Zero Trust for Supply Chain: A Critical Aspect of the SCS 9001 Architecture
By Dave Sanicola, President of The DESARA Group, TIA Supply Chain Security Work Group Lead
The rise of cyberattacks by sophisticated criminals and foreign adversaries threatens to endanger national security, disrupt business continuity, and devastate consumer confidence, all with vast economic consequences. Recent ransomware attacks on the Colonial Pipeline and meat processing giant JBS have significantly escalated concern, creating what is now being referred to as a “cybercrime pandemic” and further pushing the issue to the forefront within the Biden Administration.
TIA’s upcoming release of SCS 9001, the first ICT-specific standard for global supply chain security, will be integral to ensuring trust and integrity of the ICT supply chain, where attacks have the capacity to distribute downstream across tens of thousands of networks and millions of users. SCS 9001 is built on several key factors, including a Zero Trust Architecture (ZTA) based on NIST (National Institute of Standards and Technology) recommendations. Sometimes referred to as “perimeterless security” and rooted in the concept that organizations should not trust anything inside or outside their perimeters, ZTA makes SCS 9001 unique by considering remote users, devices, and cloud-based assets beyond an enterprise local network.
Recently, I caught up with Scott Rose, a computer scientist at NIST with expertise in Internet infrastructure and protocol protection who is currently working to bring zero trust security understanding to the U.S. Government, to ask him more about ZTA.
- What is a Zero Trust Architecture (ZTA) and what are the main principles and benefits?
To understand ZTA, you first need to understand zero trust. Zero trust isn’t a single technology or network configuration but a set of cybersecurity principles that seeks to eliminate implicit trust between resources. Zero trust essentially entails authenticating and authorizing every communication session against enterprise policy before a session is created. In a zero trust approach, an enterprise monitors and maintains all network identities within the entire enterprise and the security posture of resources, and monitors data flows between resources. Zero trust also means that an enterprise needs to adjust its security posture in response to changing network conditions or newly discovered threats.
While there are different approaches an enterprise can use to implement a ZTA from micro-segmentation to software-defined networking based solutions, all ZTAs feature a robust identity and asset management and governance program, device health checks, and a continuous monitoring program. This approach considers that the internal enterprise network should not be trusted any more than the external Internet, resulting in the counterintuitive benefit of simplifying policies as there is only one set of policies to enforce across an enterprise.
The emphasis zero trust places on monitoring means that while not every attack can be prevented, it is more likely to be identified before considerable damage occurs. A ZTA should therefore be designed to limit unauthorized lateral movement through the enterprise and monitor traffic flows for anomalous behavior that may signal an attacker on the network. If an attacker can be quickly identified and isolated from accessing enterprise resources, enterprise cybersecurity staff can quickly recover from the attack—hopefully without long-term impact to the organization.
- What is the difference between a legacy approach and Zero Trust Architecture?
In legacy architectures, defenses were placed on the perimeter. The firewall was trusted to keep the internal network safe. That thinking was quickly dispelled as attackers found ways around firewalls and into corporate LANs. Once inside, attackers moved laterally through the network until they gained access to a valuable resource. Zero trust considers the internal network untrusted, so defenses move closer to individual resources instead of entire network segments.
This approach is especially critical in today’s modern architectures where enterprise assets and data may not be located on the corporate internal network—they could reside in the cloud, be accessed by remote workers, or involve other non-enterprise-owned network infrastructure that may not have adequate firewall protection. ZTA solutions take all of these resources into account, allowing enterprises to develop and enforce policies across disparate network infrastructures and locations.
- How can Zero Trust help secure the ICT supply chain?
Zero trust applies to ICT supply chain security in two ways—to both the companies that provide the architecture and to the actual products and services themselves. Component producers and service providers should have a robust security program like ZTA that protects the integrity of the products being produced. We’ve seen examples of attacks against the supply chain, like the recent SUNBURST attack on SolarWinds’ products, where attackers targeted the supply to gain a foothold into their actual targets.
Component suppliers and service providers should also work to ensure their products will fit into customers’ zero trust strategies. It is impossible to have a product or service that can integrate in every possible ZTA implementation, but there are general design choices that could be made to help customers integrate a given component into their planned (or existing) architecture. Some of these design principles include:
- Having ways to uniquely identify a component. This helps an enterprise identify and maintain the devices it owns or that operate on its infrastructure. Fine-grained policy based on individual devices can be developed and enforced, which can include the means to integrate this identity into common management and governance platforms (using standard protocols or available APIs).
- Providing information about the individual components that make up a product. This could include artifacts like software bills of materials (SBOMs) and communication profiles that allow an enterprise to react to newly announced threats.
- Providing ways to integrate the component into common monitoring or security information and event management (SIEM) systems. For example, this could include having built-in tools that allow an enterprise to export event logs to any enterprise-wide system in use, providing a better view of the current state of components.
- Which stakeholders within the ICT supply chain should be implementing Zero Trust as part of their strategy?
Ideally, every stakeholder in the supply chain should implement a Zero Trust Architecture. As target enterprises migrate to zero trust, attackers move their attention to other targets upstream of their intended targets that are still vulnerable to attack, such as component suppliers and service providers. Those that supply components or provide services also therefore need to protect the integrity of their products and service offerings by having a ZTA in place for their own operation and development processes. Even if an enterprise cannot implement a full ZTA, having some elements of a ZTA for some workflows improves the overall security posture.
- What are the key challenges, considerations, and best practices for implementing an efficient ZTA among manufacturers, suppliers, and service providers involved in designing and deploying the global ICT infrastructure?
The first step in any zero trust journey is to collect the foundational information. This involves knowing what data, devices, and software components are in use in the enterprise and what data flows between them. This includes having a comprehensive monitoring program in place for network communication, as well as maintaining resource security posture. The enterprise will need tools and processes to parse this data to identify emerging threats or possible malicious behavior. But in reality, the biggest challenge is cultural rather than technical. Zero trust requires the cooperation of the entire enterprise. Development teams, system administrators, and even end users must understand the security policies that relate to them. Information sharing is essential and cybersecurity teams need to work with developers, administrators, and business process owners to understand how to analyze the risk to the enterprise and develop policies and procedures accordingly.
- Can you provide some real-life examples of Zero Trust in the context of securing the ICT supply chain?
We haven’t seen many after-action reports of enterprises with ZTAs handling a supply chain attack, but we have seen supply chain attacks. One type of attack that has occurred multiple times over the years is the issuance of certificates to imposters. This allows an attacker to spoof the valid domain name or sign software updates that appear legitimate. Another is taking over abandoned repositories for common utilities like browser extensions and using built-in, legitimate update processes to inject malware.
In all of these scenarios, an enterprise making use of these products may not be able to stop an initial attack happening outside of their enterprise, but a ZTA can certainly help quickly identify and contain the attack and its impact. If the enterprise has a robust monitoring system in place, it could detect that devices or software components have changed their traffic behaviors that may violate ZTA access policies. One example would be an infected IoT device attempting to open connections to other resources that it does not need to communicate with to perform its function. A ZTA micro-segmented network may even contain and deny this connection before it is identified as malicious, simply because it is not allowed by policy.
One example of an incident we heard in a previous NIST technical exchange meeting on zero trust is similar to a supply chain attack. A hospital on the East Coast had recently migrated to a micro-segmented ZTA. A vendor technician working on site to repair a medical diagnostic device decided to replace the device’s hard drive with one taken from a similar machine from a different customer. Unbeknownst to the technician, that replacement hard drive was infected with NotPetya ransomware. When the device powered back on, the malware began its attack. Since the hospital had a micro-segmented network with strict traffic policies between segments, the security team was alerted, and the outbound connections were blocked. This prevented the malware from operating and allowed the security staff to immediately identify and isolate the infected system.
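The default-deny behavior described in the answers above (a device's connections are blocked simply because they are not in its allowed communication profile, and the security team is alerted) can be sketched as follows. This is an added example, not code from NIST, TIA, or SCS 9001; the device names, addresses, ports, and alert threshold are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    device_id: str   # unique component identity from the asset inventory
    dst_ip: str
    dst_port: int
    proto: str

# Constructed communication profiles (hypothetical devices and addresses):
# the only destinations each device needs to perform its function.
PROFILES = {
    "diag-device-07": [("10.20.5.10/32", 104, "tcp"),   # imaging archive
                       ("10.20.0.53/32", 53, "udp")],   # internal DNS
    "badge-reader-02": [("10.30.1.0/28", 8443, "tcp")],
}

def allowed(flow, profiles=PROFILES):
    """Default deny: a flow passes only if an explicit rule for this device matches."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for cidr, port, proto in profiles.get(flow.device_id, []):  # unknown device: no rules
        if (dst in ipaddress.ip_network(cidr)
                and flow.dst_port == port and flow.proto == proto):
            return True
    return False

def evaluate(flows, profiles=PROFILES, alert_threshold=3):
    """Return (verdicts, alerts). Every out-of-profile flow is denied at once;
    a device is flagged for isolation after it reaches alert_threshold
    distinct denied destinations (assumed threshold)."""
    verdicts, denied = [], {}
    for f in flows:
        ok = allowed(f, profiles)
        verdicts.append("allow" if ok else "deny")
        if not ok:
            denied.setdefault(f.device_id, set()).add((f.dst_ip, f.dst_port))
    alerts = sorted(d for d, dsts in denied.items() if len(dsts) >= alert_threshold)
    return verdicts, alerts

# Constructed flow records: normal traffic, then a device fanning out to peers.
SAMPLE_FLOWS = [
    Flow("diag-device-07", "10.20.5.10", 104, "tcp"),
    Flow("diag-device-07", "10.20.0.53", 53, "udp"),
    Flow("diag-device-07", "10.20.6.11", 445, "tcp"),   # not in profile
    Flow("diag-device-07", "10.20.6.12", 445, "tcp"),
    Flow("diag-device-07", "10.20.6.13", 445, "tcp"),
    Flow("badge-reader-02", "10.30.1.5", 8443, "tcp"),
    Flow("unregistered-01", "10.20.5.10", 104, "tcp"),  # no identity on record
]

if __name__ == "__main__":
    verdicts, alerts = evaluate(SAMPLE_FLOWS)
    for f, v in zip(SAMPLE_FLOWS, verdicts):
        print(v, f)
    print("flag for isolation:", alerts)
```

The denial does not depend on recognizing the traffic as malicious: the out-of-profile flows are blocked on the first packet, and the alert only speeds up isolation of the device.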
While Scott’s insight clearly indicates that zero trust is the right approach to supply chain security, especially in modern-day networking environments where IT assets reside in multiple global locations, implementing a ZTA is not a trivial endeavor. It is an approach that takes time to fully implement via a strategic step-by-step process.
To that end, SCS 9001 does not require organizations to have a complete and fully-functioning ZTA implementation in place on day one but rather to have a well-documented plan that clearly demonstrates the organization’s journey and commitment towards implementing full ZTA.