Nicholas Evans, Research Analyst
We need a better way of talking about these risks, which describes them from an individual organization’s point of view, and which frames them in a way that they can be managed through practical steps. The idea of risk accumulation can do just that.
The first thing to note is that ‘supply chain risk’ in a cyber security context doesn’t actually describe a single risk or challenge. It is a label applied to all the security risks an organization exposes itself to when it establishes dependency and interconnectivity with other organizations and their technology. The same principles also apply to other instances of interconnectivity such as mergers, acquisitions, and strategic alliances. Organizations that are more interconnected, such as those at the top of long supply chains or with many subsidiaries, will naturally accumulate more risk exposure.
This raises the question of whether we can reasonably expect security teams to manage the security of their suppliers by proxy, with limited visibility and control. Perhaps there is a better way of thinking about supply chain risk, based on how risk is managed across other ‘chains’.
Consider for a moment another complex chain we try to manage: the food chain. Biologists often talk about bioaccumulation and biomagnification in the food chain. These processes describe how toxins become steadily more concentrated as they move up a food chain. For example, in the ocean, small quantities of mercury are found in the bodies of krill; these are concentrated in the bodies of the fish that eat the krill, and concentrated further in the bodies of the tuna that eat those fish. Ultimately these toxins are ingested by humans at the top of the food chain, where they can accumulate to a level that has the potential to cause us harm.
How does this apply to cyber supply chains? Much like the risk of mercury poisoning, cyber risks will also accumulate as they move up a supply chain—the organizations sitting towards the top of the chain can end up with the highest concentration of risk.
But this simple example only illustrates part of the challenge. It describes the accumulation of a single toxin (mercury) that results in a single risk (mercury poisoning). In reality, vulnerabilities introduced by different sources across the supply chain will vary in their nature and how they can be exploited by an attacker. This introduces a new dimension of risk: the sequential exploitation of vulnerabilities accumulated across the supply chain to form viable attack paths that allow adversaries to reach their objectives. Not only does the introduction of vulnerabilities create an accumulation of risk for those at the top, but it is also amplified because their resulting risk exposure is greater than the individual sum of its parts.
The following diagram shows how vulnerabilities and risk both accumulate and amplify as they move up the supply chain. The visibility and control of the organizations with the greatest level of exposure diminish as they look down the supply chain:
Fig. 1. The ‘Krill chain’. Each dot represents an accumulated risk in this diagram. As we move up the supply chain, these risks are magnified in the ‘bodies’ of large enterprises.
A small number of enterprise superpowers are using their sheer might to force transparency and standardization on others, in an attempt to gain a partial ‘bird’s-eye view’ of their entire digital ecosystems and supply chains.
For example, some of the world’s biggest manufacturers are now attempting to draw a perimeter around their supply chain by testing every product that they integrate into their systems. Google is exploring how to create a closed ecosystem of secure code to cover its entire base of operations. While this gives them a degree of control over the introduction of risk, it will need to be carefully balanced to avoid creating barriers to entry that stifle innovation.
For most organizations, creating a closed ecosystem and controlling the introduction of risk is not achievable. They will need to find other ways to manage accumulated risks, and to put measures in place to prevent these risks from amplifying one another.
Accumulated risks can be managed. The key is to understand 1) what types of vulnerabilities are accumulating in your estate, 2) where they are coming from, and 3) how an attacker could exploit them in a way that presents a risk to your organization. Spending should be prioritized in areas where your visibility of the full supply chain is most limited.
Here are some of the steps you can take to reduce susceptibility to risk accumulation:
This is by no means an exhaustive list. What’s more important is to focus on the individual factors that contribute towards your overall risk exposure and take steps to address them. The good news is that risk reduction is also amplified up the supply chain in exactly the same way risk exposure is. As individual vulnerabilities are identified and eliminated, the exploitable attack paths that relied on them also become invalidated.
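As an added illustration, not part of the original article, the following Python model works through the three ideas above on a constructed supply chain: weaknesses accumulate upward like mercury in the krill chain, attack paths multiply across tiers rather than add, and fixing one weakness invalidates every path that relied on it. All organization names and weakness labels are constructed, and the path model (one exploitable weakness per hop, starting at any tier) is a deliberate simplification.

```python
"""Toy 'krill chain' model: weaknesses accumulate up a supply chain, attack
paths multiply across tiers, and one fix invalidates every path that used it."""
from itertools import product

# Constructed chain: org -> (its own weaknesses, its direct suppliers).
CHAIN = {
    "enterprise":    ({"vendor-portal-weak-auth", "flat-network"}, ["integrator", "hr-saas"]),
    "integrator":    ({"unsigned-firmware-updates", "shared-admin-creds"}, ["chip-vendor"]),
    "chip-vendor":   ({"debug-port-enabled", "default-credentials"}, []),
    "hr-saas":       ({"overprivileged-api-token", "no-audit-logging"}, ["analytics-lib"]),
    "analytics-lib": ({"known-vulnerable-dependency"}, []),
}

def accumulated(org, chain=CHAIN):
    """Bioaccumulation: every weakness downstream of org ends up in its
    exposure, tagged with the organization that introduced it."""
    own, suppliers = chain[org]
    exposure = {(org, w) for w in own}
    for s in suppliers:
        exposure |= accumulated(s, chain)
    return exposure

def attack_paths(org, chain=CHAIN):
    """Amplification: a path starts at any tier and chains one weakness per
    hop up to org, so the count multiplies instead of summing."""
    own, suppliers = chain[org]
    local = [(org, w) for w in sorted(own)]
    paths = [[step] for step in local]          # attacks that begin at org itself
    for s in suppliers:
        paths += [lower + [step] for lower, step in product(attack_paths(s, chain), local)]
    return paths

def remediate(org, weakness, chain=CHAIN):
    """Risk reduction: return a copy of the chain with one weakness fixed."""
    own, suppliers = chain[org]
    return {**chain, org: (own - {weakness}, suppliers)}

def fix_impact(top="enterprise", chain=CHAIN):
    """Rank each accumulated weakness by how many of top's attack paths
    disappear when it alone is fixed (highest first)."""
    before = len(attack_paths(top, chain))
    impact = {(org, w): before - len(attack_paths(top, remediate(org, w, chain)))
              for org, w in accumulated(top, chain)}
    return sorted(impact.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    print(len(accumulated("enterprise")), "accumulated weaknesses")
    print(len(attack_paths("enterprise")), "viable attack paths")
    for (org, w), n in fix_impact():
        print(f"fix {w} at {org}: invalidates {n} paths")
```

Nine weaknesses yield 22 paths in this model, and the ranking shows that a weakness near the top, through which every lower path must pass, removes the most paths when fixed, while the sole weakness in a leaf supplier still cuts an entire branch.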
There’s no magic bullet, but as soon as we stop thinking of ‘supply chain risk’ as a single problem requiring a single solution, and start to tackle its constituent parts, everything starts to become much more manageable.