In the aftershock of the COVID-19 epidemic, we are experiencing large-scale disruption to the global supply chain. There are currently wide disparities in the availability of products. There are critical shortages of some raw materials and components, ranging from lumber and sheet metal to computer chips, which are also causing steep price inflation. Shipping and logistics businesses are dealing with a labor shortage that is making it difficult to get cargo transported, while ports across the world are significantly backlogged with full containers. Supply chains of all types are in jeopardy, especially as the holiday season approaches.
Delays and disruptions are affecting nearly every industry at the moment. This probably isn’t news to you. But what you may not realize is that these supply chain problems also further expose the entire chain to targeted security attacks.
Although this dangerous trend has been worsening in recent months, it was the Colonial Pipeline hacking attack that really caused alarm for international authorities. Though it only disrupted fuel supply to a few states for about a week, the ransomware attack set off a chain reaction of panic buying, gas shortages, and price hikes. This is just one example of how a cyber threat can cause real-life disruptions. And we know that with the increasing digitization of processes in every field, the global supply chain will only become more vulnerable.
What Is a Supply Chain?
Upstream supply chains provide products that enable business operations. Upstream connections include everything from materials and manufacturing supplies, to office supplies, software, and machinery. Yet, the supply chain does not stop with immediate suppliers. Each supplier may also have its own supply chains, creating multiple links in the chain before a product is delivered.
What Causes Supply Chain Delays & Disruptions?
At a high level, upstream supply chain risks include disruptions to the delivery of products and services, as well as cyber-attacks. Currently, we are experiencing disruptions caused by underlying changes in the economy. Last year, when people were locked down at home, there was a surge in consumer purchases, from furniture to gym equipment and electronics. This led to a wave of imports, particularly from China, which has clogged the shipping docks at the ports. It also caused a shortage of container ships and delays in ground transportation. Now, we’re actually seeing the biggest delays since people started measuring shipping delays.
But these factors aren’t the only ones impacting supply continuity. At an increasing rate, supply chain compromises are enabling attackers to insert malware in critical systems and implicit trust zones (ITZs) that enable them to bypass all controls and infect systems that are essential to business continuity.
Why Is This a Critical Time for Supply Chain Security?
Cybercrime, in general, has been on the rise since the beginning of the pandemic. Now, with logjams drawing the attention of everyone in shipping, logistics, and consumer sales, cybercriminals are taking advantage of vulnerabilities all along the supply chain. Cyber attackers are predators who often strike when there is confusion or frenzied activity; in this case, their targeted attacks could create even greater disruptions.
Since 2020, 93% of global enterprises have experienced at least an indirect data breach due to flaws in their supply chains, according to cybersecurity services provider BlueVoyant. It goes on to estimate that there has been a 37% increase in supply chain data breaches just in the past 12 months. Further, the number of entities admitting that they have no way of detecting a data breach in their supply chain is on the rise, says Yahoo Business.
Putting further stress on an industry that was already under pressure, transportation operators have experienced a swarm of ransomware attacks throughout 2021 affecting companies based and operating all over the world. Consequently, there has also been a dramatic increase in network access credentials of various shipping and logistics organizations for sale on the black market.
“Strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year.” – ENISA report, Threat Landscape for Supply Chain Attacks
Cyber-attacks that take advantage of an already disrupted supply chain environment have the potential to cause system downtime, monetary loss, and reputational damage.
What Are Supply Chain Attacks?
In addition to opportunistic threats, there are specialized cyber-attacks that aim to infiltrate a supply chain and cause damage and disruption for multiple companies linked together. The chain of manufacturing that gets a product from the very beginning to the very end of its process includes the raw materials suppliers, manufacturers, and distributors. With all of these different points along the chain, there’s a good chance that a vulnerability exists somewhere that can be exploited and affect anybody else who might be downstream in that chain.
Attackers can break into the supply chain network of an organization operating in virtually any industry. As we are learning, companies in the financial sector, oil industry, and government sectors aren’t exempt from the threat of supply chain attack.
Supply chain attacks don’t just cause interruptions. They can also make their way into the supply chain and infect highly protected systems in customer networks. One of the reasons this works so well is that companies tend to trust what they receive from their suppliers in good faith, not realizing that somewhere up the chain there was an attack that has infected their network.
How Do Attackers Breach the Supply Chain Network?
They gain access by installing a rootkit or inserting malware somewhere in a software vendor supply chain. Sometimes they obtain credentials through vulnerabilities in remote access solutions like RDP, VPN, and others, according to Intel 471. Then, they may successfully compromise the vendor’s network to tamper with firmware, software products or their updates, or with product manufacturing processes.
Once this happens, customer businesses are at risk of installing infected software into highly secure network segments. Often, this is allowed to happen when software products are automatically updated at customer sites without any customer review. That’s why ensuring the software and firmware providers are using reasonable and appropriate controls is the first step in risk mitigation.
How Can a Company Manage the Risk of Supply Chain Attacks?
Because supply chain attacks will continue to be a feature of the threat landscape as we look toward the future, risk management is our most important defense. Here are some of the first-line recommendations for organizations:
- Identifying and documenting suppliers and service providers,
- Monitoring supply chain risks and threats,
- Managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components,
- Classifying assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.
Managing supply chain risks requires understanding all the various risks faced by suppliers and how they are handled. This includes understanding:
- How (or if) governance activities are applied,
- Supplier risk management procedures and residual risk,
- Risk criteria for different types of suppliers and services, such as dependencies, critical software dependencies, single points of failure,
- Whether or not a supplier has adopted and uses a compliance framework,
- If the supplier security is certified by a third party, and
- The extent of the supplier’s plan for disasters and business continuity events.
Not all of these considerations are needed for all suppliers and the depth of assessments depends on the associated risk to the customer organization.
Organizations must also maintain the security of their supply chain management systems. Additionally, they must do everything possible to safeguard the institution’s supply network in order to prevent potential damage from cybercriminals.
In addition to assessing supplier risk, customer organizations must also manage any supply chain malware that might get through. This begins with identifying critical mission or business processes and the trust zones supporting them. An up-to-date inventory is also needed to understand what applications are installed and may be receiving automatic or user-controlled updates. It’s also important to know where those applications reside.
An organization must also perform daily reviews of announced vulnerabilities or malware that may have entered the supply chain. This kind of incident must be included in incident response planning and training. Customer organizations must also know the correct IP addresses and URLs used by vendors for updates. This is because attackers sometimes redirect updates so they can come from malicious servers. All endpoints involved in updates must be monitored and related business function interruptions included in business continuity planning.
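The update-endpoint check described above, as an added example that is not part of the original article: it compares update requests in a proxy log against the hosts and address ranges each vendor documents for updates. The client names, domains, address ranges, and log format are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: update hosts and address ranges documented by each
# (hypothetical) vendor, keyed by the updater client name seen in the log.
VENDOR_ENDPOINTS = {
    "acme-updater": ({"updates.acme.example"}, ["192.0.2.0/24"]),
    "plc-fw-agent": ({"fw.plcvendor.example", "cdn.plcvendor.example"}, ["198.51.100.0/25"]),
}

# Constructed proxy log: timestamp, source host, client, URL, resolved IP.
SAMPLE_LOG = """\
2021-11-02T08:14:03Z ws-114 acme-updater https://updates.acme.example/v3/pkg.bin 192.0.2.10
2021-11-02T08:15:41Z ws-207 acme-updater https://updates.acme-cdn.example/v3/pkg.bin 203.0.113.66
2021-11-02T08:17:09Z hmi-03 plc-fw-agent https://fw.plcvendor.example/fw/2.4.1.img 203.0.113.80
2021-11-02T08:19:55Z hmi-04 plc-fw-agent https://cdn.plcvendor.example/fw/2.4.1.img 198.51.100.200
2021-11-02T08:20:12Z ws-114 browser https://news.example/index.html 203.0.113.5
"""

def check_update_traffic(log_text):
    """Return (source, client, reason) for update requests that leave the allowlist."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # not a record in the assumed five-field format
        _, source, client, url, resolved = fields
        if client not in VENDOR_ENDPOINTS:
            continue  # not a known update client, out of scope for this check
        hosts, networks = VENDOR_ENDPOINTS[client]
        host = (urlsplit(url).hostname or "").lower()
        if host not in hosts:
            findings.append((source, client, f"unexpected update host {host}"))
            continue
        try:
            ip = ipaddress.ip_address(resolved)
        except ValueError:
            findings.append((source, client, f"unparseable address {resolved}"))
            continue
        # A correct hostname that resolves outside the vendor's range is also suspect.
        if not any(ip in ipaddress.ip_network(net) for net in networks):
            findings.append((source, client, f"{host} resolved to {ip}, outside vendor range"))
    return findings

if __name__ == "__main__":
    for finding in check_update_traffic(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

The third and fourth sample records use an approved hostname but resolve outside the documented range, which a hostname-only allowlist would miss.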
Various frameworks exist to assist organizations in managing supply chain risks. These include SOC for Vendor Supply Chains, the SCOR (Supply Chain Operations Reference) model, ISO 28000:2007, ISO 9001, and NIST IR 7622.
What Can Suppliers Do to Increase Security?
The following are recommendations for suppliers:
- Implement good practices for vulnerability and patch management,
- Ensure that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices,
- Track security vulnerabilities reported by internal and external sources such as third-party components.
Audit Your Supply Chain Security with I.S. Partners
Contact our team for more information.