The Anatomy of a Zero Trust Supply Chain


A supply chain attack is a type of cyber attack against a supplier or trusted partner of the ultimate target company.

Rather than directly attacking a well-protected ‘primary’ target, a supply chain attack looks for weak links within the network of vendors whose services or software enable that primary company to function.

The scale of the supply chain problem

Statista reports that 2022 saw approximately 11 million customers affected by supply chain cyber attacks across the globe. The good news is that this was a drastic reduction from the 2019 peak of 263 million impacted customers. The bad news is that in the first quarter of 2023 alone, over 60 thousand customers reported supply chain attacks.

Elsewhere Gartner has predicted that by 2025, 45 percent of organisations worldwide will have experienced attacks on their software supply chains[1]. Researchers at Cybersecurity Ventures predict the global annual cost of these attacks to businesses will hit $138 billion by 2031, up from $46 billion in 2023, based on 15 percent annual growth.

In the UK, the problem is so acute that it has merited a special focus from GCHQ’s National Cyber Security Centre (NCSC). Research from 2022 showed that just over 1 in 10 (13%) UK businesses review the risks posed by their immediate suppliers[2], and in late 2023 the NCSC published a full guide for SMEs on addressing cyber risk in the supply chain[3].

The reason behind such exposure is simple. Supply chain pressures have plagued businesses in recent years – one report cited that 77% of mid-sized businesses in the UK faced ‘persistent disruptions’ in their supply chains[4]. The response has been to take on more suppliers in an attempt to remain agile and able to deliver against increased customer demand. But a bigger supply chain means a bigger supply chain risk.

Consequently, many businesses now realise that the supply chain remains the weakest link of their cybersecurity. As these organisations have conducted stricter evaluations of their supply networks, there has been an inevitable shift towards “zero trust” models.

Defining zero trust

Zero trust is a modern security strategy based on a simple principle: never trust, always verify. The model assumes either a malicious intent or breach and verifies each request to access systems as though it originates from an unprotected, open resource.

Globally, the zero-trust market is estimated to reach $126bn by 2031, growing at a CAGR of 18.5% from 2022 to 2031.[5] Businesses have been quick to embrace this approach and eliminate the assumed, implicit trust across entire supply chains and networks, including non-direct suppliers.

Using zero trust in a supply chain

In creating a global chain of trust, the first step is to build a comprehensive inventory of all suppliers – spanning any system that has access to infrastructure that may be a target. This can include accountants, time management platforms, vendor managed inventory software, EDI and so forth.

Once this list is established and verified, a business can impose zero trust by asking suppliers to meet a minimum number of prerequisites. Verifying this compliance can be complicated and requires technological maturity.

These requirements on suppliers typically revolve around guarantees that data will not be resold, the presence of good backups, compliance with laws such as GDPR, best-practice processes for vulnerability monitoring, and security assurance plans.

However, it is worth bearing in mind that there is no standardised checklist. Companies can request independent evaluations – and these are on the increase – but there is no legal mandate or standard.

The efficacy of evaluations depends upon customer budgets and the sensitivity of the data being processed. The important thing is that companies must be able to conduct these evaluations to offer customers a guarantee of the security of their data.

The changes a zero-trust approach brings

One of the most common changes that then follows is the imposition of multi-factor authentication (MFA) for access to data. Many code repositories – including GitHub – now mandate MFA for the 100 million users that submit code. And the use of security tokens is also increasing.

Elsewhere, detection systems such as network detection and response (NDR) are being implemented to provide visibility into this extended network. This offers 360° visibility of activity that has entered a business’s systems through the supply chain without its knowledge.

Whilst it is incredibly difficult to control all the aspects and elements across the supply chain itself, NDR sees everything as it enters the network of the primary target company and can – in line with zero trust – treat such behaviour with suspicion and act accordingly. NDR is zero-trust by definition.

The barriers to a zero-trust supply chain

It is worth noting that all this vigilance is not cheap – the growth in supply chain risk has increased the cost of cybersecurity, requiring substantial additional effort. Much of this effort arises because various hardware and software within a cybersecurity profile has its own protocols and there is a lack of interoperability.

At scale, there will be a need to automate authentication without impacting productivity. This is driving the development of single sign-on (SSO) models and encryption methods that ensure suppliers can decrypt only the data relevant to them. And of course, the increased management burden of zero trust will see companies delegate the approach.

The evaluations and controls to ensure compliance across such networks will be costly and time-consuming. Some businesses will impose supply chain requirements on primary suppliers and hold them responsible for security regarding secondary and even tertiary suppliers. Successful models for this already exist within the banking and defence sectors.

Supply chain attacks have rapidly become a regular fixture of major news stories and expensive remediation – in a future of ever-expanding supply networks and increasingly sophisticated attacks, businesses need to adopt zero trust throughout global supply chains if they are to remain protected and able to function.

[1] See https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022

[2] See NCSC issues fresh guidance following recent rise in supply… – NCSC.GOV.UK

[3] See Mastering your supply chain – NCSC.GOV.UK

[4] See Supply chain challenges continue to hold back business growth – BDO

[5] See Zero Trust Security Market Thriving Worldwide Growth & Trending Business Factors & Forecast to 2031 – CIO News