3 principles to reinforce digital trust in supply chains

Jul 5, 2021

The recent Keseya VSA and SolarWinds attacks showed the growing risk to digital supply chains. Image: Adi Goldstein/Unsplash

Georges De Moura

Head of Industry Solutions, Centre for Cybersecurity, World Economic Forum Geneva

Christophe Blassiau

Senior Vice-President, Cybersecurity and Global CISO, Schneider-Electric

Our Impact

What's the World Economic Forum doing to accelerate action on Cybersecurity?

The Big Picture

Explore and monitor how Cybersecurity is affecting economies, industries and global issues

A hand holding a looking glass by a lake

Crowdsource Innovation

Get involved with our crowdsourced digital platform to deliver impact at scale

Stay up to date:

Cybersecurity

Another wave of Ransomware attacks is crippling the operations of many small- and medium-size businesses including grocery chains.
Cybercriminal organizations are exploiting vulnerabilities in digital supply chains to perpetrate large and disastrous cyber-attacks
Cyber-threats are increasing with the transformation of digital life in the wake of the pandemic.
A risk-based approach is needed to safeguard the software and systems that underlie digital supply chains.

Over the 4^th of July US holiday week-end, a vulnerability of the popular IT management software, Keseya VSA, used by more than 36,000 customers globally, was exploited by a criminal gang to perpetrate one of the largest supply chain ransomware attacks in history. While the scale and impact of this attack is still unknown, government and law enforcement agencies worldwide are advising all customers to shut down this product while a patch and response plan is developed.

This new wave of supply chain attack further echoes of Solarwinds and MS Exchange attacks that occurred at the end of 2020, when hackers rushed in to exploit organizations exposed in the supply chain with motives ranging from espionage to financially motived criminal activities.

Have you read?

The ongoing digital transformation has opened up a whole new way of living and working. As deeper performance insights and new levels of connectivity allow businesses to reap the benefits of breakthrough technologies, the world is becoming faster, more flexible and more efficient. This shift is creating a global ecosystem where physical and digital things are increasingly connected, from critical infrastructure assets to people and data.

A study by Gartner finds that in 2019, 60% of organizations worked with more than 1,000 third parties, and those networks are only expected to grow. Other research by Deloitte shows that 40% of manufacturers had their operations affected by a cyber-incident during 2019. And in 2018, the average financial impact of a data breach in the manufacturing industry was $7.5 million.

Moreover, global technology supply chains are increasingly diverse and complex, resulting in changes in the overall risk for critical systems that support national defence, vital emergency services and critical infrastructure.

Have you read?

In December 2020, a global cyber-intrusion campaign was uncovered by a leading cybersecurity firm that compromised first the source code and then subsequently updates to SolarWinds’ Orion Platform, a widely deployed IT management software product. The corrupted update was downloaded by thousands of SolarWinds customers and spanned US government agencies, critical infrastructure entities and private-sector organizations. Though this cyberattack may be unprecedented in scale and sophistication, it is consistent with a number of persistent trends in using supply chain vectors.

This incident further reinforced the threat to global digital supply chains and the strategic imperative for public and private sector stakeholders to ensure trust in the digital ecosystem. It is critical that the software that drives the digital ecosystem is both trusted and secured. By reducing the risks and protecting the digital economy, our society will be able to realize the digital dividends of the Fourth Industrial Revolution.

Possible risk-management approaches across the supply chain Image: Schneider Electric

The following core principles will contribute to a more secure and resilient supply chain and help move the needle on mitigating this complex and multifaceted challenge:

1. Embed security and privacy in the procurement process and life cycle

Having a mature third-party risk-management policy and practice will ensure cybersecurity and privacy are constantly considered and addressed with mature, consistent, repeatable and effective measures. These three precepts will embed them in every phase of the life cycle:

Cybersecurity and privacy are built-in requirements of the procurement processes from sourcing to off-boarding
All procurement contracts shall stipulate and contain clear and precise clauses that enforce continual compliance with cybersecurity and privacy requirements.
Security and privacy obligations shall be continuously reviewed and optimized to keep up with the evolving threats.

2. Take a risk-based approach in assessments of third parties

A risk-based approach will help guide the third-party acceptance/rejection decision-making process, and helps efficiently and accurately mitigate cybersecurity threats third parties pose to the broader ecosystem.

A risk-based approach improves the assessment of third parties’ security posture. By applying risk measurement and ratings tools and other trusted methodologies, organizations can better identify and rank third-party relationships by risk criticality.
It ensures an accurate appreciation of risk, helps establish the measures third parties must take to mitigate their risks before entering an agreement with an entity and enable regular and/or continuous security performance monitoring.
It contributes to a collaborative and valuable outcome for an organization and its broader ecosystem.
It helps tailor mitigation plans and scale efforts and resources that ensure trustworthy, secure, privacy-protective and resilient products, systems and services. But it also helps third parties better understand gaps in their own security posture and, ultimately, demonstrate their cybersecurity maturity to their customers and stakeholders.

3. Implement a source code policy and secure-by-design development

Such a policy aims to reduce the risks around the development, management and distribution of software and software source code, which must go beyond defending intellectual property and address customer impact. It will help protect and strengthen trust in the digital ecosystem so businesses, governments and individuals can all have trust in, contribute to and benefit from the digital economy.

Such a policy should apply to all source code written by or on behalf of an organization and must ensure that any source code is not tampered with, does not contain any known unmitigated security vulnerabilities and contains a licenxe that is compatible with the company’s other policies. It also prevents source code from being dynamically linked to third-party hosted source repositories. When third-party code is used as part of a software/firmware solution, the organization is responsible for change management as part of a secure development process.
The policy also controls and governs all aspects of how the source code is stored and transmitted, including, but not limited to authorization and access, residency, protection at rest and protection in transit. Ensuring compliance to this policy will help reduce the threat of source code leakage, improves secure access and enables the traceability of any third-party code. Additionally, source-code development must include security and privacy in the design phase, and evidence of threat modelling must be documented.
The policy should be based on widely recognized frameworks such as the NIST framework to establish secure-by-design development practices, covering four areas:

1. Ensure that the organization’s people, processes and technology are prepared to perform secure software development at the organization level and, in some cases, for each individual project.

2. Protect all components of the product from tampering and unauthorized access

3. Produce well-secured products that have minimal security vulnerabilities in its releases.

4. Identify vulnerabilities in product releases and respond appropriately to address them and prevent similar vulnerabilities from occurring in the future.

By regularly assessing the security posture of third parties, from early sourcing stages, to security due diligence and periodically throughout the duration of a collaborative relationship, an organization will be able to maintain trust with its customers and business partners across the supply and value chains.

Discover

How is the Forum tackling global cybersecurity challenges?

The World Economic Forum's Centre for Cybersecurity at the forefront of addressing global cybersecurity challenges and making the digital world safer for everyone.

Our goal is to enable secure and resilient digital and technological advancements for both individuals and organizations. As an independent and impartial platform, the Centre brings together a diverse range of experts from public and private sectors. We focus on elevating cybersecurity as a key strategic priority and drive collaborative initiatives worldwide to respond effectively to the most pressing security threats in the digital realm.

Learn more about our impact:

Cybersecurity training: In collaboration with Salesforce, Fortinet and the Global Cyber Alliance, we are providing free training to the next generation of cybersecurity experts. To date, we have trained more than 122,000 people worldwide.
Cyber resilience: Working with more than 170 partners, our centre is playing a pivotal role in enhancing cyber resilience across multiple industries: oil and gas, electricity, manufacturing and aviation.

Want to know more about our centre’s impact or get involved? Contact us.

A common understanding and approach to existing and emerging threats will enable industry and government actors to implement appropriate countermeasures to mitigate supply chain security risks. In the fallout of the SolarWinds incident, it is crucial all stakeholders in the supply and value chains embrace a risk-informed cybersecurity approach to ensure a secure and resilient ecosystem.

An earlier version of this article was published 24 February 2021.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.