In a survey of 285 security professionals working in critical infrastructure organizations, only 26 percent of respondents said they are “very familiar” with supply chain security, the report states. The report defines supply chain security as the practice of extending risk management and information security best practices to the external parties that provide IT equipment, services or business applications to an organization.
Not surprisingly, critical infrastructure companies are falling short when it comes to supply chain security, the survey found. Just 10 percent of respondents, for example, are following best practices when auditing the internal security processes of their IT vendors.
Most of the time, assessments are conducted “haphazardly” and are not thorough, according to the report. Sometimes security audits do not even have an impact on IT procurement.
Organizations are auditing their IT vendors more consistently than they audit professional services firms, resellers and distributors, according to the report. That gap leaves IT systems and equipment potentially vulnerable to compromise while in transit or when they are being added to a production network.
“A professional services person could put a logic bomb in, misconfigure systems, insert a USB drive and inject malicious code,” Jon Oltsik, senior principal analyst at Enterprise Strategy Group, who authored the report, told SCMagazineUS.com on Tuesday.
In fact, there is evidence that the now-infamous Stuxnet worm was introduced into Siemens control systems through an infected USB drive, the report states.
Jeff Bardin, chief security strategist at security firm XA Systems, said it is “scary” that some critical infrastructure organizations have no concept of cyber supply chain security.
Most hardware and software nowadays is developed outside of the United States, he told SCMagazineUS.com on Tuesday. The concern is that IT products built overseas could contain embedded backdoors and other advanced malware that could allow for espionage or damaging attacks.
“I don't think organizations are focused on looking for threats along the cyber supply chain,” Bardin said. “They are looking at it, but they have a long way to go. They are still fighting the battles at the perimeter. They are still deploying basic tools.”
The survey found that one-fifth of respondents believe their organization's security policies, procedures and technology safeguards are “fair” or “poor.”
“Because they are critical infrastructure, there is a civic duty to keep their systems and services up and running, but they are not doing the type of due diligence that you would expect,” Oltsik said. “My fear is [that] before we address these things, there will be a real serious attack, and we will learn the hard way.”
Most organizations surveyed have already experienced breaches, the survey found. Sixty-eight percent of respondents said their organization has suffered a breach in the past two years, and 13 percent said they have experienced more than three in that time, according to the report.
Interestingly, organizations with the strongest security policies, procedures and defenses reported the highest number of security breaches, Oltsik said. That is because less mature companies don't even realize they are being infiltrated.