March 1, 2023
Vendors, suppliers, and subcontractors all contribute to your organization’s risk profile.
Manufacturing success relies on robust supply chains. As operational technology embeds itself deeper into every link on those chains, productivity increases – alongside cybersecurity risks.
Managing supply chain risk is core to the value that manufacturing leaders offer their organizations. Losing access to raw materials and specialist talent can severely test a manufacturer’s capabilities. For experienced manufacturing leaders, planning for natural disasters, geopolitical events, and macroeconomic uncertainties is part of the job.
Now, manufacturing leaders are adding cybersecurity risks to that list.
Modern manufacturers can’t optimize their supply chains without relying on third-party vendors. Even the most vertically integrated operation sources raw materials, valuable components, and specialist talent from third parties before acquiring them.
In fact, both horizontal and vertical growth strategies are subject to supply chain risks. Only leaders who take a proactive approach to third-party vendor risk management are prepared to address those risks effectively.
Third-Party Vendors Expand Operational Risk
57% of respondents to CRA Business Intelligence's 2023 third-party risk survey reported IT security incidents related to third-party partners in the last two years. Some reported that the digital supply chain has become the primary source of attacks during that time.
These findings have clear implications for manufacturers that rely on a complex web of third-party vendors to generate value. Vendors, suppliers, and subcontractors rarely provide their clients with deep visibility into security operations – and may not even have that level of visibility for themselves.
As organizations harness the power of data to optimize operations, they also expand the security risks that come with collecting and analyzing that data. Manufacturers with global operations, cloud-enabled technology stacks, and vast data collections are valuable targets for sophisticated and persistent cybercriminals.
Manufacturing organizations are more likely to depend on a large number of third-party partners. In CRA Business Intelligence’s survey, the average number of third-party vendors, service providers, distributors, agents, and resellers among all respondents was 88.
Larger enterprises had nearly twice the number of active partnerships with third parties.
Every single third-party partner is a potential source of malicious activity:
- Trusted connections between third-party partners and in-house systems can bypass otherwise robust perimeter security solutions.
- Privileged third-party user accounts may be subject to insider threats outside the control of the organization’s in-house security team.
- Partners with poor visibility into their own security operations may expose manufacturers to risks without being aware of them.
- Uncertainty about third-party vendor risks makes it nearly impossible to craft effective operating technology access policies.
API Vulnerabilities Increase Alongside Digital Transformation
Enterprise organizations are increasingly relying on API-powered automation to optimize core processes, and manufacturers are no different. According to a 2022 report, the average enterprise has more than 15,000 APIs active today.
Manufacturers are uniquely susceptible to API security incidents because of their reliance on automation to optimize IT and OT processes. For manufacturers undergoing digital transformation, APIs do much of the heavy lifting – enabling organizations to digitize, connect, and automate legacy systems without supporting the costs of rip-and-replace alternatives.
Maintaining an inventory of every API used in a complex manufacturing environment is no easy task. Security leaders must also know which of these APIs works with sensitive data. But few organizations have the visibility necessary to see who accesses sensitive data through APIs.
On top of these challenges, conducting API security testing is difficult in an always-on manufacturing environment. Manufacturers’ API dependencies continue to grow, but their visibility and control into API processes are shrinking over time.
Complex Supply Chains Make Insider Threats Difficult to Detect
In the past, a single group of people shared responsibility for overseeing IT and OT processes. This system favored administrative simplicity over operational efficiency, and there were few alternative options available.
Advances in optimization and efficiencies of scale have changed that. Now, manufacturers’ IT departments lack the authority and visibility necessary to manage security across complex supply chains. Outsourced business processes and IT services create a complex attack surface that is especially vulnerable to insider threats.
A typical IT environment has multiple layers of security systems monitoring network traffic and alerting security teams when suspicious activity occurs. This is not always the case in OT environments. It’s even rarer in distributed IT/OT infrastructures that depend on multiple third-party vendors securing their own systems independently.
In a highly distributed environment, attackers can compromise privileged third-party account credentials and use them to target partner systems and data. If a trusted contact from a software vendor has their account compromised, threat actors may access your systems without encountering your security controls at all.
Few Organizations Enjoy Deep Visibility into Security Operations
Security visibility isn’t just a problem for manufacturers operating complex OT deployments. It’s a problem for all organizations, including suppliers and third-party vendors that don’t directly interact with OT at all.
The issue here is that manufacturers must trust that their vendors are following best security practices but can’t expect any verification of that fact. Beyond integrating compliance into third-party vendor assessment and running internal audits, there is not much that a manufacturer can do to ensure the security of its partners.
But compliance guidelines don’t necessarily translate to best-in-class security performance. A vendor can check all the boxes without having great visibility into its security posture. It may even have its own security outsourced to a third-party “mystery box” vendor.
If an organization’s trusted partners don’t have visibility into their security operations, it won’t be able to achieve visibility either. Operational risk will settle on the weakest link in the supply chain.
Operational Technology is Vulnerable to Third-Party Vendor Risk
Most information security professionals in the manufacturing industry understand the need to restrict third-party access to operational technology. Most industrial control systems do not feature built-in cyber resilience in their design.
Considering how much of today’s industrial infrastructure was designed more than twenty years ago, it makes sense that advanced cybersecurity implementations are largely absent. Upgrading OT systems to achieve best-in-class security performance is much harder and more expensive than updating actively managed IT infrastructure.
Without the ability to patch security vulnerabilities in a cost-effective way, security leaders in the manufacturing industry need to protect access to OT systems. The problem is determining what kind of access policies will achieve that goal.
Read More
Securing the Future of Manufacturing and Industry: IT/OT Integration
Without clear visibility into how traffic moves across OT infrastructure, putting practical policies in place is an extraordinary challenge. In order to implement the principle of least privileged access, security leaders must first understand who accesses these systems and why.
In a typical OT environment, access permissions may have been governed on a pragmatic, ad-hoc basis for years. To define and segment user groups by access requirements, security leaders must first unravel this complicated tangle of policies. Otherwise, they risk doing unintentional damage to core productivity.
As a result, third-party vendor risk remains a significant factor in OT security. Cybercriminals who compromise third-party vendors may easily find their way into critical OT infrastructure. Securing operational technology requires a proactive, visibility-enhanced approach to third-party vendor risk management.
Secure Third-party Vendor Risk Management with Unlimited Visibility
Manufacturers need to manage cyber risk by adopting an operationally viable approach to vendor risk assessment. This assessment process must then be scaled to fit the needs of a complex supply chain.
That means establishing visibility into core processes both inside the organization and through its network of third-party partners. Managed detection and response providers like Castra play an important role in granting organizations the visibility they need to secure their third-party partnerships.
Manufacturers need to see and verify the actions of third-party users on their network. A properly configured security information and event management (SIEM) platform is vital to this task.
One of your MDR vendor’s primary responsibilities is helping you configure, deploy, and manage your organization’s SIEM platform effectively.
Read More
5 Values to Demand From Your Exabeam MDR Service Provider
Having a scalable, transparent SIEM solution in place dramatically changes your organization’s vendor management capabilities. You can now manage third-party risk, maintain compliance, and address vulnerabilities throughout the digital supply chain.
This gives your security team the visibility it needs to successfully address operational risk originating from third parties. Only then can you implement solutions that protect sensitive systems and data from compromise.
Your SIEM collects log data from every corner of your organization and converts it into useful insight analysts can use to detect threats early. However, with the right implementation, you can also use your SIEM to detect malicious insiders and orchestrate complex incident response playbooks.
What Does Unlimited Visibility into Third-Party Risk Look Like in Practice?
Complex supply chains are not readily transparent or easy to analyze. Your SIEM needs to collect relevant log data from your organization, its partners, and vendors.
Your SIEM implementation is a critical step in this process. To provide visibility into partner systems, your SIEM must be configured to capture data from third-party sources and observe transactions occurring on third-party networks.
This isn’t possible with a default SIEM configuration. Only custom implementation can introduce these data sources appropriately, allowing analysts to detect and respond to threats that would otherwise go unnoticed. Once third-party data sources are connected, analysts can use the full range of high-powered security technologies to detect suspicious behaviors throughout the entire environment.
Identify Insider Threats With UEBA-enhanced Insight
Exabeam is a SIEM platform that leverages machine learning to detect threats that other SIEM technologies can’t. User Entity and Behavioral Analytics (UEBA) technology assigns risk thresholds to users who engage in suspicious activities, allowing analysts to investigate potential risks stemming from compromised credentials.
This allows Exabeam to detect malicious behavior that traditional SIEM platforms would overlook. A rules-based SIEM cannot differentiate between a legitimate authorized user and a malicious insider with compromised credentials. All it can see is an authorized account doing whatever it’s authorized to do.
Exabeam observes active user accounts in action and establishes a risk baseline based on their behaviors. It then uses machine learning to model these behaviors and assigns risk scores to accounts that deviate from their routine.
This allows analysts to prioritize the investigation of high-risk users, assets, and systems. For example, imagine a trusted third-party vendor account starts exfiltrating files it has never accessed before, in a database not related to its primary activity.
Exabeam may prompt an investigation because this activity, though authorized according to the vendor’s permissions, is unusual enough to merit a closer look. A rules-based SIEM may not notice this activity at all since the vendor account has the appropriate permissions.
Automate Incident Response with XDR Technology
Extended detection and response (XDR) technology gives additional firepower to security analysts protecting manufacturers against sophisticated threats.
For organizations with complex infrastructure, responding to urgent security incidents often requires manually coordinating the use of many different tools. A single security analyst may find themselves actively configuring dozens of different security technologies throughout the tech stack.
Manually executing incident response actions takes time. In an active cyberattack scenario, every second counts.
XDR solutions like SentinelOne Singularity allow manufacturers to automate incident response and address security incidents the moment they occur. This simplifies the incident response process and allows analysts to be proactive about neutralizing threats they encounter during an investigation.
In a manufacturing environment with a complex web of third-party vendors in place, this kind of solution can define the effectiveness of your overall security posture. Analysts must be equipped to respond decisively to cyberattack and data breach risks, whether they originate from outside or inside your network.
Crucially, an XDR-powered SIEM implementation can ingest data from third-party platforms and web application services, including API calls. This allows you to log API transaction data directly or integrate alerts from a third-party web application firewall (WAF) into your detection and response workflow.
SentinelOne Singularity XDR empowers analysts to restrict user access, block executions, and isolate endpoints in response to suspicious activity. It centralizes incident response, allowing analysts to conduct these operations across the enterprise from a single, unified interface.
Expand Third-Party Vendor Risk Management with Castra MDR
Effective third-party risk management is a core value to manufacturers that need to secure complex IT/OT infrastructure and orchestrate incident response across the entire environment. Castra has the tools and expertise manufacturers need to gain visibility into their security posture, detect hidden insider threats, and respond decisively to security incidents before catastrophic damage can be done.
Our team of product experts can help you audit your security posture, identify vulnerabilities in third-party partnerships, and go beyond compliance to deliver reliable, scalable security performance. Schedule a demo to find out how your manufacturing organization can optimize its third-party vendor risk management strategy.