Why supply chain security affects organizations everywhere
Supply chain security is becoming a priority for organizations everywhere. The pandemic exposed the need for more secure and resilient supply chain operations. As supply chain organizations accelerate digital transformation, they also become more exposed to cyber-attacks.
Since a single attack has a ripple effect, potentially bringing down entire industries, supply chains have become a favorite target for cyber attackers.
Why does a cyber attack on a supply chain affect the entire business ecosystem?
In December 2020, a massive cyberattack on the SolarWinds network compromised the supply chains of close to 20,000 organizations in the U.S. This included government offices, such as the Pentagon and the Department of Homeland Security.
Why are cybercriminals choosing to attack supply chains? Research, like the Identity Theft Resource Center (ITC) 2020 Data Breach Report, states it clearly: because it is a highly effective kind of attack.
"Supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor," according to the ITC report.
So supply chains offer cybercriminals a single point of failure and multiple attack paths to exploit. Often, attackers look for a smaller organization with fewer or laxer security measures that is part of the supply chain and use it as an entry point. Through that point, they can then gain access to the entire network, and the ripple effect means catastrophic consequences.
An attack on a supply chain can bring an entire business down. Supply chains are, by nature, an interconnected network of manufacturers, suppliers, importers and others. By gaining access to a single company, attackers can impact its clients, providers and third-party associates. The list is long.
What are the main security risks in a supply chain?
Supply chain companies are used to managing the risks associated with the trade. The thing is, risks are constantly changing. What was a top concern decades ago can be replaced by a more pressing threat as new attack vectors arise.
In the rush to digital transformation, companies put pressure on the development cycle for new solutions, faster production and distribution. This can expose vulnerabilities, which attackers can exploit.
Since supply chains are deeply interconnected, there are many potential entry points like third-party providers, importers and manufacturers that cybercriminals can use to infiltrate the network and cause damage. Moreover, in a digital world, an attack on a software supply chain may affect thousands of customer companies.
Poor understanding and lax management of current hazards in your supply chain can cause financial loss, increase costs, and lower your brand value. Here are the top risks supply chain organizations usually face.
1) Third-party suppliers
Your organization may have a cybersecurity risk management strategy and tools in place, but maybe your key suppliers don't. Often, larger companies subcontract smaller suppliers, giving them access to their systems to improve operational efficiency. These niche companies are prime targets for cyber attackers, as they usually have access to the supply chain network, and their security posture is often immature.
Tier 2 suppliers present another risk. Let's say you and your suppliers have a tight security system in place, but do you know about your supplier's suppliers? Lower-tier suppliers with poor security practices can tank an entire organization's security strategy.
2) Lack of employee awareness
Strong security starts with people. Security education and training are critical for employees, both at your company and across the entire supply chain.
Common practices like bring your own device (BYOD) and the widespread usage of personal mobile devices can leave the tightest supply chain security strategy full of holes.
3) Software vulnerabilities
In the rush to transform digitally, many supply chain and manufacturing organizations are turning to open-source software solutions for their needs. Attacks on open-source code increased more than 400% between 2019 and 2020.
While not all these attacks were on supply chain organizations, many of these companies are related to supply chains. That's one of the reasons attacks on supply chain software rose 42% year-over-year in the first quarter of 2021.
What are the cybersecurity issues in supply chain management?
To face this situation, organizations need to beef up their supply chain security strategy, tools and practices. Still, before rushing to implement new security policies, it is important to understand the most common attack vectors through which bad actors can attempt to gain access to your organization's systems and data:
- Stolen SSL/TLS keys: Most company websites are served over HTTPS, which requires SSL/TLS certificates. Attackers steal the certificates' private keys to gain access to the website admin. This can compromise internal communications and, in the case of e-commerce or financial sites, expose personally identifiable information.
- Attacks on the CI/CD pipeline: attackers can infiltrate the CI/CD pipeline to carry out data exfiltration or alter build scripts to mine cryptocurrency.
- Stealing Git credentials: Threat actors use social engineering and identity theft techniques to obtain Git credentials. Once they have access to private Git repositories, they can clone them or introduce malicious code.
- Social Engineering: Employees are usually the weakest link in a security strategy. Attackers prey on unsuspecting or overwhelmed staff to click on a malicious link. For example, an attack on the Linux Foundation recently used a University of Minnesota researcher's emails to introduce vulnerabilities in the Linux source code.
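Two of the vectors above, tampering with the CI/CD pipeline and exposure of a site's private key, lend themselves to simple automated checks that a defender can run on every build host. The following Python script is an added illustration, not code from the original article, and assumes a repository whose pipeline definitions live in .gitlab-ci.yml or .github/workflows/*.yml and whose last-reviewed state was recorded as a SHA-256 manifest; it constructs its own sample files in a temporary directory so it runs offline.

```python
"""Defensive checks for two of the attack vectors listed above (added example).

Assumptions (not from the article): pipeline definitions live in files such as
.gitlab-ci.yml or .github/workflows/*.yml, and a trusted SHA-256 manifest of
those files was recorded out-of-band when the pipeline was last reviewed.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical locations of pipeline definitions; adjust to your CI system.
PIPELINE_PATTERNS = [".gitlab-ci.yml", ".github/workflows/*.yml"]


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, patterns=PIPELINE_PATTERNS) -> dict:
    """Record the digest of every pipeline definition file under root."""
    manifest = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def check_pipeline_integrity(root: Path, trusted: dict, patterns=PIPELINE_PATTERNS) -> dict:
    """Compare current pipeline files against the trusted manifest.

    Returns {"modified": [...], "added": [...], "removed": [...]}; all three
    lists empty means the CI/CD definitions are unchanged since the last review.
    """
    current = build_manifest(root, patterns)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "added": sorted(k for k in current if k not in trusted),
        "removed": sorted(k for k in trusted if k not in current),
    }


def private_key_is_restricted(path: Path) -> bool:
    """True if the key file is accessible only by its owner (no group/other bits)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> dict:
    """Run both checks on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".github" / "workflows").mkdir(parents=True)
        ci = root / ".github" / "workflows" / "build.yml"
        ci.write_text("steps:\n  - run: make test\n")  # constructed sample
        trusted = build_manifest(root)  # snapshot taken at review time

        # Simulate an unreviewed change to the pipeline script.
        ci.write_text("steps:\n  - run: make test\n  - run: ./upload-artifacts.sh\n")
        drift = check_pipeline_integrity(root, trusted)

        # Two constructed key files: one world-readable, one owner-only.
        loose = root / "loose.key"
        loose.write_text("-----BEGIN PRIVATE KEY-----\nconstructed\n")
        os.chmod(loose, 0o644)
        tight = root / "tight.key"
        tight.write_text("-----BEGIN PRIVATE KEY-----\nconstructed\n")
        os.chmod(tight, 0o600)

        return {
            "drift": drift,
            "loose_key_ok": private_key_is_restricted(loose),
            "tight_key_ok": private_key_is_restricted(tight),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the trusted manifest would be stored outside the repository (for example in the secrets store of the CI system) so that an attacker who can edit the pipeline cannot also update the manifest; the permission check is likewise only meaningful when it runs on the host that actually holds the key.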
Once they access the supply chain network, attackers can exfiltrate data, inject malware, extort with ransomware, and mount other cyber threats, affecting thousands of companies from a single point of entry.
In short, supply chain attacks are intensifying as cybercriminals look to exploit the weakest links. Managing these risks involves implementing a strong supply chain security strategy across all stakeholders.
This article was written by Angela Scott-Briggs from TechBullion and was legally licensed through the Industry Dive publisher network. Please direct all licensing questions to legal@industrydive.com.