Securing digital supply chains
Published 20 September 2021
Work with your suppliers to enhance security and quality
People may recall a disquieting episode from 1982 in which seven people were adversely affected after consuming Tylenol capsules that had been tampered with. It became known as the Chicago Tylenol scare, and the perpetrator was never identified.[1]
Chicago police launched a major investigation, while the manufacturer – Johnson & Johnson – immediately recalled 31 million bottles from across the US. This prompt action uncovered a number of tainted capsules in other stores across Chicago, almost certainly saving several lives.
In the aftermath of this highly publicised event, safer and better processes and product standards were introduced, including caplets and tamper-evident packaging. Johnson & Johnson’s swift actions enabled it to restore trust in its product, and the episode came to be regarded as a textbook example of corporate best practice.
As a Johnson & Johnson spokesperson later summarised:
“We concluded we were never going to be judged by what caused the problem… We were always going to be judged on how we responded to it.”[2]
Digital health supply chain attacks
Cyber-attacks on digital health supply chains are a modern digital equivalent of the Tylenol contamination scare. A product or service that you rely on may one day contain a kind of “poison pill” that can wreak havoc on your business and on the customers you serve.
In the digital world, as in the physical world, a supply chain attack involves an attack on both a supplier and the supplier’s customers. It works by compromising the digital products or services used by customers, for example by exploiting an ICT or managed service provider that has trusted access to its customers’ networks. Effectively, the customer continues to trust its supplier without knowing that the trust relationship has been broken.
Access to the customer’s network can be gained through many types of ICT platform: a supplier’s cloud file-sharing appliance, network monitoring tools, clinical information software, a cloud (Software as a Service) accounting application, or any other cloud-hosted application or infrastructure.[3]
These attacks can have a wide and cascading effect, impacting not just a particular business, but that business’s customers, their customers’ customers, and so on.
“Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year.”[4]
Special mention should be made of “software supply chain attacks”, which inject malicious code into third-party software products in order to access the systems and data of the organisations using those products.[5] The recent SolarWinds attack was a digital supply chain security wake-up call: it has been reported that up to 17,000 SolarWinds customers received the malicious code, and that hundreds were then further exploited, with theft of sensitive information.[6]
A balanced approach to understanding these attacks and their mitigations is essential:
- The main defence against supply chain attacks is to develop a very clear understanding of your supply chain. (More about this below.) This may represent additional work for most organisations, but the resulting clarity about supplier relationships may have additional benefits in assuring the quality of your organisation’s products or services.
- Set up agreements with suppliers that require visibility of their cyber security maturity through assurance (such as certification), stipulating in the formal agreement what you need to know; this should include an obligation to alert customers to cyber incidents so that their impact and reach can be better managed.
- Meet regularly with key suppliers to assess their performance and talk about any security concerns.
- As these revised business practices become more widespread, suppliers will likely use their security proactively as a marketable “cyber security health check” mark, to assure customers of the safety and quality of the associated products and services. The Australian government is presently exploring a scheme of this nature.[7]
With supply chain attacks on the rise, Australian suppliers of software and digital products and services should consider how they can provide independent and verifiable assurance to their customers. This may include implemented standards or effective cyber security controls and practices, among them notifying customers of incidents and vulnerabilities in a timely manner, to help prevent a cascading supply chain event.
How to defend against supply chain attacks
The Australian Cyber Security Centre advises that the fundamental defence against supply chain attacks is to get to know your suppliers better: understand who they are, review their security posture, recognise the potential risks their products and services may present to your organisation, and regularly check the integrity of their development and production processes.[8]
A key part of this process will be to adopt a shared responsibility model with your suppliers.[9]
Regular risk assessments will be another key part of this process. These assessments should:
- Prioritise critical business processes that rely on ICT products or services;
- Be supported by monitoring and follow-up audits to confirm risk mitigation and improvements in processes; and
- Include tested incident response plans covering the scenario of a compromised third-party supplier.
In addition to the above, consider implementing a zero trust architecture if you haven’t already. The fundamental premise of zero trust (that any asset should be considered “untrusted” by default) is in principle ideal for mitigating many kinds of cyber-attack, including those that target digital supply chains.[10]
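One concrete form of “checking the integrity” of what a supplier delivers, and of detecting the injected code that the software supply chain attacks above rely on, is to verify every delivered file against a digest manifest the supplier publishes through a separate channel (for example a signed release page), rather than trusting the download alone. The following is an added example written for this article; it is not code from the article or from any of the agencies cited. The file names, file contents and the manifest are constructed sample data.

```python
"""Verify a supplier's software delivery against the supplier's own digest manifest.

Added example for this article (not the article's or any agency's code).
All file names, contents and digests below are constructed sample data.
"""
import hashlib
import hmc if False else None  # placeholder removed below
```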
Find out more
Detailed, actionable advice on managing the risks of digital supply chains is available from:
Comprehensive, up to date overviews of supply chain attacks and their management are available from:
- The National Institute of Standards and Technology (US), and
- The European Union Agency for Cybersecurity.
[1] PBS News Hour. How the Tylenol murders of 1982 changed the way we consume medication. https://www.pbs.org/newshour/health/tylenol-murders-1982
[2] NY Times. How an Unsolved Mystery Changed the Way We Take Pills. https://www.nytimes.com/2018/09/16/us/tylenol-acetaminophen-deaths.html
[3] CISA catalogues an array of detailed scenarios in its Threat Scenarios report, available from https://www.cisa.gov/supply-chain
[4] ENISA. Understanding the increase in Supply Chain Security Attacks. https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks
[5] CSO Australia. Supply chain attacks show why you should be wary of third-party providers. https://www.csoonline.com/article/3191947/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html
[6] Microsoft. A moment of reckoning: the need for a strong and global cybersecurity response. https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/
[7] Department of Home Affairs. Strengthening Australia’s cyber security regulations and incentives. Section 9. https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-regulations-incentives
[8] Australian Cyber Security Centre. Cyber Supply Chain Guidance. https://www.cyber.gov.au/acsc/government/cyber-supply-chain-guidance
[9] Australian Cyber Security Centre. Information technology and cloud services. https://www.cyber.gov.au/acsc/view-all-content/guidance/information-technology-and-cloud-services
[10] Collier ZA and Sarkis J. The zero trust supply chain: Managing supply chain risk in the absence of trust. https://www.tandfonline.com/doi/full/10.1080/00207543.2021.1884311