Cyber Supply Chain Security

More and more companies are taking a serious look at the security of the supply chain for the raw materials that they need for their production, insuring that the suppliers maintain quality standards, will reliably deliver those materials, and can be trusted to do what they say they are going to do. The same attention needs to be paid to the suppliers of cyber hardware, software and services that are becoming an increasingly critical resource for manufacturers.

An interesting article over at SCMagazineUS.com looks at the issue of cyber supply chain security. It looks at a recent survey of security professionals at a number of critical infrastructure organizations, looking at their security practices related to their cyber supply chain. The results of the survey are disturbing, a solid majority of the respondents report inadequate procedures and processes to review cyber supply chain security.

Supply Chain Security

As a long-time process chemist for a manufacturer of industrial chemicals, a large part of my job was to provide information to customers that was used to assure them that we were following the necessary procedures to provide them consistently high-quality product that met all specifications and was manufactured by agreed upon processes. It was not enough to demonstrate that shipped products passed specific testing requirements, but manufacturing processes, key reaction parameters, quality assurance testing procedures, facility quality, safety and security programs were increasingly being evaluated before establishing, and audited during, our supplier relationship.

All of this was done because these customers realized that the materials that we produced for them were an integral part of the products that they sold. They held us, as a supplier, to the same high standards that they held their own manufacturing people, because the consistency of our production was an integral key to the quality of their production.

It goes without saying that industrial control systems are also an integral part of the quality chemical production process in most chemical manufacturing facilities. If one thinks seriously about that, it follows that the processes that bring the components of those ICS systems to the facility floor are as important as the processes that bring raw materials to the same location. But, how many companies apply the same high standards to the suppliers of their ICS components as they do to their raw material suppliers.

Cyber Supply Chain Security

Actually, I think that it can be successfully argued that the supply chain for our ICS components, including hardware, software and technical support personnel, may be more important to our modern chemical production processes. Particularly as it is becoming more evident every day that flaws in those cyber systems provide an opportunity for outsiders to gain access to those systems. That access could allow them to steal process information, adversely affect product quality or profitability, even to shut down the facility.

Chemical professionals are becoming increasingly aware that subtle differences in the manufacturing process may be as important a measure of the quality of a manufactured chemical as the specification testing done on the product. A similar awareness is becoming increasingly a concern for cyber security professionals. Small changes in component design or fabrication, substitution of counterfeit materials, and programming flaws can all have an adverse impact on cyber security. Proper examination of the manufacturing and programming processes to ensure that they are protected against manipulation, by outsiders as well as corrupted insiders, will help to ensure that the equipment and software installed at the manufacturing facility presents the minimum exposure to outsider attack.

Since ICS suppliers are not completely vertically integrated in their design, manufacturing and software processes, part of the vetting process must be the assurance that the ICS supplier is requiring the same sort of examination of their component and software suppliers. A single component that allows an unauthorized person access to the system potentially compromises the entire ICS system. This can include access through deliberate back doors as well as via inadequately documented communications protocols or the use of default passwords.

Personnel Surety

Another potential cyber supply chain security hole is the outsiders we routinely allow to access our control system equipment. Most chemical manufacturing sites do not have the on-site expertise necessary to install, update and maintain the control system hardware and software components. Only the biggest chemical companies can have a large enough staff of process control professionals to handle these requirements. Most facilities will have to rely on equipment/software producers, 3rd party venders, or consultants to handle these responsibilities.

Cyber security professionals need to be concerned about allowing these outsiders unfettered access to their industrial control systems. The cyber supply chain review process for the organizations providing these services needs to include adequate assurances that the people sent to the facility have been rigorously vetted and adequately trained on cyber security techniques. And procedures need to be in-place to verify that the vetting is current, each time one of these outsiders enters the facility.

High-risk chemical facilities covered under the CFATS program are required to ensure that background investigations of all personnel with unaccompanied access to critical or restricted areas have been conducted. It can certainly be argued that a vendor representative sitting at an ICS control computer has unaccompanied access to that system unless closely watched by someone with a detailed and comprehensive knowledge of that system. Anyone with this kind of access, or even just physical access to an unprotected USB port on any device connected to the system, needs to be appropriately vetted.

ICS Cyber Security

All facilities using industrial control systems have a responsibility to the owners and customers to ensure that those systems are protected against attack. Intellectual property protection and protection against directed process upsets are clearly of importance to all organizations. This is part of the fiduciary responsibility and contractual obligations of facility management.

High-risk chemical companies have an even higher duty to protect their industrial control system against attack. They have the same responsibility to customers and owners, but they also have a responsibility to protect their neighbors and communities from the potential affects of a terrorist attack via those control systems. The control systems could conceivably be used to turn the chemicals stored, used or produced at the facility, in some cases the very facility, into a weapon of mass destruction.

Close attention needs to be paid to industrial control system security by all using organizations. This security awareness needs to be applied to the whole cyber security supply chain.