Comprehending OT supply chain risk

It's crucial to recognize the potential threat posed by supply chain risks and to understand the best practices for avoiding them.

By Dave Weinstein April 11, 2020

Oftentimes, when we think about mitigating cyber threats to industrial networks, we focus on preventing attackers from exploiting industrial control systems to achieve a certain desired effect, such as a plant shutdown, power outage, or other disruptive and dangerous conditions.

Indeed, the seminal case studies have manifested in this fashion. But there’s a growing focus on a different threat scenario, one in which the industrial control system is exploited long before it’s put into production.

Enter supply chain cyber risk. Supply chain cyber risk is a complicated field that spans the entire lifecycle of a product, from its design to its manufacturing, and ultimately, its distribution, storage, and maintenance. This protracted and complex lifecycle affords many opportunities for a threat actor to exploit — either remotely or physically — the product’s hardware or software.

Consider how many “hands” a product passes through during this process, from the upstream supply chain of globally sourced raw materials to downstream distribution and production. Supply chains are naturally federated across different providers and geographies, and while this approach lends itself to economies of scale and other efficiencies, it’s hardly conducive to security. Contrast this with the centralized model governing the security of systems in production. The latter is a far harder target than the former, especially for a well-resourced and patient threat actor.

Last month, a study found the supply chain for the U.S. power industry is increasingly susceptible to cyber threats. The authors of the study cited numerous contributing factors to this threat, including the evolving nature of global supply chains, industry practices, and micro-grid technologies. The report also explores the critical variable of information technology (IT) and operational technology (OT) convergence and its impact on supply chain risk in the electric sector.

Downstream supply chain

We see this phenomenon nearly every day, not only in the electric industry, but across all critical infrastructure sectors. Indeed, it’s the downstream supply chain — namely with respect to installation, updating, and maintenance — where this IT-OT convergence presents the most significant risks to critical infrastructure owners and operators. As the report notes, there have been numerous instances of threat actors exploiting these downstream processes, some of which have resulted in data and intellectual property theft, and others which have subjected the infrastructure itself to risks of disruption.

Upstream supply chain

Upstream supply chains are also at risk. Original equipment manufacturers (OEMs) that distribute their products to others for use have experienced an uptick in threat activity over the last couple of years. While much of this activity is focused on stealing intellectual property related to product designs and production, it can also be aimed at holding production at risk and manipulating the integrity of the equipment itself. So-called “smart” and “connected” products rolling off the assembly line, ranging from IoT devices like thermostats to autonomous vehicles, are the most at risk. The good news is most OEMs understand this risk and are taking proactive steps to ensure the integrity of their supply chains and manufacturing processes.

Despite the complexities of industrial supply chains, defending your organization against supply chain risk comes down to two fundamental best practices:

  1. Monitoring all connections linked to a system’s lifecycle, whether they’re internal or external.
  2. Securing access to the user controls required to perform critical system functions.
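As an added illustration of the first practice (not code from the original article or from the author's company), the script below reviews connection records against a per-asset allowlist for OT devices. The asset inventory, the vendor remote-support host, the log format and the log lines are all constructed for the example; the point it shows is that the downstream maintenance path (vendor remote access, firmware or update retrieval by the device itself) is judged the same way as any other connection, and is only accepted while a maintenance window has actually been declared.

```python
"""Allowlist review of connections touching OT assets.

Added example, not part of the original article. Everything below
(inventory, allowlist, vendor host, log format, log lines) is constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: each OT asset and the peer networks it is approved
# to exchange traffic with, with a short purpose label for the reviewer.
ALLOWLIST = {
    "10.20.1.10": [("10.20.1.0/24", "cell network"), ("10.30.5.5/32", "historian")],
    "10.20.1.11": [("10.20.1.0/24", "cell network"), ("10.30.5.5/32", "historian")],
}

# Constructed vendor remote-support host used for updates and maintenance.
# Its connections are acceptable only inside a declared maintenance window.
VENDOR_MAINTENANCE = {"203.0.113.40": "VENDOR-A remote support"}

# Constructed connection-log format: timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample records (RFC 5737 documentation ranges for external hosts).
SAMPLE_LOG = [
    "2020-04-11T03:15:22Z src=10.20.1.10 dst=10.30.5.5 dport=5000 proto=tcp",
    "2020-04-11T03:15:40Z src=10.20.1.11 dst=10.20.1.10 dport=502 proto=tcp",
    "2020-04-11T03:16:05Z src=203.0.113.40 dst=10.20.1.10 dport=3389 proto=tcp",
    "2020-04-11T03:16:30Z src=10.20.1.10 dst=198.51.100.7 dport=443 proto=tcp",
    "2020-04-11T03:17:01Z src=192.168.99.4 dst=10.20.1.11 dport=502 proto=tcp",
]


@dataclass(frozen=True)
class Finding:
    ts: str
    asset: str
    peer: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one constructed log line into a dict; reject anything unexpected."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def peer_approved(asset, peer):
    """True if `peer` falls inside any network on the asset's allowlist."""
    addr = ip_address(peer)
    return any(addr in ip_network(net) for net, _purpose in ALLOWLIST.get(asset, []))


def review_connections(lines, maintenance_active=False):
    """Return a Finding for every connection an OT asset is not approved to have.

    Each record is checked from both ends, so an asset that initiates an
    outbound connection is judged the same way as one receiving an inbound one.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        for asset, peer in ((rec["src"], rec["dst"]), (rec["dst"], rec["src"])):
            if asset not in ALLOWLIST or peer_approved(asset, peer):
                continue
            if peer in VENDOR_MAINTENANCE:
                if maintenance_active:
                    continue  # approved only while a window is declared
                reason = (f"{VENDOR_MAINTENANCE[peer]} connected outside a "
                          "declared maintenance window")
            elif asset == rec["src"]:
                reason = "OT asset initiated a connection to a peer not on its allowlist"
            else:
                reason = "inbound connection to OT asset from a peer not on its allowlist"
            findings.append(Finding(rec["ts"], asset, peer, rec["dport"], reason))
    return findings


if __name__ == "__main__":
    for f in review_connections(SAMPLE_LOG, maintenance_active=False):
        print(f"{f.ts} asset={f.asset} peer={f.peer} dport={f.dport}: {f.reason}")
```

Run as-is, the constructed log yields three findings: the vendor support host reaching a controller with no maintenance window declared, a controller reaching out to an address it has no approved reason to contact, and an inbound connection from an unknown host; re-running with `maintenance_active=True` clears only the first. The allowlist is deliberately a flat, reviewable structure so that it can be kept alongside the asset inventory and diffed when the inventory changes.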

This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner.

Original content can be found at Plant Engineering.

Author Bio: Dave Weinstein is the chief security officer at cybersecurity visibility provider Claroty.