Supply Chain Security

On June 27, 2017, the NotPetya malware was unleashed via a malicious, modified update to the accounting software package, M.E. Doc, which is used by many businesses in the Ukraine and elsewhere. Included in the malicious update package were exploits that helped the malware spread to computers throughout the world, causing extensive damage. Initially, NotPetya was thought to be a variant of the Petya ransomware, but further analysis determined that it was much more destructive, causing irreparable damage to the systems it infected. In fact, it has been deemed the most devastating malware in history. According to reports in the media, NotPetya cost two US companies, Merck and FedEx, approximately $1 billion in remediation costs, related expenses, and lost revenue. In 2018, the US and UK officials attributed the attack to the Russian military as an attempt to destabilize the Ukraine, but the damage caused by the attack was much more far-reaching than simply the Ukraine.

In October of 2018, Bloomberg Businessweek published a story that stated China conducted supply chain attacks in which tiny chips were secretly installed on motherboards made by US-based company SuperMicro. These chips reportedly allowed the Chinese to make undetected alterations to the operating systems on servers that used the tampered motherboards. According to the report, companies such as Apple and Amazon were impacted.  And, while both companies denied they were impacted, the importance of supply chain security was once again highlighted.

More recently, reports made to the NJCCIC by victim organizations that were crippled by ransomware attacks found the point of entry for the ransomware was a common service provider used by all of the impacted organizations. As in the NotPetya attack, in which the credentials of an administrator in M.E. Doc’s parent company, Intellect Service, were compromised, the credentials of an administrator servicing each of the impacted organizations were stolen. These compromised credentials allowed the attackers to plant the ransomware.

Organizations can do all the right things in securing their environments, but attacks against their IT supply chain can torpedo all their efforts. Vendor management, third-party management, supply chain management – whatever the term used – needs to be a staple of your organization’s cybersecurity program. In most cases that means conducting due diligence reviews – taking reasonable steps to ensure the hardware, software, and services that you procure from vendors does not introduce unacceptable cyber risks into your organization. The reasonable steps may include, but are not limited to, direct observation (e.g. onsite visits) of the third party, reviews of the third-party’s information security policies and standards, reviews of independent audit reports of the third party, relevant certifications, open source searches, and reference checks.

It would be infeasible for every organization to inspect each chip on the motherboards within the systems they purchase, and your approach to conducting due diligence reviews may be unique in both scope and risk acceptance, but there are tools and resources available to help ensure that those reviews are “reasonable” and can help you manage supply chain risks.

Your organization’s information security policies and standards, as well as any applicable statutory, regulatory, or contractual requirements should be your starting point for developing your vendor management program, as any vendor you use should be subject to the same security controls as required for your internal systems. To help your organization build out its vendor management program, you may want to consider resources such the National Institute of Standards and Technology’s (NIST) Best Practices in Cyber Supply Chain Risk Management guide. (Please note: at the time of publication of this bulletin the document is not accessible due to the US Government shutdown). The US Department of Homeland Security’s National Strategy for Global Supply Chain Security, and the Federation of Scientists’ Cyber Supply Chain Risk Management: An Introduction also provide insights into supply chain security risks.

Other resources and approaches include those offered by the Santa Fe Group’s Shared Assessments, a risk membership program that provides organizations with a way to obtain detailed reports about a service provider's controls (people, process, and procedures) and a procedure for verifying that the information in the report is accurate. Shared Assessments was created by six members of the financial services industry, several accounting firms, and industry service providers to develop a standardized process and set of tools to conduct third party risk assessments of service providers. Shared Assessments tools include their Standardized Information Gathering (SIG) Questionnaires that allow organizations to build, customize, analyze, and store vendor questionnaires. 

More recently, nine technology companies - Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb founded the Vendor Security Alliance (VSA), an independent, non-profit coalition that aims to help member companies evaluate or assess the security and privacy of third-party providers whom they heavily rely on and even entrust with their users’ most important data. The VSA has also created a benchmark of acceptable cybersecurity practices vendors need to comply with. To get an idea of the questions the VSA asks vendors, you can review their online questionnaire.

When purchasing Commercial-Off-The-Shelf (COTS) technology products, organizations may consider using the product evaluations conducted through the National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme (NIAP CCEVS). NIAP CCEVS oversees evaluations of commercial IT products for use in National Security Systems. NIAP evaluations are conducted by NVLAP-accredited commercial testing labs, called Common Criteria Test Labs (CCTLs). A product vendor chooses an approved lab to complete the product evaluation against applicable Protection Profile(s). A Protection Profile is an implementation-independent set of security requirements and test activities for a particular technology that enables achievable, repeatable, and testable evaluations.

And prior to procuring cloud services, organization may consider using resources such as the Cloud Security Alliance’s Cloud Controls Matrix and the Federal Risk and Authorization Management Program (FedRAMP) that provide standardized approaches to security assessments for cloud products and services.

In addition to the above resources, a number of companies have launched vendor risk management platforms that provide subscribers with reports on the security posture of their vendors and other third-parties. How that information is obtained and the scores derived is the secret sauce for each of these platforms. And while scores provided by such platforms should not be your only criteria, they may add helpful insights when conducting due diligence reviews of third parties.

Contract Vehicles

One very important tool that can help protect your organization from supply chain risks is the contract between your organization and the third-party vendor. All contracts should include clauses that, at a minimum, address:

  • Confidentiality in order to protect against the disclosure of confidential information by the third party;

  • Third parties and any sub-contractors they use are subject to the same security policies and procedures as your organization and shall conform to the same security controls and documentation requirements as they apply to your organization’s internal systems;

  • Outsourcing agreements contain security provisions specifically tailored to the particular outsourcing initiative;

  • Appropriate management, operational, and technical control safeguards are in place to facilitate the confidentiality, integrity, availability, and privacy of your organization’s sensitive information the third party generates, accesses, receives, stores, processes, or transmits; and

  • Third parties acknowledge in writing that they are responsible for the security of the sensitive information that the third party possesses or otherwise stores, processes, or transmits on behalf of your organization.

In addition, all contracts associated with third parties that have access to your organization’s sensitive information should specify:

  • All sensitive information will be held in strict confidence and accessed only for the explicit business purpose of the contract;

  • The third party must be compliant with and maintain compliance with the protective conditions outlined in the contract;

  • Any violation of the protective conditions outlined in the contract amounts to a material breach of contract and entitles your organization to terminate the contract without penalty;

  • The third party is liable to protect all sensitive information it stores and/or accesses;

  • In the event of a security breach, due to its actions or inaction, the third party shall bear all responsibility and expenses associated with the response to the security breach;

  • The third party must return or destroy all sensitive information received upon completion of the contract;

  • Auditing of the third party’s security posture and compliance is authorized at any time; and

  • The contract’s protective requirements shall survive any termination agreement.

As highlighted in the NotPetya and other supply chain incidents, supply chain security is critical to the veracity of an organization’s cybersecurity program. It is also critical to national security, as attacks on supply chains can have devastating impacts to critical infrastructure.bThe resources provided above should help you formulate or add to the existing supply chain security program in your organization.