13 Best Practices in Cyber Supply Chain Risk Management

Over the past several years, attacks have targeted supply chains across multiple industries and have impacted both the actual operations of the supply chain and the products that these supply chains produce. The supply chain is vulnerable to cyber and physical attacks that can lead to critical operational disruptions, significant damage to brand and reputation, product safety issues, loss or theft of intellectual property, and substantial fines and fees. What's more, these types of attacks are increasing and growing in sophistication, as the supply chains of major industries are a prime target for malicious actors.

We are seeing the very tools that were previously available only to nation-state attackers being used by sophisticated attackers for corporate espionage, profit and disruption.[1] These attackers are looking to disrupt critical supply chains and infrastructure much as a nation-state would have in the past. Previously, attackers were able to target only a few computers at once; today's widespread attacks make them much more dangerous. You are always a prime target, for state-sponsored attackers and many others besides.

In Gartner's "Future of Supply Chain Study",[2] Heads of Supply Chain were asked, "In terms of data security/IT incidents as a supply chain risk, which of the following capabilities does your company have?" Responses show that organizational adequacy to handle data security is varied.

  • Internal Digital IT Security. Security of internet-connected facilities and assets was the No. 1 challenge, with 50% saying it was the biggest challenge.
  • External Digital IT Security. Security of digital products was the No. 2 challenge, with 49% saying it was the biggest challenge.

In the Forrester Analytics Global Business Technographics® Security Survey, 2018,[3] 55% of enterprise network security decision makers reported experiencing at least one breach in the past 12 months. Forty-four percent of those breaches were the result of an internal incident involving an employee or business partner. Internal incidents can involve employees who simply make poor decisions regarding the handling and use of the firm's sensitive data, or employees with malicious intent. Malicious insiders can also work in collusion with external threat actors: 41% of the breaches that enterprise respondents reported came at the hands of external threat actors. In addition:

  • 54% of respondents attributed their internal attacks to malicious intent, 38% to inadvertent misuse and 8% to a combination of the two.
  • 37% of respondents attributed their external attacks to web application exploits, 35% to software vulnerabilities and 27% to stolen credentials.

Three Cybersecurity Principles

The National Institute of Standards and Technology (NIST)[4] shared what they consider to be some of the best practices in supply chain risk management. These best practices are based on three cybersecurity principles.

1. Develop your defenses based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to limit an attacker's ability to exploit the information they have accessed and how to recover from the breach. Cyber supply chain risks cover a lot of territory, with risks coming from:

  • Third-party service providers or vendors – from janitorial services to software engineering – with physical or virtual access to information systems, software code or IP.
  • Poor information security practices by lower-tier suppliers.
  • Compromised software or hardware purchased from suppliers.
  • Software security vulnerabilities in supply chain management or supplier systems.
  • Counterfeit hardware or hardware with embedded malware.
  • Third-party data storage or data aggregators.

Cybersecurity is never just a technology problem – it’s a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. Information and operational technology security systems won’t secure critical information and intellectual property unless people throughout the supply chain use good cybersecurity practices.

2. Security Is Security. There should be no gap between physical security and cybersecurity. Threat actors sometimes exploit lapses in physical security, or use social engineering, in order to launch a cyberattack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.

3. Cybersecurity Extends to Suppliers. Companies are using questions like the ones below to determine how risky third-party suppliers’ cybersecurity practices are:

  • Is the vendor’s software/hardware design process documented? Repeatable? Measurable?
  • How does a vendor or third-party supplier handle personally identifiable information? How do they process the data and can they quickly respond to a data removal request from an individual? How does a vendor help me stay compliant with regulatory frameworks such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)?
  • Is the mitigation of known vulnerabilities factored into product design (through product architecture, run-time protection techniques, code review)?
  • How does the vendor stay current on emerging vulnerabilities? What are the vendor’s capabilities to address new “zero day” vulnerabilities? How quickly can a vendor react and what kind of processes do they have in place?
  • What controls are in place to manage and monitor production processes?
  • What levels of malware protection and detection are performed?
  • What steps are taken to “tamper-proof” products? Are backdoors closed?
  • What physical security measures are in place? Documented? Audited?

13 Practices in Cyber Supply Chain Risk Management

Companies have adopted a variety of practices that help them manage their cyber supply chain risks. The following are a few of the practices:

  1. Security requirements are included in every RFP and contract.
  2. Once a vendor is accepted in the formal supply chain, a security team works with them onsite to address any vulnerabilities and security gaps.
  3. “One strike and you’re out” policies are implemented with respect to vendor products that are either counterfeit or do not match specification.
  4. Component purchases are tightly controlled; component purchases from approved vendors are prequalified. Parts purchased from other vendors are unpacked, inspected and x-rayed before being accepted.
  5. Secure Software Lifecycle Development Programs and training for all engineers in the lifecycle are established.
  6. Source code is obtained for all purchased software.
  7. Software and hardware have a security handshake. Secure booting processes look for authentication codes and the system will not boot if codes are not recognized.
  8. Automation of manufacturing and testing regimes reduces the risk of human intervention.
  9. Track and trace programs establish provenance of all parts, components and systems.
  10. Programs capture “as-built” component identity data for each assembly and automatically link the component identity data to sourcing information.
  11. Personnel in charge of supply chain cybersecurity partner with every team that touches any part of the product during its development lifecycle and ensure that cybersecurity is part of suppliers’ and developers’ employee experience, processes and tools.
  12. Continued supply of authorized IP and parts is assured, through legacy support for end-of-life products and platforms.
  13. Tight controls on access by service vendors are imposed. Access to software is limited to a very few vendors. Hardware vendors are limited to mechanical systems with no access to control systems. All vendors are authorized and escorted.

Honeywell's Pillars to a Foundation of Trust

Every day, around the world, businesses are at risk of cyberattacks. Honeywell acknowledges the risk and believes the best way to minimize attacks and the losses that result from them is to take a pervasive and holistic approach to security. Pervasive means Honeywell approaches security from multiple angles, which include gathering intelligence on cyber events in multiple industries, building protections directly into devices and software, and maintaining a 24/7 level of vigilance on the cyber climate. A holistic approach to security means that we need to pay attention to the entire picture and individual aspects of a product offering.

Honeywell aims to integrate all these elements designed to safeguard an organization to empower our customers to build a solution with security built in from the beginning. We focus on protecting you and our products (e.g., mobile computers, scanners and printers) against sophisticated attacks at all levels, from low-level opportunistic hackers to industrial espionage and cyber criminals. Honeywell is a founding member of the ISA Global Security Alliance, which means that all of our products go through ISA62433 security requirements from their inception.

Honeywell’s story begins 100+ years ago as a global leader in industrial manufacturing and advanced technology. We have used that expertise to drive cybersecurity innovation with over 15 years as a key leader in industrial cybersecurity solutions helping transform and protect the world’s most critical infrastructures. Our broad portfolio includes Operational Technology (OT) cybersecurity software products and services that allow customers to simplify, strengthen and scale industrial cybersecurity across an enterprise.

Our global team of 300+ Certified Cybersecurity Experts has successfully implemented 5,000+ cybersecurity projects, managed 400+ industrial cybersecurity sites, conducted hundreds of risk assessments and has the breadth of resources to help execute projects of every size and complexity across 70 industry sectors, often involving critical infrastructure and national security. These include: supply chain, healthcare, oil and gas, refining, pulp and paper, industrial power generation, chemicals and petrochemicals, biofuels, life sciences, CPG, F&B, utilities, water/waste, metals, minerals and mining industries.

Honeywell’s large footprint in multiple industries gives us a broad view of emerging cybersecurity threats in their earliest stages in industries where the typical cybersecurity offerings are not usually present. This allows us to identify issues, develop countermeasures and deploy them to our customers earlier than our competition in this industry that usually does not receive attention. We also leverage relationships to receive pre-disclosures of vulnerabilities from industry councils and partners including Intel, Qualcomm and Google as well as from our participation and work with various organizations such as ICS-CERT (concentrated around Industrial Controls), NVD, DHS CISA and many more. Furthermore, Honeywell’s size, strength and global presence allows us to leverage the broad investment in security across our enterprise.

Cybersecurity is core to Honeywell. We design security into our products, policies and processes. Our baked-in-from-inception, design-to-delivery approach to cybersecurity places a strong emphasis on building security into products to anticipate and mitigate risk before a breach can happen. We do this by embedding deep domain knowledge, product testing and the security requirements of industry-leading security practices throughout our full design and development process, to ensure our solutions are as secure as possible from the start.

We aim to make our solutions as free of vulnerabilities and attack surface as possible through such measures as continuous testing, authentication safeguards and adherence to best programming practices. We believe security must evolve with the product that our customers purchase. A group of dedicated white-hat penetration testers holding industry-leading certifications such as OSCE/OSCP, completely independent from the engineering team, continuously tests our solutions to ensure we meet the highest standards for defense.

Contact a Honeywell Solutions Expert today!  Call 1-800-934-3163.

[1] https://arstechnica.com/information-technology/2019/05/stolen-nsa-hacking-tools-were-used-in-the-wild-14-months-before-shadow-brokers-leak

[2] Gartner, Deploy Effective Supply Chain Strategies to Fortify Cybersecurity, Mark Atwood, Katell Thielemann, Kamala Raman, published July 30, 2019

[3] Forrester, Top Cybersecurity Threats In 2019, Josh Zelonis, published December 10, 2018

[4] NIST, Best Practices in Cyber Supply Chain Risk Management

Copyright © 2020 Honeywell International Inc. All rights reserved.

Barry J. Ewell

Barry J. Ewell is a Senior Content Marketing Communications Specialist for Honeywell Safety and Productivity Solutions. He has been researching and writing on supply chain topics since 1991.