How secure is your supply chain?
Supply chain management is no longer about procurement alone. With the rise of supply chain-based attacks, supply chain management, risk management and IT are converging into what is now called supply chain cyber resilience.
Supply chain attacks are on the rise. According to the European Union Agency for Cybersecurity (ENISA), the number of supply chain-based attacks quadrupled in 2021. Cyber criminals look for the quickest and most effective way to compromise a target, and today the weakest link in a company often sits within its own supply chain.
“Supply chain attacks abuse a predefined trust relationship between two organisations,” explains Milad Aslaner, SentinelOne’s Senior Director of Cyber Defence Strategy. “With supply chain-based attacks, cyber criminals are targeting as a first step the suppliers of their target, and later abuse the trust relationship between the two organisations to breach their actual target.”
Technology alone will not solve the risk of supply chain-based attacks. “The supply chain of an enterprise can quickly become the Achilles heel of the security team,” he adds. “That’s why organisations need to look into people, process and technology. You need to train your team to be more cyber aware, have relevant processes and programs in place, and then invest in future-proofing technology that helps you drive efficiency.”
As an enterprise, you might be doing it all right with people readiness, establishing relevant processes and having the required technologies, but still harbour a weak spot around your suppliers. He says: “Cyber supply chain risk management (SCRM) has become critical and it needs to become an integral part of an organisation.”
One of the biggest challenges of supply chain attacks is that they often go unnoticed. While a large company may focus on its main suppliers, there are usually subcontractors and outsourcing partners involved as well. “The problem with supply chain security is that as you broaden the scope of your subcontractors, their outsourced suppliers, etc., you have less and less visibility, understanding and control. This is why a structured and risk-based approach to supply chain is important,” says Aslaner.
This is also one of the reasons that supply chain attacks are so impactful – it takes a long time for organisations to detect these kinds of activities. We live in a world where critical information is often shared as public data. Using a search engine, for example, will bring up information about contractors. RFP documents are sometimes publicly accessible or even leaked. Businesses often share case studies on their websites. “A threat actor could even get information through professional networks such as LinkedIn as many people share their key accomplishments and recent projects. As an example, if I was a vendor manager and I put as a key achievement the successful negotiation with company X, that information could be used by a threat actor,” he adds. “The reconnaissance to find information about suppliers can be pretty easy these days. People love to share information, often not realising how valuable the information can be.”
There are also many different types of supply chain attacks, from malicious code in a supplier's applications to hardware-based infections. One such attack happened on a manufacturing line, where malicious implants were placed onto chipsets before the machines were shipped to a customer. A more common example is malware that is passed on through the supply chain. “Everyone can be impacted. The question is, is that organisation getting impacted because the threat actor is trying to get into their customer base, or are they the main victim?” asks Aslaner. “Ultimately, the majority of supply chain attacks happen because of a pre-existing trust relationship between two companies. Once a supplier is trusted by the company, they often have continuous access.”
Historically, many companies have focused only on their own enterprise environment, but against supply chain attacks this is no longer sufficient. Aslaner believes that organisations need to assume they will be compromised. “It is not a question of if, it is a question of when,” he warns. “This is the mindset that we all need to put ourselves in.”
There is also no such thing as transparency in the supply chain. People often think of their supply chain as the first ring of direct vendors they interact with. But as a supply chain matures, this ring expands to include subcontractors, outsourcers and external service providers.
“We need to think: How do we make it as difficult as possible for an attacker to get in? How do we detect as quickly as possible when they get in? How do we ensure business recovery and continuity as fast as possible?” he asks.
The answer is not only in technology. Technology may be one part of the puzzle, but for supply chain security to work, a company needs to focus on three core elements: people, process and technology.
“If you have a large security budget and you assume that just by buying technology you are secure, you’re wrong. This might be a utopia that will be pitched, but it’s not reality. We need to assume a breach and that’s true for the enterprise environment as well as for the suppliers,” he explains. “In order to be effective about supply chain-based attacks, an organisation needs to understand the specific risks that they are trying to mitigate and then determine what is the best approach for that.”