SolarWinds: A Wake-Up Call and Opportunity to Assess Supply Chain Risk Management
The massive cyber attack drives home the importance of integrated, interdisciplinary and un-siloed risk management
Friday, April 16, 2021
By Marianne Bailey, Jason Dury and Kate Sylvis
The recent SolarWinds incident served as a wake-up call: Having separate cybersecurity, supply chain, and enterprise risk management (ERM) disciplines and units within an organization is increasingly untenable. Today's reality is that these are all intrinsically linked, interwoven and, as a result, interdependent.
A robust cybersecurity posture requires a foundation built on trusted, validated supply chain systems, with effective ERM capabilities and practices supported by relevant business activities, governance and culture. At a minimum, the components that should be evaluated are training, standard operating procedures and governance. These core capabilities must be melded and merged, not just treated as add-ons or separate units, with direction to “collaborate” with the hope that this approach could save an agency or private company from the sorts of supply chain attacks that are felling others.
Several key lessons are emerging as investigations by government and cybersecurity experts continue into the SolarWinds intrusion. Some are, unfortunately, the same lessons learned from previous cyber exploitations and attacks. Many of these have their origins in weak cyber hygiene and the lack of effective IT process controls. Other lessons, for many, are newer and, significantly, reflect that the intrusion occurred through a supply chain access point, an increasingly targeted vector into public and private entities' operations.
These types of intrusions, like other cyber and supply chain attacks, can not only prevent or obstruct mission-execution and business-operation successes, but they can also damage the brand and reputation of government organizations and companies, along with the protection these entities seek to provide to their customers, employees, data and systems.
The sophistication of the SolarWinds attack demonstrates the need for an effective, integrated security program that addresses risk specific to your organizational strategies and objectives. Organizations should take an integrated view of these opportunities through the lens of ERM, cybersecurity and supply chain risk management.
Double down on basic cyber hygiene. Basic cyber hygiene needs to remain a top priority. In the SolarWinds case, it appears as though the extent and depth of the exploit may have been exacerbated by poor access management, insecure password settings, and ineffective configuration management, such as that related to software code and keys.
Understand third-party digital connections. Third parties can present a significant risk. SolarWinds is just the latest example of a compromise through a vendor or a commercial off-the-shelf product and a supply chain attack. Managing your organization's potential vulnerabilities is a must, but so too is knowing those linked to you as suppliers of goods, products, components, software and services. Similarly, it is vital to know your customers' potential vulnerabilities, particularly if you are linked to them digitally. Truly knowing those to which you are digitally connected is important, because they are potential vectors into your organization for threat actors.
Identify and protect critical systems and data. It is vital to ensure your organization genuinely understands what data and systems are most critical to execution of the mission, business and operations of a given department or company. Having a thorough inventory of the most critical assets and data is key. Increasingly, understanding how your organization shares its data, with whom, how secure the data is in transit and at rest, and how that data will then be protected by downstream users - as well as where that data resides within your organization's network environment - is paramount.
Enable yourself and your partners with tools to validate and secure your supply chain. Bring additional supply chain software-integrity tools and measures to bear. As an example, there has been a growing movement for software sellers to map out each stage of the processes they use as they write or assemble computer code. That electronic record or ledger can be verified forensically to demonstrate that no unauthorized person or party has inserted or altered the code. Then, just before the software is provided for downloading by a customer, a tool runs a last check to ensure the software being delivered is the same as the product that the software company generated. This is one way to validate that the product was not manipulated or otherwise changed before being downloaded.
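The build ledger and last check before download described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the function names, stage names and actor identities are hypothetical, and it assumes the ledger's final hash is published to the customer through a separate trusted channel.

```python
import hashlib, hmac, json
GENESIS = "0" * 64  # "prev" value of the first ledger entry
AUTHORIZED = {"ci-runner", "release-signer"}  # constructed sample identities

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(e: dict) -> str:  # hash of every field except the stored hash
    body = {k: e[k] for k in ("stage", "actor", "output_sha256", "prev")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_stage(ledger: list, stage: str, actor: str, output: bytes) -> None:
    e = {"stage": stage, "actor": actor, "output_sha256": sha256_hex(output),
         "prev": ledger[-1]["hash"] if ledger else GENESIS}
    e["hash"] = entry_hash(e)
    ledger.append(e)

def verify_ledger(ledger: list, trusted_head: str) -> tuple:
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev:
            return False, f"entry {i}: broken link"
        if not hmac.compare_digest(entry_hash(e), e["hash"]):
            return False, f"entry {i}: content altered"
        if e["actor"] not in AUTHORIZED:
            return False, f"entry {i}: unauthorized actor"
        prev = e["hash"]
    # The head hash is obtained out of band; it catches a fully rewritten chain.
    if not ledger or not hmac.compare_digest(prev, trusted_head):
        return False, "head mismatch"
    return True, "ok"

def verify_delivery(ledger: list, trusted_head: str, delivered: bytes) -> tuple:
    ok, why = verify_ledger(ledger, trusted_head)
    if not ok:
        return False, why
    # Last check before download: delivered bytes must equal the final build output.
    if sha256_hex(delivered) != ledger[-1]["output_sha256"]:
        return False, "delivered artifact differs from built artifact"
    return True, "ok"

def sample_ledger() -> tuple:  # constructed stages and bytes, illustration only
    ledger, artifact = [], b"installer-bytes-v1"
    append_stage(ledger, "compile", "ci-runner", b"object-code")
    append_stage(ledger, "package", "ci-runner", artifact)
    append_stage(ledger, "release", "release-signer", artifact)
    return ledger, artifact

if __name__ == "__main__":
    led, art = sample_ledger()
    print(verify_delivery(led, led[-1]["hash"], art))
```

Recomputing every hash after an edit still fails verification, because the rewritten chain no longer ends in the head hash the customer already holds.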
Use the SolarWinds incident as an opportunity. Prepare for contingencies and undertake tabletop exercises and discussions highlighting possible scenarios where your cybersecurity, supply chain, or other elements of your operations are compromised. An effective response plan should include “training” for a supply chain threat-actor intrusion or other large-scale disruption. It is important to have rehearsed what to do, how to do it, and how to attempt to minimize adverse impacts. Tabletop exercises also need to include disciplines such as communication and governance to address all aspects of a potential event. Effective and transparent communications can enable a coordinated and successful approach to the threat - with the opposite, unfortunately, being possible as well.
Integrate cybersecurity and supply chain risk management into your ERM capability and reporting. There is an opportunity to integrate the three disciplines within the risk management environment to provide more information and show the interconnectedness of the risks and opportunities you face as an organization in the context of your objectives. Integrating these three risk disciplines, rather than running them strictly in silos, provides an opportunity to see the impact on organizational strategies and potential strategies more clearly, which could result in decisions that are more effective and have a different risk profile than if they were made with siloed information.
Finally, it cannot be stressed enough that paying heed to the automated warning systems that have been set up, and to any suspicious oddities reported by humans, is a fundamental control that underpins effective cybersecurity, supply chain and enterprise risk management. SolarWinds was discovered when it was because of a double-check that a request to register a new phone, laptop or other device was legitimate. It was not, which triggered an investigation and everything else that followed. If not for that system warning and its being heeded, SolarWinds could still be undiscovered. Therefore, the little things - warning signs, anomalies, and double-checks - can make a big difference.
As unfortunate as SolarWinds is, it continues to serve as an urgent wake-up call and opportunity to assess or reassess supply chain risk management and cybersecurity practices, including how they are integrated and fit within broader ERM capabilities.
On a specific level, this includes assessing current cyber practices against appropriate standards, such as those of the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS) and International Organization for Standardization (ISO), and ensuring that best practices are being followed in areas such as Vulnerability/Patch Management, Identity and Access Management, Least Privilege, and Configuration Management. When it comes to supply chains, it means having a risk management program to illuminate and identify risks in products, tools, and vendors, including vendors' controlling parties, operations in high-risk environments, foreign government touch points, adverse information, and financials, so that the risks are understood and can be managed appropriately.
Marianne Bailey (email@example.com) is a partner and Cybersecurity Solutions leader, Jason Dury (firstname.lastname@example.org) is a director in Open Source Solutions, and Kate Sylvis (email@example.com) is a director and Enterprise Risk Management Solutions leader at Guidehouse. To learn more about the firm's expertise and experience on supply chain issues, cybersecurity and resilience, and enterprise risk management, visit www.Guidehouse.com.