How to Align the NIST Cybersecurity Framework Across the Supply Chain

We have seen an increasing number of disruptions caused by cyberattacks throughout the supply chain – many of them recent – which have led to critical operational disruptions, significant damage to brand and reputation, product safety, loss or theft of intellectual property and substantial fines and fees.

Gartner says, “Cybersecurity is an issue for all business processes and capabilities. The supply chain, however, stands alone in the number of “handoffs” from raw material to product or service delivery. All the functional areas of an integrated, end-to-end supply chain – plan, source, make, deliver and customer service – are potential touchpoints where cyberthreats could occur. This also includes handoffs across the extended supply chain with suppliers and customers.”¹

Supply chain cyberattacks have many goals, from ransom, to disruption of service,  to sabotage and IP theft. They can take many forms, target IT and operational technology (OT), and hit every domain and any node. This includes the physical flow of assets – anywhere in the processing, packaging and distribution process – to the virtual flow of data or software across connected devices and systems. Attacks can hit anyone in the ecosystem, from your software provider to a supplier.

These examples underscore the breadth and depth of the problem as shared by Gartner:

• In June 2019, ACSO, a major supplier to commercial and military aircraft manufacturers, saw production stop at its factories across four countries due to a ransomware attack.
• Norsk Hydro was forced to switch to “manual mode” in some of its smelting plants as operations were impacted by the LockerGoga ransomware attack in March 2019.
• In the recent ShadowHammer attack on Taiwanese hardware manufacturer ASUS, a bad actor managed to infiltrate code updates that the company was, in turn, pushing out to its end customers.
• The NotPetya ransomware attack of June 2017 quickly spread globally from a tax preparation program in the Ukraine to devastating effect for major global companies. Among them, pharmaceutical manufacturer Merck suffered almost $1 billion in damages in the attack.
• In defense environments, supply chain risks are rising to the top of concerns, given the very large and complex defense industrial base. Numerous contractor breaches have been reported. Per a recent U.S. Navy report, “It is not beyond imagination that someday a naval combatant would fail to sail because the supply system vectored the wrong grade of lube oil for the LM2500 engines” due to a cyberattack.

According to Symantec’s Internet Security Threat Report, supply chain attacks increased 78% in 2018.² This rate of increase pertains to the software supply chain, where attacks “include hijacking software updates and injecting malicious code into legitimate software.” This is a great concern for software developers, and for products across all industries from the physical supply chain that include embedded software.

It is probably impossible to quantify the exact rate of increase of supply chain cyberattacks. But they are happening and whether they directly target the supply chain, or the supply chain becomes collateral damage due to a more enterprise-wide outage, supply chain leaders are worried.

While definitive numbers are hard to pinpoint, the trend is clear: Bad actors will act wherever they see an opportunity and supply chains, which extend the envelope of enterprise risks to all business ecosystem participants, are fair game. In the ever-changing landscape of cybersecurity, being the weakest link to attack is the most dangerous place to be.

When concerned boards and executives start paying attention to supply chain risks, the first people they will turn to, in addition to supply chain leaders, are IT security and risk management (IT SRM) leaders. Gartner data shows that the connectivity between supply chain leaders and other corporate groups focused on data security needs targeted attention.

In the Future of Supply Chain Study³, global supply chain leaders were asked: “In terms of data security/IT incidents as a supply chain risk, which of the following capabilities does your company have?” The study documented two critical governance gaps:

• Only 32% have data security integrated into the overall supply chain risk management program.
• Just 32% have supply chain included in corporate data security SWAT teams and committees.

The study also uncovered important technical gaps such as:

• 64% of global supply chain leaders have IT security for data and applications for their own resources.
• In addition, 51% have such security in place for partner portals used in the supply chain.

Particularly worrisome are the high numbers of respondents, often exceeding 25%, who answered, “no plans to use” and “don’t know” when asked what capabilities supply chain leaders are trying to protect and how mature the efforts are. Are supply chain leaders having supply chain cybersecurity discussions with their IT SRM leader counterparts or do they not understand the approach? Either way, this data shows the need for better coordination between IT, security and supply chain to address the expanding risk frontier.

Supply Chain Alignment to NIST Cybersecurity Framework (CSF) 1.1

In April 2018, the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) released version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity (nicknamed the Cybersecurity Framework, or CSF for short). Version 1.1 now includes supply chain security, offering a common language for understanding, managing and expressing supply chain cybersecurity risk. The NIST CSF is currently a widely adopted framework according to a recent Gartner survey.

The CSF’s five Functions – Identify, Protect, Detect, Respond and Recover – were selected because they represent the five primary pillars for a successful and holistic cybersecurity program. They aid organizations in easily expressing their management of cybersecurity risk at a high level and enabling risk management decisions. Gartner suggests, “With the addition of supply chain risk management consideration, supply chain strategy leaders can now work with IT SRM leaders who can bake supply chain cybersecurity into each of the identify, protect, detect, respond and recover core functions of the NIST CSF.”⁴

Identify

The Identify Function assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data and capabilities. Understanding the business context, the resources that support critical functions and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Key Supply Chain Questions for Identify

1. Do you have supplier evaluation criteria aligned to your risk profile?
2. Are your vendors worthy of your trust?
3. Does growing supply chain integration across the ecosystem mean you have shared sensitive information with more vendors than you should?
4. Do you have adequate contractual language in place?

Key Supply Chain Actions for Identify

1. Inventory high-value systems, data and vendors across the supply chain.
2. Document the organization’s business model, role in the overall supply chain and resilience requirements as a result.
3. Map supply chain cybersecurity, safety and resilience roles and responsibilities.
4. Research supply chain legal and regulatory requirements.
5. Determine supply chain risk profiles using threats, vulnerabilities, likelihoods and impacts.
6. Develop adequate contractual terms, allowing for supplier audits and evaluations.
7. Rank suppliers and third-party partners in terms of criticality and ensure appropriate contractual clauses are in place for audits, response plans and recovery testing.

Protect

The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Check out the Honeywell Android Security guide.

Key Supply Chain Questions for Protect

1. What safeguards are available?

• Identity management, authentication and access control
• Awareness and training
• Data security
• Information protection processes and procedures
• Maintenance
• Protective technology

Key Supply Chain Actions for Protect

1. Ensure supplier physical/remote access is managed, verified, revoked and audited.
2. Ensure supplier access authorization uses least privilege and separation of duties.
3. Review network segregations, segmentations and firewalls for all data sharing across the supply chain.
4. Deploy multifactor authentication for applications that contain data of high value.
5. Ensure your data security training for employees and suppliers includes supply chain data security.
6. Ensure encryption for data at rest and in transit especially for personally identifiable information such as Name, Date of Birth, Social Security Number, National ID number, etc.
7. Develop and enforce a critical patching process.
8. Design hardware integrity-checking mechanisms.

Detect

The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.

Key Supply Chain Questions for Detect

1. What techniques can identify incidents?

• Anomalies and events
• Cybersecurity continuous monitoring
• Detection processes

Key Supply Chain Actions for Detect

1. Develop supply chain cybersecurity baselines that can be used to detect anomalies.
2. Review your event data sources and sensors to ensure they provide supply chain cybersecurity-related information.
3. Participate jointly with critical suppliers on red teams, pen testing.
4. Establish and test escalation paths.

Respond

The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.

Key Supply Chain Questions for Respond

1. What techniques can contain impacts of incidents?

• Response planning
• Communications
• Analysis
• Mitigation
• Improvements

Key Supply Chain Actions for Respond

1. Design response plans with clear roles and responsibilities.
2. Design downtime procedures (for example, business without IT).
3. Design joint emergency communication systems with critical suppliers.
4. Design redundant suppliers.

Recover

The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.

Key Supply Chain Questions for Recover

1. What techniques can restore capabilities?

• Recovery planning
• Improvements
• Communications

Key Supply Chain Actions for Recover

1. Design recovery plan with clear roles and responsibilities.
2. Develop alternate sources of supply lists.
3. Invoke contract clauses.
4. Agree with critical suppliers on public relations services.

Honeywell's Pillars to a Foundation of Trust

Every day, around the world, businesses are at risk of cyberattacks. Honeywell acknowledges the risk and believes the best way to minimize attacks and the losses that result from them is to take a pervasive and holistic approach to security. Pervasive means Honeywell approaches security from multiple angles, which include gathering intelligence on cyber events in multiple industries, building protections directly into devices and software, and maintaining a 24/7 level of vigilance on the cyber climate. A holistic approach to security means that we need to pay attention to the entire picture and individual aspects of a product offering.

Honeywell aims to integrate all these elements designed to safeguard an organization to empower our customers to build a solution with security built in from the beginning. We focus on protecting you and our products (e.g., mobile computers, scanners and printers) against sophisticated attacks at all levels, from low-level opportunistic hackers to industrial espionage and cyber criminals. Honeywell is a founding member of the ISA Global Security Alliance, which means that all of our products go through ISA62433 security requirements from their inception.

Honeywell’s story begins 100+ years ago as a global leader in industrial manufacturing and advanced technology. We have used that expertise to drive cybersecurity innovation with over 15 years as a key leader in industrial cybersecurity solutions helping transform and protect the world’s most critical infrastructures. Our broad portfolio includes Operational Technology (OT) cybersecurity software products and services that allow customers to simplify, strengthen and scale industrial cybersecurity across an enterprise.

Our global team of 300+ Certified Cybersecurity Experts have successfully implemented 5,000+ cybersecurity projects, managed 400+ industrial cybersecurity sites, conducted hundreds of risk assessments and have the breadth of resources to help execute projects of every size and complexity across 70 industry sectors often involving critical infrastructure and national security. These include: supply chain, healthcare, oil and gas, refining, pulp and paper, industrial power generation, chemicals and petrochemicals, biofuels, life sciences, CPG, F&B, utilities, water/waste, metals, minerals and mining industries.

Honeywell’s large footprint in multiple industries gives us a broad view of emerging cybersecurity threats in their earliest stages in industries where the typical cybersecurity offerings are not usually present. This allows us to identify issues, develop countermeasures and deploy them to our customers earlier than our competition in this industry that usually does not receive attention. We also leverage relationships to receive pre-disclosures of vulnerabilities from industry councils and partners including Intel, Qualcomm and Google as well as from our participation and work with various organizations such as ICS-CERT (concentrated around Industrial Controls), NVD, DHS CISA and many more. Furthermore, Honeywell’s size, strength and global presence allows us to leverage the broad investment in security across our enterprise.

Cybersecurity is core to Honeywell. We design security into our products, policies and processes. Our baked-in-from-inception approach to cybersecurity, design-to-delivery process has a strong emphasis on building security into products to anticipate and mitigate risk before a breach can happen. We do this by embedding deep domain knowledge, product testing and security requirements of industry-leading security practices throughout our full design and development process to ensure our solutions are as secure as possible from the start.

We aim to make our solutions as free of vulnerabilities and attack surface as possible through such measures as continuous testing, authentication safeguards and adherence to best programming practices. We believe security must evolve with the product that our customers purchase. A group of dedicated white-hat penetration testers with industry-leading certifications such as OSCE/OSCP, completely independent from the engineering team, continuously test our solutions to ensure we have the highest standards for defense.

¹ Source: Gartner, Deploy Effective Supply Chain Strategies to Fortify Cybersecurity, Mark Atwood, Katell Thielemann, Kamala Raman, Published 30 July 2019
² Symantec ISTR, February 2019
https://img03.en25.com/Web/Symantec/%7B984e78e2-c9e5-43b8-a6ee-417a08608b60%7D_ISTR_24_2019_April_en.pdf?elqTrackId=3b60a2f23b38434c9ca9afa7ce30e0a8&elqaid=6820&elqat=2
³ Source: Gartner, Deploy Effective Supply Chain Strategies to Fortify Cybersecurity, Mark Atwood, Katell Thielemann, Kamala Raman, Published 30 July 2019
⁴ Source: Gartner, Deploy Effective Supply Chain Strategies to Fortify Cybersecurity, Mark Atwood, Katell Thielemann, Kamala Raman, Published 30 July 2019

Copyright © 2020 Honeywell International Inc. All rights reserved.