Can a tool reduce cyber risk across the OT supply chain?
October 30, 2020 | Robert Bergman
The National Counterintelligence and Security Center (NCSC) has issued new guidance for supply chain risk management, acknowledging risks throughout the lifecycle of supply chains and making recommendations on ways to reduce these risks.
“The increasing reliance on foreign-owned or controlled hardware, software, or services as well as the proliferation of networking technologies, including those associated with the Internet of Things, creates vulnerabilities in our nation’s supply chains,” the guidance warns.
The report defines a supply chain broadly, as a network of people, processes, technology, information, and resources that delivers a product or service.
“Exploitation of our supply chains by foreign adversaries, especially when executed in concert with cyber intrusions and insider threat activities, represents a direct and growing threat to strategically important U.S. economic sectors and critical infrastructure,” said NCSC director William Evanina.
The guidance calls for tools and capabilities that are optimized for specific supply chains, including the development of tools and technologies that provide automatic updates to threat information and risk mitigations, enable rapid detection and automatic response to threats, and incorporate artificial intelligence and machine learning to increase agility. That is a tall order for sure.
Supply chains are dynamic, changing animals, and monitoring them takes effort and diligence, as ARC Research analyst Sid Snitkin lays out in a recent report on a new supply chain cyber security threat mitigation tool.
“There are databases for malware and vulnerabilities and many suppliers offer extensive product knowledge bases. But no factory technician is going to spend days searching the internet before upgrading a PLC, especially when they have other, more pressing, responsibilities. Even if they did, searches may not reveal vulnerabilities in embedded modules or banned software unless the supplier has explicitly released its own product alert. Technicians may also lack the cybersecurity expertise to reconcile search results from inconsistent information sources.
“…the highest risk of surreptitious malware injection occurs through the many patch and update files that will be installed during a product’s lifetime. Many technicians lack the time and resources to fully verify the morass of patch and update files they receive from vendors and third-party software suppliers. Technicians can also be tricked into downloading fake patch and upgrade files that have valid certificates and digital signatures stolen from suppliers. Suppliers can also fail to address “hidden vulnerabilities” that emerge in third-party modules that are embedded in their products,” he said.
Snitkin also calls on ICS vendors to know which firmware and software are the correct versions and to have the people, processes, and technologies in place to ensure that customers receive secure distribution packs. He also says that the standard approaches to protecting customers from receiving modified software, such as vendor-published MD5/SHA file hashes and code signing, are in only limited use today and presume that asset owners have the tools and people to check them.
Snitkin’s report describes a possible solution: a web client that enables users to generate a digital fingerprint of any new firmware or software they are planning to use prior to implementing it. The tool is designed to compare the fingerprint of the unverified content against vendor-certified digital fingerprints that are stored in the repository, providing a confidence and security rating of the firmware/software and all its subcomponents, so the owner can decide whether to use this software or not.
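An added illustration of the repository check described above (example code written for this page, not code from the article, from ARC Research or from any vendor's tool): it fingerprints every file embedded in a firmware distribution pack with SHA-256, compares each against a vendor-certified list, and derives the kind of per-component verdict, confidence rating and install decision the report describes. The zip layout, the constructed sample packages and the rating rule are assumptions.

```python
import hashlib
import io
import zipfile

def build_package(members: dict) -> bytes:
    """Constructed sample only: pack {path: bytes} into a zip 'distribution pack'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in sorted(members.items()):
            zf.writestr(path, data)
    return buf.getvalue()

def fingerprint_package(package: bytes) -> dict:
    """Return {embedded path: sha256 hex} for every file inside the pack (its subcomponents)."""
    prints = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                prints[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return prints

def rate_package(package: bytes, repository: dict) -> dict:
    """Compare each subcomponent with the vendor-certified repository ({path: sha256})."""
    verdicts = {}
    for path, digest in fingerprint_package(package).items():
        certified = repository.get(path)
        if certified is None:
            verdicts[path] = "unknown"      # nothing was ever certified under this path
        elif certified == digest:
            verdicts[path] = "verified"
        else:
            verdicts[path] = "modified"     # certified fingerprint exists but differs
    # Any mismatch means content changed after certification: reject. An uncertified
    # part (e.g. a bundled third-party module) is handed to a human for review.
    if "modified" in verdicts.values():
        decision = "reject"
    elif "unknown" in verdicts.values():
        decision = "review"
    else:
        decision = "install"
    verified = sum(v == "verified" for v in verdicts.values())
    confidence = round(verified / len(verdicts), 2) if verdicts else 0.0
    return {"verdicts": verdicts, "confidence": confidence, "decision": decision}

# Constructed samples: the certified release, the same release with one module altered,
# and a release carrying an extra module that the vendor never fingerprinted.
CERTIFIED_RELEASE = build_package({"app.bin": b"plc firmware 2.1", "lib/tls.so": b"tls module 1.4"})
REPOSITORY = fingerprint_package(CERTIFIED_RELEASE)  # what the vendor would publish
ALTERED_RELEASE = build_package({"app.bin": b"plc firmware 2.1", "lib/tls.so": b"tls module 1.4 (modified)"})
EXTRA_MODULE_RELEASE = build_package({"app.bin": b"plc firmware 2.1", "lib/tls.so": b"tls module 1.4", "tools/helper.bin": b"uncertified"})
```

Because the comparison is on content rather than on certificates, a repackaged update fails the check even when it carries a valid signature, which is the failure mode Snitkin raises above.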
Rating the supplier
Another new tool focuses on creating a trust profile for the supplier, rather than the individual firmware or software.
“Suppliers often are the target as they can be less aware of or not adequately protected against potential threats, due to a lack of resources, among other reasons. Organizations may have their enterprise security goals covered, but need to ask their IT/OT (Operational Technology) suppliers, and their suppliers’ suppliers, across the entire value chain, to have a similar level of adequate security in place,” said Gonda Lamberink, senior business development manager at UL.
“Supply chains may have hundreds or thousands of suppliers, and to achieve transparency into the security posture of all suppliers is hard. Suppliers may not want to share security proprietary information with their end customers either, and internal security teams may become quickly overwhelmed to assess suppliers and their products or services,” she continued.
Lamberink says that UL has created a Supplier Cyber Trust Level tool that fills the need for a single framework or standard that adequately addresses the complexities of securing an organization-wide supply chain. The UL tool guides assessment of suppliers’ security practices and produces a documented supplier Trust Level rating for each supplier. This rating demonstrates the robustness of suppliers’ practices holistically, across their software and hardware development lifecycles, hosted systems and information management systems.
She believes that organizations that use this Supplier Cyber Trust Level solution will minimize their own cybersecurity risk by focusing on the effectiveness and cybersecurity posture of their suppliers’ security practices. The suppliers would also benefit, through independent, third-party review of their self-assessment, UL-assisted assessment, or a full UL assessment, to improve their security and be more competitive in procurement processes.
As companies become increasingly dependent on components from foreign countries, such tools may be increasingly necessary.
Is your automation vendor’s supply chain secure? It is if you use Bedrock. For more details on how Bedrock Automation secures its own operations, and yours, read How Locally-Sourced Intrinsically-Secure Components Keep the Supply Chain Secure.