Global supply chains have been exposed to unprecedented risk in recent years. A host of issues, ranging from Brexit and the Suez Canal blockage to the Covid-19 crisis and, most recently, the war in Ukraine, have all caused huge disruption.
But supply chain risk is not limited to the physical sphere. As businesses have grown exponentially thanks to increased digitalisation and reliance on third-party digital products, they have left themselves exposed to a growing cyber threat.
Supply chain attacks are when a company’s data is compromised via the hacking of a third-party supplier with legitimate access to its customers’ systems. Hackers can insert malicious code into trusted hardware or software at the source, compromising the data of its customers – and their customers – in an onward chain.
One of the most devastating examples of a supply chain attack was the 2020 SolarWinds incident, referred to by Microsoft president Brad Smith as the “largest and most sophisticated attack ever”.
In late 2019 the major US IT firm was targeted by hackers – later identified as originating in Russia – who used malicious code to gain access to the sensitive data of many of SolarWinds’ clients, including technology giants Microsoft and Cisco, and the US Department of Homeland Security. In March 2020, SolarWinds began unwittingly sent out software updates to its customers that included the hacked code, which enabled the hackers to access their IT systems and data too.
The breach went undetected for months, with some victims not knowing whether they had been hacked at all. The full extent of the attack is yet to be determined, meaning it could take years to fully secure all of the systems affected.
As companies have accelerated their digitalisation strategies to continue operating and support their staff remotely during the pandemic, so they have become more dependent on third-party software and technology. This, in turn, has increased firms’ attack surface exposure and points of vulnerability.
Supply chain attacks often start due to a mismanagement of critical access points. Known weaknesses in IT management platforms are then exploited, as evidenced by Log4Shell, a critical vulnerability in the logging tool Log4j, which is used by millions of computers worldwide.
Hackers target victims through the key communication channels and software of third-party suppliers to gain access to their customers. A favoured attack method is through hijacked software updates – as in the SolarWinds case – accounting for 60% of software supply chain attacks and disclosures, according to US think tank The Atlantic Council.
“Over the past few years, there has been an increase in next-generation supply chain attacks,” says Ilkka Turunen, field chief technology officer at supply chain security firm Sonatype. “These types of direct attacks involve, for example, malicious actors injecting new vulnerabilities first-hand into open source projects.”
To combat the threat from supply chain attacks, companies should have full visibility of all their third-party relationships and dependencies. That means reducing the number of third-party providers they use, wherever possible, so there are fewer entities they have to monitor.
Of course, this does not guarantee the integrity of their products.
“Regardless of the vendor’s reputation, the product itself might have security gaps,” says Heinrich Smit, deputy chief information security officer at cybersecurity specialists Semperis.
“When working with newer companies, be sure that you can view the company’s product controls. Independent code reviews and application vulnerability reports are very helpful as well, because they evaluate a product both inside the code as well as in situ from a penetrability perspective.”
When assessing third-party suppliers, companies must ensure that they are thoroughly vetted and that their security practices meet the required standards. They also need to put in place a contract with the appropriate clauses to ensure they comply with the necessary regulatory and legislative privacy and security requirements.
Firms also need to analyse emerging third-party risks, as well as monitoring for suspicious activities on their systems and network. They should also only give network and systems access to those third-party vendors and applications that require it to perform their duties, and identify and monitor all access points.
Patching should be carried out on an ongoing basis, by ranking and scheduling updates in order of importance. In addition, organisations should regularly backup their systems to maintain their data. This is in addition to having all necessary cybersecurity protocols in place and complying with the relevant data protection laws and regulations, as well as implementing ongoing staff training and knowledge updates.
Should the worst happen and a breach occur, companies must have a robust incident response and risk management strategy in place, as well as a disaster recovery and business interruption plan to ensure they get back on their feet with minimal disruption to services.
Organisations also need to learn from previous cyber attacks and shore up their vulnerable areas by carrying out internal penetration tests.
One such company that has considered these issues at length is E.ON. The European utility provider, which serves 53 million customers across 30 countries, recognised the need to expand its processes and procedures to protect itself and its customers from potential data loss via its third-party online ecosystem.
“To tackle the issue, E.ON first had to understand the risks it was exposed to,” says Ran Nahmias, co-founder and chief business officer at Cyberpion, whose ecosystem security platform E.ON used to gain full visibility of its vulnerability to cyber attacks.
By discovering and carrying out an inventory of E.ON’s internet-facing assets and the third-party assets it relies on, as well as the chains of vendor relationships, the company was able to understand its total risk exposure and allocate resources accordingly, reducing its exposure to operational disruptions and data loss.
While the complex threat from supply chain attacks remains, businesses that focus on analysing their exposure profile and mitigating the risks they discover give themselves the best chance of outwitting the hackers.