Supply chain/third party breaches are highly damaging and costly
The recent reports on the SolarWinds breach are testimony to the impact of supply chain/third party breaches. Approximately 18,000 companies received the compromised SolarWinds Orion update. Further, the Cybersecurity and Infrastructure Security Agency (CISA) says malicious actors used initial access vectors beyond the SolarWinds Orion backdoor: the agency found “evidence of additional initial access vectors and tactics, techniques, and procedures, but the new vectors are still under investigation.” (Source: www.cybersecuritydive.com/news/cisa-initial-access-vectors-solarwinds-orion/592419)
A recent risk management report issued by Claroty stated that the SolarWinds attack “has again put defenders’ focus back on the supply chain.” (Source: www.cybersecuritydive.com/news/solarwinds-fallout-dragos-ceo/594633) The report said that organizations “need more scrutiny on their partners, contractors, vendors, and other entities with credentialed access to internal systems, or manufacturers of hardware and firmware they may be purchasing.” Claroty’s report concludes that incidents like the SolarWinds attack “demonstrate the fragility of some perimeter-based defenses and the eventuality that these attacks will land on ICS and [supervisory control and data acquisition] equipment.”
Critical infrastructure entities will incur costs if they are breached and do not have an appropriate protection program. According to a Moody’s cyber risk outlook report (Source: www.cybersecuritydive.com/news/supply-chain-attacks-could-open-up-vendor-competition-moodys-says/594354), cyberattacks on the software supply chain are raising the threat of reputational damage and loss of trust. Moody’s also states that “the continued rise of ransomware attacks against companies may force changes in cyber insurance policies and coverage, with insurers raising premiums and modifying coverage to make sure companies take preventative measures.”
So what do you do?
Incorporating your supply chain/third parties into your Enterprise Risk Management Program is a start. This risk area needs to be vetted and rated against the other cyber risks to your organization, such as insider risks, unpatched system risks, and remote-work risks. In most of AESI’s risk management engagements, we find that supply chain/third party is in fact the most significant cyber risk that our client faces.
And then the following five-step plan should be implemented:
- Adopt the supply chain/third party controls from an authoritative standard, e.g. the NIST Cybersecurity Framework or NERC CIP
- Stack rank your supply chain/third parties from a risk perspective
- Apply the controls commensurate with the risk associated with the third party
- Manage your supply chain/third parties as if they are an internal group
- Monitor, exchange information with peer entities, improve continuously
AESI Can Help
AESI has developed a robust Supply Chain/Third Party Cyber Security Management Program based on authoritative standards. For Bulk Electric System entities AESI uses the NERC CIP-013 standard, and for all other critical infrastructure entities AESI uses the NIST Cybersecurity Framework and the NIST SP 800-37 Risk Management Framework. AESI has deep experience with these frameworks and has developed a proven methodology for risk management of supply chain/third parties.
AESI’s process starts with a discovery phase to gain insight into your supply chain/third party arrangements. We then move into a detailed analysis phase in which we review the contracts, documentation, and security programs of your third parties, and assess the access those third parties have to your environments. In the analysis phase we identify the gaps against the standards and then prioritize those gaps based on risk. The recommendations are discussed and finalized with you so that they are manageable and implementable. Our deliverables include a detailed report with the gap assessment, a long-term roadmap, and tools that you can use to self-manage your Supply Chain / Third Party Risk Program.
AESI’s services will provide you with the following benefits:
- One comprehensive framework encompassing your IT, Operational Technology (OT) and enterprise environments
- Effective management of your new #1 cyber security risk
- Standards-based approach for longevity and evolution of the program
- Increased cyber resiliency and maturity via a long-term action plan with clear roles and responsibilities and cross-functional buy-in
- Knowledge transfer and tools that will enable you to self-manage your own supply chain / third party program
- Documented proof of duty of care in the event of litigation claims or insurance claims
“G3 Canada engaged AESI as a co-source internal audit partner for a cyber security assessment based on the NIST Cybersecurity Framework. We were very pleased with the detail and thoroughness of their work, including their analysis of supply chain / third party cyber security risks.”
Jon Bray, CPA, CA, CIA
Vice-President, Audit & Risk Management, G3 Canada
“ElectriCities of North Carolina engaged AESI for a comprehensive cyber security assessment. AESI used the NIST Cybersecurity Framework as the authoritative set of controls and provided a detailed assessment of supply chain / third party cyber security risks including potential financial impacts. This assessment has provided us with a clear cyber security risk management plan going forward.”
Vice President, Information Technology, ElectriCities of North Carolina, Inc.
We are pleased to offer a 15% discount for those entities that sign up for AESI’s Supply Chain / Third Party services by June 30, 2021.
We would be pleased to discuss your specific requirements and our services with you. For a no-charge consultation with one of our cyber security specialists please provide your contact information below and one of our team members will contact you.