
Supply chain attacks – when hackers breach suppliers to move laterally into their clients’ IT rather than targeting the client companies directly – are nothing new. In 2013, hackers breached the formidable cyber defenses of mega-retailer Target by first breaching a small HVAC provider, learning its login credentials to Target’s system, then bypassing the security measures en route to costing Target over $300 million. Supply chain attacks may be a familiar threat, but it’s one that’s evolving at a breakneck pace…with sinister implications for the entire cybersecurity community.
After increasing steadily for years, supply chain attacks tripled in 2021. The pandemic explains some of that uptick as hackers exploited the widespread disruption in any and every way possible. But supply chain attackers have also adopted a potent new tactic: breaching software developers and hiding malicious code in their products to infect anyone who uses them. Hackers used this technique (known as software supply chain attacks) in the now infamous SolarWinds attack, as well as Log4J, Kaseya, and others, all of which occurred in 2021. And they will continue to launch supply chain attacks of all kinds for the simple reason that these attacks have proven successful, lucrative, and extremely hard to stop.
Hard but not impossible. The UK’s National Cyber Security Centre (which I have highlighted previously for their impressive efforts) recently issued guidance to help organizations harden themselves against supply chain attacks. At this point, most organizations have at least basic cybersecurity protections in place, but too many never check the protections their suppliers have in place and leave themselves vulnerable to attacks as a result. Consider that good news, though, because it means that supply chain attacks are neither impossible, expensive, nor especially complicated to prevent. It’s more about due diligence upfront than being on guard 24/7, and the biggest investment is time rather than money. That’s not to say that defending against supply chain attacks is easy, but rather to emphasize that anyone has the means to get more resilient. Plus, there’s a clear five-step roadmap to follow courtesy of the NCSC. Here’s a quick outline:
- Preliminary Actions – Before doing anything else, it’s vital to understand (in-depth) the importance of supply chain security and all the potential consequences for failure. Equally important to understand is how the company quantifies, contextualizes, and manages risk more broadly. Lastly, identify the key stakeholders across departments and the roles that each will play in supply chain security (this isn’t a one-person job).
- Develop an Approach – Start by identifying mission-critical assets and the level of security each takes to protect. Then, develop a framework to assess whether suppliers can deliver that same level of security (or above). Write up contractual clauses to include in every service contract mandating minimum security standards, and create a plan for non-compliance so that security issues can be resolved (or suppliers replaced) as seamlessly as possible.
- Vet New Suppliers – Use the framework to assess whether new suppliers have the required security, and insert the security clauses throughout the contract life-cycle. Key to this effort is educating all staff, especially everyone in procurement, on why and how to make cybersecurity a priority, both when selecting suppliers and when managing ongoing relationships. The people who manage supplier relationships have lots of leverage. They should use it to insist that suppliers take cybersecurity seriously and hold them accountable when they don’t.
- Vet Existing Suppliers – Use the framework to evaluate all existing supplier contracts, considering how each supplier creates risk and mitigates it with specific cyber protections and policies. Start with the biggest or most important suppliers. Negotiate with any supplier found to have inadequate security about resolving the situation. If they’re unwilling or unable to improve security, decide if walking away or making concessions is more appropriate. Vet each existing supplier at least once, but make this an ongoing process in order to understand how supplier security has improved or declined since the previous assessment.
- Constantly Improve – Evaluate how well the framework is working on a continual basis, making adjustments as necessary. The assessment process can be made more efficient and effective over time. Furthermore, it must evolve as supply chains, production demands, and cyber threats evolve as well. Prepare to have an ongoing (and sometimes difficult) conversation with suppliers about where and why their security falls short of standards.
This all sounds sensible enough to me, and I would encourage literally every organization (and individuals too) to follow it in some form. Helpful as this advice may be, however, I feel like the fundamental challenge of stopping supply chain attacks remains: it’s hard to accurately evaluate another company’s cybersecurity. They could have problems they’re not aware of or others they know how to hide. More likely, though, is that suppliers are unwilling to be fully transparent, or else clients don’t have the resources to continually do a thorough assessment. And for that reason, trust will continue to play a big role in supply chains – and attacks, I’m afraid, will continue as well.
#cybersecurity #supplychainattacks #NCSC #Trust #SolarWinds #Log4J
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

