Understand supply chain cyber security to protect your Industrial Control System against supply chain attacks
This short guide explains supply chain cyber security and why it matters for protecting your IACS against attacks that arrive through the many components used in your Industrial Control System and your Safety Instrumented System. The topic is covered in the latest version of the Abhisam Certified Industrial Cybersecurity Professional (CICP) course; the Professional version of the course explains how to guard against supply chain attacks.
What is Supply Chain Cyber Security?
Everybody who has worked in a business or in industry knows what a supply chain is. It is the entire chain of vendors and sub-vendors who supply you with the various materials needed to make your product. Think of it as the list of ingredients that go into your recipe. Before looking at supply chain cyber security, let us look at a supply chain using the example of a small, mom-and-pop owned single pizza store (not a huge chain).
Supply Chain for a Pizza Shop
A supply chain for a pizza shop would include the baker who supplies the pizza bread, the grocer who supplies the cheese, vegetables, spices, etc., that go into it, the cardboard box maker who supplies the boxes, and so on. The baker, in turn, has to produce pizza bread from wheat flour, oil and salt, which are supplied by various other vendors. The flour is sourced from a mill, which in turn buys wheat from a farmer, and so on.
Supply chains can be incredibly complex.
Supply chain for Software
Modern software is rarely developed from the ground up. Software application makers use pre-developed software components, libraries, compilers, browsers and other building blocks. These are in turn sourced from other vendors or from open source communities, who themselves may source from yet other open source communities.
Supply Chain cyber security
A vulnerability in any component used in a software application can be exploited to attack the application itself, unless it is fixed. This is why supply chain cyber security is of prime importance today. You may have a Secure Software Development Lifecycle for your own code, but what about the components that are sourced from outside? The discipline of ensuring that your own software is protected from attacks through such components is the domain of supply chain cyber security.
What is a Supply Chain attack?
A supply chain attack is a type of attack that targets vulnerabilities in the components that make up the device or system being attacked. So if your software application uses a particular component that has a vulnerability, adversaries can exploit that vulnerability to attack your software application.
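The point of the last two paragraphs is that a component's own components matter: a vulnerable library can arrive through an intermediate vendor even when the copy you depend on directly is already patched. The following added example (not code from the page, the Abhisam course, or any real product) walks a constructed, SBOM-like component inventory and flags every component whose version appears in a constructed advisory list, reporting the chain of suppliers through which each one arrived. The inventory shape, component names, versions and advisories are all invented for illustration.

```python
"""Walk a nested component inventory and flag known-vulnerable versions.

Added example; the inventory and advisory data below are constructed,
not taken from any real product or advisory database.
"""
import json

# Constructed inventory in a simplified, SBOM-like shape: each component may
# itself carry a list of the components it was built from.
INVENTORY_JSON = """
{
  "name": "hmi-app", "version": "3.2.0",
  "components": [
    {"name": "web-server-lib", "version": "1.4.2",
     "components": [
       {"name": "tls-lib", "version": "2.0.9", "components": []}
     ]},
    {"name": "plc-comm-driver", "version": "7.1.0",
     "components": [
       {"name": "xml-parser", "version": "1.0.3", "components": []}
     ]},
    {"name": "xml-parser", "version": "1.1.0", "components": []}
  ]
}
"""

# Constructed advisory list: component name -> set of affected versions.
ADVISORIES = {
    "tls-lib": {"2.0.9", "2.0.10"},
    "xml-parser": {"1.0.3"},
}


def walk(component, path=()):
    """Yield (path, component) for every component in the tree, depth-first.

    `path` is the chain of name@version labels from the top-level product
    down to the current component, so a finding can be traced to the
    vendor through which the component was sourced.
    """
    here = path + (f"{component['name']}@{component['version']}",)
    yield here, component
    for child in component.get("components", []):
        yield from walk(child, here)


def find_vulnerable(inventory, advisories):
    """Return one finding per component whose version is in the advisory list.

    Note that the same component name can appear more than once in the tree
    with different versions; each occurrence is checked independently, so a
    patched direct copy does not hide a vulnerable transitive copy.
    """
    findings = []
    for path, comp in walk(inventory):
        if comp["version"] in advisories.get(comp["name"], set()):
            findings.append({
                "component": comp["name"],
                "version": comp["version"],
                "path": " -> ".join(path),
            })
    return findings


def scan_inventory(inventory_json, advisories):
    """Parse an inventory document and return its vulnerable-component findings."""
    return find_vulnerable(json.loads(inventory_json), advisories)


if __name__ == "__main__":
    for finding in scan_inventory(INVENTORY_JSON, ADVISORIES):
        print(f"{finding['component']}@{finding['version']} via {finding['path']}")
```

Running the example reports two findings, both reached through an intermediate component: tls-lib 2.0.9 inside web-server-lib, and xml-parser 1.0.3 inside plc-comm-driver. The application's own direct dependency on xml-parser 1.1.0 is clean, which is exactly the situation a top-level-only check would miss.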
Have supply chain attacks happened in the past?
Recall the SolarWinds attack. SolarWinds is a company that provided a system and network monitoring tool called Orion to several hundred thousand organizations around the world. When malware targeted an existing vulnerability in Orion, the malware was automatically deployed to all customers who used Orion, because Orion was whitelisted as a safe application. This was a classic example of a supply chain attack.
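The lesson a defender takes from this paragraph is that an allowlist keyed on an application's name or publisher says nothing about the content of a particular update file. The following added example (not code from the page or from the course) contrasts a name-based allowlist with one keyed on a pinned SHA-256 digest, using two constructed byte strings that stand in for a genuine vendor update and a tampered copy carrying the same file name. The pinned digest is derived from the constructed genuine bytes so the example runs offline; in practice it would be recorded from the vendor's out-of-band publication.

```python
"""Name-based versus digest-based allowlisting of a vendor update.

Added example with constructed data; no real vendor, file or digest is used.
"""
import hashlib
import hmac

# Constructed stand-ins for a genuine update and a tampered copy that
# reuses the genuine file name.
UPDATE_NAME = "monitoring-agent-1.0.msi"
GENUINE_UPDATE = b"monitoring-agent v1.0 (constructed genuine build)"
TAMPERED_UPDATE = b"monitoring-agent v1.0 (constructed build with unwanted extra code)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact."""
    return hashlib.sha256(data).hexdigest()


# Digest the operator pins for this update. Derived here from the constructed
# genuine bytes so the example is self-contained; it stands in for a digest
# obtained from the vendor through a channel separate from the download.
PINNED_DIGESTS = {UPDATE_NAME: sha256_hex(GENUINE_UPDATE)}

# Name-based allowlist: the kind of entry that trusts "anything called Orion".
NAME_ALLOWLIST = {UPDATE_NAME}


def allowed_by_name(name: str, data: bytes, allowlist=NAME_ALLOWLIST) -> bool:
    """Name-based decision. The artifact bytes are never examined, so a
    tampered file with an allowlisted name passes."""
    return name in allowlist


def allowed_by_digest(name: str, data: bytes, pinned=PINNED_DIGESTS) -> bool:
    """Content-based decision: the artifact is allowed only if its digest
    matches the value pinned for that name. Unknown names are rejected."""
    expected = pinned.get(name)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how much of the digest matched.
    return hmac.compare_digest(sha256_hex(data), expected)


def compare_policies(name: str, data: bytes) -> dict:
    """Return both decisions for one artifact, for side-by-side review."""
    return {
        "name_based": allowed_by_name(name, data),
        "digest_based": allowed_by_digest(name, data),
    }


if __name__ == "__main__":
    print("genuine :", compare_policies(UPDATE_NAME, GENUINE_UPDATE))
    print("tampered:", compare_policies(UPDATE_NAME, TAMPERED_UPDATE))
```

For the genuine bytes both policies allow the file; for the tampered bytes the name-based policy still allows it while the digest-based policy rejects it. A digest pin only protects what the operator actually pins, so an update under a name that has no recorded digest is rejected rather than silently trusted.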
What about ICS security? Are IACS vulnerable to Supply chain attacks?
You bet they are.
ICS supply chain cyber security is more complex because a typical Industrial Control System (or a Safety Instrumented System, SIS for short) has many hardware parts with embedded software, and that software could contain vulnerable components. An IACS also uses a lot of different software: graphical user interface builders, PLC programming tools, engineering configuration software for DCS configuration, batch management software, process historians, to name just a few. Any of these applications could contain vulnerable software components.
How to protect your IACS against supply chain attacks?
The first step is understanding supply chain attacks and how they could affect your IACS. This can be done easily by going through the supply chain cyber security module of the Abhisam CICP course.
Can I use certified components to be safe?
Yes and no. IEC 62443-4-1 does have some guidelines about guarding against compromised components, but a lot of the IACS components in use today are legacy components. Certifying them to IEC 62443-4-1 or to other schemes such as ISASecure or UL takes a lot of time and effort and would most probably require design modifications.
But a supply chain attack can happen today, before that process is over. So for newer projects this could be an option, but it may not be practical to implement today, because only a few certified products exist.