Strengthening industrial supply chain security by addressing challenges, strategies, collaborative initiatives


Establishing cybersecurity and protection across the industrial supply chain means working through a maze of challenges and complexities that can make even the most seasoned professionals break a sweat. Integration of digital technologies, while undoubtedly boosting efficiency, opens the door to a host of cyber threats that can wreak havoc, highlighting the importance of addressing security challenges. Assessing the adequacy of current regulatory frameworks is crucial to ensure they effectively address these evolving security issues. Additionally, there is a delicate balance between optimizing efficiency and agility in supply chains and prioritizing robust security measures.

Geopolitical tensions and trade disputes further complicate the security landscape, as these factors intersect with cybersecurity concerns, creating multifaceted risks across industrial supply chains. Collaborative efforts among industry stakeholders, government agencies, and cybersecurity experts are essential for enhancing security. By pooling knowledge, developing best practices, and fostering a collective approach to security, these collaborations are focused on bolstering the resilience of industrial supply chains worldwide.

Addressing security challenges in industrial supply chain

Industrial Cyber reached out to cybersecurity experts across the industrial supply chain to evaluate the key challenges and intricacies of securing industrial supply chains. Additionally, they delved into the impact of global interdependencies and interconnected supply chains on the complexity of ensuring the security of industrial supply chains.

Eric Knapp CTO of OT at OPSWAT

Safeguarding industrial supply chains is complex due to their vast and distributed nature, Eric Knapp, CTO (chief technology officer) of OT at OPSWAT, told Industrial Cyber. “Attacks can target various stages, including material acquisition, manufacturing, transportation, and financial transactions. The challenges of safeguarding industrial supply chains fall into two primary categories: direct attacks on the supply chain and using the supply chain as an attack vector.”

When it comes to direct attacks on the supply chain, Knapp said that these cyber-physical attacks aim to disrupt physical processes through cyber means, targeting various stages such as material acquisition, manufacturing, transportation, and financial transactions. The attack surface is vast, encompassing everything from mining and processing to transportation and finance. Defending against these threats needs to incorporate physical security, network defenses, OT (operational technology) security, and comprehensive supply chain visibility. 

On using the supply chain as an attack vector, he outlined that this involves adversaries infiltrating the supply chain to introduce vulnerabilities or malicious components that bypass traditional security measures. Techniques include inserting compromised hardware and injecting malicious code into software updates, like in the SolarWinds attack. The methods exploit trust in supply chain components to execute malicious activities within secure environments. 

“A zero-trust approach is critical and involves evaluating and validating every component within the supply chain, assuming no inherent trust,” Knapp highlighted. “Implementing a Software Bill of Materials (SBOM) helps ensure the integrity and origin of software components, and continuous testing and validation of critical systems further strengthens defenses.”

Eric Byres, Founder and CTO, aDolus

Eric Byres, founder and chief technology officer at aDolus Technology, said that currently, a lack of visibility into their supply chains is the biggest challenge. “Industrial operators often don’t know what software and what entities are present in their environments. Even with top-notch asset management controls in place, they don’t see the components within their assets. And, those components can be harboring vulnerabilities, malware, and other risks. Those components may also have originated with high-risk suppliers from hostile nations.”

Dmitry Raidman CTO at Cybeats

“The challenges of safeguarding industrial supply chains originate from their complexity and scale, spanning multiple countries and involving many stakeholders,” Dmitry Raidman, CTO and co-founder at Cybeats, pointed out to Industrial Cyber. “Global interdependencies complicate the situation further, making it difficult to ensure consistent security practices due to reliance on international suppliers and manufacturers. Ensuring the authenticity and integrity of hardware and software is very challenging, especially with the risk of counterfeit components.” 

He added that interconnected supply chains amplify vulnerabilities, as issues upstream can cascade downstream through the supply chain network. “Additionally, varying global regulations and standards further complicate a unified security strategy.”

Matt Wyckhouse, founder and CEO at Finite State

Matt Wyckhouse, founder and CEO at Finite State, identified that safeguarding industrial supply chains involves navigating complexities such as protecting diverse endpoints, legacy systems, proprietary technologies, and third-party integrations, ensuring secure data transfer. 

“Global interdependencies compound these challenges as supply chains traverse borders, industries, and technologies,” Wyckhouse told Industrial Cyber. “Disruptions in one part of the supply chain can have cascading effects, highlighting the need for resilience, robust cyber-physical security, and risk mitigation measures. Global interdependencies and interconnected supply chains significantly increase the complexity of securing industrial systems. The reliance on international suppliers introduces risks, including differing cybersecurity standards and geopolitical tensions, creating multiple points of vulnerability.”

Highlighting vulnerabilities, impact of digital tech on supply chain security

The executives address the key vulnerabilities adversaries often exploit within industrial supply chains. They also look into the effect that the proliferation of digital technologies and interconnected systems has had on the security of industrial supply chains.

Knapp said that adversaries exploit multiple attack vectors, from introducing malware via USB drives at manufacturing facilities to targeting power systems essential for operations. “They can also disrupt the production of raw materials, often sourced from remote or international locations, or sabotage shipping industries to prevent material delivery. Additionally, attackers might compromise component manufacturers, embedding malware into products that infiltrate target environments.” 

“The number of digital technologies and interconnected systems has significantly heightened these risks,” Knapp highlighted. “Increased digitalization offers more entry points for cyber-attacks, making supply chains more susceptible to breaches. Cyber threats can now easily propagate through interconnected systems, compromising multiple stages of the supply chain. Also, the complexity of modern supply chains often results in limited visibility and control, leaving organizations unsure of where to focus their security efforts.” 

He added that this lack of comprehensive oversight increases the risk, as unidentified vulnerabilities remain unaddressed and provide adversaries with ample opportunities to disrupt operations.

The biggest vulnerability within supply chains is the domino effect — the potential for the compromise of a single target to spread to those downstream, Byres told Industrial Cyber. “It’s why the supply chain is becoming the new attack vector of choice as the ROI is just too sweet. End users trust their vendors and adversaries have learned to exploit that trust.”  

He added that digitalization obviously drives massive increases in productivity and efficiency, but software is vulnerable to tampering, it can contain nested packages of unknown provenance, and it can be very complex. “Because of the complexity, securing software supply chains can’t be a manual process; you need sophisticated tools.”

Raidman mentioned that the key vulnerabilities in industrial supply chains include counterfeit components, insider threats, and lack of visibility. “Adversaries exploit weaknesses to introduce counterfeit parts, compromising product integrity. Insider threats from employees with system access pose significant risks. Poor visibility can lead to undetected vulnerabilities and software end-of-life risks.” 

He added that the proliferation of digital technologies and connected systems increases the attack surface, making supply chains more susceptible to cyberattacks. “While IoT and automation improve efficiency, they add complexity and potential security risks if not properly secured.”

Wyckhouse detailed that adversaries often exploit vulnerabilities such as outdated software, weak authentication, permissive authorization, improper network segmentation, and insufficient encryption within industrial supply chains. Notable exploits include Stuxnet, BlackEnergy, Triton, Industroyer, Havex, and Volt Typhoon. “These incidents highlight the need to detect and address vulnerabilities proactively.”

He added that the proliferation of digital technologies has expanded the attack surface, enabling adversaries to target critical infrastructure with precision. “Increased connectivity, while enhancing operational efficiency, introduces new risks that require vigilant security measures.”

Assessing regulatory adequacy, balance of efficiency and security in industrial supply chain

The executives analyze whether the current regulatory frameworks are sufficient to address security issues within the industrial supply chain. They also explore how companies are navigating the delicate balance between optimizing efficiency and agility in supply chains while prioritizing the enhancement of security measures.

Knapp argues that no regulatory framework is adequate to address security concerns in the supply chain or anywhere else. “Regulations and frameworks are necessary and valuable to align organizations with best practices and establish baseline controls and more mature processes. These things are incredibly important, but they should be seen as a starting point and not as an end goal,” he added.

“Since the SolarWinds incident, there has been a steady drumbeat of regulatory initiatives, notably in North America and Europe,” Byres said. “I’m encouraged to see a common requirement for SBOMs as they are really the starting point for supply chain security. You can’t secure what you don’t know about.” 

He added that some years ago, product vendors were pretty resistant to the whole concept of producing SBOMs — and they certainly weren’t interested in sharing them!

“But now we’re seeing real leadership from many of the major vendors and a commitment to providing SBOMs,” according to Byres. “There is now a proliferation of companies that specialize in generating SBOMs, allowing the big vendors to preserve their efficiency and agility.”

Raidman outlined that existing regulatory frameworks often fail to address industrial supply chain security concerns, lagging behind the evolving threat landscape and leaving exploitable gaps. “More standardized and comprehensive regulations are urgently needed to meet these unique security requirements. Companies strive to balance efficiency and agility with enhanced security by integrating security measures into supply chain management, using technologies like blockchain for provenance and traceability.” 

He added that they are also adopting radical transparency by requiring upstream suppliers to share SBOM and Hardware Bill of Materials (HBOM) for technology product development and delivery.

Existing regulatory frameworks, like the EU’s Cyber Resilience Act and the US Executive Order on Improving the Nation’s Cybersecurity, provide a foundation for addressing security concerns, Wyckhouse said. “With increased focus on targeting industrial supply chains, cybersecurity regulatory requirements are expected to intensify. Alignment is also needed as multiple regulatory bodies and emerging standards create challenges for OEMs, leading to inconsistencies, increased compliance costs, complex supply chain management, and the risk of non-compliance.” 

He added that companies balance the need for efficiency and agility by adopting advanced cybersecurity measures, leveraging vulnerability assessment tools, enhancing threat intelligence, and implementing continuous monitoring and zero trust to stay ahead of emerging threats.

Intersection of geopolitical tensions, trade disputes, cybersecurity across industrial supply chain

The executives delve into the impact of geopolitical tensions and trade disputes on the security of global industrial supply chains. Additionally, they concentrate on the strategies organizations implement to address cybersecurity threats and attacks originating from nation-sponsored hacker groups.

Knapp assesses that in terms of attacking the supply chain itself, there are plenty of recent examples in the news: damage to pipelines, power grids, communications, etc., are highly effective during times of open conflict. “This isn’t new: supply chains have always been a target during conflicts, and as tensions increase the risk of attacks against supply chains increase as well.” 

He also pointed to an example of a supply chain security measure to deal with nation-state hacker groups, emphasizing the importance of compliance with regulations regarding the country of origin for hardware and software components. 

“Imagine you sell to the US government and the agency you work with announces it will not purchase products from a certain country or supplier (whether it be a trade dispute or other conflict),” Byres said. “Organizations need to ensure — and often prove — that none of the components of their product originated with the banned country or supplier. They can do this with platforms that produce SBOMs and perform analysis and risk assessment on all the components to show any hidden surprises.”

Raidman mentioned that geopolitical tensions can lead to sanctions and trade barriers, disrupting the flow of goods and materials. “Furthermore, nation-sponsored cyberattacks often target supply chains as a form of economic warfare, increasing the risk to these networks. Organizations are diversifying their supplier base and investing in advanced cybersecurity solutions to mitigate these risks. They are conducting regular threat assessments, requiring software and hardware supply chain transparency, collaborating with intelligence agencies such as CISA, and following security frameworks by NIST or achieving FCC certification under the US Cybersecurity Labeling Program to stay ahead of nation-sponsored threats, thereby enhancing their cybersecurity posture,” he added.

“Geopolitical tensions and trade disputes amplify the risk of cyber threats from nation-state adversaries. These tensions can lead to restrictive trade policies and disrupt the flow of critical components,” Wyckhouse observed. “Organizations must navigate these uncertainties by diversifying suppliers, enhancing threat intelligence, and implementing robust cybersecurity measures. The Volt Typhoon campaign underscores the need for vigilance against state-sponsored cyber threats.” 

He added that organizations must adopt measures like leveraging advanced vulnerability assessment tools, enhancing threat intelligence, continuous monitoring, and implementing zero trust. “Tools that leverage source code analysis, deep binary analysis, static application security testing (SAST), and software composition analysis (SCA) are crucial for uncovering hidden vulnerabilities. The tools and methodologies enable the construction of comprehensive SBOMs, which are critical for identifying and mitigating risks.”

Examining collaborative efforts to enhance industrial supply chain security

The executives explore how collaborations among industry stakeholders, government agencies, and cybersecurity experts are being utilized to bolster the security of industrial supply chains. They also look into the valuable lessons that can be gleaned from these collaborative efforts.

Knapp said that industry leaders are collaborating and sharing knowledge to foster a collective approach to securing cloud in Industry 4.0 across OT/ICS domains through various initiatives. “These include standardization efforts, information sharing, and private-public partnerships. Organizations like IEC, NIST, and ISO work with industry leaders to develop common cybersecurity frameworks and standards for securing Industry 4.0 environments, establishing clear protocols and best practices. ISACs and sector-specific forums also help facilitate the exchange of actionable threat information and best practices, keeping organizations updated on emerging threats and vulnerabilities,” he added. 

“Initiatives like DHS’s Critical Infrastructure Partnership Advisory Council (CIPAC) and ENISA promote collaboration between government and private sectors to address cybersecurity challenges collectively,” according to Knapp. “Additionally, groups like the Industrial Internet Consortium (IIC), the National Cybersecurity Center of Excellence (NCCoE), and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provide platforms for industry leaders to exchange knowledge, participate in working groups, and develop cybersecurity guidelines and frameworks tailored to ICS environments in the cloud.”

Byres said that there’s no doubt the US government is reaching its hand out to industry. “The efforts at CISA to define the minimum elements of an SBOM have brought SBOMs into the mainstream and enabled necessary collaboration and buy-in. Now that standards exist, we can start to focus on how industrial operators can consume SBOMs in an automated way to help secure their supply chains without a lot of extra effort or expense,” he added.
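The automated SBOM consumption Byres describes, and the country-of-origin and integrity checks raised earlier by Knapp and Byres, can be illustrated with a small policy check over a CycloneDX-format SBOM. This is an added example, not code from Industrial Cyber or from any of the vendors quoted; the SBOM, the denied-supplier list and the end-of-life table are all constructed for the illustration, and the field names follow the CycloneDX JSON schema.

```python
"""Consume a CycloneDX-style SBOM and flag supply-chain risks.

Checks on each component:
  * supplier appears on a denied-supplier list (trade / sanctions compliance)
  * no integrity hash is recorded, so the artifact cannot be verified
  * the named version has passed its end-of-life date
"""
import json
from datetime import date

# Constructed sample: a minimal CycloneDX 1.5 JSON document, not a real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "modbus-stack", "version": "2.1.0",
         "supplier": {"name": "Example Controls Ltd"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "fieldbus-driver", "version": "0.9.3",
         "supplier": {"name": "Restricted Vendor Co"},
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}]},
        {"type": "library", "name": "legacy-crypto", "version": "1.0.2",
         "supplier": {"name": "Example Controls Ltd"}},
    ],
})

# Constructed policy inputs; in practice these come from procurement/legal
# and from vendor end-of-life notices.
DENIED_SUPPLIERS = {"restricted vendor co"}
END_OF_LIFE = {("legacy-crypto", "1.0.2"): date(2022, 1, 1)}


def load_components(sbom_json):
    """Parse the document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def assess_component(comp, today):
    """Return a list of findings for one component (empty list = clean)."""
    findings = []
    supplier = (comp.get("supplier") or {}).get("name", "")
    if not supplier:
        findings.append("no supplier recorded")
    elif supplier.lower() in DENIED_SUPPLIERS:
        findings.append(f"denied supplier: {supplier}")
    if not comp.get("hashes"):
        findings.append("no integrity hash recorded")
    eol = END_OF_LIFE.get((comp.get("name"), comp.get("version")))
    if eol and eol <= today:
        findings.append(f"end-of-life since {eol.isoformat()}")
    return findings


def assess_sbom(sbom_json, today=None):
    """Map 'name@version' to its findings, omitting clean components."""
    today = today or date.today()
    report = {}
    for comp in load_components(sbom_json):
        key = f"{comp.get('name')}@{comp.get('version')}"
        findings = assess_component(comp, today)
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for key, findings in assess_sbom(SAMPLE_SBOM).items():
        print(key, "->", "; ".join(findings))
```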

“Public-private partnerships facilitate sharing cyber threat intelligence and best practices, helping bolster overall security. Information-sharing platforms, such as Information Sharing and Analysis Centers (ISACs), enable early threat detection and coordinated response efforts,” Raidman remarked. “The lessons learned from these collaborations highlight the importance of a unified effort, as security is a collective responsibility that requires coordination across the entire supply chain ecosystem.” 

He added that proactive measures, including threat hunting, following Secure by Design (SbD) principles, and continuous monitoring for vulnerabilities, threat intelligence, end-of-life, and malicious indicators, are essential for maintaining robust security and resilience in industrial supply chains.

Wyckhouse said that collaborations between industry stakeholders, government agencies, and cybersecurity experts are crucial for enhancing security. “Partnerships foster shared responsibility, responsible disclosure, and continuous improvement in cybersecurity practices. A key solution moving forward involves stronger collaboration between original equipment manufacturers (OEMs) and asset owners/operators. By working together, OEMs and asset owners can develop and adhere to comprehensive security standards that protect against both known and emerging threats,” he added.

“Safeguarding industrial supply chains in today’s digital age requires a multifaceted approach addressing complexities, vulnerabilities, regulatory compliance, geopolitical dynamics, and collaborative partnerships,” according to Wyckhouse. “Organizations must invest in robust security measures and embrace a proactive and collaborative approach.”

He concluded that by fostering strong relationships between OEMs and asset owners, enhancing regulatory frameworks, and leveraging advanced cybersecurity tools, organizations can navigate the complexities of the digital landscape with confidence, ensuring the integrity, resilience, and continuity of their operations.
