Resource Center

Background image

Securing the Supply Chain from Identity Risk

Growing Supply Chains Require Careful Identity Governance

Introduction

The Amazon Effect is the realization that optimizing supply chains increases customer satisfaction. Buyers want what they want, and they want it now. In retail, while consumers were once used to waiting two weeks for an item they paid full price for, they now expect to receive competitively-priced physical items in as little as one hour – and many digital items immediately. This pressure to accelerate delivery and meet expectations is present for all organizations that rely on supply chains, from government entities to nuclear power plants, which is resulting in ongoing decentralization to support various aspects of product and service design, production, and delivery.

As the supply chain grows, so does the attack surface and supply chain access risk, the risk that access granted for supply chain purposes may compromise systems, expose confidential information to unauthorized disclosure, or jeopardize physical assets. As organizations have become better at preventing direct cybersecurity attacks, “attackers have moved on to indirect targets—such as third parties in the supply chain—and costs are becoming unsustainable,” according to consulting firm Accenture. Which supply chain users require access? Contractors, vendors, suppliers, partners, and non-human workers (robotic process automation (RPA), internet of things (IoT) devices, bots, and service accounts).

In fact, “indirect attacks against weak links in the supply chain now account for 40 percent of security breaches,” according to Accenture’s State of Cybersecurity Report.

Misuse of company information can impact any aspect of the supply chain. For instance, supply chain risks could compromise:

  • Product and software design and development
  • Intellectual property
  • The procurement of raw materials
  • Production/product delivery
  • Operations, inventory management, and order fulfillment
  • The movement and storage of raw materials, parts, and the finished product
  • Software downloads and updates
  • Product maintenance and retirement

At worst, supply chain access can become a launch pad for nefarious activities. But not all supply chain access risk is malicious. A supply chain worker can simply fail to protect login credentials or lose confidential information in their possession. Better managing access limits the amount of information or systems affected.

Organizations need to build resilient and responsive supply chains by appropriately managing supplier access, with controls that provide scalability and frequent identity proofing to prove that the person accessing data, systems, or facilities is the person who authorized.

Supply Chain Access Challenges by Sector

Let’s consider the access challenges for a few core sectors that rely heavily on robust supply chains:

  • Government
  • Industry
  • Retail and restaurants

Although an access challenge may be more prevalent in one sector than another, all challenges likely affect all sectors and extend into additional sectors such as mining, construction, software development, and agriculture.

After all, all sectors rely to an extent on vendors and suppliers to deliver product and services. Such organizations can have two or three supply chain workers for every employee, but that volume doesn’t mean an organization is good at managing the supply chain workers. Most onboarding systems and processes are designed around regular employees and retrofitted to handle third-party workers.

In this paper, we consider two main categories of supply chain access risk for each featured sector: insider threats and access-based external threats.

Insider Threats

An insider threat is an authorized party (in this case, a supply chain worker) which deliberately or accidentally impacts the confidentiality, integrity, or availability of an organization’s sensitive information or systems. This type of threat, malicious or not, is difficult to detect because monitoring simply shows an insider using authorized access.

Access-Based External Threats

An external threat is an unauthorized party who acquires access to an organization’s resources, often by obtaining access to the credentials of an authorized user, in this case a supply chain worker. Access-based external threats include ransomware, where a user with administrative access downloads malicious software that locks the laptop until a ransom is paid.

Large organizations are also subject to more complex external attacks called Advanced Persistent Threats (APTs), characterized as being slow moving, low volume, and high value. Attackers gain a foothold using an authorized user’s credentials, attempts to escalate privileges and expand access across an organization’s network. They sometimes use legitimate penetration testing tools to identify weakness that can be exploited. Attackers may pose as a user and interact with insiders using carefully crafted scripts that mimic a user’s normal communication style. The low speed of the attack makes detection unlikely, so attackers focused on espionage linger for as long as 8 years, exporting information in small packets that looks like normal network traffic. Financially motivated organizational attacks, though still not fast moving, tend to take months instead of years, for instance completing multiple money transfers totaling up to $50 million before finally getting caught and losing the foothold. Sophisticated attackers are willing to exercise patience for large paydays or huge caches of secret information.

Advanced ransomware attacks are one type of APT. Like any ransomware attack, an advanced attack starts when an insider clicks a link or opens an attachment in a targeted phishing email. Then like any other APT, the attacker leverages a user’s access, attempts to escalate privileges, and moves slowly across the network.

Clearly, limiting supply chain access effectively limits the starting access of any attacker who acquires those credentials.

Government

Insider Threats

Government serves a diverse set of functions at the local, state, and federal levels, for instance, law enforcement, international diplomacy, and managing resources including water, the environment, traffic, real estate, security, and more. The broader the mission, the more diverse the challenges of managing supply chain access.

Government struggles with its inability to identify to a user who returns to the identity ecosystem in a different role. This allows someone who is fired from a role with an agency to return in a similar role, possibly as a contractor without the agency’s knowledge. A contractor with specialized expertise may even get the job based on their prior agency experience. Mature supply chain identity management systems allow the agency to run at least a basic search using the contractor’s first name, last name, and country and feature an involuntary termination flag to identify personnel terminated for cause. If the federal government used such a system in 2009, they could have prevented one of the largest intelligence leaks in military history. The National Security Agency would have known that the CIA had terminated an employee for cause and would have blocked his return as a contractor, preventing his access to the millions of documents about spy operations which he later posted on the internet.

External Threats

The prime external threat that government faces is spying by foreign adversaries, a pastime probably as old as man. In fact, The Art of War, a book written by Chinese military strategist Sun Tzu in about 500 BC, dedicates a chapter to The Use of Spies. In that chapter, we hear: “What enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge.”

In the years since that was written, only the tactics have changed. The ability to remotely tap into the enemy’s internal communications is a highly-convenient method of spying—yielding accurate information with no risk of losing an operative. Cyber espionage goals in government remain consistent: targeting government security secrets such as the movement of troops, intellectual property such as nuclear secrets, information about government employees and potentially disruption of operations.

A current trend in government espionage is incorporating malware into legitimate software downloads and updates. That is the story behind one of the largest supply chain breaches ever, a 2020 breach impacting 18,000 organizations including the Census Bureau, and U.S. Departments of Commerce, Treasury, and Justice.

The 2020 breach started when customers installed a software update for a network monitoring system. The update, although electronically signed by the vendor, was infested with malware which created backdoor access into customer environments. The attack was especially difficult to detect because any impact it had on network traffic was presumed to be due to the legitimate function of network monitoring. The attack was directed remotely and proceeded with the normal APT playbook of taking over an account, escalating privileges, sometimes creating new accounts in case the attacker lost control of the original account, and moving laterally in the network looking for secrets which were then presumably exfiltrated in small packets to avoid detection. From there, the attack spread to state and local government organizations as well as the European Parliament and Britain’s National Health Service. The U.S. Energy Department, National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, and national energy labs conducting atomic research also reported “highly malicious activity” affecting business systems including email (but not mission-critical systems).

In keeping with the goal of espionage, the attack was long lived, reportedly lasting from July to December 2020 for some customers. Others have discovered evidence that attacks might have begun in March. Upon discovery, the federal government took the rare step of issuing an Emergency Directive instructing all affected agencies to, in part, collect forensic evidence and power down the network devices. The reach of this breach may never be truly understood.

Industry

Insider Threats

Manufacturers and utilities rely increasingly on non-human workers for monitoring, process automation, and Industry 4.0 which is the use of the industrial Internet of Things and cyber-physical systems. In the same way a human worker is provided access appropriate to a role and that access has a sponsor, a non-human worker needs to be provided appropriate access and have a relationship with an access sponsor. Non-human workers rely on service accounts to interact with sensors and other operational technology, IoT devices, RPA, and other digital transformation initiatives. For instance, power companies use non-human workers for grid modernization and to monitor smart meters, while oil companies use sensors, sometimes numbering into the hundreds of thousands, on pipes to detect flow and environmental conditions. Industry must apply the same care in managing non-human workers as they do with human workers to ensure service accounts are not orphaned, unmanaged, or outdated. A non-human worker doesn’t have the ability to seek out a new sponsor if a sponsor leaves an organization; modern third-party identity systems make sure sponsorship is reassigned when a sponsor’s employment is terminated.

Additional supply chain access challenges faced by industry are exemplified by Airbus. In a recent webinar with SecZetta, Head of Identity Management, Julien Jaouën, revealed that the prior Airbus identity governance solution simply did not have the capabilities to smoothly handle Airbus’s 200,000 supply chain identities each of which provided access to a portion of Airbus’s 5,000 internal applications. Airbus has more supply chain identities than employees. In addition, the environment has separate military and civil perimeters. Because many members of the Airbus supply chain also have contracts with Airbus competitors, protecting intellectual property from disclosure to competitors is a major motivation in better managing supply chain access.

Airbus also needs to identify downstream access (also called fourth-party or Nth-party access), which is access by supply chain subcontractors. Many organizations consider fourth-party users an identity blind spot. “The longer your supply chain, the higher the risk for attack, because of all the supply sources in play,” according to a Microsoft blog post. The typical vendor vetting process assesses the vendor’s security but not the security of any subcontractors to whom the vendor may provide access and fails to identify whether any of the vendor’s users are actually subcontractors. This is a great use case for a system that provides identity proofing, step-up authentication, and the prevention of credential sharing.

Organizations that rely on supply chain partners for product design and development assistance should have processes and systems that prevent identify credential sharing and protect intellectual property. If credentials are shared, the organization has no ability to attribute events and activities to a single user.

In addition, while access conversations often focus on access to databases and systems, industry must also be concerned with physical access and safety. Supply chain workers must have appropriate certifications and training to be present on the manufacturing floor and working in utilities such as power, oil, and telecommunications. In addition, proximity to equipment can be used to launch physical attacks in an attempt to disrupt service.

Organizations also need to guard against insider threats caused by negligence, which, although half as expensive per incident as criminal insiders, still weigh in at more $300k+ average per incident, according to a 2020 report on insider threats costs.

External Threats

Utilities must be aware that saboteurs, particularly malicious nation states, can potentially take over supplier access and launch physical attacks. Attackers with access to legitimate credentials are effectively malicious insiders and can potentially leverage user access to reap physical destruction from a remote location, for instance causing a transformer fire or disrupting services. In fact, in 2020, the U.S. declared a national emergency, calling for additional measures to protect the bulk power system from foreign attackers.

A 2017 Verizon report found that 94% of the manufacturing breaches were classified as espionage – designed to obtain company secrets such as product design documents. Whether a manufacturer produces semiconductors, cars, or industrial windmills, it is likely to have a significant investment in research.

The Verizon report noted that state-sponsored actors are frequently behind such attacks, but it’s important to acknowledge that an increasing share of espionage cases involve non-state actors taking advantage of cost- effective ransomware as a service. Privileged misuse, typically involving malicious insiders, came in a distant second place.

Industry is also prone to advanced phishing attacks that target the CEO, CFO, or someone else with high budget authority. Called whaling, an attacker typically poses as an executive and uses internal communication channels to ask Finance staff to set up payments for a new supplier or vendor in another country. Such requests do not

seem out of the ordinary for the requester’s role. In some cases, the attacker takes over an executive’s email account but doesn’t change the password; instead, the attacker sends an email to the Finance staff and deletes the email from the Sent folder so the executive doesn’t find it; then the attacker monitors the Inbox for a response. Attackers may study standard Finance procedures, insert references to travel schedules gleaned from social media, and mimic the executive’s style of communication.

Retailers and Restaurants

Insider Threats

Today’s retailers share their manufacturing partners’ concerns about cyber-physical attacks since they are using contract manufacturing to create their own product lines, rely on transportation partners to move goods, and provide suppliers with physical access to office buildings and storefronts.

Retail and restaurant websites face additional threats created by automated website customer service. About 80% of retail and restaurant websites use automated chatbots to answers simple customer questions. A chatbot is another example of a non-human worker that requires system access. As we know, with access comes risk. When taken over, chatbots can turn malicious insiders using two primary avenues: “internal or manipulation attacks that modify the system behavior” and “external or extraction attacks that discreetly detect hidden information and attack system weaknesses.”

For the retail industry, decentralization translates into globalization. Retailers should stay aware of supply chain worker geographic location to remain compliant with local privacy regulations. For instance, GDPR provides the worker with the right to be forgotten and restricts the types of information that an employer can retain. Any identity solution used to manage supply chain access should assist in identifying the worker’s geographic location.

External Threats

Retailers and restaurants face access-based external attacks against their point-of-sale systems. The first indication of trouble may be a call from their bank noting that multiple credit cards used for fraudulent activity have been tracked back to the store. Such attacks may leverage remote access that a vendor left in place for troubleshooting. Other times, an attacker may call a store and impersonate the help desk, asking the retail worker to reveal their password over the phone. Sometimes the goal of the attack is less clear. For instance, a 2020 vulnerability in a popular point of sale system gathers and decrypts database passwords but is unable to access cardholder data; the attackers are probably collecting passwords to use in password stuffing attacks.

However, let’s keep in mind that many external threats that impact retailers and restaurants are not actually from supply chain users but rather from a different type of external user: customers. Massive account takeover schemes launched against retailers are on the rise. The challenge with customer identities is the same as with supply chain identities: detect and block fraudulent activity while allowing legitimate traffic. “Online merchants struggle to verify customer identities in near-real time without creating unnecessary friction for legitimate customers. The problem is exacerbated when transaction speed and volume is high,” according to the 2020 LexisNexis True Cost of Fraud Study.

Supply Chain Access Leads to Breaches

Security issues resulting from supply chain access:

Supply Chain Access Management Challenges

As supply chains have decentralized, organizations have used existing systems to manage supply chain workers, which means their relationship with an internal sponsor or their connection to the supply chain partner is not always clear. This has heightened certain risks such as orphaned accounts and excess privileges accumulated as a worker’s role evolves over time. The inefficiencies can also be costly, in some cases requiring up to 40 hours of staff time to onboard each third-party worker.

Typical challenges in managing supply chain access include:

  • An incomplete inventory of human supply chain workers and
  • Duplicated identities and orphaned accounts for supply chain
  • Lack of identity sponsorship to ensure that ongoing access is still
  • Inability to risk rate each identity and implement appropriate controls for the risk
  • Lack of capabilities to prove that the person logging in is matched to an
  • Reliance on quarterly access reviews and inactivity reports to identify supply chain workers who no longer need access.
  • Manual onboarding and offboarding processes that rely excessively on human
  • Expensive customizations of existing HR or Identity and Access Management systems that are not well suited for third-party identity management.
  • Inability to fluidly involve a third-party administrator who is a representative from the vendor, partner, or affiliated organization familiar with a worker’s current employment status and access.

SecZetta’s Third-Party Management Solution for Supply Chains

Ten years ago secure organizations were focused on guarding the network perimeter but perimeters these days are porous, not only because of the large volume of third-party users but also because of the use of cloud and smart technologies. That is what makes identity-centric risk management so necessary. A vendor or supplier security assessment that does not also consider access risks is a compliance driven exercise of little value in actually reducing risk. Using identity as a perimeter allows organizations to better integrate access risk identification into risk management.

SecZetta helps organizations better manage supply chain risk, improve transparency into third-party relationships, and automate, well-informed decisions about provisioning, verifying, and deprovisioning supply chain access. Our Third-Party Identity Risk Solution is collaborative and robust.

SecZetta’s solution helps organizations efficiently manage supply chain identities with:

  • Automated onboarding and offboarding of third-party workers (human and non-human) through consistent, shared processes.
  • Streamlined, self-service onboarding
  • Auditable internal sponsor authorization during onboarding and
  • The involvement of a supply chain partner administrator (delegated administrator) to eliminate data entry bottlenecks and confirm on an ongoing basis that a supply chain worker is still employed, as described in the SecZetta webinar with Airbus’s Head of Identity.
  • Ensuring that the worker has appropriate certifications and/or has taken training required for facility
  • Risk evaluation, risk rating, and appropriate controls for individual external
  • Timely deprovisioning of access for terminations and role
  • Integrated identity proofing implemented during onboarding or as part of step-up
  • Ability to make identity changes at scale due to confidence in an authoritative identity source, for instance pivoting onsite third-party workers to remote access and removing access to sensitive areas if certain operations are suspended.

Conclusion

The key challenges with supply chain access are clear:

  • Most identity programs are not designed for third-party workers and particularly non-human supply chain workers which are used in large quantities for automation.
  • Large supply chains have dynamic access
  • Nation-state attacks and espionage seem increasingly common across business
  • Privileged access within the supply chain is of deep

The solution is equally clear: An identity solution that is purpose-built for all supply chain workers, eliminates bottlenecks by sharing the administrative burden with suppliers via automated workflows, and integrates with your privileged access management system, vendor management system, and Identity Governance and Administration (IGA) solutions.

——–

If you’d like to keep a copy of this white paper for yourself, please enter the information below.