Supply chains are essential for the proper functioning of industrial systems and critical infrastructure. However, they’re also quite messy, in terms of security. Supply chains invariably connect users and systems from multiple entities, often in different countries. This setup exposes every company in the supply chain to cyber risk. Among countermeasures, Privileged Access Management (PAM) offers one of the best ways of minimizing supply chain vulnerabilities.
Supply chain security risks can be substantially reduced with a privileged access management (PAM) solution.
What is a Supply Chain?
The term “supply chain” is a fancy way of explaining the relationships between companies that work together in the creation of an end product. With cars, for example, the steel comes from a steel mill, which in turn gets its raw materials from an iron ore mine. The mine and the mill are two pieces of the car’s supply chain.
In today’s corporate and IT parlance, “supply chain” means a collection of connected systems, entities, and processes. The figure above, from a research paper on supply chain management, shows the main participants and their relationships. You have “upstream” suppliers, like the iron ore mine feeding into the inner rings of outsourced manufacturing and related suppliers. The supply chain continues through to customers and distributors. Supply Chain Management usually takes place on large, established platforms from giants like SAP and Oracle.
Supply chain management is also a concern for non-manufacturing organizations, such as those involved in electrical power generation and distribution. The North American Electric Reliability Corporation (NERC), for example, publishes guidance on supply chain risk mitigation for the power grid. Though the grid does not produce a manufactured product, it ties together a number of independent systems and organizations and faces security challenges similar to those of supply chain elements in the commercial sector.
Security Issues in the Supply Chain
Supply chains create risk exposure. This is unavoidable. Whenever you stitch together a loosely connected group of separate corporate entities, some with system-to-system access, you will have risk exposure. Specifically, most supply chain management platforms enable API-based access between systems in the supply chain. That way, for example, a wholesaler can notify a retailer when an order has shipped via a JSON message sent to a RESTful API. There may be thousands of such integration points in a large industrial supply chain. In some cases, human users are authorized to log into other companies’ systems to update order and production data and so forth.
Supply chains create their own risk exposure. Everyone and no one is responsible for security across the entire supply chain.
The question is, who’s keeping an eye on security? The answer, it often seems, is everyone and no one. Of course, responsible organizations take security seriously and protect their supply chain data assets as well as they can. However, the sheer scope of a supply chain makes it hard to defend it thoroughly and consistently.
People come and go at various entities in the supply chain. They may share passwords. It’s more or less impossible for everyone to know what’s going on inside all the other companies involved. On top of that, there’s a demand for flexibility from the business. They want the supply chain to be agile, not locked down with burdensome security controls. The result is a weaker security posture than anyone really wants to accept, but that’s reality.
Role of Privileged Access in Supply Chain Security
Privileged users affect the level of security in the supply chain. A privileged, or administrative, user has permission to log into the back ends of critical systems. They can update settings and configuration. They can modify or delete user accounts and access data. In some cases, they can even override security controls and erase any evidence that they were present in the system at all.
As a result, privileged users pose a number of potential security risks. A malicious actor, impersonating a privileged user, can sabotage a system or steal data from it. Insider threats abound, with privileged users (and former employees) exploiting privileged access for wrongful purposes.
Supply chains compound privileged user risk by opening up access to outsiders. While it’s generally true that a company in a supply chain will seldom deliberately assign privileged status to a third party’s employee, there is a risk of “privilege escalation.” In this scenario, a malicious actor uses stolen credentials to access a system as an ordinary user and then exploits a vulnerability or misconfiguration to grant themselves more powerful admin privileges. Privilege escalation attacks are not unique to supply chains, but within a supply chain it is harder to tell a legitimate partner login from an unknown third party probing for access.
Malicious actors can use privilege escalation techniques to gain administrative access to critical data and systems using stolen credentials.
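The escalation path described above, self-promotion after logging in with a stolen ordinary account, is most often possible because some update handler trusts fields the client sends. The following is an added example, not code from the original article or from WALLIX: a simplified profile-update handler that lets a stolen partner-clerk session set its own role to admin, beside a hardened version that allowlists self-editable fields and moves role changes to an admin-only path. The user names, roles and function names are hypothetical.

```python
"""Added example (not code from the original article or from WALLIX): a
simplified account-update handler that lets a user with stolen ordinary
credentials escalate to admin, next to a hardened version. The user
names, roles and functions are hypothetical."""

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request tries to change something the caller may not."""


@dataclass
class Account:
    username: str
    role: str = "user"      # "user" or "admin"
    email: str = ""


def make_directory():
    """Constructed sample directory: a partner's logistics clerk and one admin."""
    return {
        "clerk01": Account("clerk01", email="clerk01@partner.example"),
        "it-admin": Account("it-admin", role="admin"),
    }


def vulnerable_update_profile(directory, session_user, payload):
    """Vulnerable: copies every field of the request body onto the caller's account.
    Whoever holds clerk01's session can send {"role": "admin"} and escalate."""
    acct = directory[session_user]
    for key, value in payload.items():
        setattr(acct, key, value)           # mass assignment, no allowlist
    return acct


# Fields a user may change on their own account. Role is deliberately absent.
SELF_EDITABLE = {"email"}


def hardened_update_profile(directory, session_user, payload):
    """Hardened: only allowlisted fields are accepted; anything else is rejected
    outright rather than silently dropped, so the attempt can be logged."""
    acct = directory[session_user]
    unexpected = set(payload) - SELF_EDITABLE
    if unexpected:
        raise Forbidden(f"fields not self-editable: {sorted(unexpected)}")
    for key, value in payload.items():
        setattr(acct, key, value)
    return acct


def set_role(directory, session_user, target_user, new_role):
    """Role changes go through a separate path that requires an admin session,
    so a stolen clerk session cannot promote itself."""
    if directory[session_user].role != "admin":
        raise Forbidden("role changes require an admin session")
    if new_role not in {"user", "admin"}:
        raise ValueError(f"unknown role {new_role!r}")
    directory[target_user].role = new_role
    return directory[target_user]


def escalation_outcome(handler, payload):
    """Run a handler as clerk01 on a fresh directory; return (resulting role, rejected?)."""
    directory = make_directory()
    try:
        handler(directory, "clerk01", payload)
        rejected = False
    except Forbidden:
        rejected = True
    return directory["clerk01"].role, rejected


def try_set_role(session_user, target_user, new_role):
    """Attempt a role change on a fresh directory; return (succeeded?, resulting role)."""
    directory = make_directory()
    try:
        set_role(directory, session_user, target_user, new_role)
        return True, directory[target_user].role
    except Forbidden:
        return False, directory[target_user].role


if __name__ == "__main__":
    stolen_session_payload = {"email": "clerk01@partner.example", "role": "admin"}
    print("vulnerable:", escalation_outcome(vulnerable_update_profile, stolen_session_payload))
    print("hardened:  ", escalation_outcome(hardened_update_profile, stolen_session_payload))
```

The hardened handler rejects the request instead of quietly ignoring the extra field; a rejected request is an event worth logging, since it is exactly the signal that a stolen partner credential is being used for more than its owner ever needed.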
Privileged users also expand the attack surface of the supply chain. This risk can arise through errors and negligence in configurations, and attackers will exploit the results. For example, a privileged user might accidentally misconfigure ports and API access rules for an Enterprise Resource Planning (ERP) system. This exposes the ERP system to unauthorized access, and in the context of a large-scale, multi-party supply chain the vulnerability may elude detection until it’s too late. Then, if there is an attack, it might be difficult to reconstruct what went wrong. This is where Privileged Access Management solutions can help.
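The misconfiguration described above is detectable before an attacker finds it, provided someone actually checks the rules. The following is an added example, not code from the original article or any vendor: an offline audit over an exported set of port and API access rules for an ERP host that flags administrative ports opened to the whole internet or to source ranges outside the known partner allowlist. The rule format, the sensitive-port list, the partner networks (RFC 5737 TEST-NET ranges) and both sample rule sets are constructed for illustration.

```python
"""Added example (not from the original article): an offline audit of network
and API access rules for an ERP landscape, flagging administrative ports that
a privileged user has exposed to the internet or to addresses outside the
known partner allowlist. The rule format, port list, partner networks and
sample rules are all constructed for illustration."""

import ipaddress

# Ports whose exposure beyond known partner networks is almost never intended.
# Illustrative list; tune it to the actual ERP platform in use.
SENSITIVE_PORTS = {
    22: "ssh",
    3389: "rdp",
    1433: "mssql",
    1521: "oracle-db",
    3300: "sap-gateway",
    8443: "erp-admin-api",
}

# Networks of known supply-chain partners (TEST-NET ranges, constructed).
PARTNER_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def audit_rules(rules, sensitive_ports=SENSITIVE_PORTS, allowlist=PARTNER_NETWORKS):
    """Return a list of (rule name, port, reason) for every rule that opens a
    sensitive port to the whole internet or to a non-partner source range."""
    findings = []
    for rule in rules:
        if rule["port"] not in sensitive_ports:
            continue                           # e.g. public HTTPS is expected
        src = ipaddress.ip_network(rule["source"], strict=False)
        if src.prefixlen == 0:
            findings.append((rule["name"], rule["port"], "open to the entire internet"))
        elif not any(src.version == net.version and src.subnet_of(net) for net in allowlist):
            findings.append((rule["name"], rule["port"], f"source {src} not in partner allowlist"))
    return findings


# Constructed export of a misconfigured security group in front of an ERP host.
MISCONFIGURED_RULES = [
    {"name": "public-web",     "port": 443,  "proto": "tcp", "source": "0.0.0.0/0"},
    {"name": "erp-admin-api",  "port": 8443, "proto": "tcp", "source": "0.0.0.0/0"},
    {"name": "sap-gw-partner", "port": 3300, "proto": "tcp", "source": "203.0.113.0/24"},
    {"name": "ops-ssh",        "port": 22,   "proto": "tcp", "source": "192.0.2.0/24"},
]

# The same rules after correction: admin API and SSH limited to partner ranges.
CORRECTED_RULES = [
    {"name": "public-web",     "port": 443,  "proto": "tcp", "source": "0.0.0.0/0"},
    {"name": "erp-admin-api",  "port": 8443, "proto": "tcp", "source": "203.0.113.0/24"},
    {"name": "sap-gw-partner", "port": 3300, "proto": "tcp", "source": "203.0.113.0/24"},
    {"name": "ops-ssh",        "port": 22,   "proto": "tcp", "source": "198.51.100.0/26"},
]


if __name__ == "__main__":
    for name, port, reason in audit_rules(MISCONFIGURED_RULES):
        print(f"{name}: tcp/{port} {reason}")
    print("corrected rule set findings:", audit_rules(CORRECTED_RULES))
```

Running the audit against the misconfigured set reports the admin API open to everyone and the SSH rule pointing at a range no partner owns; the corrected set produces no findings. In a real supply chain the rule export comes from the firewall or cloud provider and the allowlist from the partner onboarding records, which is exactly why both need to live in one place that someone owns.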
Using a PAM Solution to Secure the Supply Chain
A Privileged Access Management (PAM) solution is software that enables supply chain managers to define and enforce access controls for privileged accounts across the supply chain. It secures privileged accounts, that is, accounts with login credentials to critical assets anywhere in the supply chain. The WALLIX Bastion, for example, provides a streamlined, centralized system for privileged account security in the supply chain.
It can apply the following functional modules to supply chain management systems, related applications and data sources:
- Access Manager—Governing access to privileged accounts across the supply chain with a single point of policy definition and policy enforcement. A super admin can add/modify/delete privileged user accounts. This way, an organization in a supply chain can keep careful tabs on its privileged accounts and make sure they are aligned with rules, roles, policies, and controls.
- Session Manager—Tracking and monitoring all actions taken during a privileged account session for future review and auditing. Session monitoring can also block malicious or unauthorized actions, or alert super admins in real time when suspicious activity is detected.
- Password Vault—Keeping passwords in a secure and certified “vault.” All system access is via the password vault. End users never have direct access to root passwords. This capability mitigates the risk of local overrides on physical devices
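To make the three modules above concrete, here is an added example, not code from the original article or from WALLIX, that models them in a few dozen lines: a policy object that plays the access manager, a vault whose secrets are injected by the bastion and never returned to the user, and a session object that records every command and raises alerts on the kind of evidence-erasing actions described earlier in the article. The users, targets, secret, command patterns and class names are constructed for illustration.

```python
"""Added example (not code from the original article or from WALLIX): a
toy model of the three PAM functions described above. Policy (access
manager) decides who may open which privileged account, the vault supplies
the secret to the bastion without ever returning it to the user, and the
session object records every command and raises alerts on suspicious ones.
Users, targets, secrets and command patterns are constructed examples."""

import re
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Policy refused the requested privileged session."""


@dataclass
class Policy:
    """Access manager: one place that says which user may use which account."""
    grants: dict     # user -> set of (target, account)

    def check(self, user, target, account):
        if (target, account) not in self.grants.get(user, set()):
            raise AccessDenied(f"{user} is not authorised for {account}@{target}")


class Vault:
    """Password vault: secrets are injected by the bastion, never shown to users."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)       # (target, account) -> password

    def credential_for(self, target, account):
        return self._secrets[(target, account)]


# Actions an intruder with privileged access takes to hide (overriding controls,
# erasing evidence). Illustrative patterns only.
SUSPICIOUS = [
    (re.compile(r"\bhistory\s+-c\b"), "shell history cleared"),
    (re.compile(r"\brm\b.*\s/var/log/"), "log files removed"),
    (re.compile(r"\b(useradd|usermod)\b.*\b(wheel|sudo|root)\b"), "privileged group membership changed"),
]


@dataclass
class Session:
    """Session manager: full transcript for audit plus real-time alerts."""
    user: str
    target: str
    account: str
    transcript: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def run(self, command):
        """Record the command, match it against SUSPICIOUS, return alert count."""
        self.transcript.append(command)
        for pattern, reason in SUSPICIOUS:
            if pattern.search(command):
                self.alerts.append((command, reason))
        return len(self.alerts)


class Bastion:
    def __init__(self, policy, vault):
        self.policy, self.vault, self.sessions = policy, vault, []

    def open_session(self, user, target, account):
        self.policy.check(user, target, account)                 # 1. access manager
        secret = self.vault.credential_for(target, account)      # 2. vault
        self._authenticate(target, account, secret)              # bastion logs in, not the user
        session = Session(user, target, account)                 # 3. session manager
        self.sessions.append(session)
        return session

    @staticmethod
    def _authenticate(target, account, secret):
        """Stand-in for the real SSH/RDP login performed by the bastion."""
        return bool(target and account and secret)


def build_demo_bastion():
    """Constructed supply-chain scenario: alice (own IT) may use root on the ERP
    database host; bob (a partner's clerk) has no privileged grants at all."""
    policy = Policy({"alice": {("erp-db-01", "root")}})
    vault = Vault({("erp-db-01", "root"): "constructed-secret-not-real"})
    return Bastion(policy, vault)


def can_open(bastion, user, target, account):
    """True if policy allows the session, False if the access manager refuses."""
    try:
        bastion.open_session(user, target, account)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    bastion = build_demo_bastion()
    session = bastion.open_session("alice", "erp-db-01", "root")
    for cmd in ("systemctl status postgresql", "history -c"):
        session.run(cmd)
    print("transcript:", session.transcript)
    print("alerts:", session.alerts)
    print("bob allowed:", can_open(bastion, "bob", "erp-db-01", "root"))
```

The point of the model is the shape of the flow, not the regexes: the user never sees the root password because the bastion performs the login, the policy decision happens in one place for every target, and the transcript exists regardless of whether the user later clears the shell history on the target itself.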