A research study by Skybox Security found that 40% percent of OT security decision makers said that supply chain/third party access to the network is one of their top three highest security risks. Yet, less than half said their organization as a third-party access policy that applied to OT.
Baffling, right? But the explanation for this contradiction comes down to a more fundamental problem: organizations do not know the effectiveness of their existing access policies. Additionally, organizations do not have clear visibility on the traffic traversing across the infrastructure, so implementing practical micro-segmentation principles to provide the least privileged access is a significant challenge.
Because of this inability to provide segmentation and lack of visibility across the network, subsystems in the OT environment are even more vulnerable to malware from third parties; lateral movements of malware from third-party to the OT environment happen because these partners have weaker security defenses. For instance, these third-parties could be behind on their security updates, or their employees might be more likely to fall for phishing schemes. Another reason is that attacking a supplier would net the gang more victims because a supply chain attack would affect all the supplier’s customers.
Problems with third parties are underestimated
Bad actors increasingly are sneaking in through third-party access. There’s no doubt about that. So, the obvious question is, what keeps companies from better securing third-party security risks?
In most cases, it’s a case of organizations underestimating the potential risks caused by third-party vendors. Unfortunately, this makes organizations easy targets for a sucker punch by cyber-attacks because they didn’t have a security posture platform with network modeling and path analysis across the entire network. Unfortunately, a long list of security problems caused by third parties can be devastating. For instance, there is a potential threat to employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties accessing privileged systems.
Today, companies deal with hundreds of vendors, who, in turn, have their agents and subcontractors. As a result, third-party risks can arise at any time in this extensive network. The report supports this: 78% of OT security decision makers said complexity due to multivendor technologies pose a challenge to gaining complete visibility across their attack surface.
Gap in security expectations with third parties
Many companies cannot track vendor risks against their internal policies and certifications in part due to a failure to communicate its policies to third parties. In that case, there may be a gap in expectations between both parties, thereby affecting a third party’s ability to assure compliance. The challenge is that vendors don’t assume ultimate responsibility for the risk of the service they offer. If third party vendors weren’t problematic enough, many companies actually farm out the management of their OT systems to third parties, introducing another layer of risk.
Need for security posture platform that enables policy optimization
For me, a significant takeaway from this report is this: get a security posture platform that accounts for security policies for connected third parties. Firewall rules and network segmentation need to define where third-party access is allowed on your network. A modern platform enables policy optimization, attack simulation, compliance, and visibility that allow you to see all entry and access points and perform path and exposure analysis.