Supply chain security is becoming a priority for organizations everywhere. The pandemic exposed the need for more secure and resilient supply chain operations. As supply chain organizations are accelerating digital transformation, this also makes them more exposed to cyber-attacks.
Since a single attack has a ripple effect, potentially bringing down entire industries, supply chains have become a favourite victim for cyber attackers. Keep reading to learn why supply chain security is critical for organizations across industries and what are the main attacks to protect from.
Why does a cyber attack on a supply chain affect the entire business ecosystem?
In December 2020, a massive cyberattack on the SolarWinds network compromised the supply chains of close to 20,000 organizations in the U.S. This included government offices such as the Pentagon and the Department of Homeland Security.
Why are cybercriminals choosing supply chains to carry on attacks? Research, like the Identity Theft Resource Center (ITC) 2020 Data Breach Report states it clearly: because it is a highly effective attack.
“Supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor.” (ITC 2020 Data Breach Report)
So, supply chains offer to cybercriminals a single point of failure, and multiple attack paths to exploit. Often, attackers look for a smaller organization with fewer or laxer security measures that is part of the supply chain as an entry point. Then get access to the entire network, and the ripple effect means catastrophic consequences.
The chart below shows the rise in supply chain attacks in 2020.
An attack on a supply chain can bring an entire business down. Supply chains are, by nature, an interconnected network of manufacturers, suppliers, importers, etc. By gaining access to a single company, attackers can impact clients, providers, third-party associates, etc. The list is endless.
What are the main security risks in a supply chain?
Supply chain companies are used to manage the risks associated with the trade. The thing is, risks are constantly changing. What was a top concern decades ago can be replaced by a more pressing threat, as new attack vectors.
In the rush to digital transformation, companies adopting new solutions put pressure on the development cycle for faster production and distribution. This may leave vulnerabilities open attackers can exploit to infiltrate.
Since supply chains are deeply interconnected, there are many potential entry points like third-party providers, importers, manufacturers, etc, cybercriminals can use to infiltrate the network and cause damage. Moreover, in a digital world, an attack on a software supply chain may affect thousands of customer companies.
A poor understanding and management of current hazards in your supply chain can cause financial loss, increase costs, and lower your brand value. Here are the top risks supply chain organizations usually face.
1) Third-party suppliers
Your organizations may have a cybersecurity risk management strategy and tools in place, but maybe your key suppliers don’t. Often, larger companies subcontract smaller suppliers, giving them access to their systems to improve operational efficiency. These niche companies offer a great target for cyber attackers: they usually have access to the supply chain network, and their security posture is often immature.
Tier 2 suppliers present another risk. Let’s say you and your suppliers have a tight security system in place, but do you know about your supplier’s suppliers? Lower-tier suppliers with poor security practices can tank an entire organization’s security strategy.
2) Lack of employee awareness
Strong security starts with people. Security education and training are critical for employees, both at your company and across the entire supply chain.
Common practices like bring your own device (BYOD) and the widespread usage of personal mobile devices can leave the tightest supply chain security strategy full of holes if not properly secured.
3) Software vulnerabilities
In the rush to transform digitally, many supply chain and manufacturing organizations are turning to open-source software solutions for their needs. Attacks on open-source code increased over 400% between 2019 and 2020.
While not all these attacks were on supply chain organizations, many of these companies are related to supply chains. That’s one of the reasons software supply chain attacks increased 42% only in the first quarter of 2021 compared to the last quarter of 2020.
What are the cybersecurity issues in supply chain management?
To face this situation, organizations need to up their supply chain security strategy, tools and practices. Still, before running to implement new security policies, is important to understand which are the most common attack vectors you can face attempting to gain access to your organization’s systems and data:
- Stolen SSL: Most companies’ websites are in HTTPS format, which requires SSL/TLS certificates. Attackers steal SSL’s private keys to gain access to the website admin. This can compromise internal communications, and in the case of e-commerce or financial sites, steal personally identifiable data.
- Attacks on the CI/CD pipeline: attackers can infiltrate the CI/CD pipeline to carry on data exfiltration or altering the script to mine cryptocurrency.
- Stealing Git Credentials: Threat actors use social engineering and identity theft techniques to obtain Git credentials. Once they have access to private Git repositories, they can clone it or introduce malicious code.
- Social Engineering: Employees are usually the weakest link in a security strategy. Attackers prey on unsuspected, or overwhelmed staff to click on a malicious link. For example, an attack on the Linux Foundation recently used University of Minnesota researcher’s emails to introduce vulnerabilities in the Linux source code.
Once they access the supply chain network, attackers can conduct data exfiltration, inject malware, ransomware extortion, and other cyber threats, affecting thousands of companies from a single point of entry.
To summarize: supply chain attacks are intensifying as cybercriminals look to exploit the weakest links in supply chains. Managing these risks involves implementing a strong supply chain security strategy across all stakeholders.