Editor's Choice


Cybersecurity for operational technology: Part 3: Third-party supplier risks to OT Systems

October 2021 Editor's Choice

According to a recent World Economic Report, the Covid-19 pandemic has increased our reliance on the global supply chain, while the Internet has accelerated the digitisation of business processes(1). To remain competitive, manufacturing companies are increasing their reliance on suppliers to help adopt 4IR innovations such as Artificial Intelligence, Machine learning, IoT and Big Data. This has exponentially increased risks from a cybersecurity perspective. As supply chains have become integrated, interconnected and increasingly complex, supply chain cyber-attacks are on the increase as they are very effective. Suppliers are most likely the second or third biggest risk in terms of cybersecurity.

The SolarWinds hack

A supply chain attack targets third-party suppliers who already have access to their customer’s systems. This is easier than trying to hack customer’s systems directly. This is effective as it hides the malware inside trusted software which is then distributed to thousands of customers. A recent example is the SolarWinds hack – one of the largest ever recorded cyber-attacks(2). SolarWinds provides tools for thousands of organisations to monitor their IT networks and infrastructure systems. Early in 2020, hackers used an inadvertently sent out software update to customers that included the hacked code(3). The exploit created a backdoor through which hackers could gain access to customer’s IT systems. Hackers could then access system files, exfiltrate or alter data and impersonate user accounts. The backdoor could also be used to install more malware, allowing them to escalate and maintain their hold on IT systems. The malware went undetected for months. This affected up to 18 000 customers, including critical agencies in the US government. More than 80% of the targets were Fortune 500 companies, i.e. Microsoft, Cisco, Intel and Deloitte.

This was a complex attack and required material resources. Nation-state hackers are believed to have been responsible, i.e. Russia’s Foreign Intelligence Service, known as the SVR. The real danger to enterprises is that once this approach has been used, it is out in ‘the wild’ and can be re-used or modified by other groups with far fewer resources.

Supply chain attacks are only one of the cyber risks from third-party suppliers. Here are a few more to take note of:

• New vendors and technologies are emerging all the time. IoT devices are a major concern as the focus is mass-producing low-cost connected devices, not protecting customers from cybersecurity threats.

• Support staff accessing your systems on-site or remotely with insecure connections or devices. This can introduce malware or open your systems to new vulnerabilities.

• Insecure software development can result in software being installed that can be easily exploited. This is especially risky with Internet-facing systems.

• Improperly trained support staff who neglect to apply basic security configurations.

• Insecure configurations of cloud and or software as a service are also common.

Assessing the risks

Regular risk assessments need to be conducted on third-party providers to address all the potential risks that they can introduce to your organisation. This will identify, assess, measure and monitor any risks associated with the relationship. The next step is to implement mitigating controls to address the risks. Third-party providers need to be effectively managed throughout the whole ‘Vendor Lifecycle’ from selection and on-boarding to off-boarding. Suppliers need to be challenged about their approach to cybersecurity and what security certifications and frameworks they have adopted. If they develop software or are a cloud or SaaS provider, they should have mature, secure development processes and apply cloud security principles(4).

Secure development applies fundamental, sound and secure software development practices based on established best-practice documents from organisations such as BSA, OWASP and SAFECode(5). If they do not have anything in place, they should commit to a prioritised roadmap to improve their cybersecurity posture. Procurement and IT should build a cyber-reputation scorecard and avoid suppliers with a poor record. This will require effective and regular threat intelligence. Threat intelligence is information that helps organisations understand, identify, prevent and respond to security threats(6). Supplier contracts should be updated to address cybersecurity and introduce penalties should breaches be resulting from any negligence.

Targeted cybersecurity training should be conducted for OT and procurement staff. Adopting a best-practice cybersecurity framework is important. This provides an holistic view of what is needed and will help establish your organisations’ current level of maturity and provide a roadmap for improvement going forward. This will be covered in detail in the next article.

References

(1)WEF, 2021 Advancing Supply Chain Security in Oil and Gas: An Industry Analysis http://www3.weforum.org/docs/WEF_Advancing_Supply_Chain_Security_in_Oil_and_Gas_2021.pdf

(2)Business Insider, 2021 - The US is readying sanctions against Russia over the SolarWinds cyber attack. Here’s a simple explanation of how the massive hack happened and why it’s such a big deal, https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?IR=T

(3)Chatham House, 2021 - The SolarWinds hack: A valuable lesson for cybersecurity,

https://www.chathamhouse.org/2021/02/solarwinds-hack-valuable-lesson-cybersecurity?gclid=EAIaIQobChMIhOT948Lp8gIVGqd3Ch0fTw0_EAAYBCAAEgJjZvD_BwE

(4)Cloud Security Alliance, https://cloudsecurityalliance.org/

(5)Nist, 2021 - Secure Software Development Framework, https://csrc.nist.gov/projects/ssdf

(6)ZeroFOX, 2021 - What is External Threat Intelligence, https://www.zerofox.com/blog/what-is-external-threat-intelligence/


About Bryan Baxter


Bryan Baxter.

Bryan Baxter has been in the IT Industry since 1992 in various roles before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, [email protected], www.wolfpackrisk.com


Credit(s)



Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Yokogawa digital plant to accelerate green hydrogen revolution
Yokogawa South Africa Editor's Choice Electrical Power & Protection IT in Manufacturing
Yokogawa explains how a digital plant approach and autonomous operations can integrate the full green hydrogen value chain, from renewable power generation to end-use applications, and why digitalisation and system integration are central to making green hydrogen viable in South Africa.

Read more...
Next-generation autonomous mobile robots from Omron Robotics
Omron Electronics Editor's Choice
The new LD-150 and LD-300 autonomous mobile robots from Omron Robotics offer higher payload capacity and advanced navigation in a compact footprint, with wireless inductive charging and fleet management integration to support high-throughput material transport in demanding production environments.

Read more...
ElectroMechanica reintroduces TechTop to Southern Africa
ElectroMechanica Editor's Choice
ElectroMechanica has officially restored a vital pillar of the southern African motor market, announcing its appointment as the exclusive SADC-wide agent for TechTop.

Read more...
DriveRadar and AI provide smarter maintenance in tough mining conditions
SEW-EURODRIVE Editor's Choice
SEW-EURODRIVE’s DriveRadar system has already embedded AI into predictive maintenance for African mining operations. Jonathan McKey explains how the system monitors external conditions, interprets data and tells operators exactly how much longer a drive can run safely before intervention becomes necessary.

Read more...
Engineering simplicity: shaping the future of valve automation
Festo South Africa Editor's Choice Valves, Actuators & Pump Control
Festo’s VTOP pneumatic assembly offers a streamlined approach to managing pneumatic and electrical interfaces at the valve assembly.

Read more...
XTS for highly efficient end-of-line packaging of beverage bottles
Beckhoff Automation Editor's Choice
Italian machine builder Clevertech used Beckhoff’s XTS linear transport system to help a Dutch distillery double its bottle packaging throughput to 225 bottles per minute while cutting format changeover times from 30 minutes to just seven.

Read more...
Control systems, remote monitoring and human skills in the food sector
Editor's Choice Industrial Wireless
The convergence of specialist skills and advanced technology is becoming critical, a trend underscored by two recent projects completed by Associated Energy Services in the food manufacturing sector.

Read more...
Motion control for flight simulators
Beckhoff Automation Editor's Choice Motion Control & Drives
Turkish specialist, SANLAB is a leader in motion platforms and simulation technologies. At the heart of these platforms are application-specific servo drives, servomotors and industrial PCs for real-time control, which are supplied by Beckhoff.

Read more...
Conductivity sensing as a cornerstone of South Africa’s water smart industry
ifm - South Africa Editor's Choice Sensors & Transducers
South Africa’s engineers operate at the intersection of resource constraint and industrial ambition. Few parameters illustrate this balancing act as clearly as water quality. Whether in municipal treatment works, food and beverage plants or mining operations, the ability to measure water quality accurately and continuously has become non-negotiable.

Read more...
Jendamark catalyst shrinking technology leverages SEW-EURODRIVE precision
SEW-EURODRIVE Editor's Choice Motion Control & Drives
[Sponsored] Innovative technology for shrinking catalytic converters, designed and built in South Africa by Jendamark Automation for the global market, relies on the precision of SEW-EURODRIVE’s highly dynamic servo-geared units and software.

Read more...









While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd | All Rights Reserved