Securing the “Krill Chain”: another way to think about supply chain risk

Nicholas Evans, Research Analyst
March, 2021

Security teams everywhere now face enormous pressure to manage—even nullify—supply chain risk. If this seems like an impossible task it is because, in a sense, it is. ‘Supply Chain Risk’ describes the problem from the point of view of an economist or an outside observer looking in upon an industry. It does not describe the problem from the situated point of view of the organization and its security team attempting to manage the risk.

We need a better way of talking about these risks, which describes them from an individual organization’s point of view, and which frames them in a way that they can be managed through practical steps. The idea of risk accumulation can do just that. 

Is supply chain risk anything new? 

The first thing to note is that ‘supply chain risk’ in a cyber security context doesn’t actually describe a single risk or challenge. It is a label applied to all the security risks an organization exposes itself to when it establishes dependency and interconnectivity with other organizations and their technology. The same principles also apply to other instances of interconnectivity such as mergers, acquisitions, and strategic alliances. Organizations that are more interconnected, such as those at the top of long supply chains or with many subsidiaries, will naturally accumulate more risk exposure. 

This raises the question of whether we can reasonably expect security teams to manage the security of their suppliers by proxy, with limited visibility and control. Perhaps there is a better way of thinking about supply chain risk, based on how risk is managed across other ‘chains’. 

Risk accumulation and amplification in the ‘krill chain’ 

Consider for a moment another complex chain we try and manage: the food chain. Biologists often talk about bioaccumulation and biomagnification in the food chain. These processes describe how toxins get steadily concentrated as they move higher up a food chain. For example, in the ocean, small quantities of mercury will be found in the bodies of krill, which will get concentrated in the bodies of the fish who eat them, and then further concentrated in the bodies of the tuna who eat those fish. Ultimately these toxins are ingested by humans at the top of the food chain and can accumulate to a level that has the potential to cause us harm.  

How does this apply to cyber supply chains? Much like the risk of mercury poisoning, cyber risks will also accumulate as they move up a supply chain—the organizations sitting towards the top of the chain can end up with the highest concentration of risk. 

But this simple example only illustrates part of the challenge. It describes the accumulation of a single toxin (mercury) that results in a single risk (mercury poisoning). In reality, vulnerabilities introduced by different sources across the supply chain will vary in their nature and how they can be exploited by an attacker. This introduces a new dimension of risk: the sequential exploitation of vulnerabilities accumulated across the supply chain to form viable attack paths that allow adversaries to reach their objectives. Not only does the introduction of vulnerabilities create an accumulation of risk for those at the top, but it is also amplified because their resulting risk exposure is greater than the individual sum of its parts.  

The following diagram shows how vulnerabilities and risk both accumulate and amplify as they move up the supply chain. The visibility and control of the organizations with the greatest level of exposure diminishes as they look down the supply chain: 

Fig. 1. The ‘Krill chain’. Each dot represents an accumulated risk in this diagram. As we move up the supply chain, these risks are magnified in the ‘bodies’ of large enterprises.

But wait—aren’t some organizations attempting to manage their supply chain risk?

A small number of enterprise superpowers are trying to use their sheer might to force transparency and standardization on others to try and gain a partial ‘bird’s-eye-view’ of their entire digital ecosystems and supply chains. 

For example, some of the world’s biggest manufacturers are now attempting to draw a perimeter around their supply chain by testing every product that they integrate into their systems. Google is exploring how to create a closed ecosystem of secure code to cover its entire base of operations. While this gives them a degree of control over the introduction of risk, it will need to be carefully balanced to avoid creating barriers to entry that stifle innovation.

For most organizations, creating a closed ecosystem and controlling the introduction of risk is not achievable. They will need to find other ways to manage accumulated risks, and to put measures in place to prevent these risks from amplifying one another.

What practical steps can all organizations take to manage accumulated risk?

Accumulated risks can be managed. The key is to understand 1) what types of vulnerabilities are accumulating in your estate, 2) where they are coming from, and 3) how an attacker could exploit them in a way that presents a risk to your organization. Spending should be prioritized in areas where your visibility of the full supply chain is most limited. 

Here are some of the steps you can take to reduce susceptibility to risk accumulation:

  • Conduct security assurance testing on third-party technologies that support the delivery of your business-critical operations.
  • Conduct rigorous due diligence to understand the cyber resilience of organizations on which you are reliant. Do the same for potential acquisitions to reduce your chances of inheriting heavy risk burdens.
  • Enumerate all externally-facing assets that form the perimeter of subsidiary organizations and take proactive steps to identify and mitigate vulnerabilities.
  • Map and technically validate attack paths that might originate in another organization but lead to your organization’s assets. Implement prevention and detection controls across those paths and assure their efficacy. 
  • Plan for the compromise of connected organizations, and prepare for how you will respond if they are breached. Understand your use of third-party technologies so that you can react when vulnerabilities get disclosed.

This is by no means an exhaustive list. What’s more important is to focus on the individual factors that contribute towards your overall risk exposure and take steps to address them. The good news is that risk reduction is also amplified up the supply chain in exactly the same way risk exposure is. As individual vulnerabilities are identified and eliminated, the exploitable attack paths that relied on them also become invalidated.
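The accumulation and amplification argument above, and the closing point that eliminating one vulnerability invalidates every attack path that relied on it, can be made concrete with a small model. The following Python is an added example and is not code from the original article or from F-Secure; the supply chain, the organization names and the vulnerability labels are all constructed for illustration and are not real products or CVEs. Edges run from supplier to customer, so risk flows "up" the chain; an attack path is a sequence of (organization, vulnerability) hops along supplier edges that ends at the organization under analysis.

```python
"""Toy model of risk accumulation and amplification along a supply chain.

Added example: the chain, org names and vulnerability labels below are
constructed for illustration and do not refer to real organizations or CVEs.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed supply chain: (supplier, customer). Risk flows toward the customer.
SUPPLY_EDGES: List[Tuple[str, str]] = [
    ("krill-components", "fish-integrator"),
    ("plankton-libs", "fish-integrator"),
    ("fish-integrator", "tuna-enterprise"),
    ("shark-saas", "tuna-enterprise"),
]

# Constructed vulnerability labels per organization (placeholders, not CVE ids).
VULNS: Dict[str, Set[str]] = {
    "krill-components": {"KC-weak-signing"},
    "plankton-libs": {"PL-outdated-dep", "PL-default-creds"},
    "fish-integrator": {"FI-exposed-admin"},
    "shark-saas": set(),
    "tuna-enterprise": {"TE-flat-network", "TE-shared-creds"},
}

Path = List[Tuple[str, str]]


def suppliers_of(edges: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Index the chain by customer so we can walk 'down' toward suppliers."""
    sup: Dict[str, List[str]] = defaultdict(list)
    for supplier, customer in edges:
        sup[customer].append(supplier)
    return sup


def accumulated_vulns(org: str, edges, vulns) -> Set[str]:
    """Bioaccumulation: every vulnerability anywhere in org's supply tree."""
    sup = suppliers_of(edges)
    seen: Set[str] = set()
    stack, acc = [org], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        acc |= vulns.get(node, set())
        stack.extend(sup[node])
    return acc


def attack_paths(org: str, edges, vulns) -> List[Path]:
    """Amplification: chains of (org, vuln) hops that end at `org`.

    A path may start at any organization in the tree (the attacker's initial
    foothold); each further hop needs a vulnerability at the next organization
    up the chain. Paths through a node with no vulnerability are not viable.
    """
    sup = suppliers_of(edges)

    def paths_into(node: str, visiting: FrozenSet[str]) -> List[Path]:
        if node in visiting:  # guard against cyclic supplier relationships
            return []
        upstream = [p for s in sup[node] for p in paths_into(s, visiting | {node})]
        result: List[Path] = []
        for v in sorted(vulns.get(node, set())):
            result.append([(node, v)])  # foothold directly at this org
            result.extend(p + [(node, v)] for p in upstream)  # pivot from a supplier
        return result

    return paths_into(org, frozenset())


def dependency_counts(org: str, edges, vulns) -> Dict[str, int]:
    """How many viable paths into `org` rely on each vulnerability.

    The highest count is the single fix that invalidates the most paths, which
    is one way to prioritize remediation spend across the chain.
    """
    counts: Dict[str, int] = defaultdict(int)
    for path in attack_paths(org, edges, vulns):
        for _, v in path:
            counts[v] += 1
    return dict(counts)


def remove_vuln(vulns: Dict[str, Set[str]], vuln: str) -> Dict[str, Set[str]]:
    """Return a copy of the vulnerability map with one vulnerability eliminated."""
    return {org: vs - {vuln} for org, vs in vulns.items()}


if __name__ == "__main__":
    top = "tuna-enterprise"
    print("accumulated:", len(accumulated_vulns(top, SUPPLY_EDGES, VULNS)))
    print("attack paths:", len(attack_paths(top, SUPPLY_EDGES, VULNS)))
    print("paths per vuln:", dependency_counts(top, SUPPLY_EDGES, VULNS))
    fixed = remove_vuln(VULNS, "FI-exposed-admin")
    print("after fixing the integrator:", len(attack_paths(top, SUPPLY_EDGES, fixed)))
```

In this constructed chain the top organization accumulates six vulnerabilities but is exposed to ten viable attack paths, which is the "greater than the sum of its parts" effect; eight of those ten paths run through the single vulnerability at the intermediate integrator, so fixing that one leaves only the two paths that start inside the enterprise itself.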

There’s no magic bullet, but as soon as we stop thinking of ‘supply chain risk’ as a single problem requiring a single solution, and start to tackle its constituent parts, everything starts to become much more manageable. 
