Hardening Supply Chain Cybersecurity

by Jim Cahill, Chief Blogger, Editor | Feb 17, 2020 | Cybersecurity

The SANS Institute provides information security training and security certification for security professionals. It holds an ICS (Industrial Control System) Security Summit each year.

At the 2019 ICS Security Summit, Emerson’s David Foose presented Practical Solutions to Supply Chain Attacks. The focus of his talk was on the supply chain in terms of software and networks.

David explored various attacks on supply chains in industrial control systems and other industries that have occurred over the last few years and how Emerson and other suppliers can work with end users.

David shared several examples of supply chain attacks from recent years. In one, cyber attackers broke into a supplier’s website editor and replaced download files, and their associated security hashes, with files that compromised programmable logic controllers (PLCs). Publishing a hash so users could verify that a file had not been tampered with did not help, because the attackers also published matching hashes for the compromised files.

Another example concerned trusted remote connections. Phishing emails can often uncover login credentials that let an attacker get in and add exploits to the systems. In one case, a supplier had all the security monitoring tools in place to spot these intrusions but lacked the organizational focus to actually check the monitoring tools and identify incidents.

It’s not enough to ask your suppliers to provide cyber-secure systems and components over their useful lifecycle. It needs to be an ongoing program with security assessments, updates, and security practice improvements.

Some tips David shared included: avoid just saying no or adding hurdles. Instead, empower users with solutions and recommended work practice changes. Users are not perfect in their security practices, so the role of “cyber janitors” is needed to correct practices and clean up issues.

Things you can do to harden your supply chain security defenses include:

  • Ask your suppliers for compliance/testing results or the certifications they comply with
  • Ask for security/employee policies
  • Verify software and firmware updates with the hashes provided
  • Have a secure process in place for digital signing of firmware and software
  • For remote connections such as remote monitoring applications, use secure forms of encryption and two-factor authentication
  • Judiciously segment your networks
  • Monitor. Monitor. Monitor. The technology is only as good as the right work practices to continuously use it.
  • Partner with your suppliers over the lifecycle of use
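The website-compromise example above, and the two list items on verifying hashes and having a secure digital signing process, come down to one distinction: a hash published beside the download only proves the file matches whatever the website currently says, whereas a signature made with a key kept off the web server cannot be regenerated by whoever edits the site. The following Go program is an added illustration of that distinction, not code from the talk or from Emerson; the firmware bytes, the all-zero signing seed and the tampering step are constructed for the demo, and the assumption is that the end user obtained the vendor's public key out of band (for example shipped with the product) rather than from the same download page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publication is what a vendor download page exposes: the artifact, its
// SHA-256 digest, and a signature over that digest. In the incident described
// in the talk the attacker controlled the page, so the first two fields were
// theirs to rewrite.
type Publication struct {
	Artifact  []byte
	SHA256Hex string
	Signature []byte // Ed25519 signature over the raw SHA-256 digest
}

func sha256Hex(b []byte) string {
	d := sha256.Sum256(b)
	return hex.EncodeToString(d[:])
}

// Publish models the vendor release step: hash the artifact and sign the
// digest with a private key that never lives on the web server (assumption).
func Publish(priv ed25519.PrivateKey, artifact []byte) Publication {
	d := sha256.Sum256(artifact)
	return Publication{
		Artifact:  artifact,
		SHA256Hex: hex.EncodeToString(d[:]),
		Signature: ed25519.Sign(priv, d[:]),
	}
}

// VerifyHashOnly is the check that failed in the example: it trusts the hash
// that sits next to the download.
func VerifyHashOnly(p Publication) bool {
	return sha256Hex(p.Artifact) == p.SHA256Hex
}

// VerifySigned performs the same hash check and then verifies the signature
// with a public key obtained independently of the download site.
func VerifySigned(pub ed25519.PublicKey, p Publication) bool {
	if !VerifyHashOnly(p) {
		return false
	}
	d := sha256.Sum256(p.Artifact)
	return ed25519.Verify(pub, d[:], p.Signature)
}

// Tamper models the website compromise: the attacker swaps the file and
// recomputes the hash to match, but has no signing key, so the old signature
// is all they can leave behind.
func Tamper(p Publication, replacement []byte) Publication {
	return Publication{
		Artifact:  replacement,
		SHA256Hex: sha256Hex(replacement),
		Signature: p.Signature,
	}
}

// Scenario replays the incident with constructed data and reports whether
// each verification method accepts the tampered download and whether the
// signed check still accepts the genuine one.
func Scenario() (hashOnlyAcceptsTampered, signedAcceptsTampered, signedAcceptsGenuine bool) {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero seed, demo only
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	genuine := []byte("PLC firmware v1.2.3 (constructed sample)")
	replaced := []byte("PLC firmware v1.2.3 with implant (constructed sample)")

	release := Publish(priv, genuine)
	tampered := Tamper(release, replaced)

	return VerifyHashOnly(tampered), VerifySigned(pub, tampered), VerifySigned(pub, release)
}

func main() {
	h, s, g := Scenario()
	fmt.Printf("hash-only check accepts tampered file: %v\n", h)
	fmt.Printf("signature check accepts tampered file: %v\n", s)
	fmt.Printf("signature check accepts genuine file:  %v\n", g)
}
```

The hash-only check passes on the swapped file because the attacker published a matching hash; the signed check rejects it because the signature was made over the original digest and the signing key is not on the website. Operationally, that is why the list pairs "verify with the hashes provided" with "have a secure process for digital signing": the hash catches corrupt downloads, the signature catches a compromised distribution point, and the verifying key has to reach users through a channel the website cannot overwrite.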

Watch the video for more on the practical solutions David shares to improve the robustness of your supply chains. Also, visit the Cybersecurity section on Emerson.com for more on the solutions and practices to harden your cyber-defenses.
