
5 Questions to Ask Critical Infrastructure Supply Chains

Everfox

Digital transformation has made the critical infrastructure that powers our lives more connected and more vulnerable than ever before. The very connectivity that makes these systems more powerful and manageable also opens the door to disruptive and malicious cyberattacks. This grave situation calls for a new era of experienced defenders, armed with proven technologies to keep our civilization secure and thriving.

For Critical Infrastructure Security and Resilience Month in November 2024, the White House published a proclamation highlighting the importance [1] of reminding asset owners and operators to step up and focus on safeguarding these vital installations. The nationwide effort is focused on raising awareness and reaffirming the commitment to keeping the nation’s critical infrastructure secure and resilient.

So, what can critical infrastructure organizations do to protect themselves? Here are 5 questions you should ask supply chain partners to understand their risk profiles and develop effective strategies for threat mitigation:

Question 01. How are trusted networks protected?

A trusted network should be segmented from untrusted or low-trust networks within an organization. The internet and employee home networks are examples of low-trust networks that should not be directly connected to trusted networks. For organizations running industrial equipment or machinery, strictly enforcing a boundary between Information Technology (IT) and Operational Technology (OT) is critical to preventing digital attacks from manifesting in the physical space. But OT networks aren’t the only trusted networks that need protection. For example, suppliers of software used in OT networks should have similar safeguards erected around their development networks to prevent a software supply chain compromise.

Ask your vendors what technologies and strategies they use to protect their trusted networks.

Question 02. How do you prevent broad, network-level attacks?

The underpinnings of the internet are inherently insecure – it was not built for today’s level of societal reliance. Advanced services running via the internet now require increasingly complex protocols and software, and with complexity comes an increased risk of bugs, vulnerabilities, and zero-days ripe for exploitation by motivated threat actors.

Organizations in highly regulated industries, like those that handle industrial manufacturing or healthcare equipment, are often more targeted and more vulnerable to cyberattacks due to the complexity of maintaining and securing their digital infrastructure.

Review your cyber strategy and perimeter defenses to ensure that malformed and malicious protocol payloads don’t cause your defenses to “fail open.”

Question 03. How do you protect against novel malware and ransomware threats?

The democratization of hacking tools, both hardware and software, alongside a thriving market for exploits via both Commercial Surveillance Vendors (CSVs) and the Dark Web, has created a more volatile cybersecurity landscape. Cyberattacks are more targeted and sophisticated every day. Legacy detection-based approaches to battling malware generally do not offer the most dependable frontline defenses organizations need to keep their data secure. As a result, critical infrastructure organizations should be asking their vendors how they protect against novel threats.

Create prevention-based defenses against ransomware and ensure duplicative backups are in place for restoration. Confirm that your vendors are similarly equipped to handle ransomware incidents.

Question 04. How do you prevent data theft, leakage, and exfiltration?

Insider risk has many forms – from accidental to malicious, negligent to compromised – which is why a human-centric, risk-adaptive approach to securing organizations against internal threats is critical. Comprehensive insider risk solutions focus on Indicators of Behavior (IoB) that can alert on early warning signs of compromise. This allows analysts to apply risk-adaptive protections in real-time to prevent compromise, rather than respond to events after they’ve already occurred.

Data Loss Prevention (DLP) is now just one tool that can help keep your organizational data safe, but additional tools are necessary for higher levels of protection. When it comes to insider threat solutions, ask how chain of evidence is collected and maintained, how the tools protect personal privacy, and what mechanisms are in place to prevent abuse of authority.

Create a privacy-oriented, evidentiarily robust Insider Risk program to ensure your workforce doesn’t intentionally or inadvertently compromise sensitive data.

Question 05. How do you go beyond software security?

As the cost of manufacturing continues to decrease and the availability of nation state-grade hacking tools increases, protecting data requires unique and ever-evolving solutions. Considering security implications outside of software by applying a Secure by Design approach to hardware will be critical to maintaining the security of any organization and will serve to strengthen the overall supply chain.

Any software is only as secure as the hardware it runs on. The same goes for any network. Hardware security (Hardsec) is already changing the way national security organizations defend against hackers, and highly regulated industries would be wise to follow suit. Hardsec can work in tandem with other security solutions to help enforce rigorous controls without impacting the usability of highly secured digital environments.

Examine your network topology and integrate hardsec technologies to rigorously segment the most sensitive parts of your IT and OT networks.

By asking these key questions of their supply chains, critical infrastructure organizations can start to build an effective strategy for protection and resilience in the face of an ever-increasing threat.

To read more detail on how to get the most out of your supply chain security, download our eBook here.


[1] Industrial Cyber - Biden Declares November as CI Security and Resilience Month