What is the cyber risk associated with supply chains

Published 30 August 2024 | Business
Over the last few years, industry-wide cyber-attacks and data breaches have increasingly been associated with the supply chain.

Some critical supply chain attacks include:

  • SolarWinds, March 2020 – Malicious code was inserted into a software update that was pushed automatically to end users
  • Log4j, December 2021 – A critical vulnerability was exploited which allowed malicious code to be executed remotely
  • MOVEit, June 2023 – A vulnerability was exploited in a file transfer service provided by Progress, resulting in data theft
  • Synnovis, June 2024 – A pathology lab was subject to a ransomware attack which led to disruption across the NHS, as well as data being stolen

Threat actors have targeted supply chains for various reasons, including the larger victim base and the potentially easier targets they offer compared to large organisations. Suppliers are often in a privileged position, with pre-approved access to sensitive information that the organisation cannot control to the same degree as its own systems. This lack of control and visibility increases further when fourth parties and beyond are considered.

Problems with supply chain assurance

There are several common challenges organisations come up against when building assurance of their supply chains. 

Supplier Identification

When an organisation has been operating for a long time, or a new organisation has not defined an effective supply chain assurance process, identifying new and existing suppliers can become complicated. There may be conflicting processes across the business, so the first step should be to standardise the process centrally.

Cross-function collaboration

The separation between assurance functions in supply chains can cause issues. For successful Supply Chain Risk Management (SCRM) with evidenced risk reduction, collaboration and connections must be established between Procurement and the due diligence function. This ensures information sharing, as well as accurate supplier inherent and residual risk ratings.

An example of the complications caused by a lack of collaboration is supplier relationship managers having insufficient knowledge to accurately complete initial procurement questionnaires, resulting in the wrong data classification and data type being recorded as in scope of the supplier engagement. For example, during security due diligence it may be identified that personal information is in scope. As this contradicts the information held by procurement, data privacy teams may not be aware of the supplier, and so may not have completed the impact assessments required under GDPR. Sharing information between the functions avoids this.

Accountability

As part of the initial supply chain assurance process definition, and before a supplier is on-boarded, the accountable business owner must be identified and agreed. There may be instances where risk acceptance is the only option to proceed, which can cause delays when the individual expected to make that decision is unaware of their responsibility.

Ineffective contractual clauses

Supplier contractual clauses provide the justification to complete assurance. Without the contractual requirements, suppliers may be unwilling to complete the assessment, may have insufficient security controls compared to the Minimum Security Standard set by an organisation, or may have insufficient incident response reporting times. 

Understanding supply chain assurance

SCRM is the identification and ongoing risk assessment of the suppliers providing services to an organisation. From a cyber security perspective, it helps ensure that suppliers are aligned to the security controls expected by the organisation, covering confidentiality, integrity and availability. This is essential to protect the organisation’s data and also to ensure operational services are resilient to cyber threats. 

How SCRM is completed may vary, but industry best practices have been published in the last few years to provide an overview of how it should be implemented. An example is shown below.

[Figure: flowchart of the cyber risk management process associated with supply chains]

The high-level stages of the process are as follows:

  1. Supplier identification: Ideally through a centralised Procurement process, the business records the requirement to on-board a supplier or additional services from an existing supplier. This also extends to the identification of fourth parties where appropriate.
  2. Initial scoping, supplier classification & triggering due diligence: Details of the supplier are captured, including service overview, location, financial information, data in scope, and service impacts. An inherent risk rating is assigned to a supplier, calculated from a variety of sources, with the outcome triggering the relevant due diligence assessments.
  3. Assurance: The relevant due diligence functions (including but not limited to security, business continuity, cloud security, physical security, data privacy, anti-bribery & corruption, and ESG) complete assurance – generating the supplier’s residual risk rating.
  4. Risk identification: From the assurance process, risks are identified, classified and recorded in a centralised risk register.
  5. Risk management: Ongoing risk management activities occur to close or accept any findings.
  6. Reassessments & monitoring: Obtaining continuous visibility of suppliers by revisiting the assurance process at a pre-defined frequency, or by incorporating a monitoring capability.
  7. Contractual requirements: Once assurance activity is concluded (where being performed prior to supplier on-boarding), supplier contracts can be finalised. This can include the requirement to close risks and communicate incidents impacting the service provided or the organisation’s data, as well as defining Minimum Security Standards and the future right to audit.
  8. Incident response: Defining processes that should be followed in the event of a data breach, an indication of compromise from threat intelligence sources, or reports of a wide-scale critical vulnerability being exploited in the wild. 
  9. Off-boarding: Outlining the processes that should be followed at the end of the contractual term, including scenarios such as a supplier ceasing operation, and covering control of assets, how data is handled and retention periods. As part of this, it may be advisable to create exit plans that are reviewed regularly, particularly for critical suppliers, so that transitions occur smoothly when needed.

The key part of an SCRM process is the actual assurance performed on in-scope suppliers. A range of options can be used here, including:

  • Site visits: Completing an assessment with the supplier at its location to view critical security controls. While there can be benefit to site visits, particularly helping to understand the supplier context, from our experience they are often not necessary or beneficial. 
  • Questionnaires: Sending a questionnaire to suppliers for completion. There may be multiple versions depending on the different supplier types, services and inherent risks assigned. Questionnaires should be reviewed and updated frequently to account for updates to internal policy and industry best practices, evolving threat information and new regulations.
  • Certification / audit reviews: If the supplier holds an applicable certification or has undergone an external audit, this can be reviewed. We have seen this work previously with Cyber Essentials Plus, ISO 27001 certification, and SOC 2 Type 2 external audit reports. It is essential to check that the scope of the certification or audit report covers the service you as an organisation are actually using from the supplier.
  • Evidence-based assessments: Potentially in parallel to a questionnaire-based review, a supplier may provide a number of their internal policies for review or network diagrams to show connections to both the organisation and fourth parties.
  • Continuous monitoring: Obtaining continuous visibility of a supplier's security can provide deeper insight and is a growing requirement for mature supplier security assurance. This can include visibility of the security of external-facing infrastructure, the supplier's reputation, whether data associated with the company is being sold on the dark web, and whether the supplier has suffered any data breaches.

Ultimately, the purpose of performing the supplier assurance process is to identify applicable risks to you as an organisation. Findings identified during the supplier assurance process should be compared to the understanding of the service and business context. This will provide an accurate view of risk to the organisation, with risks raised as per a process aligned to wider organisational risk management, and the relevant stakeholders made aware.

The risk management of a supplier should be continuous throughout its lifecycle, as security controls are updated, requirements and services change, and the threat landscape alters. Reassessments are a key input to this. Organisations have a responsibility to maintain visibility of vendor security beyond standard point-in-time assessments, using a data-driven, risk-based approach.

This ensures that higher-risk vendors are assessed more frequently through formal reassessments, while resources are kept in reserve for ad-hoc activities such as incident response. It still allows impromptu reassessments to be triggered by factors such as a change of service, increased scope, a supplier incident, threat intelligence information or a change to the supplier's legal entity.
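The process stages above (inherent rating triggering due diligence, findings feeding a residual rating, and a reassessment cadence driven by that rating) can be made concrete with a small scoring model. The following is an added example, not BAE Systems' or any standard's model: the factor weights, tier thresholds, due-diligence mappings, reassessment intervals and the two sample suppliers are all constructed assumptions, chosen only to show how the pieces of the process connect.

```python
"""Toy supplier risk tiering and reassessment scheduling (added example).

All weights, thresholds and suppliers below are hypothetical assumptions,
constructed to illustrate the SCRM stages; they are not a published standard.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical exposure scores for data classification and service impact.
DATA_SCORES = {"public": 0, "internal": 1, "confidential": 3, "personal": 4}
IMPACT_SCORES = {"low": 0, "medium": 2, "high": 4}

# Hypothetical weights for findings that remain open after assurance.
FINDING_WEIGHT = {"critical": 4, "high": 2, "medium": 1, "low": 0}

# Which due-diligence functions an inherent tier triggers (assumption).
DUE_DILIGENCE = {
    "low": {"security questionnaire (short form)"},
    "medium": {"security questionnaire", "business continuity"},
    "high": {"security questionnaire", "business continuity", "data privacy"},
    "critical": {"security questionnaire", "business continuity", "data privacy",
                 "cloud security", "physical security"},
}

# Formal reassessment interval per residual tier, in months (assumption).
REASSESS_MONTHS = {"critical": 6, "high": 12, "medium": 24, "low": 36}


@dataclass
class Supplier:
    name: str
    data_in_scope: list[str]        # data classifications the supplier handles
    service_impact: str             # "low" | "medium" | "high"
    fourth_parties: int             # known sub-processors behind this supplier
    last_assessed: date             # date of the last completed assurance cycle
    open_findings: dict[str, int] = field(default_factory=dict)  # severity -> count


def inherent_score(s: Supplier) -> int:
    """Stage 2: exposure before any controls are reviewed (data, impact, fourth parties)."""
    data = max((DATA_SCORES[d] for d in s.data_in_scope), default=0)
    # Cap the fourth-party contribution so a long sub-processor list does not dominate.
    return data + IMPACT_SCORES[s.service_impact] + min(s.fourth_parties, 3)


def tier(score: int) -> str:
    """Map a numeric score onto the four tiers used throughout the process."""
    if score >= 8:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def triggered_assessments(s: Supplier) -> set[str]:
    """Stage 2: the inherent tier decides which due-diligence functions engage."""
    return DUE_DILIGENCE[tier(inherent_score(s))]


def residual_score(s: Supplier) -> int:
    """Stages 3-4: residual risk is inherent exposure plus unresolved findings."""
    findings = sum(FINDING_WEIGHT[sev] * n for sev, n in s.open_findings.items())
    return inherent_score(s) + findings


def next_reassessment(s: Supplier) -> date:
    """Stage 6: higher residual tiers are formally reassessed more often."""
    months = REASSESS_MONTHS[tier(residual_score(s))]
    return s.last_assessed + timedelta(days=30 * months)


def overdue(s: Supplier, today: str) -> bool:
    """True when the formal reassessment date has passed (today as ISO 'YYYY-MM-DD')."""
    return date.fromisoformat(today) > next_reassessment(s)


def review_queue(suppliers: list[Supplier], today: str) -> list[str]:
    """Suppliers needing a reassessment now, highest residual risk first."""
    due = [s for s in suppliers if overdue(s, today)]
    return [s.name for s in sorted(due, key=residual_score, reverse=True)]


# Constructed sample suppliers (not real organisations).
SAMPLE = [
    Supplier("PathLab Ltd", ["personal", "confidential"], "high", 2,
             date(2024, 1, 15), {"high": 1}),
    Supplier("Print Shop", ["internal"], "low", 0, date(2023, 6, 1)),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.name}: inherent {inherent_score(s)} ({tier(inherent_score(s))}), "
              f"residual {residual_score(s)} ({tier(residual_score(s))}), "
              f"next reassessment {next_reassessment(s)}")
    print("review queue on 2024-08-30:", review_queue(SAMPLE, "2024-08-30"))
```

The point of keeping inherent and residual scores separate is the one the text makes: the inherent rating is known at procurement time and only decides who needs to look, while the residual rating exists only after assurance and is what should drive both the risk register and the reassessment cadence. The ad-hoc triggers (change of service, supplier incident, threat intelligence) would simply reset `last_assessed` or force a supplier into the queue outside the fixed interval.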

Incident Response

In parallel to ongoing assurance activity, consideration must be given to incident response. Supplier incidents can take different forms: for example, a supplier may become unavailable and unable to provide its services, or a supplier that stores organisational data within its own environment may be compromised. Establishing incident management procedures is an essential part of supply chain assurance. Ideally, these should be fully aligned to existing incident response processes, with tailored playbooks and simulation testing in place.

How can we help?

At BAE Systems, our Security Consultants are experienced in supporting organisations with the various concepts within supply chain assurance. From initial process definition, identification of suppliers, completion of due diligence and implementing supplier assurance tooling, to incident response processes and training requirements, we can embed our specialists within your teams to mature your approach to this increased threat. 

Nikki Prince, Security Consultant