Let me begin by posing the seemingly obvious questions: What is a supply chain? And what is supply chain risk?
In the context of security, it’s important to define what supply chain is. It could mean different things to different industries. For example, the supply chain of a computer manufacturer is comprised of vendors who make different hardware components that come together in the end. The supply chain of a software company will consist of other software vendors that make features or functionality that may get embedded in the company’s end product. As a third example, the supply chain of a shipping and logistics company would consist of partners that help package, label, and distribute products to their destination.
The common theme, despite these differences, is that third-party suppliers are, in many cases, getting access to company techniques, data, and the ‘secret sauce’—thereby having the opportunity to uniquely impact—and create risk to—the success of the company they supply. The Cybersecurity and Infrastructure Security Agency (CISA) warns that hackers and criminals can target government and industry through contractors, subcontractors, and suppliers at all tiers of the supply chain. Such risk is multi-fold, with cyber risk being no less important than operational risk or business risk, because a cyber event can trigger a whole cascade of consequences.
However, the supply chain cybersecurity risk management space is still evolving. The National Institute of Standards and Technology (NIST) is creating and updating practical guidance and technical standards for organizations to improve supply chain security. This includes NIST SP1800-34, which provides robust guidance on verifying and proving the integrity of internal components and systems used in a supply chain. Yet such supply chain security can be complemented by zero trust architectures that provide organizations an additional layer of security when there is a compromised component.
Below are common risks posed to a supply chain with example ways a zero trust approach can mitigate such risk.
Account takeover
Common attacks on supply chains occur via account takeover. In such attacks, cybercriminals target customers by infiltrating one of the company’s trusted vendors. Attackers will take over an account at the trusted vendor, then use it to send phishing emails to the target that contain malicious links. When a recipient of the phishing email clicks the links, malware or ransomware is deployed.
Solution: Preventing account takover is key. A zero trust solution makes account takeover difficult because login attempts from users who violate policies set in the zero trust exchange are immediately blocked. A user taking over an account is likely to violate such policies by having various attributes (location, device ID, EDR posture check, and more) mismatch versus the true record.
Fourth-party risk
Your supply chain partners might do everything they can to prevent your data from being stolen, but you have to make sure your partners don’t make your data accessible to their third parties (which are your fourth parties).
Solution: Eliminating widespread or VPN-based network access to supply chain applications that house critical data. This can be done by implementing a zero trust strategy that creates a 1:1 fully encrypted connection between the user and application, on demand. By narrowing the access as such and never placing a user on the network, it limits additional fourth parties from lateral movement and snooping as your suppliers go about their jobs for you.
Supply chain IP theft
According to a research report by Kroll, IP theft is a top priority for 75% of companies. IP theft can be perpetrated by an external attacker or an insider threat.
Solution: IP Theft reduction can be easily achieved via data loss prevention technologies that are part of industry-leading SSE solutions. With many supply chain applications today being internet- or cloud-based, implementing a DLP solution is straightforward step to preventing the exfiltration of critical data.
Supply chain software updates
SolarWinds and Kaseya are good examples of software updates that were pushed to customers that contained malware. Because the products the customers made were so widely installed, there was a subsequently widespread malware infection.
Solution: A zero trust approach uses an inside-out architecture that could prevent risky communications, such as what happened with the SolarWinds breach. SolarWinds’ servers allowed outbound communications within the network perimeter, blocking known bad destinations. This means unknown bad destinations were able to slip through and wreak havoc. A zero trust approach would have never allowed such communications to occur because it wouldn’t have allowed anything to be assumed to be trustworthy in the first place. In addition, zero trust can prevent attackers from further proceeding with such exploits by preventing them from moving laterally, which zero trust does not allow without re-authorization and re-authentication with context specific to each new resource and asset.
In all of these scenarios, if a company provides any of its suppliers with trusted network access, then ransomware and other attacks can occur unfettered. While some of the above attacks were more sophisticated, even the infamous Target data breach of 2013 was perpetrated by an attacker that took gained network access by exploiting stolen credentials from an HVAC contractor - a shockingly simple approach. As outlined above, companies can substantially reduce or eliminate most, if not all, of these attacks by mandating their suppliers use zero trust access methods to access the company’s data and other resources.
Here is a summary of the main benefits of a zero trust architecture:
- The high value assets are hidden from the internet and only made available to authorized users
- The authorized users have isolated access only, because they and their endpoints are never placed on the same network the device is on
- Connections from users to devices are spun up on demand and kept open only for the access session
- Fully encrypted connections are used
- Zero trust allows for business continuity by reducing device and supply chain risk despite known and possible situations that occur from time to time and bring elevated risks. Specifically, a zero trust architecture can allow a device to operate in an internet-connected state safely even with known device vulnerabilities. It is well known that one of the challenges to device and supply chain security is that it is not possible to patch devices at the rate that is required, but the devices must continue to run for business continuity. Zero trust architecture significantly reduces the risk the unpatched devices pose, because it allows them to remain connected to the internet while being in the state of having known vulnerabilities, and still be operated when a zero trust secure connection is used. Further description of the benefit of using zero trust over VPN to reduce inherent device vulnerabilities can be found here.
- A model of how this can work using an agent-based and agentless approach, according to the organization’s preference, is below:
Perhaps one of the most compelling customer installations of zero trust for third parties is Schmitz Cargobull. By using ZPA instead of hardware-based VPNs, Schmitz Cargobull ensures its private applications, like SAP, are never exposed to the internet, making them completely invisible to unauthorized users. This not only improves the company’s security posture but also enables it to extend access to external users for greater business agility and a more secure supply chain. Michael Schöller, Head of Infrastructure at Schmitz Cargobull, explains that “reducing VPN appliances, which have recently made headlines for vulnerabilities, will allow us to increase the availability of our supply chain and access for our consultants” and that “Zscaler will keep our infrastructure hidden from attackers while making us more secure than we were before.”
