Strengthening Cybersecurity: Strategies for Procurement
Cybercriminals are employing increasingly sophisticated methods to execute phishing schemes, with the recent 'Uncle Scam' campaign targeting contractors seeking work with the US government being a prime example.
This campaign, uncovered by researchers at Perception Point, utilises advanced techniques to bypass traditional security measures and deliver highly convincing phishing emails that mimic legitimate US government agencies such as the General Services Administration (GSA).
Meanwhile, as cyber threats like malware, ransomware and nation-state attacks become more prevalent, asset owners and operators are prioritising supply chain security.
Vendors are now expected to provide technological solutions and demonstrate a comprehensive understanding of cybersecurity best practices.
The 'Uncle Scam' emails invite recipients to bid on federal projects, but clicking the link redirects users to a counterfeit GSA website. This fake site closely resembles the authentic one, complete with navigation links and a search bar that directs users to real GSA pages.
Users are then prompted to register for a Request for Quotation (RFQ), enhancing the phishing attempt's credibility and evading detection.
A key factor in the effectiveness of this campaign is the misuse of Microsoft's Dynamics 365 Marketing platform. Attackers use the domain "dyn365mktg.com," associated with Dynamics 365, to send malicious emails.
This domain is pre-authenticated by Microsoft, allowing phishing emails to bypass spam filters and reach recipients' inboxes.
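The sender-domain and lookalike-site pattern described above can be turned into a simple mail-triage check. The following is an added example, not code from the article or from Perception Point; the message it scores is constructed, and every host other than gsa.gov and dyn365mktg.com is a placeholder.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators drawn from the article: the impersonated agency, its real domain,
# and the Dynamics 365 Marketing sending domain the campaign abused.
AGENCY_RE = re.compile(r"\b(general services administration|gsa)\b")
AGENCY_DOMAIN = "gsa.gov"
MARKETING_SENDERS = {"dyn365mktg.com"}
LURE_TERMS = ("request for quotation", "rfq", "bid on")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _domain(header_value: str) -> str:
    """Bare domain from a header such as 'Name <user@host>' or '<user@host>'."""
    return header_value.rsplit("@", 1)[-1].strip("<> \t").lower()

def triage_rfq_lure(raw_message: str) -> dict:
    """Score one plain-text message for the 'Uncle Scam' pattern: it claims to be
    GSA, arrives from a non-.gov (marketing-platform) sender and links off-agency."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body]).lower()
    sender = _domain(msg.get("From", ""))
    bounce = _domain(msg.get("Return-Path", "") or msg.get("From", ""))
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    findings = {
        "claims_agency": AGENCY_RE.search(text) is not None,
        "rfq_lure": any(t in text for t in LURE_TERMS),
        "sender_not_gov": not sender.endswith(".gov"),
        "marketing_platform_sender": sender in MARKETING_SENDERS or bounce in MARKETING_SENDERS,
        # The counterfeit site mixes real agency links (for credibility) with its own host,
        # so report only hosts that are not the agency's domain or a subdomain of it.
        "offsite_links": sorted({h for h in hosts
                                 if h != AGENCY_DOMAIN and not h.endswith("." + AGENCY_DOMAIN)}),
    }
    findings["suspicious"] = findings["claims_agency"] and (
        findings["sender_not_gov"] or bool(findings["offsite_links"]))
    return findings

# Constructed sample modelled on the campaign; the RFQ portal host is a placeholder.
LURE_SAMPLE = """From: "GSA Contracting Office" <notify@dyn365mktg.com>
Return-Path: <bounce@dyn365mktg.com>
Subject: Invitation to bid on federal project RFQ-EXAMPLE
Content-Type: text/plain

Register for the Request for Quotation: https://gsa-rfq-portal.example/register
Browse the catalog: https://www.gsa.gov/buy-through-us
"""
```

A mail gateway would typically pair a hit like this with a block or quarantine on the sender domain plus a verified-sender allow-list for genuine agency mail.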
Additionally, the campaign leverages Large Language Models (LLMs) to craft high-quality phishing emails that mimic legitimate communications, making it challenging for victims to detect the scam. In response to such threats, cybersecurity strategies within Industrial Control Systems (ICS) procurement are undergoing significant transformation.
As Yair Attar, CTO and Co-Founder of OTORIO, notes: “The ICS supply chain involves various stakeholders, each with distinct cybersecurity responsibilities.
“Vendors are investing in secure development lifecycle practices, aligning with IEC 62443-4-1, which includes rigorous testing and vulnerability scanning for each release. Asset owners should demand these practices and utilise their tools to assess risks continuously.”
Procurement professionals play a crucial role in enhancing cybersecurity by collaborating with IT departments to identify and address cyber risks in procurement operations. This involves ensuring that software and hardware are sourced from trusted suppliers and are scanned for security vulnerabilities.
Janet Bodenbach, Senior Director of Solutions Architecture at Finite State, stresses the importance of secure development, deployment, and continuous monitoring. She advocates for robust vulnerability management and supply chain security transparency, including providing Software Bills of Materials (SBOMs) and visibility into multi-layer OEM/ODM manufacturing relationships.
Janet asserts: “Vendors must meet specific standards, resulting in enhanced contractual obligations, including evidence-based compliance requirements, continuous security monitoring, and incident response collaboration.”
Slava Bronfman, CEO and Co-Founder of Cybellum, highlights the need for secure-by-design product development and continuous vulnerability management. He states: “Security must be embedded into the development lifecycle as early as possible, with threat modelling, enforcement of coding standards, rigorous testing and vulnerability monitoring throughout the device lifecycle.”
Procurement strategies must also adapt to the unique challenges faced by the Banking, Financial Services and Insurance (BFSI) sector, which is a prime target for cyber threats.
The use of multiple third-party technology solutions adds to the risks. Procurement teams can mitigate these risks by driving discussions on cyberattacks and innovative ways to fight data leaks.
They should ensure that suppliers provide regular audit reports certifying their security levels and empower procurement to terminate contracts if security breaches occur.
Tom Alrich, an independent consultant specialising in supply chain security, points out the challenges posed by unreported vulnerabilities in software and intelligent devices. He advises that suppliers should report vulnerabilities as soon as they are discovered and have a patch available, stating: “As soon as a supplier learns of a vulnerability in one of their products, they should report it, both to CVE.org and directly to their customers in a security advisory.”
The evolving regulatory landscape is reshaping ICS procurement strategies, with a strong emphasis on compliance, secure development practices, and proactive collaboration between asset owners and vendors to enhance supply chain security and mitigate cybersecurity risks.
By adopting these strategies, organisations can effectively mitigate cybersecurity risks and ensure a secure and resilient ICS procurement process.
Procurement Magazine is a BizClik brand.