Tackling Cyber Supply Chain Risk in the New Space Age

The pandemic has exposed the volatility and cracks of global supply chains, putting pressure on new space age companies to address cyber supply chain risk. Recent incidents remind us that cyber supply chain vulnerabilities can compromise data quality and integrity, undermine systems, and more. This article seeks to raise awareness of the considerable complexity of the problem and provide discussion points for launching, or re-invigorating, your organization’s approach to cyber supply chain risk management.

Current Global Supply Chain Environment Puts Unique Pressures on New Space Age Companies

The pandemic has exposed the volatility and cracks of every supply chain around the world, from food to healthcare. Global shortages, from PPE to food, have highlighted supply chain failures and some organizations have been forced to close following virus outbreaks among their employees.

Supply chain instability has led to shortages of products in every vertical, resulting in rising costs and slipping timelines. This may pressure some companies, including those in the space community, to relax cyber supplier due diligence.

Further, we know that the Pentagon is concerned about the current supply chain environment for the space industrial base, especially smaller suppliers, commercial start-ups, and non-traditional defense contractors. ‘Space wins’ like the recent SpaceX astronaut launch for NASA can potentially help decrease the cost of space advancements supporting the US military and national security. However, it is unclear how investors and suppliers will respond to the pandemic in the coming months.

Growing Cyber Risks in the Space Community

These supply chain challenges are happening at a time of growing cyber risk in the space vendor environment. Satellite systems are very attractive targets to hackers because they involve various manufacturers, integrators, and special technologies that, when combined, expand the attack surface.

Well-established space-based asset organizations may have in-depth cybersecurity and supply chain frameworks in place, while some small to medium organizations lack adequate resources or rely on potentially vulnerable sources for product development. For example, some CubeSats integrate COTS products such as open source software, which could introduce vulnerabilities into inter-connected military and government environments.

A recent FBI alert warned U.S. companies of an ongoing hacking campaign against supply chain software providers. According to the FBI, hackers are attempting to infect upstream companies—particularly those in the energy sector. Additionally, government agencies in the US and France have recently issued alerts about Chinese malicious cyber activity targeting cybersecurity providers. Other incidents include:

  • A recent breach of a NASA-managed IT and cybersecurity services provider, in which the hackers exfiltrated NASA-related files and posted them on their blog to pressure the provider into paying a ransom.
  • Recent breaches in the U.S. aeronautics and automotive industries, in which a ransomware gang stole documents that included details on Lockheed Martin military equipment, documents pertaining to SpaceX’s manufacturing partners, and more.
  • Over the last three years, supply chain attacks that exploited the software distribution channels of at least six different companies.

Prioritize Cyber Supply Chain Risk by Probability and Impact

To minimize the harmful effects of a cyber supply chain incident, we recommend that organizations decide on a risk management approach before an incident occurs. Each organization is unique and must determine its own cyber supply chain risk tolerance, choose its approach accordingly, and acknowledge whether that approach will be more proactive or reactive.

One way to do this is to first prioritize your cyber supply chain risk areas. To avoid boiling the ocean, weigh your organization’s unique cyber supply chain risks by probability, or likelihood that they could happen. Then, determine the impact, whether financial or brand harm, for each risk area. This allows you to focus on implementing risk mitigations for the most likely and highest impact scenarios.

Prevent Compromised Software/Hardware Purchases from Suppliers

Firmware, software, or hardware could be manipulated by a downstream partner in your supply chain. If you are using multiple suppliers, your security tools may not be able to detect a harmful manipulation.

One way to help prevent acquiring compromised software or hardware from suppliers is to remain with trusted suppliers, conduct due diligence on both existing and new suppliers, and validate code by asking the supplier for the original hash and verifying it before you install. If dealing with a space-based asset, look for ways to whitelist software before delivery and run integrity checks on the code against the whitelist post-delivery to provide some degree of assurance. Some API security tools can also help with this.

Prevent Payload Tampering

One area unique to the satellite and space-based community, which we see with our clients, is that they not only have to worry about the security of their products up to the point of final development; they also have to worry about chain of custody once they hand the payload to a launch provider, which could affect their cyber supply chain from a hardware or software perspective. For example, if another company or country takes control of your payload prior to launch, it could allow them to interfere with satellites that have already been launched.

A few ways to help manage this risk include building a good relationship with your launch providers, building with tamper-resistant materials, or having your equipment perform a self-check and report back whether or not it has been manipulated.
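The supplier hash check and pre-/post-delivery whitelist (allowlist) integrity check described under "Prevent Compromised Software/Hardware Purchases from Suppliers", together with the equipment self-check described here, can be implemented along the following lines. This is an added example, not code from the original article or from GPSG. The file names, contents, supplier-quoted hash and owner key are constructed for illustration, and the self-check uses an HMAC keyed with an owner secret provisioned before hand-off, which is an assumption beyond what the article describes.

```python
"""Integrity checks for supplier-delivered software and for a payload in custody.

Added example, not code from the original article or from GPSG. File names,
contents, the supplier-quoted hash and the owner key are constructed.
"""
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact held in memory."""
    return hashlib.sha256(data).hexdigest()


def verify_supplier_hash(artifact: bytes, supplier_hex: str) -> bool:
    """Compare our own digest against the hash the supplier sent out of band.

    compare_digest avoids timing side channels; the supplier's hex is normalised
    so upper-case or padded hashes are not rejected spuriously.
    """
    return hmac.compare_digest(sha256_hex(artifact), supplier_hex.strip().lower())


def build_allowlist(files: dict[str, bytes]) -> dict[str, str]:
    """Pre-delivery allowlist: each approved path mapped to its expected digest."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def check_against_allowlist(files: dict[str, bytes], allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Post-delivery check: report modified, unexpected and missing paths.

    Paths absent from the allowlist are flagged too, so an extra file slipped
    into the delivery shows up even when every approved file is intact.
    """
    report: dict[str, list[str]] = {"modified": [], "unexpected": [], "missing": []}
    for path, content in files.items():
        if path not in allowlist:
            report["unexpected"].append(path)
        elif not hmac.compare_digest(sha256_hex(content), allowlist[path]):
            report["modified"].append(path)
    report["missing"] = [path for path in allowlist if path not in files]
    for findings in report.values():
        findings.sort()
    return report


def delivery_is_clean(report: dict[str, list[str]]) -> bool:
    """True only when nothing was modified, added or removed."""
    return not any(report.values())


def seal_image(image: bytes, owner_key: bytes) -> str:
    """Tag computed by the owner before hand-off; the key never leaves the owner."""
    return hmac.new(owner_key, image, hashlib.sha256).hexdigest()


def payload_self_check(image: bytes, owner_key: bytes, sealed_tag: str) -> dict[str, str]:
    """The equipment's own self-check: recompute the tag and report intact or tampered.

    A plain hash would not do here, because whoever altered the image could also
    recompute the hash. The HMAC key is the owner's secret, so a matching tag
    means the image is the one the owner sealed.
    """
    current = hmac.new(owner_key, image, hashlib.sha256).hexdigest()
    status = "intact" if hmac.compare_digest(current, sealed_tag) else "tampered"
    return {"status": status, "tag": current}


# --- constructed sample data -------------------------------------------------
APPROVED_DELIVERY = {
    "flight/fsw.bin": b"\x7fELF-constructed-flight-software-v1",
    "flight/config.toml": b"[radio]\nfreq_mhz = 437.5\n",
}
# Stands in for the hash the supplier would send over a separate channel.
SUPPLIER_QUOTED_HASH = sha256_hex(APPROVED_DELIVERY["flight/fsw.bin"])

TAMPERED_DELIVERY = {
    "flight/fsw.bin": b"\x7fELF-constructed-flight-software-v1-PATCHED",  # altered binary
    "flight/config.toml": APPROVED_DELIVERY["flight/config.toml"],
    "flight/helper.so": b"not on the allowlist",  # extra file not approved pre-delivery
}

OWNER_KEY = b"constructed-owner-secret-do-not-reuse"

if __name__ == "__main__":
    print("supplier hash matches:", verify_supplier_hash(APPROVED_DELIVERY["flight/fsw.bin"], SUPPLIER_QUOTED_HASH))
    allow = build_allowlist(APPROVED_DELIVERY)
    print("tampered delivery report:", check_against_allowlist(TAMPERED_DELIVERY, allow))
    tag = seal_image(APPROVED_DELIVERY["flight/fsw.bin"], OWNER_KEY)
    print("self-check after custody:", payload_self_check(TAMPERED_DELIVERY["flight/fsw.bin"], OWNER_KEY, tag))
```

Two points worth keeping in mind when using something like this: the supplier's hash only adds assurance if it arrives by a channel separate from the download itself (or inside a signed manifest), since whoever can alter the artifact on one channel can usually alter a hash sent alongside it; and the self-check's owner key has to be provisioned and protected before hand-off, because the check is only as trustworthy as the secret and the code that runs it.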

More Resources on Cyber Supply Chain Risk Management

A few other areas for managing cyber supply chain risk include mapping cyber threats to your cyber supply chain priorities, facilitating tabletop exercises to determine whether the right stakeholders will be included during incident response, and determining your organization’s criteria for selecting suppliers and vendors.

For example, have you built security requirements into your master service agreements to encourage your suppliers to improve their security? Does your organization or CISO communicate your cyber supply chain risk approach and process expectations to your suppliers and vendors? Does your organization have insight into how vendors secure the development of Printed Circuit Boards (PCBs) or software code for a given component?

These actionable recommendations alone will not solve all of your potential cyber supply chain issues. However, they can serve as a starting point to help your organization make more informed decisions for managing cyber supply chain risk.

Here are a few initiatives and resources supporting supply chain risk management:

Contact GPSG at cyberteam@gpsg.co for a free consultation on identifying, prioritizing, and managing cyber supply chain risk.

Disclaimer: This website provides ever changing content, conversations, and insights on cyber threats and trending solutions that is accurate to the best of our knowledge. Although we are cybersecurity experts, we provide information which we hope is helpful, and do not endorse any specific products, tools, or solutions referenced herein. Consult with your cybersecurity team before taking any action.