Supply chain data exposure is a critical infrastructure issue


Rachael Bolton
Contributor

Local companies need to be more aware of their blind spots when it comes to supply chain risk – particularly in relation to the cybersecurity and critical infrastructure protections – global experts have warned.

Trustwave global head of strategy Nick Ellsmore told an Australia-Israel Chamber of Commerce event in Sydney on Wednesday that a lack of comprehensive understanding of an organisation’s supply chain data exposure was a major risk factor for Australian companies.

city data
Supply chains are key in critical infrastructure protection

He said supply chain cyber risk breaks down into “three different buckets”: Are you comfortable with where your products are being made? Do you know every entity in your supply chain with access to your data and which data, exactly, they have permissions for? And what happens if your tech provider is itself compromised?

Mr Ellsmore referenced the cyberattack on US tech giant SolarWinds by Russian state actors last year, which spread to its customers via “infected” code sent out as a regular update to their Orion IT management software.

“At the time, it was shocking that that happened,” he said. “It really shouldn’t have been because back in 2011, the exact same thing happened, which was when RSA was compromised.”

RSA made the SecurID tokens that people used to carry around as a proto-two-factor authentication device, generating authentication numbers referred to as “seeds”.

The 2011 hack, executed by Chinese spies, compromised the server where these seeds were stored and ultimately allowed the hackers access into the networks of RSA clients, including US defence giant Lockheed Martin.

The full details of the RSA attack really only made it into public view last year. And that’s one of the problems with cyberattacks in general – even more so with these kinds of supply chain hacks – is that companies are traditionally embarrassed about the violation and don’t like to talk about what happened. They won’t talk in public or even behind closed doors with industry partners and competitors.

Dispelling the culture of shame around cyberattacks is a core part of the government’s strategy around protecting critical infrastructure. This is illustrated by the new reporting requirements contained in the changes to the Critical Infrastructure Act that are expected to pass sooner rather than later.

Speaking at the same event, Lendlease head of podium services Colin Dominish said corporate Australia needs to work collaboratively to fight back against cybercrime.

“Last financial year, Australia had over 65,000 cyberattacks that were actually reported on,” he said. “They totalled to about $33 billion in economic detriment.

“I think there’s an opportunity there for us to fight back against the attack, by being able to share information openly in what is actually a difficult area to share information, because everyone has a stigma revolved around what it means to report on cybercrime.”

When it comes to managing data breach risk from your supply chain or from your technology suppliers, Mr Ellsmore said that it ultimately comes down to thorough risk assessment, full awareness and knowing you have processes in place to manage those exposures.

“If you have technology in your environment, and you have to put it in your environment, there is a chance that the people that make that technology themselves may be compromised, and you then may be attacked through that channel,” he said.

“We work with clients who have thirty thousand, sixty thousand suppliers in their supply base, all of whom have some level of access to data, some level of access to systems. And really, the question again, becomes primarily one of inventory, which is: do you know who they all are? Do you know, what they will do, and do you know what access they have?

“All you can do is try and protect it and that attack is used in your environment. Where there’s 30,000 or 60,000 suppliers, you really do need to know who they are and go through some process of assessing them.”

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories