Where Are You In the Supply Chain?

When doing risk assessments we tend to think of ourselves as the centre of the threat model: start with the important systems and data and model the threats out from there. But what if you aren’t the ultimate target? We expect large companies to have larger budgets and better security, so it seems reasonable that threat actors would go after the smaller partner on the way to the larger target. But it depends on what they are after.

There are many smaller companies that hold very valuable intellectual property. They are doing the research and development that produces new technologies, and early access to those innovations can be worth a lot of money to someone. This is especially true in the operational technology space, where products and services sell for much more than their IT counterparts.

OT vendors are motivated to keep their proprietary information secured. Their solutions generally come with a variety of dongles, awkward license keys and other methods to prevent unauthorized use. But this awkwardness leads customers to find workarounds, and as always it is in the workarounds and exceptions that risks are created.

Threat actors looking for information about a pipeline SCADA system may not be able to infiltrate one of the few vendors providing such systems, but they may be able to compromise one of the thousands of companies using them. Some of those companies are small regional operators; others are global energy providers. Unlike IT systems, which are architected to support efficiency at scale, OT systems tend to be isolated, without centralized logging or monitoring. The larger the operator, the more likely it is to be supporting a range of product versions, in a variety of configurations, with many different service providers. This can be a fertile environment for hunting vulnerabilities, especially when the operator’s risk assessment focused on the value of its operations and not on the configurations or proprietary information in those systems.

Your current vendor management risk assessments and supply chain threat models assume you are the target and that impacts are measured in operational losses. Do you also consider that you might be a stepping stone to another target, and that the impacts may then include liabilities?

https://securelist.com/industrial-threat-predictions-2025/115327/
