Any company and organization is in some form or shape connected to suppliers and partners. They are also dependent on generic infrastructures like energy, network and logistics. Due to the high IT intensity in all sectors, this implies that a growing part of the attack surface of any organization now lies outside the organizational boundaries.
Regulations like NIS2 (security of Network and Information Systems 2) and DORA (Digital Operational Resiliency Act, applicable to the financial sector in Europe) are setting new obligations for organizations and their leaders to manage their supply chains and improve their third party risk management practices.
These two developments imply a further convergence of third party risk management (TPRM) and attack surface management (ASM). Managing these requires symmetry and transparency. And when incidents do happen in your supply chain, they often translate into unavailability of services. This requires high business resiliency and the ability to work in island mode.
Changing Geometry of Attack Surfaces
Changing business models, often driven by new technologies, are resulting in changing configurations of attack surfaces.
In the picture above, the top-right configuration depicts the situation of organizations whose attack surfaces are not intersecting. This is the situation in which a company is for example (almost) completely autonomous, operating like an island. This hardly ever happens nowadays. Business models have been pushing the geometry into one of the other four configurations. The top-left configuration shows an example of multiple organizations that share a common supplier which results in concentration risk. The top-middle can be the situation where two companies share a common supplier, for example a cloud supplier. The bottom-left picture is a special case and the bottom-right is the general case.
These new surface configurations have forced regulators to formulate liabilities for organizations about managing the increased complexity. NIS2 and DORA will be detailed further in 2024. The NIS2 regulation will be translated into local law and the regulatory technical standards for directive DORA will be published in their final form early 2024. But they have already triggered preparatory action in many organizations.
This time, the regulators are both right and on time. Incidents in supply chains are occurring every day and create serious risks to both public and private sectors. An excellent example and a very well written postmortem is the report of SektorCERT (Denmark): https://sektorcert.dk/wp-content/uploads/2023/11/SektorCERT-The-attack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf
When your attack surface intersects the surface of another company that is hit by a cyber-incident, this often results in unavailability: the victim will go into “island mode”, shutting down any connection with others. From an attack surface management perspective, this is helpful as it is reduces the risk of contamination or risk migration. But it will require high business resiliency to continue your own business objectives. At the same time, when you are hit by a cyber-incident, you should be able to go into island mode yourself. This is an example of an increased level of symmetry in the supply-chain: although the word “supply” suggests a direction from supplier to consumer, managing the geometry of the chain and the related attack surfaces has become bi-directional.
Technical Solutions? Maybe.
Managing risk in the current complex geometry of attack surfaces requires increasing transparency between the parties involved to enable security decision making. Research and implementations of Secure Multiparty Computation (SMC) are progressing. For example, fully-homomorphic encryption will be an ideal solution to securely operate in a highly interconnected multi-untrusted-party environment. But these technical solutions are not mature yet (for example due to performance requirements). They also do not protect you against the effects of partners switching to island mode. It would be interesting to study SMC algorithms that are resilient to parties becoming unavailable.
The increasing requirement of transparency by your partners in the network imposes expectations on yourself. Due to this increased symmetry, organizations should prepare for providing transparency and this will translate into the technical capability of situational awareness of the intersection of your surface with others. I have not seen many solutions offered by the ASM market yet that provide this capability.
Practical Next Steps
So we are in a complex situation. Our business models are pushing us into more generic attack surface configurations with high degrees of intersections. And regulators are justifiably responding with rules that force liability upon executives and organizations to be in control. And the security market is lagging. How this will play out is uncertain, but I propose the following six steps as a strategy.
- Navigate the complexity by stratifying your supplier landscape based on business criticallity and risk
- to cope with the increased scale of the network, automate as much as possible your work to assess the risks of your connections
- As everything has become symmetrical, reduce the amount of work you impose on your network by standardizing your in-control requirements as much as possible
- Outsource the work when you can
- Collaborate with others. The problem is shared with all players in your network.
- (Re-)use third party assessments as much as you can. Examples are SOC 2 type 2 and ISAE3000 type 2 assessments. Enforce and include them in your contracts and be willing to provide them to your consumers.
Examples of Moving Forward: Hellios and CCoT.
There are two examples I like to share that illustrate the approach I propose.
Hellios develops communities of buying organizations to provide third and fourth party risk management processes by collecting, validating and monitoring supplier information. Many financials already use Hellios and I think DORA is a best incentive for any supplier to the financial sector to join as well.
I founded and chair the foundation of the “dutch CISO Circle of Trust” in 2022, together with the CISO’s of ASML, AkzoNobel, Shell, Ahold, ING, Philips, KPN and Rabobank. We collaborate across industry vertical with the goal to increase security of the fabric of the society in the Netherlands. This circle of trust recognized third-party risk as a priority and worked on standardizing security requirements for suppliers.
We are now sharing the results and working with the dutch government to further standardize transparency in the symmetric supply chain.
Third party risk management and attack surface management are quickly developing and deserve high attention from any forward leaning CISO.