Increasing reliance on technology and outsourcing has raised supply chain cyber risk. One recent example of a devastating supply chain cyberattack is the SolarWinds breach, which affected numerous US government agencies and corporations. It serves as a wake-up call for organisations to assess and improve their third-party vendor risk management practices.
What is a supply chain?
A supply chain is an extensive network encompassing an organisation’s processes, from the production stage to delivering the final product to the client.
A supply chain network involves individuals, teams, departments, third-party vendors, companies, and information essential to the smooth operation of an organisation.
What is Supply Chain Cyber Risk?
Supply chain cyber risk refers to vulnerabilities in any of the services between supply and delivery which, if exploited, could compromise an organisation's supply chain data and disrupt its operations.
Major Supply Chain Security Risks
External Vendor Security Risks
A third party is an integral part of your interconnected supply chain: either an entity that directly provides a service or product to your customers, or one that is vital to sustaining the organisation's daily operations.
Third-party vendors within your supply chain could make your organisation an easy target if risk monitoring is not done continuously and in real time.
In the long run, this can lead to the compromise of the targeted organisation.
As per Gartner, digital supply chain risk is classified as a new security threat and falls in the top seven security and risk management trends for 2022.
In the age of digital transformation, this interconnected ecosystem contains many loopholes. Growing connectivity adds more and more entry points for threat actors, any of which can be opened by a software vulnerability or an ignored configuration error.
If the vulnerabilities are not promptly mitigated, digital risks may lead to:
- Security Breaches
- Ransomware attacks
- Intellectual property theft
- Malware infection
Supplier Fraud
Supplier fraud occurs when attackers use social engineering techniques such as vishing or smishing to pose as vendors.
Once the attackers have convinced the user of their authenticity, they may present fabricated billing details and persuade the user to pay, falsely claiming it to be a revised bill.
If the payment goes through, the user becomes a victim of supplier fraud and suffers data loss and substantial financial losses.
Major Cyber Attacks on Supply Chain
The SolarWinds attack was first detected in December 2021. The intrusion was traced back to September 2019, when the attackers installed a digital backdoor, 'Sunburst', into as many as 18,000 SolarWinds customers.
The attack came to light when security researchers discovered that the attackers had inserted a backdoor into updates for SolarWinds' Orion software, which was widely used across the federal government.
As the investigation progressed, it was also found that many victims had already been compromised before SolarWinds shipped the corrupted Orion software.
The United States' largest petroleum pipeline, Colonial Pipeline, was compromised by ransomware in May 2021. Ransomware was elevated overnight to the status of a high-level national security threat, as a single leaked password exposed Colonial Pipeline, culminating in fuel supply disruptions and panic buying.
Threat actors compromised a Mimecast security certificate that authenticated its services to Microsoft 365 Exchange Web Services. Although the impact was limited, around 10% of Mimecast's customers used applications that depended on the compromised certificate.
How do cyber-attacks affect the supply chain?
Cyber attacks that target the supply chain disrupt the flow of services.
Since the supply chain is a closely knit function on which the organisation relies, a cyber attack on any segment of the chain affects the whole organisation, along with the customers and clients associated with that supply chain.
Cyber attacks on the supply chain result in the following:
- Financial damage
- Operational damage
- Reputational damage
How is your organization affected by supply chain risk?
Many organisations still need to equip themselves to deal with cyber risk. Organisations tend to emphasise internal cyber threats and raise awareness of them among their employees.
So, what is more important than being aware of internal cyber risk alone?
A minimum of two tiers exist in every organisation.
1st tier: Suppliers directly associated
2nd tier: Suppliers to tier 1
Generally, organisations focus on assessing and analysing risks for tier 1 suppliers while remaining unaware of tier 2 suppliers.
A question may now arise:
'Despite not being directly involved, why should an organisation be aware of tier 2 suppliers?'
A cyber attack originating from a tier 2 supplier has the same impact on your organisation as one from a tier 1 supplier, because tier 1 and tier 2 suppliers are interdependent.
Therefore, if organisations remain oblivious to the risks tier 2 poses, threat actors can easily disrupt your organisation's supply chain by targeting tier 2 suppliers.
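The tier argument above can be made concrete by walking the supply graph. The following is an added example, not code from the original article: it assumes a constructed customer-to-supplier map and a constructed set of assessed suppliers, derives each supplier's tier by shortest supply path, lists the unassessed suppliers per tier, and shows which tier 1 suppliers a compromised lower-tier supplier would reach.

```python
from collections import deque

# Constructed sample supply graph: customer -> its direct suppliers.
SUPPLIERS = {
    "org":      ["vendor-a", "vendor-b"],
    "vendor-a": ["sub-x", "sub-y"],
    "vendor-b": ["sub-y", "sub-z"],
    "sub-z":    ["sub-w"],
}
# Constructed sample: the only suppliers the organisation has risk-assessed (its tier 1).
ASSESSED = {"vendor-a", "vendor-b"}


def supplier_tiers(graph, root="org"):
    """Breadth-first walk from the organisation; a supplier's tier is its shortest path length."""
    tiers, seen, queue = {}, {root}, deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for supplier in graph.get(node, ()):
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def unassessed_by_tier(graph, assessed, root="org"):
    """Suppliers that feed the organisation but were never assessed, grouped by tier."""
    gaps = {}
    for supplier, tier in supplier_tiers(graph, root).items():
        if supplier not in assessed:
            gaps.setdefault(tier, []).append(supplier)
    return {tier: sorted(names) for tier, names in sorted(gaps.items())}


def affected_tier1(graph, compromised, root="org"):
    """Tier 1 suppliers that depend, directly or transitively, on a compromised supplier."""
    customers = {}  # reverse edges: supplier -> the customers it sells to
    for customer, sups in graph.items():
        for supplier in sups:
            customers.setdefault(supplier, set()).add(customer)
    hit, seen, queue = set(), {compromised}, deque([compromised])
    while queue:
        node = queue.popleft()
        for customer in customers.get(node, ()):
            if customer == root:
                hit.add(node)  # node sells directly to the organisation
            elif customer not in seen:
                seen.add(customer)
                queue.append(customer)
    return hit
```

In the sample graph, a compromise of `sub-y` reaches the organisation through both tier 1 vendors even though `sub-y` was never assessed.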
Cybersecurity Supply Chain Risk Management Best practices
Build a Cybersecurity Mesh Architecture
In a mesh-like architecture, every node is connected to every other node, making all activities in the supply chain interconnected; that is, every participant in the chain is aware of what is happening across the supply chain.
An increase in the number of nodes enhances the quality of the mesh. According to Gartner, by 2024, organisations will reduce the financial impact of security incidents by an average of 90% by employing a cybersecurity mesh architecture that supports multiple technologies in multiple places, encapsulating identities outside the traditional security perimeter.
Implement Zero-Trust Approach
“Never trust, Always verify.”
Every person must authenticate before accessing data, regardless of their position in the enterprise or the supply chain.
Always keep a check on your vendors
Once vendors are admitted into the formal supply chain, an on-site security team must coordinate with them to resolve potential security issues.
For counterfeit or nonconforming vendor products, a "one strike and you're out" policy must be applied.
Only prequalified, accepted vendors may be used to initiate a component purchase.
Parts bought from other vendors should be unpacked, examined, and scanned before they are accepted.
Improve OT transparency
Since the pandemic, remote working has become more prevalent and cyber-attacks linked to operational technology (OT) have risen, leaving enterprises more exposed.
To keep the devices in your supply chain safe, organisations must increase supply chain visibility; greater transparency makes internal flaws more evident and so supports more robust security.
A company’s culture should enable internal and external risk warnings to be shared openly.
Establish a secure boot process
A secure boot process must be devised in which the system boots only after it has verified the authentication codes of the components it is about to run.
A supply chain compromise cannot be undone once it has happened. Implementing cybersecurity supply chain risk management in your organisation will establish proper operational and management workflows, which will in turn be reflected in corporate culture and outlook. By adopting these strategies, an organisation can minimise supply chain disruptions and the consequences that follow from them.