continues to be a dicey problem that flies just under the radar at many organizations, including those providing critical services to U.S. citizens. Furthermore, ESG research indicates that it’s getting more and more difficult to keep up, putting us all at risk.

I’ll be blogging about other things we learned about cyber supply chain security over the next weeks and months. Since the report focuses on the important topic of cyber-risks to U.S. critical infrastructure, ESG has made the report available for free here. Your feedback is encouraged and welcomed.