Why organisations really should prioritise supply chain risk as part of their security strategy

New Zealand Security Magazine - Update

Supply chain
The nature and methods of supply chain attacks are constantly changing. Image: Photoshop generated.

According to cybersecurity provider Trustwave, organisations must develop strong programs to manage supply chain risks, both known and unknown, and prioritise their most critical assets.

Supply chain attacks exploit vulnerabilities in the network of suppliers, distributors, and other third-party partners to gain unauthorised access to sensitive data and systems. The complexity and opacity of modern supply chains often leaves businesses exposed to significant risks, ranging from operational disruptions to data breaches.

Protecting the soft underbelly

“Including supply chain security as a key component of an organisation’s overall security strategy is crucial,” said Craig Searle, director, consulting and professional services (Pacific), Trustwave. “This ensures that the most important parts of the organisation are protected, supporting the enterprise’s long-term stability and success.

Supply chain attacks target less secure elements in the supply network of an organisation. In software supply chains, for example, attackers can compromise software distributed by a legitimate vendor, impacting end users of that software.

“By understanding the latest trends and threats, and implementing best practices for supply chain security, organisations can better protect themselves against the potentially devastating impacts of a breach.”

This approach has been observed in various high-profile incidents, such as the SolarWinds attack discovered in December 2020, where malicious code was inserted into the company’s software updates, affecting thousands of customers, including government agencies and large corporations.

“The nature and methods of supply chain attacks are constantly changing, becoming more sophisticated over time, said Searle. “As attackers innovate, the methods to infiltrate supply chains become more accessible, lowering the barriers for potential attackers to execute such operations.

“The proliferation of malicious packages in open-source software repositories has made it easier for attackers to exploit vulnerabilities in widely used software components. This trend is exacerbated by the growing reliance on open-source software, which, while fostering innovation and collaboration, also introduces new risks.”

Critical infrastructure at risk

Organisations face a number of concentration risks within their supply chains, particularly in extended networks that include fourth-party and systemic dependencies.

These risks are amplified in sectors critical to national infrastructure—for example, healthcare, telecommunication, financial services, transportation, and energy—where a breach in a single supplier can have far-reaching impacts on operational resilience and systemic stability. This means it’s crucial for organisations to gain visibility into their entire supply chain and collaborate with industry peers and regulators to mitigate these risks.  

State-sponsored cyberattacks have evolved into a formidable threat, with the capacity to destabilise sectors and entire economies. These actors, backed by national interests, deploy increasingly advanced tactics.

Their strategies extend beyond targeting critical infrastructure; they now sophisticatedly exploit human vulnerabilities through social engineering. The current global geopolitical situation indicates a probable escalation in such attacks.  

The Australian Cyber Security Centre (ACSC), for example, acted against a series of state-sponsored cyber activities that targeted Australian institutions in 2020. These attacks were aimed at government agencies, industry, political organisations, educational institutions, health services, essential service providers, and operators of other critical infrastructure.

The ACSC identified the tactics, techniques, and procedures (TTPs) used in these attacks. These included spear-phishing to exploit human vulnerabilities and the deployment of sophisticated malware to infiltrate systems.

To combat these evolving threats, and protect their supply chains, Trustwave highlighted that organisations must:  

  • implement comprehensive security measures, including secure coding practices, thorough vetting of third-party vendors and deploying endpoint detection and response (EDR) solutions to protect against cyber threats
  • enhance supply chain transparency and security by leveraging technologies like blockchain for immutable transaction records and invest in artificial intelligence (AI) for improved predictive capabilities and operational efficiency
  • cultivate a strong security culture within the organisation and among supply chain partners through regular security awareness training, sharing of best practices, and collaborative security initiatives, making security a shared responsibility to reduce vulnerability to attacks.

“The security of supply chains is a complex issue that requires concerted efforts from all stakeholders,” said Searle.

“By understanding the latest trends and threats, and implementing best practices for supply chain security, organisations can better protect themselves against the potentially devastating impacts of a breach.”

The NZ PSR and supply chain security

Within the New Zealand Government’s Protective Security Requirements (PSR) the management of supply chain security is covered under the GOV5 mandatory requirement – manage risks when working with others.

Although only mandated government agencies are required to comply with the PSR, the PSR is nevertheless considered by government as suitable for both public and private sector organisations.

Part of the PSR’s Security Governance domain, GOV5 requires that organisations “Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.”

The requirement lists twelve principles that organisations should follow in order to gain and maintain control of their supply chain. These twelve principles are divided into four stages:

Understand the risks

1. Understand what needs to be protected and why

2. Know who your suppliers are and build an understanding of their security measures

3. Understand the security risks posed by your supply chain.

Establish control

4. Communicate your view of security needs to your suppliers

5. Set and communicate minimum security requirements for your suppliers

6. Build security considerations into your contracting process and require your suppliers to do the same

7. Meet your own security responsibilities as a supplier and consumer

8. Raise awareness of security within your supply chain

9. Provide support for security incidents.

Check your arrangements

10. Build assurance activities into your supply chain management.

Seek continuous improvement

11. Encourage the continuous improvement of security within your supply chain

12. Build trust with suppliers.

For more information on supply chain within the PSR, visit the New Zealand Government PSR website.