No business is immune. CISA notes, “a supply chain is only as strong as its weakest link.” What can be done? These six strategies can help.
#1 Identify all external software and service vendors connected to the IT infrastructure.
Keep in mind that the more of these you have, the greater your risk of exposure.
#2 Perform due diligence.
Of course, you want to be in business with companies you can trust. But your trust doesn’t mean that the software vendor or supplier is taking adequate precautions to protect themselves (and you) from hackers. The National Institute of Standards and Technology suggests the following questions to start:
- Is the vendor’s software / hardware design process documented? Repeatable? Measurable?
- Is the mitigation of security risks factored into product design (through product architecture, run-time protection techniques, code review)?
- How does the vendor stay current on emerging vulnerabilities? What are vendor capabilities to address new “zero day” vulnerabilities?
- What controls are in place to manage and monitor production processes?
#3 Implement a third-party hardware and software inventory on IT and OT networks.
Be able to quickly assess whether any of your assets are impacted following news of a supply chain attack. Then review that inventory regularly. An inventory you rely on blindly is of no use if, at the moment you need it, it turns out to no longer reflect reality.
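The check described above, matching an inventory against a vendor advisory, as an added example that is not part of the original post or GE Digital's tooling. The CSV inventory, the vendor and product names, and the advisory are constructed sample data; the column names (asset, network, vendor, product, version) and the helper names are this example's own assumptions. It goes slightly beyond the text by treating an asset with no recorded version as impacted, so that gaps in the inventory surface for manual review instead of being silently skipped.

```python
import csv
from dataclasses import dataclass
from io import StringIO


@dataclass(frozen=True)
class Asset:
    asset: str     # hostname or asset tag as recorded in the inventory
    network: str   # "IT" or "OT", so OT hits can be triaged first
    vendor: str
    product: str
    version: str   # may be empty when the inventory is incomplete


@dataclass(frozen=True)
class Advisory:
    vendor: str
    product: str
    fixed_in: str  # first version the vendor reports as no longer affected


def parse_version(v: str) -> tuple:
    """Turn '9.5.7' into (9, 5, 7) so versions compare numerically rather
    than as strings ('10.0' must sort above '9.5.7'). A missing or
    non-numeric component becomes 0, so an empty version becomes (0,)."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_inventory(csv_text: str) -> list:
    """Parse an inventory export with a header row into Asset records."""
    reader = csv.DictReader(StringIO(csv_text))
    return [Asset(r["asset"], r["network"], r["vendor"], r["product"], r["version"])
            for r in reader]


def is_affected(a: Asset, adv: Advisory) -> bool:
    """Vendor and product must match (case-insensitive); the asset is affected
    when its version is older than the first fixed version. An empty version
    parses as (0,) and is therefore flagged deliberately."""
    same_product = (a.vendor.strip().lower() == adv.vendor.strip().lower()
                    and a.product.strip().lower() == adv.product.strip().lower())
    return same_product and parse_version(a.version) < parse_version(adv.fixed_in)


def impacted(inventory, advisories) -> list:
    """Return (asset, advisory) pairs, OT assets first, then by asset name."""
    hits = [(a, adv) for a in inventory for adv in advisories if is_affected(a, adv)]
    hits.sort(key=lambda h: (h[0].network != "OT", h[0].asset))
    return hits


# Constructed sample data: fictitious hosts, vendor and product names.
SAMPLE_INVENTORY_CSV = """asset,network,vendor,product,version
hmi-01,OT,ExampleVendor,RemoteMgmt,9.5.6
it-jump-02,IT,ExampleVendor,RemoteMgmt,9.5.7
it-file-03,IT,ExampleVendor,RemoteMgmt,9.4.0
plc-gw-04,OT,OtherVendor,Gateway,2.1
it-legacy-05,IT,ExampleVendor,RemoteMgmt,
"""
# Placeholder advisory: "versions before 9.5.7 are affected".
SAMPLE_ADVISORY = Advisory("ExampleVendor", "RemoteMgmt", "9.5.7")


def report(csv_text=SAMPLE_INVENTORY_CSV, advisories=(SAMPLE_ADVISORY,)) -> list:
    """Asset names that need attention for the given advisories, in triage order."""
    return [a.asset for a, _ in impacted(load_inventory(csv_text), list(advisories))]


if __name__ == "__main__":
    for a, adv in impacted(load_inventory(SAMPLE_INVENTORY_CSV), [SAMPLE_ADVISORY]):
        shown = a.version or "<unknown>"
        print(f"{a.network:2} {a.asset:12} {adv.vendor} {adv.product} {shown} "
              f"(fixed in {adv.fixed_in})")
```

Run against the sample data, the triage list is hmi-01 (OT, one patch level behind), it-file-03, and it-legacy-05 (no version recorded); it-jump-02 is already on the fixed version and plc-gw-04 is a different product. Swap the constructed CSV for a real export and the advisory's vendor, product and fixed version for the ones in a bulletin; if a vendor publishes several affected branches, add one Advisory per branch.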
#4 Ensure segmentation, even as it relates to vendor connections.
Network segmentation can limit potential damage by creating multiple, protected segments or subnets. This can be challenging when critical operational processes are interdependent. Nevertheless, taking steps to segment and reduce co-dependencies can enhance cyber security.
#5 Practice good cyber hygiene as it relates to vendor accounts and connections.
This includes limiting access through account use policies, user account control, and privileged account management as well as other strategies such as multi-factor authentication and encryption.
#6 Develop a response plan.
Being prepared for a systems impact can help you react more effectively. With advance planning for if and when a third-party component you rely on is impacted, you can also bounce back faster.
Know Vendors You Can Count On
With the Kaseya hackers asking $70 million in ransom, this supply chain attack is big news. Or it will be until, regrettably, the next such attack. Industry-wide events like this one remind us of the importance of working with a vendor who will be proactive. They need to be aware of what’s happening, whether they were affected (and, by association, you were impacted), and help you in reacting to the attack if you were.
Our ISO 9001- and 27001-certified Digital Grid business unit answers the supply chain challenge with information security, privacy, and governance controls for the protection of GE confidential and customer information. GE Digital also leverages an extensive, enterprise-wide cyber security intelligence department to remain abreast of the latest threats. In case of the worst, GE product security bulletins keep customers up to date on potential impacts. We also make supply chain information available in the information security and product compliance corner of the customer portal.
Accessing customer systems securely and remotely, and managing customer information and data securely and responsibly, are only part of the answer to supply chain attack risk. With GE Digital, customers know they have a partner who provides in-depth security for applications, endpoints, networks, and business processes. Protect your industrial environment by putting your industrial data to work with GE Digital.
Read the next blog in the series: The Delicate Balancing Act in Meeting Cyber Security Challenges