Strategies for remediating supply chain attacks, ET CISO
In a world where code is the new currency, supply chain attacks are the heist of the digital age. Recent findings reveal a chilling trend: as open-source repositories become the playground for cybercriminals, the lack of oversight makes them particularly inviting targets. According to the 2024 ReversingLabs report, attacks on open-source libraries rose by a staggering 28% year-on-year in 2023 alone. This alarming rise calls for a serious re-evaluation of our security strategies; let’s dive into what this means for our defenses moving forward.
With this context, the ETCISO Annual Conclave 2024 featured a trilogue chat titled “Remediating Supply Chain Cyber Attacks.” The participants included Uday Deshpande, Group CISO of Larsen & Toubro Group; Amal Krishna, CISO of ONGC; and Pankaj Kumar, CRO of Ceat, moderated by Shantheri Mallaya, Editor of ETCISO.
The discussion highlighted the critical challenges faced by Chief Information Security Officers (CISOs) in managing supply chain security, emphasizing the need for greater visibility and control over various digital environments. Uday Deshpande stated, “From a CISO perspective, the biggest challenge is the lack of visibility due to shadow IT. Various departments independently adopted SaaS platforms, and this fragmented approach made it difficult to understand where active interfaces with backend systems were occurring. We needed to build a comprehensive view to mitigate risks effectively.”
Importance of developer awareness
Another significant concern was developer awareness. Many developers did not recognize the risks associated with downloading unsafe libraries from platforms like GitHub or sharing sensitive information, such as hard-coded credentials. This ignorance could lead to serious data compromises, highlighting the necessity for comprehensive security training and awareness programs within organizations. Uday Deshpande also emphasized that vulnerabilities extended beyond software. CISOs needed to be vigilant about hardware vulnerabilities, particularly in Internet of Things (IoT) deployments and Supervisory Control and Data Acquisition (SCADA) systems. These additional layers of complexity require a holistic approach to security that encompasses both software and hardware vulnerabilities.
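As an added illustration (not from the article or from any of the panelists), the following Python script shows the kind of lightweight pre-commit check that addresses the two developer-awareness risks described above: credentials hard-coded in source, and third-party libraries pulled in without a pinned version and integrity hash. The sample source file and requirements file are constructed for the example, the credential regexes are simplified heuristics rather than a complete secret scanner, and the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample source file (embedded so the example runs offline).
# The key and password below are placeholders, not real credentials.
SAMPLE_SOURCE = """
import requests
API_KEY = "AKIAEXAMPLEKEY000000"
password = 'hunter2'
db_url = os.environ.get("DB_URL")
"""

# Constructed sample requirements.txt: two entries without a pinned version
# and hash, one entry pinned with a placeholder sha256 hash.
SAMPLE_REQUIREMENTS = """
requests
pyyaml>=5.0
cryptography==41.0.7 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Simplified heuristics: a credential-like variable assigned a quoted literal,
# and the shape of an AWS access key id (AKIA + 16 uppercase alphanumerics).
CREDENTIAL_PATTERNS = [
    re.compile(r'(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[=:]\s*["\'][^"\']{4,}["\']'),
    re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
]

# A requirement is considered pinned only if it uses an exact version (==)
# and carries a --hash= option for integrity checking at install time.
PINNED_RE = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)')


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for lines that look like hard-coded secrets."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        if any(pattern.search(line) for pattern in CREDENTIAL_PATTERNS):
            findings.append((lineno, stripped))
    return findings


def find_unpinned_requirements(requirements: str) -> List[str]:
    """Return requirement lines that lack an exact version pin or a --hash option."""
    unpinned = []
    for line in requirements.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if PINNED_RE.match(line) is None or '--hash=' not in line:
            unpinned.append(line)
    return unpinned


def run_checks(source: str, requirements: str) -> Dict[str, list]:
    """Run both checks and return the findings; an empty dict of lists means a clean pass."""
    return {
        "hardcoded_credentials": find_hardcoded_credentials(source),
        "unpinned_requirements": find_unpinned_requirements(requirements),
    }


if __name__ == "__main__":
    results = run_checks(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS)
    for lineno, text in results["hardcoded_credentials"]:
        print(f"possible hard-coded credential at line {lineno}: {text}")
    for req in results["unpinned_requirements"]:
        print(f"dependency not pinned with version and hash: {req}")
```

In a real pipeline the same two checks would run against the developer's working tree before a commit is accepted, and the unpinned-requirement check pairs naturally with `pip install --require-hashes`, which refuses to install a package whose hash does not match the one recorded.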
Managing supplier risk and third-party relationships
Supplier risk was another critical factor that CISOs had to address. Organizations could inadvertently become entry points for attackers if their suppliers experienced compromised employee accounts. This underscored the importance of maintaining robust security measures across third-party relationships to mitigate potential risks to customers. To effectively manage third-party risks, organizations must extend their security frameworks to external partners. This includes ensuring that third parties maintain similar security controls, often formalized through legal agreements that include penalty clauses for non-compliance. Such measures help create a more secure supply chain environment.
Continuous monitoring and resilience
Geographical challenges further complicate supply chain security. Supply chains often span multiple regions, each with its own security protocols and regulations. This diversity could lead to delays in breach detection and response, as organizations found it challenging to monitor and protect against threats that occurred outside their immediate control. Moreover, the discussion underscored the importance of continuous surveillance and monitoring. While necessary, surveillance was not foolproof, and instances of unnoticed breaches could occur, emphasizing the complexities inherent in securing an expansive supply chain. As such, organizations need to strive to enhance their detection capabilities and response strategies to protect against evolving cyber threats.
Amal Krishna emphasized the increasing production costs in the oil and gas industry, particularly due to rising cybersecurity risks. He stated, “In the context of rising costs, it became mandatory to look at your cybersecurity risks, as these could add significantly to your cumulative costs. Globally, a figure indicated that there is a 15% cost advantage to be gained from managing these risks.” He highlighted the dual challenge of rising oil lifting costs while the market price for oil declined, which led to pressure on the industry. Despite these challenges, Krishna noted a positive trend: “Our organization adopted a top-down approach, with strong support from leadership for implementing cybersecurity measures.”
Legal agreements and code of conduct
Krishna discussed legal agreements with supply chain partners to ensure timely reporting of incidents, stating, “These agreements allowed us to react quickly, minimizing potential damage.” He underscored the importance of the zero trust model, particularly with smaller vendors lacking robust IT security. By using secure data transfer methods, he ensured, “Even if they were compromised, our sensitive data remained protected.” In addressing the legal aspects, he noted, “Indemnity from partners was challenging to secure, as it often involved multiple stakeholders.” Further, Deshpande emphasized the importance of establishing a comprehensive code of conduct for cybersecurity within the supply chain, aligning it with broader ethical and ESG standards. He stated, “To navigate these evolving challenges effectively, organizations need to extend their security frameworks to third parties, ensuring that these partners maintain the same level of controls.”
Recommendations for enhanced cybersecurity
Deshpande highlighted two key responsibilities: “First, there are aspects for which you are indirectly responsible, and second, those that are within your control.” He stressed the necessity of having third-party vendors adhere to the same security standards, suggesting that organizations should implement legal agreements that include penalty clauses to enforce compliance. Additionally, he advocated for robust third-party risk management, saying, “You need to have a strong framework in place that extends your risk controls to these vendors.” Deshpande also suggested monitoring the external landscape, noting, “It’s crucial to understand the attack surface of your vendors. If they are compromised or their systems are vulnerable, you need to be alerted immediately so that you can inform them to take action.” Acknowledging the inevitability of cyberattacks, he advised, “Diversify your environment and build resiliency. Don’t rely solely on your supply chain for everything. Having options in place will help reduce the impact of risks stemming from the supply chain.”
Pankaj Kumar addressed the complexities of managing supply chain risks and outlined key actions for organizations to improve their cybersecurity posture. He emphasized, “Supply chain risk frameworks can indeed be a daunting process,” and identified five critical steps for effectively assessing third-party vendors and minimizing risk. First, he stressed the importance of knowing your risk: “Organizations must understand which parties are connected to their systems. Often, onboarding is conducted by multiple stakeholders without a clear view of potential risks.” He noted the necessity of mapping these connections, as many organizations struggle to identify all the systems they interact with.
Cultivating a risk-aware culture
Second, Kumar highlighted the challenges associated with contractual agreements: “Indemnity enforcement in India can be very difficult. Many organizations sign contracts blindly without truly understanding the implications.” He advised that when dealing with risky vendors, organizations should avoid pulling data directly from them and instead rely on their own security measures. The third point focused on fostering a risk-aware culture within organizations. He stated, “It’s crucial to train and empower more risk officers or CISOs within the organization, enabling them to respond effectively to alerts and issues.”
Kumar also underscored the need for decisive action when facing vulnerabilities among third parties. “If we identify that a third-party vendor is consistently vulnerable, we must either bring them in line with our standards or seek alternatives,” he asserted. Finally, he emphasized the importance of validating customer-facing platforms: “When launching portals or platforms for customers, it’s vital to ensure that these systems are secure before they go live. This pre-validation is crucial to prevent issues from arising later.” Kumar stated, “While we cannot stop attacks entirely, we can significantly reduce their impact through prevention, early detection, and swift action.”
Additionally, Amal Krishna emphasized the importance of collaboration among companies in developing a unified cybersecurity framework. He stated, “We have already started on this path, with all public sector oil companies coming together to create a common security framework. This will be applicable to all, including smaller companies, which often lack the budget for separate cybersecurity measures.” He believes that such collaboration, guided by the Ministry, will foster transparency and establish a standard for assessing cybersecurity maturity across the industry. By defining compliance requirements in contracts with vendors, the initiative aims to enhance resilience against external cyber threats, ultimately providing a competitive edge in addressing these challenges.