Bill O’Neill, VP, Public Sector, ThycoticCentrify
Some of the largest American and European businesses reported two to four trillion dollars in lost revenue last year due to pandemic-induced supply chain disruptions. Between resource shortages and prolonged shipping delays, many multinational organizations are still grappling with the effects of supply chain disruptions. It’s had a lasting impact on consumers’ perception of certain brands, too, according to a study by global supply chain company GEP and the Economic Intelligence Unit (EIU).
Instability and disruptions in a local or global supply chain can be attributed to a variety of factors: tariffs and trade wars, political turmoil, stricter regulations on certain natural resources, natural disasters and, as well now know, a global pandemic. But cyberthreats are increasingly inflicting worrisome disruption on business continuity, an inconvenient fact that has played out in several different industries within the last few months.
While organizations can’t control things like natural disasters and global pandemics, they can fortify their cybersecurity to minimize supply chain vulnerabilities.
Threats to American Resources Play Out in Real Time
Cyberattacks on our country’s supply chain and critical resources are increasingly making headlines. Supply chain-related attacks demonstrate the potential damage that can be carried out when bad actors target the “weakest links” within any given system – from food supply, oil & gas distribution, governmental operations, and high-tech goods and services.
In April 2021, Russian ransomware group REvil breached Quanta Computers, the world’s largest laptop manufacturer and supplier to tech companies like HP, Facebook and Google. When Quanta reportedly refused to pay the $50 million ransom, REvil began threatening to attack its high-profile customer Apple, later claiming it obtained stolen blueprints of its products that REvil has been using as blackmail every day the ransom goes unpaid.
The attack on U.S. government contractor SolarWinds is another recent example of supply chain vulnerabilities. In the largest and most sophisticated cyberattack orchestrated against U.S. government systems in recent years, at least nine federal agencies – including the Treasury and Commerce Departments – and other global entities were breached using compromised credentials of government employees to access email systems.
Lastly, one of the world’s largest meat processors, supplying 32 billion pounds of product each year to markets in the U.S., Mexico, Canada, Europe, the Middle East, Africa and Asia, fell victim to a ransomware attack in late May 2021, ultimately forking over a reported $11 million in ransom to its perpetrator. The White House said that JBS Meats was likely also attacked by REvil, and the Biden administration is engaging with Moscow to hold the suspected hackers accountable.
Fortifying the U.S. Supply Chain and Critical Infrastructure
With several recent supply chain-related attacks inflicting nationwide havoc, the White House is stepping in to assess ways it can improve on the nation’s cybersecurity.
The Biden-Harris Administration recently announced the formation of its Supply Chain Disruptions Task Force that will address critical cyber vulnerabilities to U.S. supply chains and critical infrastructure.
The Administration issued an Executive Order last month titled “Improving the Nation’s Cyber Security.” That E.O. specifically pointed out that all federal IT systems must meet or exceed certain requirements for cybersecurity and aimed to improve information sharing among the public and private sectors.
The White House is also making Cybersecurity Maturity Model Certification (CMMC) a big part of its White House Supply Chain Review process, which should help push for long-term success in navigating future supply chain threats. DFARS Clause 252.204-7012 and NIST 800-171 cybersecurity requirements for CMMC will require all companies conducting business with the DoD to be certified by a third party.
Preventing the Next Big Supply Chain Disruption
The ripple effect felt after the JBS Meats, Quantum and SolarWinds attacks demonstrates why protecting our nation’s supply chain must be a priority for both the private and public sector. Business continuity isn’t so much a right as it is a privilege, one that businesses must work hard to protect in order to meet consumer demand, maintain a healthy brand reputation and even ensure the safety of our nation’s defense.
Staying audit ready and meeting third party verified compliance standards of DFARS/NIST 800-171 will be a huge part of this preventative culture. In order to collaborate effectively with the federal government moving forward, businesses will be called upon to quickly and efficiently comply and pass any audit. This goes way beyond documentation, and requires companies to truly embed compliance in their approach to cybersecurity in order to stay competitive and relevant in the federal acquisition process.
A critical step to true compliance is being able to monitor and control privileged user access, as demonstrated so clearly in these recent supply chain breach examples. We know that privileged access abuse is the leading cause of breaches, and according to Forrester, 80% of all hacking-related data breaches involve privileged access credentials. This means that a healthy supply chain is most effectively secured if organizations implement a cloud-ready approach based on Zero Trust principles. This is proven to minimize the attack surface and improves audit and compliance visibility.
Using modern Privileged Access Management (PAM) solutions leverages the cloud to secure networks and stop access abuse, which we see so clearly missed in the SolarWinds, JBS Meats and Quantum events.
By framing existing security infrastructure around identity-based protection, organizations can more effectively address the root causes of privileged access abuse and put themselves in a much stronger position to comply with federal procurement standards and resist the wave of sophisticated cyberattacks currently challenging the integrity of vital state and federal government infrastructure.