The SANS Institute provides information security training and security certification for security professionals. They hold an ICS (Industrial Control System) Security Summit each year.
At the 2019 ICS Security Summit, Emerson’s David Foose presented Practical Solutions to Supply Chain Attacks. The focus of his talk was on the supply chain in terms of software and networks.
David explored various attacks on supply chains in industrial control systems and other industries that have occurred over the last few years and how Emerson and other suppliers can work with end users.
David shared several examples of supply chain attacks from recent years. In one, cyber attackers broke into a supplier’s website editor and replaced download files, along with their published security hashes, with files that compromised programmable logic controllers (PLCs). The hash, intended to verify that a file had not been tampered with, offered no protection because the attackers also published matching hashes for the compromised files.
Another example concerned trusted remote connections. Phishing emails often harvest login credentials that let attackers get in and plant exploits in the systems. In one case, a supplier had all the security monitoring tools in place to spot these intrusions but lacked the organizational focus to actually check those tools and identify incidents.
It’s not enough to ask your suppliers to provide cyber-secure systems and components over their useful lifecycle. It needs to be an ongoing program with security assessments, updates, and security practice improvements.
Among the tips David shared: avoid simply saying no or adding hurdles. Instead, empower users with solutions and recommended work practice changes. Users are not perfect in their security practices, so the role of “cyber janitors” is needed to correct practices and clean up issues.
Things you can do to harden your supply chain security defenses include:
- Ask your suppliers for compliance/testing results or the certifications they comply with
- Ask for security/employee policies
- Verify software and firmware updates with the hashes provided
- Have a secure process in place for digital signing of firmware and software
- For remote connections such as remote monitoring applications, use secure forms of encryption and two-factor authentication
- Judiciously segment your networks
- Monitor. Monitor. Monitor. The technology is only as good as the work practices that keep it in continuous use.
- Partner with your suppliers over the lifecycle of use
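As an added illustration of David’s hash example and of the “verify with hashes” and “digital signing” items above (example code written for this summary, not Emerson’s, SANS’s or any supplier’s own), the Go program below models a supplier’s download page carrying a firmware image, a SHA-256 hash beside it and an Ed25519 signature over it. It then shows why the published hash gives no protection when an attacker controls the site (they simply republish a hash that matches the swapped file), while a signature checked against a public key the end user obtained out of band and pinned locally still fails on the tampered file. The firmware contents, release structure and key handling are constructed assumptions, not any real supplier’s format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a supplier publishes on its download site: the
// firmware image, a SHA-256 hex digest next to it, and an Ed25519 signature
// over the image. Constructed for this example, not a real release format.
type Release struct {
	Firmware  []byte
	SHA256Hex string
	Signature []byte
}

// Publish is the legitimate release step: record the digest and sign the
// image with the supplier's private key, which should live offline or in an HSM.
func Publish(priv ed25519.PrivateKey, firmware []byte) Release {
	sum := sha256.Sum256(firmware)
	return Release{
		Firmware:  firmware,
		SHA256Hex: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, firmware),
	}
}

// Tamper models the attack from the talk: whoever controls the website editor
// swaps the file and recomputes the published hash to match, but cannot
// produce a new valid signature without the offline signing key, so the old
// signature is left in place.
func Tamper(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	return Release{
		Firmware:  replacement,
		SHA256Hex: hex.EncodeToString(sum[:]),
		Signature: r.Signature,
	}
}

// HashCheckPasses is the weak check: compare the download against the hash
// published beside it. Anything the attacker can edit, they can keep consistent.
func HashCheckPasses(r Release) bool {
	sum := sha256.Sum256(r.Firmware)
	return hex.EncodeToString(sum[:]) == r.SHA256Hex
}

// SignatureCheckPasses is the stronger check: verify the image against a public
// key the end user received out of band (for example at contract time) and
// pinned locally, so the download site is not the trust anchor.
func SignatureCheckPasses(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Firmware, r.Signature)
}

// Demo runs both checks on a genuine and a tampered release and returns the
// four outcomes: hash and signature results for the genuine file, then for
// the tampered one.
func Demo() (hashGenuine, sigGenuine, hashTampered, sigTampered bool) {
	// Supplier side: key pair generated once; only the public half is shared.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Publish(priv, []byte("FIRMWARE v1.2.3 (constructed sample image)"))
	tampered := Tamper(genuine, []byte("FIRMWARE v1.2.3 (constructed backdoored image)"))

	// End-user side: the pinned public key is the only thing trusted.
	return HashCheckPasses(genuine), SignatureCheckPasses(pub, genuine),
		HashCheckPasses(tampered), SignatureCheckPasses(pub, tampered)
}

func main() {
	hg, sg, ht, st := Demo()
	fmt.Printf("genuine release:  hash ok=%v  signature ok=%v\n", hg, sg)
	fmt.Printf("tampered release: hash ok=%v  signature ok=%v\n", ht, st)
}
```

The tampered release passes the hash check and fails only the signature check, which is the whole point of the “secure process for digital signing” item: the hash only proves the file matches what the website currently says, whereas the signature proves it matches what the holder of the private key released. The same reasoning applies in the detection direction, since a download whose hash matches but whose signature does not is itself a strong indicator that the distribution channel has been compromised.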
Watch the video for more on the practical solutions David shares to improve the robustness of your supply chains. Also, visit the Cybersecurity section on Emerson.com for more on the solutions and practices to harden your cyber-defenses.