A little over 50 years ago, on July 20, 1969, humans first landed on the moon. Among the many amazing feats involved, it took just over eight years from the time President John F. Kennedy issued his famous challenge for the American space program to Neil Armstrong coming down the ladder with a small step and a giant leap. Critical to that success was a strong supply chain that could stand up to global scrutiny and extreme time pressure. Today, you can apply the same attitude to supply chain cybersecurity.

You can manage supply chain disruptions by putting supply chain cybersecurity best practices in place, but planning ahead is key. Finding out in advance who the company decision-makers are and how to get approval up the chain saves precious time and helps you remain calm under pressure.

How to Cut Down on Cybersecurity Supply Chain Risks

Whether your supply chain is directly targeted or a link in your chain is the target, the impact is usually the same. In both cases, resisting the attack is your shared goal. So, taking these prudent steps will give you confidence that your supply chain cybersecurity is solid, and you’ll know how to recover from a hit to one or more critical suppliers. 

1. Select Vendors With Care

The first step is selection and inventory. Inserting the supply chain cybersecurity function into the vendor selection process provides value in two ways. First, the security team can help surface critical issues as selection criteria. Second, the security team is aware of that vendor’s role from the beginning of the partnership. You need to extend the same awareness to your existing vendors. Therefore, building an inventory of your current vendors completes this essential first step.

2. Assess Your Own Readiness

Equipped with your inventory, it’s time to move on to assessment. In this step, apply the same cyber resilience criteria you use to evaluate your own readiness to evaluate your critical vendors’ readiness.

To do this well, or even to do this at all, requires establishing a collaborative relationship with your counterparts. Both groups need to establish mutual respect and leverage the strength of the business partnership. Don’t let your team be boxed into the ‘security cop’ role; build on the partnership that the business units should be fostering.

This partnership will help in the next step, too — remediation. The other reason you want to be a partner and not the security cop is that security cops are often relegated to conducting an assessment that mirrors a compliance framework or questionnaire. While these are essential tools, we all know being compliant does not mean being secure. Compliance on paper is only slightly effective in reducing the impact of supply chain cyber attacks. A true team effort will hopefully lead to frank discussions about strengths and weaknesses.

Ransomware, for instance, continues to run rampant. You can help suppliers emphasize encryption for private data crucial to your operation, or they might invest in a solid backup scheme. This will both improve their supply chain cybersecurity posture and blunt the impact of a ransomware attack.

Going further up the value chain with your supplier, you might need to help them with their software development life cycle (SDLC). You should know their SDLC is not vulnerable to known attacks targeting code-sharing repositories, such as the Octopus Scanner malware. Octopus Scanner is open-source supply chain malware that targets Apache NetBeans and infected multiple GitHub projects earlier this year.

3. Boost Cyber Resilience 

Having completed your assessment, the next step is remediation. In this step, it is vital to build on the frank discussions you had about strengths and weaknesses and use them to bolster security on both sides. Use the strengths of both organizations to shore up both sets of weaknesses. Don’t assume it’s a one-way street where you dictate a solution. This way, you increase cyber resilience. Together, you are stronger than each of you is alone. After all, that’s the premise for your companies working together in the first place.

4. Have a Run Book Handy

The fourth and final step is to create a run book for incident response. A run book is more than just a phone number to call when work with this supplier is disrupted. The best practice would be to run through tabletop exercises with examples of supply chain attacks and practice responding together. This way, both of your teams know what to do when real incidents occur.

Another approach, for the really deep partnerships, would be to red team each other. Fair warning, though: even if your contract with the supplier includes the right to perform vulnerability scanning or penetration testing, do not do this without defining the test parameters in advance. Testing without agreed parameters could create a problem that damages your partnership.

Now that you have done the hard work in your four-step supply chain cybersecurity process, stay calm. The incident response plan for your supply chain is ready.
