Vendors as Attack Vectors – The Risk You Take with Partner Services
About the Author: Mr. Albach works in IoT Security at Cisco. He joined Cisco in 2010 and has since defined and delivered three network security solutions, the most recent being Cisco’s first Industrial Security Appliance.
Did you know you can be contractually obligated to let people you don’t know access your critical infrastructure from outside your network? A simple line (taken from a very real remote operations contract) such as “XXXXX will advise the customer what is required at the time of installation” can leave you vulnerable. Isn’t the time of installation a bit late to figure out security? Let’s talk about this growing phenomenon and how it could impact your organization’s security state.
First consider the following:
- The first five victims of the Stuxnet infection were partners to the centrifuge effort
- Point-to-point VPNs and remote access tools were key to the Ukrainian electricity outage
- The last major Target breach was through a trusted HVAC contractor
- The largest data breach in US Government history came through an outsourced partner
Perhaps now would be a good time to think about your own outsourcing, partnering, and dependencies – especially those that reach down to the shop floor. Chances are you won’t get grilled by a Congressional committee (OPM), but a mistaken command or a hijacked remote access station might cause some serious harm to something or somebody.
The challenge at play is the paradox of taking advantage of digitization, improving operational efficiencies, and reducing costs all at once. Throw in the fact that the industrial workforce is aging much faster than the broader workforce and you have a particularly wicked problem.
Let’s begin with what is typically the first step in a security maturity model – Discovery.
Find out who outside your company has access to what and under what conditions. In this case the discovery process is not about network topology or connected assets.
First look at your major integrators and system providers. Understand what equipment you are heavily dependent on, who set it up, and what your current practices are with regard to their access. That access question covers both their remote access into your systems and their access when physically present at your site. Once you have an understanding of what is happening, go back and review the contract to see what was agreed to. Make sure you have a grip on both what is contractually obligated and the actual practices, and if there’s a difference, get a quick write-up of it. Then look into your smaller providers and repeat.
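The comparison described above, between what a contract permits and what actually happens, is easier to keep honest when the register of agreements is written down and checked against remote-access logs. The script below is an added example, not code from the author or from Cisco: the vendor names, accounts, hosts and log lines are constructed and hypothetical, and the `key=value` log layout is an assumption that you would adapt to whatever your VPN concentrator or jump host emits. It flags three kinds of gap between contract and practice (an account with no agreement behind it, access to a system the agreement does not list, and access outside the contracted hours) and separately lists contracted accounts that never show up in the logs, which are candidates for removal.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Agreement:
    """What a signed contract actually permits for one outside party."""
    vendor: str
    accounts: FrozenSet[str]            # remote-access accounts named in the contract
    systems: FrozenSet[str]             # hosts or zones those accounts may reach
    hours: Optional[Tuple[int, int]]    # (first_hour, last_hour) local, inclusive; None = any time


# Constructed register of agreements; vendor names, accounts and hosts are hypothetical.
REGISTER = [
    Agreement("HypoSCADA Integrators", frozenset({"hyposcada-svc"}),
              frozenset({"hmi-line1", "plc-line1"}), (7, 18)),
    Agreement("ExampleHVAC Services", frozenset({"hvac-remote"}),
              frozenset({"bms-building2"}), None),
    Agreement("Press OEM Support", frozenset({"press-oem-support"}),
              frozenset({"press-line2"}), (8, 17)),
]

# Constructed remote-access log lines; the 'timestamp key=value ...' layout is an assumption.
LOG_LINES = [
    "2016-03-01T09:12:44 user=hyposcada-svc dst=plc-line1 action=ALLOW",
    "2016-03-01T23:40:10 user=hyposcada-svc dst=plc-line1 action=ALLOW",
    "2016-03-02T10:05:01 user=hyposcada-svc dst=historian-corp action=ALLOW",
    "2016-03-02T03:30:27 user=hvac-remote dst=bms-building2 action=ALLOW",
    "2016-03-02T11:00:00 user=legacy-vendor dst=plc-line3 action=ALLOW",
]


def parse_line(line: str) -> dict:
    """Split one log line into a dict of its key=value fields plus a parsed 'time'."""
    stamp, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.fromisoformat(stamp)
    return rec


def reconcile(register: List[Agreement], log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Compare observed access with contracted access.

    Returns (finding, account, detail) tuples, one per discrepancy:
      'no-agreement'    the account is not named in any contract
      'unlisted-system' the account reached a host its contract does not cover
      'outside-hours'   the access happened outside the contracted window
    """
    by_account = {acct: a for a in register for acct in a.accounts}
    findings = []
    for rec in map(parse_line, log_lines):
        user, dst, hour = rec["user"], rec["dst"], rec["time"].hour
        agreement = by_account.get(user)
        if agreement is None:
            findings.append(("no-agreement", user, f"reached {dst}"))
            continue
        if dst not in agreement.systems:
            findings.append(("unlisted-system", user,
                             f"{dst} is not in the contract with {agreement.vendor}"))
        if agreement.hours and not (agreement.hours[0] <= hour <= agreement.hours[1]):
            findings.append(("outside-hours", user,
                             f"{rec['time']:%H:%M} vs contracted {agreement.hours}"))
    return findings


def dormant_accounts(register: List[Agreement], log_lines: List[str]) -> List[str]:
    """Contracted accounts that never appear in the logs: standing access nobody is using."""
    seen = {parse_line(line)["user"] for line in log_lines}
    return sorted(acct for a in register for acct in a.accounts if acct not in seen)


if __name__ == "__main__":
    for kind, acct, detail in reconcile(REGISTER, LOG_LINES):
        print(f"{kind:16} {acct:18} {detail}")
    print("dormant contracted accounts:", dormant_accounts(REGISTER, LOG_LINES))
```

Run it as-is to see the three discrepancies and the one dormant account from the constructed data; in practice you would feed `REGISTER` from the contract review and `LOG_LINES` from a few weeks of VPN or jump-host logs, and the output is the write-up of differences the paragraph above asks for.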
Now let’s broaden the discussion a bit – look at your production environments outside the major equipment.
- What kind of access do your parts suppliers and others have?
- Are all the buildings your own?
- Who maintains them and the grounds?
- Who cleans up and hauls away the refuse?
- Who maintains the printers, the coffee machines, etc.?
- Does the vending machine link back to some other network?
Then look internally:
- Are you dependent on your IT department for services?
- Have they outsourced some of that work to other agencies or temporary workers?
Think through these answers and where their “touch” extends into your industrial space.
Now consider any new agreements in the making. After all, if you did not like what you found in the earlier agreements, then you need to address the new ones. It is best to get involved before a contract is signed, and you should also consider adding amendments to earlier agreements.
While you trust and rely on some pretty good partners, they are unfortunately legitimate vectors for a breach. Preventing a breach happens to be your responsibility and if they are good partners, they will be more than happy to work towards secure remote access.
In our next blog we will talk about the actions you can take to make remote access more secure.