COVID-19 has changed virtually every aspect of how business is done – and the global supply chain has not been spared. Indeed, companies have been rapidly overhauling their manufacturing, warehousing and distribution operations to produce and deliver life-sustaining goods to meet high demands for food, drugs and medical supplies.
But with eyes keenly focused on the coronavirus, another hidden enemy can easily sneak up: malicious cyber actors, who may try to exploit and attack supply chains while they are overwhelmed and vulnerable.
With that in mind, SC Media assembled a virtual panel of experts, asking them to address the current state of the COVID-19 supply chain, and what their recommended game plan would be to protect it.
Our virtual panelists:
- Mike Hamilton: co-founder and CISO of CI Security and former CISO of the city of Seattle
- Marty Edwards: VP of operational technology, Tenable and former ICS-CERT director
- Chris Scott: global remediation lead, IBM X-Force Incident Response and Intelligence Services
SC Media: Describe the supply chain challenges posed by the novel coronavirus. And explain why companies such as Dyson, Ford, GM and Dior may potentially have a target on their back after rapidly converting their facilities to produce critical COVID-19 supplies such as personal protective equipment and ventilators.
MH: It’s because of the conversion of operational technologies to a different manufacturing focus, the fact that it had to be done quickly rather than as a year-long managed project, and that those companies hold valuable intellectual property – a target for theft – and are now performing a critical manufacturing job for the U.S. – a prime target for ransomware/extortion.
ME: All eyes are on these companies right now. They’re producing the most in-demand, critical supplies the country needs during this crisis. Unfortunately, this type of interdependency is intriguing to cybercriminals who are looking to disrupt operations and monetize their efforts.
SC Media: What are some of the supply chain vulnerabilities of greatest concern under these circumstances?
CS: As the world reacts and adapts to operations amidst the COVID-19 pandemic, many of the threats we were seeing before the crisis remain the same. However, the way we access and monitor systems has changed, and this is where new risks are introduced.
From a supply chain perspective, manufacturers typically still have legacy components in their infrastructure that suddenly need to be accessible remotely. Now that these systems are being brought out of isolation and connected to the internet for remote management, it can potentially open them up to vulnerabilities and flaws if they haven’t been properly secured and/or patched. The question then becomes: If we connect this to the network so we can access it remotely, does it open up a new vulnerability? Is my SOC adequately prepared to remotely manage the new risk profile it creates? Are internal staff monitoring security alerts and responding to them remotely in the same fashion they would when on site?
ME: By and large, cybercriminals go after the low-hanging fruit of a network. That means they’re likely looking for known, but unpatched, vulnerabilities on either the IT or OT side of the house. They might also capitalize on the surge of inbound emails by targeting employees with phishing attacks. But with scaled-down workforces, there’s the risk that some organizations’ security posture might slip simply because fewer people are available to maintain normal operations.
MH: A mistake in the security architecture of operational technology – for example, default settings left in place and failure to segment new networks correctly – can be an entry point.
Threat vectors would be the supply chain as the capability is built out; wireless networks set up quickly to avoid stringing new wires; and potentially the fact that the engineers and architects are working remotely and susceptible to targeted messaging.
SC Media: Now that we’ve laid out the challenges, what is your recommended supply chain game plan for CISOs and their security teams?
MH: Since the networks have been built quickly and likely without regular oversight, it’s important to conduct a security assessment of new architectures and develop a corrective action plan, prioritizing newly-created exposures that may be entry points into other areas of the corporate network. Evaluate preventive controls that are reasonable, focusing on segmentation and separation to the extent possible. Also, because the likelihood of a security event cannot be driven to zero, invest in detection technology for the manufacturing operation, specifically products that are capable of aberrational event detection and alerting in operational technology environments.
Messaging to employees: We’re a target for a number of reasons. Ensure all personal use of the Internet is on a personal device. Do not use services such as Facebook, Gmail, etc. on company systems, or those systems that are used to perform company work.
CS: The first step is to clearly communicate the risks to business leaders, particularly the risks associated with having to do everything remotely and what procedures and processes need to be put in place in order to manage them effectively. Start by taking inventory of critical systems and assessing the risks of having to manage them remotely. Identify which systems absolutely need to be online and how to secure them.
In many cases, a managed service option might make the most sense – like a managed detection and response solution that can provide monitoring services 24/7. If an organization wasn’t staffed to monitor all systems 24/7 remotely, it makes more sense to deploy a solution that can be scaled to meet these new needs, rather than temporarily staff up and then have to deal with potentially letting those new employees go once needs shift again.
ME: I think, at times like this, you have to stick to the basics. With a higher than normal percentage of employees working remotely, obviously the security of those systems is paramount. But all of the remote connections into networks bring a broader attack surface. The first steps would be to practice basic cyber hygiene, ensuring that you know where all of your devices are with good asset inventory, and then identifying and prioritizing any that are vulnerable.