In recent years, the supply chain has become a prime target for cyber attackers. Cyber-attacks on the supply chain seek to hit a company by targeting one of its suppliers or subcontractors. These attacks, which exploit the relationships of trust and technological interdependence that exist between different entities, are increasingly feared.
What are the main IT risks affecting the supply chain? How can supply chain security be improved through better risk management? What are the current recommendations for supply chain cybersecurity? Let's explore one of the major trends in cybersecurity.
Why is cybersecurity so important for the supply chain?
Digitization of the supply chain and the rise of IT risks
Already well underway, the digitization of the supply chain has accelerated with the Covid-19 crisis. The aim of this digital transformation is to optimize the entire supply chain, in particular by streamlining the flow of information. For example, interconnection between the various players in the supply chain means that data can be shared in real time, enabling production and inventories to be adjusted as closely as possible to demand.
This digitalization and interconnection between different players brings to the forefront issues of IT risk management and data protection. In this context of interconnected systems, the exploitation of a single vulnerability in one of the players can affect the other links in the supply chain, with serious consequences (financial losses, loss of confidence, etc.).
Inadequacy of traditional cybersecurity measures
While traditional IT security measures (antivirus, firewall, intrusion detection systems, etc.) remain essential, they are not sufficient to deal with the cyber risks inherent in modern supply chains, which are highly digitized and have many points of entry.
In addition, these security measures generally focus on known threats, as part of a reactive rather than proactive approach. As a result, they are not very effective against sophisticated attacks such as "Zero-Day" attacks, fileless malware or polymorphic malware. Securing the supply chain will require new approaches.
Supply chain data protection issues
Data is at the heart of the supply chain. In particular, it helps to keep activities running smoothly, meet deadlines, optimize costs and improve productivity. Cyber threats to the supply chain can cause different types of data breaches:
- Inaccessibility of certain data that can disrupt or interrupt business operations
- Data corruption affecting forecasts and production volumes
- Theft of sensitive data as part of an industrial espionage operation
- Theft of customer data affecting the company's reputation
Threats and vulnerabilities facing the supply chain
IT risks linked to technological interdependence and third-party suppliers
While this digitization of the supply chain offers companies interesting results in terms of process optimization and customer satisfaction, it also has its downsides when it comes to cybersecurity. This situation is forcing IT teams to integrate more and more third-party components and interconnect parts of their information systems with other supply chain players (and thus provide them with access, for example). This multiplies vulnerabilities and makes the information system more difficult to control.
Supply chains often involve several third-party suppliers whose technological approaches and cyber maturity levels can be very heterogeneous. It becomes very difficult to provide a common level of security to the various players when each third-party supplier has its own security tools and processes.
Software supply chain risks
Attacks on software are particularly attractive to cybercriminals. All they need to do is exploit a vulnerability to potentially affect hundreds or even thousands of customers using the software in question. By gaining access to areas that are usually difficult to access, attackers can carry out more advanced operations: spreading malware, stealing data, and so on. According to Gartner, by 2025, 45% of organizations worldwide will have suffered an attack on their software supply chain (a figure that will be 3 times higher than in 2021).
Examples of cyber attacks on the supply chain
SolarWinds (2020): data breach by exploiting a software update
During their operation, the attackers injected malicious code (a piece of malware called "Sunburst") into a legitimate update of the Orion IT management software, developed by the SolarWinds company. The malware provided a backdoor for the attackers, enabling them to access the IS and data of organizations that had downloaded the legitimate update (over 18,000 customers). Orion users included major corporations (including Microsoft) and several US State Departments.
Kaseya (2021): ransomware exploiting a "Zero-Day" flaw
In July 2021, a group of cyber attackers targeted the VSA software. Published by Kaseya, VSA is remote IT asset management software. The cyber attackers exploited a Zero-Day vulnerability to infect the VSA software with ransomware. The ransomware then spread to the machines of Kaseya customers. More than 1,000 companies were affected.
Best practices and recommendations for supply chain cybersecurity
Adopt the principle of least privilege
Supply chain vulnerabilities are strongly linked to the number of entry points into information systems (remote access, cloud platforms, delegated management of IT infrastructures, etc.), and to the difficulty of clearly identifying and listing all these entry points. Mapping your information systems can help.
In addition, some organizations assign too many access and authorization rights to their employees, partners and suppliers. This situation facilitates attacks on the supply chain. A policy of least privilege is highly recommended instead: everyone has only the authorizations they need to carry out their tasks.
Network security: opt for segmentation
The various players in a supply chain do not necessarily need access to a partner organization's entire network. To limit risk, one best practice is to segment the network, dividing it into different zones, each reserved for different activities. In this way, if one part of the network is compromised in a cyber attack, the rest of the network remains adequately protected.
Risk management: thinking about interdependencies between systems
Traditional risk management identifies individual critical assets and protects them in isolation. This approach is no longer satisfactory, given the many layers and interconnections within information systems. This is particularly true in the case of supply chain information systems, which integrate numerous interrelated technological solutions, connected to the solutions of suppliers, service providers and subcontractors. This is a point highlighted by Wavestone in its white paper "Supply chain x Cybersecurity", published in February 2022.
Instead, we need to list the relationships between the various assets and identify the risks arising from these interdependencies. Here again, IS mapping can help to better identify interdependencies, risks and cascading failures. Setting up a business continuity plan and planning the incident response in advance will leave organizations better prepared for possible security incidents and better able to respond to them.
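To make the difference between isolated and interdependency-aware risk analysis concrete, here is an added example (not taken from the article or from any vendor tool) that walks a small, constructed asset map and computes which assets fail in cascade when a third party is compromised. All asset names and the dependency map are hypothetical.

```python
from collections import deque

# Constructed sample IS map (hypothetical names): asset -> assets it depends on.
DEPENDS_ON = {
    "order-portal": ["erp", "carrier-api"],
    "erp": ["supplier-edi-gateway", "identity-provider"],
    "warehouse-wms": ["erp", "iot-scanner-vendor"],
    "forecasting": ["erp", "warehouse-wms"],
    "carrier-api": [],
    "supplier-edi-gateway": [],
    "identity-provider": [],
    "iot-scanner-vendor": [],
}
# Assets operated by suppliers or subcontractors (assumption for this sample).
THIRD_PARTY = {"carrier-api", "supplier-edi-gateway", "iot-scanner-vendor"}

def dependents(graph):
    """Invert the map: asset -> set of assets that rely on it directly."""
    rev = {asset: set() for asset in graph}
    for asset, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(asset)
    return rev

def blast_radius(graph, failed):
    """Every asset that directly or transitively relies on the failed one."""
    rev = dependents(graph)
    seen, queue = set(), deque([failed])
    while queue:
        node = queue.popleft()
        for nxt in rev.get(node, ()):
            if nxt not in seen and nxt != failed:  # also safe on cyclic maps
                seen.add(nxt)
                queue.append(nxt)
    return seen

def hidden_exposure(graph, failed):
    """Assets an asset-by-asset review misses: transitive minus direct."""
    return blast_radius(graph, failed) - dependents(graph).get(failed, set())

def rank_third_parties(graph, third_party):
    """Third parties ordered by the number of assets they can take down."""
    scores = {tp: len(blast_radius(graph, tp)) for tp in third_party}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for name, count in rank_third_parties(DEPENDS_ON, THIRD_PARTY):
        print(f"{name}: {count} affected, "
              f"hidden: {sorted(hidden_exposure(DEPENDS_ON, name))}")
```

In this sample, the EDI gateway has a single direct dependent, yet its compromise reaches four assets. That gap is what an interdependency map surfaces and an isolated review does not.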
Developing human-centered cybersecurity
While a supply chain cybersecurity strategy is based on the right technological choices, it must also take human behavior into account. As users, humans interact with systems and can contribute to the robustness and resilience of infrastructures. Behavioral analysis, for example, makes it easier to identify risks in a given context, before they become real security incidents.
Making supply chain teams aware of cyber risks (when choosing business equipment, for example) and training them in good IS usage practices is also crucial to making supply chain security a shared responsibility.
What impact do cyber attacks have on the supply chain?
Today, cyber-attacks affecting the supply chain can cause lasting disruption to a company's operations. In a context of growing interdependence between the various players in the supply chain, supply chain cybersecurity is set to become a strategic priority. Better identification of threats and their potential impact, better knowledge of the security level of the various supply chain players, and preparation to detect and react to potential incidents are all actions that contribute to improving the resilience of systems. The implementation of the NIS 2 directive will also contribute to improving supply chain security.