Securing the Links: Zero Trust as the New Standard in Supply Chain Defense

Introduction

Over the past two decades, organizations have greatly benefited from global, interconnected supply chains, which have tripled the value of traded intermediate goods to over $10 trillion and improved supply-chain efficiencies. These modern supply chains involve multiple parties, from manufacturers to logistics providers and retailers, often spread across the globe. This complexity and interconnectivity make maintaining visibility and control over every aspect of the supply chain challenging (Alicke et al., 2020). 

Supply chain management increasingly relies on digital technologies and platforms, expanding the attack surface and exposing these networks to various cyber threats. These threats can be exploited to steal sensitive data, disrupt operations, or insert malicious code that compromises products and infrastructure. 

Zero Trust (ZT) is not just a buzzword in cybersecurity. It is a strategic approach that could be the game-changer in securing our modern, complex supply chains. ZT operates on the principle of 'never trust, always verify.' Traditional security models assume that everything inside an organization's network perimeter can be trusted; ZT treats that implicit trust itself as a vulnerability. No device, user, or application is trusted automatically, regardless of whether it sits inside or outside the organization's network (NIST, 2020; Harding et al., 2022). Applied to the supply chain, ZT means every component, software update, and partner connection is verified rather than assumed to be safe.

Understanding Supply Chain Vulnerabilities

Supply chain vulnerabilities are not just a theoretical concept. They have real-world implications that can disrupt entire sectors and even threaten national security. Major exploitations of supply chain vulnerabilities have resulted in significant societal impacts in the past several years, underscoring the urgent need for robust security measures. 

For example, attackers inserted a backdoor into the software updates of SolarWinds' widely used Orion network-management platform. The trojanized update carried SolarWinds' own legitimate code signature and was distributed through the normal update channel to around 18,000 organizations globally, including key US government departments. The backdoor, known as Sunburst, allowed the perpetrators to spy on and extract data from selected victim networks across the government, technology, and telecommunications sectors worldwide. The attack's complexity and scale, leveraging a supply-chain vulnerability, raise significant concerns about national security and the reliability of external software dependencies. The breach posed immediate data security risks and had far-reaching implications for international relations and cyber-rivalries, potentially escalating tensions and leading to geopolitical conflicts (Tidy, 2020).

In another case, a tiny microchip was reported to have been covertly implanted in the Ethernet connector of a server at a US telecommunications company, giving attackers a foothold on the network. This report followed earlier reporting that China's intelligence services had planted malicious chips on Supermicro server motherboards (Robertson & Riley, 2018). The companies named in these reports denied them, and the claims were never independently confirmed; the scenario they describe nonetheless illustrates the broader risk of hardware supply chain attacks, where extensive manufacturing networks offer multiple opportunities to introduce malicious components during production.

Both incidents underscore the complexities and risks of modern, globally interconnected supply chains and serve as a wake-up call for organizations to adopt new security strategies; the ZT security model shows much promise. It is worth being precise about what ZT would and would not have changed. In the SolarWinds Orion case, the malicious update carried SolarWinds' legitimate signature, so a signature check alone would have passed it; ZT's contribution lies in refusing to trust the Orion servers simply because they sat inside the network. Treating them as untrusted workloads means least-privilege service accounts rather than broad administrative rights, micro-segmentation that confines them to the systems they are meant to monitor, default-deny egress with an allowlist of expected destinations, and continuous monitoring of what they actually do. Under those controls the backdoor's outbound command-and-control traffic and its attempts to move laterally stand out as anomalies that can be detected and contained, even though its installation would not have been prevented. Similarly, ZT calls for rigorous inspection and control of hardware and software at every stage of the supply chain: device identity and attestation before a server is admitted to the network, segmentation that limits what a compromised component can reach, and monitoring of each device's network behavior, so that an implant's unexpected connections can be detected before the device is integrated into critical infrastructure.
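To make the egress-monitoring point concrete, the following is an added example (not code from the original article): a default-deny egress audit run over a handful of constructed proxy log lines. The host names, the per-workload allowlist, and the log format are all hypothetical; a real deployment would take them from its own firewall or proxy.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from any real incident).
# "orion-01" is a stand-in for a monitoring server; "web-02" for an ordinary web host.
SAMPLE_LOGS = """\
2020-12-01T10:00:01Z src=orion-01 dst=update.vendor.example:443 bytes_out=1024
2020-12-01T10:00:07Z src=orion-01 dst=ntp.corp.example:123 bytes_out=48
2020-12-01T10:05:13Z src=orion-01 dst=api-7f3.cdn-stat.example:443 bytes_out=18211
2020-12-01T10:06:02Z src=web-02 dst=update.vendor.example:443 bytes_out=2048
2020-12-01T10:07:44Z src=web-02 dst=203.0.113.7:8443 bytes_out=4096
2020-12-01T10:08:00Z src=orion-01 dst=api-7f3.cdn-stat.example:443 bytes_out=30122
"""

# Hypothetical per-workload egress allowlist. Zero Trust egress is default deny:
# anything not listed here is a policy violation, whatever the firewall actually did.
EGRESS_ALLOWLIST = {
    "orion-01": {"update.vendor.example:443", "ntp.corp.example:123"},
    "web-02": {"update.vendor.example:443"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line of the constructed format into a dict; fail loudly on junk."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_violations(log_text, allowlist):
    """Return {src: {dst: total_bytes_out}} for every flow not on the source's allowlist.

    A workload with no allowlist entry at all is allowed nothing (default deny).
    Byte counts are summed per destination so a slow, repeated beacon is visible
    as a single growing total rather than many small lines.
    """
    violations = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        allowed = allowlist.get(rec["src"], set())
        if rec["dst"] not in allowed:
            violations[rec["src"]][rec["dst"]] += rec["bytes"]
    return {src: dict(dsts) for src, dsts in violations.items()}


if __name__ == "__main__":
    for src, dsts in find_violations(SAMPLE_LOGS, EGRESS_ALLOWLIST).items():
        for dst, total in dsts.items():
            print(f"VIOLATION {src} -> {dst} ({total} bytes out)")
```

The monitoring server's repeated, growing transfers to a destination that appears on no allowlist are exactly the signal ZT monitoring is meant to surface. In practice the allowlist is enforced at the segment boundary, and an audit like this one runs over what was actually permitted, so that any gap between written policy and enforcement also becomes visible.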

The Zero Trust Model: A Paradigm Shift

The ZT supply chain model evolved from ZT architecture, which was initially developed for information technology networks. At its core, zero trust is a security strategy that assumes no entity, whether user, device, or service, inside or outside the network, is to be trusted by default; everyone and everything attempting to connect to a system must be verified before access is granted. This assumption eliminates implicit trust in any network component. Each request is authenticated and authorized individually, with the decision made by a policy engine from ongoing, detailed data gathering and continuous monitoring of the subject, the device, and the resource requested, and enforced at the point of access (NIST, 2020; Collier and Sarkis, 2021).

Organizations use several controls beyond basic authentication to move to ZT: multi-factor authentication (MFA); encryption of data at rest and in transit; micro-segmentation, which divides the network into small, separately controlled zones so that access to one part does not imply access to another; and extension of the ZT model to the third-party vendors and service providers involved in the supply chain. Finally, there is the concept of Just-In-Time and Just-Enough Access (JIT/JEA). Popularized by advanced security and IT management paradigms, the JIT/JEA approach limits a user's access to the resources needed for the task at hand, and grants that access only for the duration of the task (Belal Ali et al., 2022).
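Taken together, the controls in the two paragraphs above amount to a per-request policy decision. The following added example (not from the original article or from any product) sketches such a decision point in Python, combining MFA, device posture, micro-segmentation, and time-limited JIT/JEA grants. The subject, resource, and segment names are invented for illustration, and the device-posture fields stand in for whatever signals a real endpoint agent would provide.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool   # enrolled in the organization's device inventory
    patched: bool   # posture signal assumed to come from an endpoint agent


@dataclass(frozen=True)
class Request:
    subject: str    # authenticated identity (employee or vendor account)
    mfa: bool       # whether this session completed MFA
    device: Device
    resource: str   # hypothetical resource name, e.g. "db/orders"
    action: str     # "read", "write", "admin"
    at: datetime    # time of the request (grants are checked against it)


@dataclass
class JitGrant:
    subject: str
    resource: str
    actions: frozenset
    expires: datetime


@dataclass
class PolicyEngine:
    segment_of: dict                    # resource -> segment (micro-segmentation)
    segments_for: dict                  # subject -> segments it may reach at all
    standing: dict                      # (subject, resource) -> always-on actions (kept minimal)
    grants: list = field(default_factory=list)

    def issue_jit(self, subject, resource, actions, now, ttl=timedelta(minutes=30)):
        """Just-in-time, just-enough: a grant for specific actions that expires on its own."""
        grant = JitGrant(subject, resource, frozenset(actions), now + ttl)
        self.grants.append(grant)
        return grant

    def decide(self, req):
        """Evaluate one request; every request goes through all checks, no network-location shortcut."""
        if not req.mfa:
            return ("deny", "mfa-required")
        if not (req.device.managed and req.device.patched):
            return ("deny", "device-posture")
        seg = self.segment_of.get(req.resource)
        if seg is None or seg not in self.segments_for.get(req.subject, set()):
            return ("deny", "segment")
        if req.action in self.standing.get((req.subject, req.resource), set()):
            return ("allow", "standing")
        for g in self.grants:
            if (g.subject == req.subject and g.resource == req.resource
                    and req.action in g.actions and req.at < g.expires):
                return ("allow", f"jit-until-{g.expires.isoformat()}")
        return ("deny", "no-grant")


def run_demo():
    """Walk through the cases a practitioner would check; returns the list of decisions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    laptop = Device("lt-001", managed=True, patched=True)
    byod = Device("phone-9", managed=False, patched=True)
    vendor_dev = Device("vnd-77", managed=True, patched=True)
    pe = PolicyEngine(
        segment_of={"db/orders": "prod-data", "build/signing-key": "build"},
        segments_for={"alice": {"prod-data", "build"}, "vendor-logistics": {"prod-data"}},
        standing={("alice", "db/orders"): {"read"}, ("vendor-logistics", "db/orders"): {"read"}},
    )
    pe.issue_jit("alice", "build/signing-key", {"admin"}, now=t0)   # expires 09:30
    requests = [
        Request("alice", False, laptop, "db/orders", "read", t0),                    # no MFA
        Request("alice", True, byod, "db/orders", "read", t0),                        # unmanaged device
        Request("alice", True, laptop, "db/orders", "read", t0),                      # minimal standing access
        Request("alice", True, laptop, "db/orders", "write", t0),                     # nothing standing, no grant
        Request("vendor-logistics", True, vendor_dev, "build/signing-key", "read", t0),  # outside vendor's segment
        Request("alice", True, laptop, "build/signing-key", "admin", t0 + timedelta(minutes=10)),  # JIT valid
        Request("alice", True, laptop, "build/signing-key", "admin", t0 + timedelta(minutes=45)),  # JIT expired
    ]
    return [pe.decide(r) for r in requests]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The order of checks matters: identity and device posture are established before any resource-specific logic runs, segmentation is evaluated before permissions so that a subject never learns which actions exist on a resource it cannot reach, and the only route to a privileged action is a grant with an expiry, which is what keeps "just-in-time" from degrading into standing access.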

The Future of Zero Trust Supply Chains

Implementing a ZT supply chain presents challenges. It requires continuous, fine-grained monitoring, and access decisions must be grounded in quantifiable, risk-based assurance metrics rather than in a fixed perimeter: every access request is scrutinized, and every decision rests on data that quantifies the risk of granting it (Levine and Tucker, 2022). Although this strategy can be implemented through policy and strict enforcement alone, several emerging and maturing technologies will help implement ZT supply chains more efficiently.

Technologies such as RFID, NFC, and GPS are being combined with IoT platforms to improve the traceability of products from origin to consumer. These systems continuously monitor the condition and location of goods, so that unauthorized attempts to tamper with or divert items can be detected and addressed immediately. While these IoT technologies offer significant logistics and product-management advantages, they also widen the attack surface: every tag, reader, and gateway is another networked device that can be spoofed, cloned, or compromised. They must therefore be brought under the same ZT discipline as any other endpoint, with device identity, authenticated telemetry, and monitoring, so that the new risks they introduce are effectively mitigated.

Decentralized ledger technology (commonly called blockchain) can also enhance transparency and security in supply chains by creating append-only records of transactions and of the movement of goods. Properly implemented, a blockchain ensures that records cannot be altered retroactively without the network's consensus, giving every participant a tamper-evident record of each transaction within the supply chain. Two caveats apply. The ledger guarantees the integrity of what was recorded, not its truth: a falsified shipment record written by an authorized party is preserved just as faithfully as a genuine one, so the ledger complements, rather than replaces, verification of the parties and devices writing to it. And its immutability depends on the integrity of the consensus process and of the keys used to sign entries, which are themselves assets to be protected.
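The tamper-evidence a ledger provides, and its limits, can be shown with a minimal hash chain. The following is an added example, not code from the article or from any blockchain platform: each entry commits to the previous entry's digest, so changing one record breaks every later link. The sample shipment events and party names are constructed, and the single-process "store" stands in for a distributed ledger.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64   # prev_hash of the first entry


@dataclass(frozen=True)
class Entry:
    index: int
    prev_hash: str   # digest of the preceding entry (GENESIS for the first)
    event: dict      # the supply-chain event itself
    digest: str      # SHA-256 over (index, prev_hash, event)


def _digest(index, prev_hash, event):
    # Canonical JSON so the same content always hashes identically.
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append(chain, event):
    """Append an event, linking it to the current tail."""
    index = len(chain)
    prev_hash = chain[-1].digest if chain else GENESIS
    chain.append(Entry(index, prev_hash, event, _digest(index, prev_hash, event)))
    return chain[-1]


def verify(chain):
    """Return (ok, first_bad_index): each entry's own digest and its link must both hold."""
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        if (e.index != i or e.prev_hash != expected_prev
                or e.digest != _digest(e.index, e.prev_hash, e.event)):
            return False, i
        expected_prev = e.digest
    return True, None


def rewrite_from(chain, index, new_event):
    """What someone controlling the whole store can do: alter one event and relink everything after it."""
    new_chain = list(chain[:index])
    append(new_chain, new_event)
    for e in chain[index + 1:]:
        append(new_chain, e.event)
    return new_chain


# Constructed sample events for one lot moving through three hypothetical parties.
SAMPLE_EVENTS = [
    {"lot": "LOT-1001", "step": "manufactured", "party": "fab.example"},
    {"lot": "LOT-1001", "step": "shipped", "party": "freight.example"},
    {"lot": "LOT-1001", "step": "received", "party": "integrator.example"},
]


def demo():
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    ok_before, _ = verify(chain)
    anchor = chain[-1].digest   # the value a consensus network or counterparty would hold

    # Naive tampering: change one event and recompute only that entry's digest.
    naive = list(chain)
    fake = dict(naive[1].event, party="other-freight.example")
    naive[1] = Entry(1, naive[1].prev_hash, fake, _digest(1, naive[1].prev_hash, fake))
    ok_naive, bad_index = verify(naive)

    # Thorough tampering: rewrite the chain consistently from the altered entry onward.
    rewritten = rewrite_from(chain, 1, fake)
    ok_rewritten, _ = verify(rewritten)

    return {
        "valid": ok_before,
        "naive_tamper_detected_at": bad_index,
        "full_rewrite_verifies": ok_rewritten,
        "full_rewrite_matches_anchor": rewritten[-1].digest == anchor,
    }


if __name__ == "__main__":
    print(demo())
```

The last case is the important one: a party who controls the whole store can rewrite the chain consistently and it will verify, and only comparison against a digest held elsewhere (by the consensus network, or simply by a counterparty) reveals the rewrite. That externally held anchor, not the hash arithmetic, is what "without the network's consensus" means in practice.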

Finally, Artificial Intelligence and Machine Learning can be used for predictive analytics, risk assessment, and decision support in ZT supply chains. AI/ML can analyze large amounts of data to identify patterns that might indicate a threat or vulnerability, automate responses to security incidents, and optimize supply chain processes to mitigate risks dynamically.

Conclusion

As organizations increasingly rely on complex, globally interconnected supply chains, the risks from cyber threats and vulnerabilities have also heightened dramatically. The ZT model offers a promising framework for enhancing security across these networks by adopting a rigorous "never trust, always verify" approach. By requiring continuous and detailed monitoring, ZT will help defend against breaches that could have severe economic and geopolitical consequences. As the digital landscape continues to evolve, so must our strategies for maintaining secure and resilient supply chains; ZT will be an essential paradigm for the future.

References

Alicke, K., E. Barriball, S. Lund, and D. Swan (2020). Is your supply chain risk blind—or risk resilient? McKinsey. May 14, 2020. Available at: https://www.mckinsey.com/capabilities/operations/our-insights/is-your-supply-chain-risk-blind-or-risk-resilient#/

Belal Ali, S. H., L. H. Campbell, M. A. Gregory, and Shuo L. (2022). A Maturity Framework for Zero-Trust Security in Multiaccess Edge Computing. Security and Communication Networks, vol. 2022, Article ID 3178760, 14 pages, 2022. https://doi.org/10.1155/2022/3178760

Harding, E., J. A. Lewis, S. Spaulding, R. Butchart, J. Harrington, D. Nair, H. Ghoorhoo, and P. Reynal. (2022). "Never Trust, Always Verify": Federal Migration to ZTA and Endpoint Security. CSIS Brief. June 16, 2022. Available at: https://www.csis.org/analysis/never-trust-always-verify-federal-migration-zta-and-endpoint-security

Levine, A. and B. Tucker (2022). Zero Trust Architecture: Risk Discussion. Carnegie Mellon University. 2022. Available at: https://apps.dtic.mil/sti/pdfs/AD1161224.pdf

Lowdermilk, J. and S. Sethumadhavan. (2021). Towards Zero Trust: An Experience Report. 2021 IEEE Secure Development Conference (SecDev), Atlanta, GA, USA, 2021, pp. 79-85. 

NIST. 2020. Zero Trust Architecture. NIST Special Publication 800-207. Gaithersburg, MD: National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-207.

Robertson, J., & M. Riley. (2018). Hacked Supermicro hardware is found in a US telecom company's server. LA Times. October 9, 2018. Available at: https://www.latimes.com/business/la-fi-tn-china-microchip-20181009-story.html

Tidy, J. (2020). SolarWinds: Why the Sunburst hack is so serious. BBC. December 15, 2020. Available at: https://www.bbc.com/news/technology-55321643 

William Lucyshyn

Research professor and the director of research at the Center for Governance of Technology and Systems, in the School of Public Policy, at the University of Maryland.
