Abhisam will soon be adding a new Supply Chain Cyber Security Training module to its popular Industrial Cybersecurity training course.
This module will be part of the Advanced Modules 2 in the Certified Industrial Cybersecurity Professional training course (CICP) and will be available to learners who opt for the Professional version of the course.
What is supply chain cyber security? What are supply chain attacks?
Any system that uses hardware and software is rarely developed from scratch. It almost always uses pre-existing hardware and software components that are sourced from different vendors. For example, if a newly developed smart wireless pressure transmitter is made by an industrial automation manufacturer, it does not imply that all its components ( such as one or more microprocessors, firmware and other stuff that is used in it) has been made from scratch by the said manufacturer.
Rather, it probably uses pre-existing hardware and software from different vendors, which may mean that any unpatched vulnerabilities in these components can be exploited by adversaries to attack it.
Supply chain cyber security is ensuring that all the components that make up your supply chain are secure. Supply chain attacks target the components of your supply chain, so that your device or system that uses this supply chain also becomes compromised.
What is an ICS Supply Chain?
Industrial Control Systems (ICS or more appropriately referred to as IACS- Industrial Automation and Control Systems) supply chains can be complex, because there are different ways in which Industrial Automation projects are executed. The Asset owner who will be using the ICS may either order different components of the ICS themselves, or can appoint a lead vendor/contractor who does the design, engineering and procurement or have different vendors (who may have their own sub vendors) for different parts of the ICS. For example, the DCS (Distributed Control System) may be ordered directly and the field instrument procurement may be via lead EPC contractors, the Safety Instrumented System (SIS) may be ordered from a different vendor and a system integrator hired to program it.
In short there are several permutations that can happen and hence supply chain security for the IACS is not so simple to analyze from the security prespective.
What is a Software Supply Chain?
The same applies to software. A piece of software may use many pre-existing pieces of software from other vendors (or from open source communities), which themselves use software from others. It is like one of the famous Russian dolls in which one doll has another doll inside and so on, there may be 7-8 dolls inside a doll, although from the outside it appears to be just one doll.
What are other factors in supply chain attacks?
Other than targeting existing vulnerabilities in the components that are used in the supply chain or your device, system or software, there might be other ways that attackers can penetrate; one way is to target insecure counterfeit items, that may often not be noticed in regular OT Security audits or IT security audits.
For example, if a contractor or sub vendor uses counterfeit devices, then even though the original device may not have a vulnerability, the counterfeit device may have it. Perhaps it may even be purposely introduced into your supply chain, to have an “always on” backdoor into your system!
For instance, recently the authorities busted a racket that involved selling counterfeit CISCO branded devices to unsuspecting system integrators at cheap prices. One does not know whether these devices were simple counterfeits or had backdoors in them.
How to protect against supply chain attacks?
Being aware of this possibility is the first step, afterwards there are several other things that can be done. One of these is compiling a Software Bill of Materials (SBOM) for the software that is used in your system and then checking which of these have vulnerabilities that can be used.
Other steps include asking your vendors about what step they are taking to prevent such attacks and whether they have made an SBOM for their own components.
However, these are early days, standards are still being developed. There are some software vendors who have automated applications that can help you create an SBOM and warn you of unpatched vulnerabilities.
Where can I learn more? How do I get certified as an Industrial Cybersecurity Professional?
When you take the Abhisam Certified Industrial Cybersecurity Professional Course, you learn everything that you need to know about ICS Security, Industrial Security (OT Security) without breaking your budget. Comparable courses from other providers cost thousands of dollars as compared to the Abhisam CICP course.
This course covers everything, including the basics of industrial cybersecurity, demo of attacks on PLCs, as well as more advanced topics such as cyber risk assessment for industrial control systems, the MITRE ATT&CK matrix for ICS, as well as the IEC 62443 standard.
No wonder more and more companies and individuals are choosing this course to learn everything about Industrial Cybersecurity and get qualified as a CICP. So whether you are an Instrumentation & Control Systems engineer or manager, or a Plant Manager responsible for their plant’s assets or an IT security auditor wishing to expand their domain to include OT security audits, then this is the course for you.
Contact us at sales[at] abhisam.com for more details.
