Supply Chain Security Gaps: ISACA Report
Cyber threats are rampant throughout the supply chain—as demonstrated by bad actors targeting food suppliers and cyber pirates with the potential to create havoc at sea.
In late April, the FBI’s Internet Crime Complaint Center (IC3) issued an industry alert about the potential for ransomware attacks on agricultural cooperatives targeting critical planting seasons.
In its summary, the FBI described the threat like this:
“The Federal Bureau of Investigation (FBI) is informing Food and Agriculture (FA) sector partners that ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss, and negatively impacting the food supply chain. The FBI noted ransomware attacks during these seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer. Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production…”
As Supply Chain Dive reporter Matt Kapko noted in his coverage of the warning, “Potential points of entry span a sweeping supply chain, legacy equipment and systems that lack modern security tools. Threat actors are exploiting these weaknesses when companies are most vulnerable.”
A recent Bloomberg article by Brendan Murray cited another government agency urging increased vigilance: the U.S. Coast Guard.
“In February 2019, a large container ship sailing for New York identified a cyber intrusion on board that startled the US Coast Guard,” Murray wrote. “Though the malware attack never controlled the vessel’s movement, authorities concluded that weak defenses exposed critical functions to ‘significant vulnerabilities.’”
He said that event served as a “warning flare” regarding “an emerging threat to global trade: cyber piracy able to penetrate on-board technology that’s replacing old ways of steering, propulsion, navigation and other key operations.”
The ISACA Report: Supply Chain Security Gaps
Both Kapko and Murray take a deeper dive within their stories to demonstrate the growing cybersecurity risks for supply chain stakeholders that typically include third- and fourth-party risks.
In that light, it’s no wonder ISACA’s recently released Supply Chain Security Gaps: A 2022 Global Research Report revealed low levels of confidence among many technology professionals when it comes to supply chain security.
According to a press release announcing the report, of the more than 1,300 IT professionals “with supply chain insight” who weighed in about supply chain security dynamics at their organizations:
25%—said their organization’s supply chain had experienced an attack in the previous 12 months
30%—said the leaders of their organizations “do not have sufficient understanding of supply chain”
44%—indicated a “high confidence in the security of their organization’s supply chain”
44%—indicated a “high confidence in the access controls throughout their supply chain”
53%—said they “expect supply chain issues to stay the same or worsen over the next six months”
Key concerns cited by survey respondents included the following five:
Poor information security practices by suppliers (66%)
Software security vulnerabilities (65%)
Third-party data storage (61%)
Third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%)
“Our supply chains have always been vulnerable, but the COVID-19 pandemic further revealed the extent to which they are at risk from a number of factors, including security threats,” said Rob Clyde, past ISACA board chair, NACD Board Leadership Fellow, and executive chair of the board of directors for White Cloud Security. “It is crucial for enterprises to take the time to understand this evolving risk landscape, as well as to examine the security gaps that may exist within their organization that need to be prioritized and addressed.”
In terms of action, of those surveyed:
84%—said their organization’s supply chain “needs better governance than what is currently in place”
Nearly 20%—said their supplier assessment process “does not include cybersecurity and privacy assessments”
39%—said they “have not developed incident response plans with suppliers in case of a cybersecurity event”
60%—said they “have not coordinated and practiced supply chain-based incident response plans with their suppliers”
49%—said they “do not perform vulnerability scanning and penetration testing on the supply chain”
“Managing supply chain security risk requires a multi-pronged approach entailing regular cybersecurity and privacy assessments and the development and coordination of incident response plans, both in close collaboration with suppliers,” said John Pironti, president of IP Architects and a member of the ISACA Emerging Trends Working Group. “Building strong relationships with your organization’s suppliers and establishing ongoing channels of communication is a key part of ensuring that reviews, information sharing and remediations happen smoothly and effectively.”
5 Key Steps to Improve Supply Chain Security
The report announcement included a link to an article authored by Pironti, “Five Key Considerations for Improving IT Supply Chain Security.” In the intro, he describes the reality at too many organizations.
“In many cases, organizations either fail to consider their IT supply chains in security risk assessments or rank the risk associated with them low enough so that such risk is not effectively or actively monitored and mitigated,” Pironti writes. “Adversaries have become keenly aware of this and are shifting their focus from direct attacks on their intended targets to indirect ones through the vendors, services and capabilities on which organizations rely.”
As a result, he recommends the following five steps (please see the article for more comprehensive guidance):
“You cannot protect what you do not know. Develop and maintain an inventory of suppliers and the capabilities they provide.”
“Require disclosure of open-source software components.”
“Conduct a threat and vulnerability analysis of key third parties for your business.”
“Create a technical and organizational measures contract addendum for supply chain contracts.”
“Trust, but verify. Conduct evidence-based reviews of key third parties.”
As David Samuelson, ISACA CEO said in the press release announcing the organization’s report, “To advance digital trust, there needs to be a level of confidence in the security, integrity and availability of all systems and suppliers. As we have seen from previous incidents, customers do not differentiate between an attack on an element of your supply chain and an attack on your own systems. Now is the time to take swift and meaningful actions to improve supply chain security and governance.”
In the following July 21st ISACA presentation about managing supply chain risk, ISACA's risk expert Paul Phillips and Richard Hollis, CEO of Risk Factory and an ISACA Conference Europe speaker, discuss report findings and “examine top cyber risks impacting the supply chain, steps organizations need to take to manage supply chain risk, and important steps to take in the contract process.”
To read the full Supply Chain Security Gaps report and access additional resources, visit www.isaca.org/supply-chain-security.