Supply Chain, Risk Management and Security Assessments of External Suppliers

 

Supply chains are networks of firms participating in the process of transforming inputs into final products that are delivered to consumers.[1]

The information security threats to the modern supply chain, across data, IT infrastructure, product, service, and operations components are real, complex and persistent. A major challenge with information risk is the variety of attack and threat types, which include the manipulation of information, abuse of authorisations, unauthorised installation of software, data breaches, phishing, and ransomware, to name a few.

While technology and global trade have made it easier to source goods and services, the benefits are countered by the complexity of supply chains which rely on inputs from across the globe. According to the Productivity Commission, Vulnerable Supply Chains, Interim Report, the Toyota supply chain, is estimated to consist of over 2100 suppliers.

For supply chain risks, awareness crystalised following ransomware attacks on Colonial Pipeline and the JBS meat processing company in May and June this year, emphasising the need for reform to critical infrastructure laws which require organisations to adopt and maintain a risk management program and to report serious cyber incidents.

 

Supply chain risk management and responsibility

Supply chain risk management balances the trade-off between the costs of a disruption to the supply, with the opportunity cost of investing in risk management.

Risk management is costly. To make an effective decision on the level of risk to manage, organisations need to understand the nature of the potential disruption (likelihood, size etc.), and its potential impact upon their supply chains. This is not simple because supply chains can be long, complex and opaque. Sometimes, simply obtaining information on an organisation’s supply chain can be difficult. Equally difficult is knowing what information can be shared and with whom, because wrongful disclosure of certain information can lead to criminal offences and even imprisonment.

Risks are best managed by those who have direct incentives to mitigate against them, like board directors and governments. Governments have the added responsibility for national security, which means justified government intervention in private sector risk management through critical infrastructure laws.

 

Security of Critical Infrastructure Act 2018

The object of the Security of Critical Infrastructure Act 2018 (Cth) (SCIA) is to provide a framework for managing risks to national security relating to critical infrastructure.

 

Security of Critical Infrastructure Rules 2018

The Security of Critical Infrastructure Rules 2018 (Rules) made under the SCIA define data sets of personal, sensitive, research, operational systems, risk management, business continuity, and consumption information, which bear the highest level of risk.

The Australian Government has taken steps to ensure that limitations on privacy imposed by SCIA are no more restrictive than necessary, but the complex rules mean that organisations will need to classify information in accordance with legal definitions and handle it accordingly.

 

Security Legislation Amendment (Critical Infrastructure) Bill 2020

Given increasing attacks on critical infrastructure, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (SLACIB) amends SCIA to enhance the existing framework under SCIA for managing risks relating to critical infrastructure and provides new definitions. The framework includes complying with a critical infrastructure risk management program, notifying cyber security incidents, providing information, and notifying events occurring in relation to assets.

An “asset” includes a system, network, facility, computer, computer device, computer program, computer data, premises, and “any other thing”, and “business critical data” includes information relating to risk management and business continuity.

 

Critical infrastructure risk management programs and company directors

Part 2A of SLACIB provides that the entity responsible for critical infrastructure assets must have and comply with a critical infrastructure risk management program.  The purpose is to identify each hazard that could have a material risk that could impact an asset and minimise or eliminate the risk of such hazard.

A responsible entity must give an annual report relating to its critical infrastructure risk management program, and where the entity has a board, the annual report must be approved by the board.

 

Industrial Control Systems and Operational Technology

Industrial Control Systems (ICS) are used in almost all infrastructures handling physical processes typically employed in critical infrastructure.  Applications include energy production and distribution, gas and water supply, industrial automation, traffic control systems and facility management.

Many attacks on Operational Technology (OT) systems target older devices running unpatched software. There is, however, a rise in purpose-built OT attacks designed to target Supervisory Control and Data Acquisition (SCADA)[2] and ICS.  SCADA systems are crucial for industrial organisations since they help to maintain efficiency, process data for smarter decision-making, and communicate system issues to help mitigate downtime.

While malware targeted specifically at ICS and SCADA systems has been developed and deployed for over a decade, attacks specifically designed for OT systems are on the rise, with safety systems increasingly the target.

For OT organisations responsible for critical infrastructure, any sort of compromise needs to be taken extremely seriously as it can be a matter of life and death.

 

What success looks like – integrated legal and cybersecurity compliance framework

Effective risk management is key to compliance with new critical infrastructure laws, and key to managing risks, is understanding the legal relationships and flow of information across supply chains.

As legal imperatives and cyber security increasingly coincide, we would also like to stress the importance of an integrated legal and cybersecurity compliance framework to support your risk management program.

We are here to assist in developing the right framework for you and to undertake security assessments of your external service providers as part of developing the required risk management programs.

 

 

Notes:

[1] Source: based on Productivity Commission, Vulnerable Supply Chains, Interim Report.

[2] SCADA is a system of software and hardware elements that allows industrial organisations to: control industrial processes locally or at remote locations; monitor, gather, and process real-time data; directly interact with devices such as sensors, valves, pumps, motors, and more through human-machine interface (HMI) software; and record events into a log file.