The path to bolstering supply chain security in New Zealand
A significant amount of today's business and leisure activity relies on IT supply chains. From complex international freight trades to local small business distribution channels, any supply chain that involves IT infrastructure serves as a crucial tool in our daily lives.
A supply chain's efficiency and safety can often mean the difference between a successful or failed endeavour, so it's crucial that they are maintained with the highest degree of security. Supply chain also relates closely to critical infrastructure, often making issues and threats a matter of national security.
When a supply chain's technology is attacked or breached, it can lead to severe consequences for businesses and their customers. The 2020 attack on SolarWinds' supply chain and the 2019 ASUS Trojan attack impacted businesses around the world, a stark warning to those that were unprepared.
Aotearoa is a country that heavily markets itself on efficient trading and supply chains in various sectors, especially in our agricultural and dairy industries. Many companies in these sectors use IT infrastructure that, if not secure, has the potential to cause widespread damage in an operational and a reputational sense.
A 2021 global survey by machine identity management provider Venafi revealed that there is a widespread concern among businesses worldwide that supply chain security is not as prioritised as it should be. It revealed executives were concerned about their vulnerability to software supply chain attacks and aware that action should be taken.
97% of executives believed that software providers needed to improve the security of their software build and code signing processes for supply chains, while 96% of executives thought that software providers should be required to guarantee the integrity of the code in their software updates.
There were also conflicting thoughts on where responsibility lay when it came to protecting a supply chain, with 48% of respondents saying IT security teams are responsible and 46% saying development teams are responsible.
"Executives are right to be concerned about the impact of supply chain attacks," remarked Venafi vice president of security strategy and threat intelligence Kevin Bocek in a statement.
"These attacks present serious risks to every organisation that uses commercial software and are extremely difficult to defend against."
The SolarWinds attack was a game-changer
From as early as September 2019, threat actors could gain unauthorised access to SolarWinds network. Over a period of six months, they started to create malicious code known as SUNBURST and injected it into the company's Orion software, which was being rolled out in March. When the compromised software was unknowingly sent out, it was initially believed that 18,000 SolarWinds customers were affected, including nine US federal agencies. The company later announced the actual number of customers who were hacked through SUNBURST to be fewer than 100.
Many experts believed that this breach was a wake-up call for industries and stressed the importance of bolstering cybersecurity practices in all business aspects.
Bocek remarked that the Venafi research highlighted that, "the entire technology industry needs to change the way we build and buy software."
He said there needed to be a company-wide approach to addressing supply chain security, which sometimes requires significant structural change within an enterprise and its dealings.
"Executives can't treat this as just another technical problem - it's an existential threat. C-level executives and boards need to demand that security and development teams for software vendors provide clear assurance about the security of their software."
On the home front
Aotearoa has never been immune to supply chain attacks, and 2021 saw a worrying increase in the number and scale seen here.
In an August 2021 NCSC release, Director of the GCSB's National Cyber Security Centre Lisa Fong stressed the fact that many businesses in New Zealand had been affected.
"Major incidents like last year's global distributed denial of service (DDoS) campaign which significantly impacted a range of New Zealand organisations, and the compromise of file transfer software used by the Reserve Bank, reinforce the critical importance of supply chain cybersecurity."
In response to the increased threats, the NCSC released the "Supply Chain Cyber Security: In Safe Hands" report. This report details a number of key supply chain security issues and compromises to NZ enterprises and gives advice and recommendations to help prevent future compromises.
The report says that as organisations continue to focus on strengthening their own cyber security, their exposure to cyber threats in the supply chain is increasingly becoming the weakest point in their defences. The report highlights that there are three key steps businesses and personnel should take to bolster supply chain security:
Identify: This involves understanding critical suppliers in a business and also understanding which key assets and services are most vulnerable to threats in a supply chain.
Assess: This is where enterprises should look for vulnerabilities in supply chain infrastructure and allocate resources to increase the cyber security resilience of critical areas.
Manage: Companies should look to manage supply chain risk through a programme of monitoring, cyber security performance assessment, and integration of supply chain risk into organisational risk management frameworks.
Lisa Fong says NCSC research has shown that businesses in Aotearoa are struggling to implement and ensure secure systems for supply chains.
"When the NCSC surveyed 250 of New Zealand's nationally significant organisations we identified that while 72% of organisations used some type of managed service provider, 36% of those had no mechanisms in place to confirm whether their vendor is delivering on the agreed level of IT security."
She says that the NCSC plays a significant role in helping organisations by providing advice, support and assistance when dealing with matters of national security and compromised supply chains.
"Some of the most recent high profile supply chain security issues are the SolarWinds Orion compromise, which New Zealand and our international partners have attributed to Russian State actors, and the exploitation of vulnerabilities in Microsoft Exchange that has been attributed to Chinese state actors," she says.
"The NCSC provided direct support to New Zealand organisations that were affected by this malicious cyber activity. In these instances, the NCSC worked with international cyber security partners to publish advice to our customers alerting them to the issues and setting out a range of mitigations."
Fong says that earlier this month, the NCSC worked with partners on an advisory to highlight potential vulnerabilities associated with the use of Managed Service Providers (MSPs).
"The advisory focuses on enabling transparent discussions between MSPs and their customers on securing sensitive data. The advisory provides several actions that organisations can take to reduce their risk of becoming a victim to malicious cyber activity."
Fong also says it's important for businesses to gauge the full scale of risk and not just limit supply chain security to IT and procurement.
"Digital interactions with supply chain elements can occur across many aspects of an organisation's operation, not just IT or procurement teams. For example, a marketing department might use a third-party service to store a customer information database in the cloud."
The "In Safe Hands" report ends by recognising that human factors are vital in supply chain security, not just technology alone. It also says that constant, incremental improvements will efficiently strengthen security procedures and ultimately provide better outcomes for all involved.
Fong says the NCSC actively promote and assist with Aotearoa's supply chain security so that businesses can be at their best.
"Our engagement extends to hundreds of organisations across government, key economic generators, niche exporters, research institutions and operators of critical national infrastructure."