Managing Provider Risk as a Priority

(This entry is cross-posted on the CERTSI blog)

Outsourcing processes is nothing new; quite the contrary. In ICT (Information and Communication Technology) in particular, it is common for at least part of our systems to be accessed by third parties or managed directly by them. The range of options is broad: equipment maintenance, remote operation and administration, on-site and remote support, application maintenance, and all of this without counting other kinds of third parties (whom we could call unrelated) who, without access to our information systems, do store and/or process our information on their own systems (consultants, auditors, general consultants, etc.).

Even critical operators are not immune to this phenomenon, especially since many industrial environments depend on maintenance agreements with manufacturers, or are so geographically dispersed that relying on third parties with the territorial reach to carry out field work is essential. Given the critical nature of these systems, the possible consequences of any incident are particularly important. In any type of environment, the possible impacts include:

  • Loss of valuable information and of intellectual property
  • Theft of personal or financial information
  • Theft of funds

In critical operations, the impact can affect a large swathe of the population or spark a cascade effect due to dependency relations (for example, in the energy sector).

In this situation, the providers in the operator's value chain become another attack vector for those targeting the operator. In recent years we have seen many examples of this kind of attack (e.g. Target or T-Mobile), but most worrying of all is that, according to several studies, the mechanisms companies use to understand the risks they are exposed to in this area do not deliver the results one would hope for:

  • 92% of companies do not implement any type of provider risk management.
  • 70% contract providers without performing any prior security verification (moreover, 60% grant them access to their systems).
  • 63% of security breaches originate with providers.

Given this scenario, INCIBE has decided to develop the C4V model, “Construction of Cybersecurity Capacities for the Value Chain”, with the objective of giving operators a model for evaluating the security level of third-party services that might affect their systems, one that is objective, homogeneous and adapted to industrial control systems.

In forthcoming blog entries we will explain in detail how to use the C4V model to ensure the security level of the value chain, and how to carry out a self-evaluation in this area.