You’re Only As Secure as Your Weakest Link
In 2021, the Kaseya VSA ransomware attack hit MSPs, demonstrating third-party relationships’ potential vulnerabilities and consequences and the critical importance of Vendor Risk Management (VRM).
About Kaseya VSA
Kaseya VSA is a cloud-based IT management and remote monitoring solution used by some managed service providers (MSPs) to manage and automate IT at multiple client sites.
In July 2021, hackers affiliated with the Russian-linked REvil ransomware group exploited vulnerabilities in Kaseya’s VSA software. The attackers delivered a ransomware payload through Kaseya’s software update mechanism, affecting not just Kaseya but also its MSP customers and, subsequently, the MSPs’ clients.
Impact and Relevance to VRM
- Widespread Disruption: The attack affected more than 1,500 businesses around the world, ranging from small businesses to large enterprises. The scope of this attack highlights how vulnerabilities in a single vendor’s product can have cascading effects across an entire supply chain.
- Financial and Operational Impact: Many of the affected businesses faced significant operational disruptions, financial losses due to downtime, and the costs associated with incident response and recovery. Some businesses also faced the dilemma of whether to pay the ransom to regain access to their data.
- Regulatory and Compliance Concerns: The incident raised substantial concerns regarding compliance with data protection regulations. Businesses affected by the ransomware had to consider the implications under various privacy laws, potentially facing penalties if it was found they had inadequate security measures in place.
Lessons for Vendor Risk Management
- Thorough Vendor Screening: It’s crucial for you to conduct comprehensive security assessments of your vendors, especially those providing critical IT management services or software. This includes evaluating the security measures the vendor has in place, their history of security incidents, and their policies for responding to and communicating about such incidents.
- Contractual Safeguards: You should ensure their contracts with vendors include terms that specify the vendor’s obligations in terms of cyber security, including requirements for regular security audits, immediate incident notification, and liability for breaches.
- Contingency and Incident Response Planning: Businesses must develop robust contingency plans that include procedures for quickly isolating affected systems and restoring operations with minimal disruption. Effective incident response planning is essential for rapidly recovering from such attacks.
The Kaseya VSA ransomware attack serves as a stark reminder of the risks associated with third-party vendors, particularly in the software and IT services domains.
This also emphasizes the necessity of implementing a comprehensive VRM program that includes rigorous security assessments, contractual protections, and preparedness planning to mitigate the risks posed by vendor relationships in an increasingly interconnected business environment.
Why VRM Is Important Today
While this happened in 2021, additional events are happening that demonstrate the importance of strong VRM.
- Cyber Security Incidents: Recent breaches involving third-party service providers have led to significant financial and reputational damage for companies. These incidents often reveal that the compromised party had inadequate security measures, which their clients did not identify or manage.
- Increasing Dependency on Third-Party Vendors: Canadian companies, like those globally, are increasingly relying on third-party vendors for critical services, including cloud computing, data processing, and IT infrastructure. This dependency extends the attack surface for cyber security threats, as vulnerabilities in a vendor’s system can potentially compromise the security of the contracting company.
- Supply Chain Disruptions: Recent global disruptions, from pandemics to geopolitical tensions, have exposed supply chain vulnerabilities. Companies have realized the importance of understanding their suppliers’ operational and financial stability. Effective VRM helps assess these aspects, ensuring that supply chain risks are minimized.
- Regulatory Changes: There have been movements towards tightening data privacy laws in Canada and globally. For instance, updates to PIPEDA and similar regulations in other jurisdictions are placing greater accountability on companies to manage the data handled by their vendors.
- Economic Uncertainty: The economic impacts of the COVID-19 pandemic and subsequent market fluctuations have highlighted the need for VRM to assess the financial health of vendors and foresee and prepare for potential supply chain disruptions.
In essence, Vendor Risk Management has become a critical pillar of operational integrity and strategic planning for Canadian companies in 2024. VRM enables companies to address these risks proactively, making it an essential component of modern corporate governance.
With that in mind, let’s look at why it’s important and how it can be effectively implemented:
Detailed Strategies for Effective VRM
In IIoT and cloud services, your security is only as strong as the weakest link.
Given that many components and services are outsourced to third-party vendors, any vulnerability in their systems can directly impact your own security.
Let’s explore a few effective VRM strategies.
1. Vendor Selection
- Compliance and Standards: Start by evaluating potential vendors’ compliance with relevant industry standards and regulations. For industries like energy or healthcare, this might include specific requirements like those mandated by NERC CIP or HIPAA. Vendors should also adhere to general cyber security standards such as ISO 27001 or NIST frameworks.
- Security Posture Assessment: Robustly assess the vendor’s cyber security practices and infrastructure. This includes their data encryption methods, authentication protocols, access controls, and overall security architecture. Tools like security rating services can provide an ongoing assessment of a vendor’s security posture.
2. Contractual Agreements
- Clear Roles and Responsibilities: Contracts with vendors should explicitly outline who is responsible for what in terms of security management. This includes specifying duties for regular security assessments, compliance audits, and handling of security breaches.
- Data Management Policies: Ensure the contract defines how data is to be handled, stored, and protected. This includes provisions for data encryption, secure data transfer mechanisms, and data retention and deletion policies.
- Incident Response: The contract must clearly define the incident response responsibilities. It should outline the process for notifying you during a breach, the expected time frames for such notifications, and the vendor’s role in remediation efforts.
- Right to Audit: Incorporate clauses that give you the right to conduct security audits on the vendor’s systems or to review third-party audit reports. This ensures transparency and allows you to verify compliance with the agreed-upon security standards.
3. Continuous Monitoring and Review
- Performance Monitoring: Regularly monitor the vendor’s performance against the set SLAs and KPIs to ensure they are meeting security and operational expectations.
- Risk Assessments: Conduct ongoing risk assessments to identify and address new or evolving risks associated with the vendor. This should be part of a broader risk management strategy that includes monitoring changes in the vendor’s business practices or financial health that might impact their security posture.
- Feedback and Improvement: Establish a feedback loop with the vendor to discuss performance and areas for improvement. This should be a collaborative process aimed at continuously enhancing security practices.
Implementing comprehensive Vendor Risk Management for IIoT and cloud services is essential for safeguarding your digital assets and operations. By carefully selecting vendors, crafting detailed contracts, and maintaining rigorous oversight, you can mitigate the risks that third-party engagements inherently bring. This proactive approach protects your operations, supports compliance, enhances reliability, and builds trust with your stakeholders.
Enhancing Your Vendor Security Protocols
If you’re considering enhancing security protocols, particularly for systems involving IIoT and cloud technologies, your focus will be primarily on two major areas: authentication and encryption, as well as regular updates and patch management.
Let’s explore each of these in more detail, outlining specific actions and best practices.
1. Enhanced Authentication and Encryption
Authentication:
- Multi-Factor Authentication (MFA): Implementing MFA is crucial for protecting your IIoT and cloud environments. This process requires users to provide two or more verification factors to gain access to a network or system, drastically reducing the likelihood of unauthorized access.
- Role-Based Access Control (RBAC): RBAC ensures that access rights are grouped by role, and access to systems is granted based on the specific role within the organization. This minimizes the risk of granting access beyond what is necessary for an individual’s duties.
- Biometric Authentication: For highly sensitive IIoT environments, biometric authentication methods like fingerprint or facial recognition can provide an additional layer of security.
Encryption:
- Data at Rest: Implement strong encryption protocols such as AES (Advanced Encryption Standard) 256-bit for data stored on devices and in the cloud. This ensures that even if the data is accessed unauthorizedly, it remains unreadable.
- Data in Transit: Use secure transmission protocols like TLS (Transport Layer Security) to transmit data between devices and networks. Ensuring that all data transmitted is encrypted reduces the risk of data being intercepted during transmission.
- End-to-end Encryption: For critical data, end-to-end encryption ensures that data is encrypted from the point of origin to the point of destination, accessible only by the sender and the intended recipient.
2. Regular Updates and Patch Management
Automated Patch Management:
- Regular Updates: IIoT devices should be programmed to receive and install updates automatically. This reduces the reliance on manual processes, which can be overlooked or delayed.
- Security Patches: As soon as a security patch becomes available, it should be tested and deployed immediately. Delays in patching known vulnerabilities are one of the most common ways through which cyber attackers exploit systems.
Vulnerability Scanning and Management:
- Continuous Scanning: Implement systems that continuously scan for vulnerabilities within the network. This includes the IIoT devices themselves, any connected infrastructure, and the cloud services in use.
- Risk Assessment: Use vulnerability scans to perform risk assessments regularly, prioritizing vulnerabilities based on the threat level and the affected system’s criticality.
- Incident Response Plan: Develop a robust incident response plan that includes procedures for responding to vulnerabilities. The plan should outline how to isolate affected systems, assess the impact, implement patches, and restore services with minimal downtime.
Vendor Collaboration:
- Firmware Updates: Work closely with your device vendors to ensure that all firmware is up-to-date with the latest security patches. This is especially important for IIoT devices that may have longer operational lifespans and might not be regularly replaced.
- End-of-Life Equipment: Establish policies for replacing or upgrading equipment that is no longer supported by the manufacturer with security updates.
Next Steps in Vendor Management
By implementing these enhanced security protocols and maintaining rigorous patch management procedures, businesses can significantly bolster their defences against the evolving landscape of cyber threats. These measures are essential for protecting sensitive data and ensuring the reliability and integrity of IIoT and cloud-based systems.
If you’re concerned about the security of either your internal or vendor IIoT systems, sign up for our Insider Series and learn how to Identify and Mitigate Hidden IIoT Security Risks.
Subscribe to the F12 IT Insights Newsletter