Cyber-attacks are nothing new, and neither is the range of threats targeting organisations. When it comes to supply chain cyber security, however, the picture is less clear-cut: the threat varies depending on whether an organisation is part of the supply chain or an end customer, and even on who the real target actually is.
Over the last few years, we have seen several high-profile attacks which are considered supply chain attacks. Several years ago, I was attending an event run by the security company RSA (which provides encryption services to many governments and large enterprises around the world). On the very day of the event, RSA had experienced a breach: it came through a phishing email sent to only three members of staff, one of whom clicked on the link, leading to a compromise. The real target was actually one of their customers, the defence company Lockheed Martin. This was a very targeted attack.
Other examples over the last few years include the Target attack, where the air conditioning supplier was attacked in order to get into Target, and, more recently, the SolarWinds attack, where the compromised updates were downloaded by around 18,000 customers. However, as a recent report by ENISA (the EU Agency for Cybersecurity) entitled “ENISA Threat Landscape for Supply Chain Attacks” (July 2021) highlights: ‘Not all attacks should be denoted as supply chain cyber security attacks, but due to their nature many of them are potential vectors for new supply chain cyber security attacks in the future.’
As a starting point it is important to understand that ‘Supply chain refers to the ecosystem of processes, people, organisations, and distributors involved in the creation and delivery of a final solution or product.’ This means that there are many ways to analyse attacks on the supply chain ecosystem, all of which provide useful understanding; one such approach is to look at what is being attacked rather than who. This approach responds directly to the ENISA observation quoted above.
Threats specific to supply chain cyber security only
These types of threats can be identified by the fact that very few outside the supply chain will be affected; they include attacks on a supplier, a supplier’s assets, a customer, or a customer’s assets. Services are becoming more specifically personalised through digital transformation, not just for each market sector but for each sub-sector. The digitally transformed services from these software suppliers may not be as tried and tested as previous solutions, because the whole point of digital transformation is that they are agile projects which are continuously developing, testing and adding new services.
As important as digital transformation projects are for so many enterprises, many are still in their infancy when it comes to development methodologies that “bake security in”. Until these project teams have established approaches for building security in and taking vulnerabilities out of the code, we will likely see issues originating from digital transformation projects aimed at providing better services to suppliers and their customers. Some issues in such services are not likely to surface for many years, whereas others will be identified and fixed very quickly.
The strategies for dealing with these types of attacks include good procurement governance; procurement policies, processes and practices; and specifying which practices you expect suppliers to have in place immediately and which can be implemented in a phased approach over an agreed period of time.
Different tiers of supply chain cyber security attacks
The supply chain is not a single uniform group of suppliers; there are often several tiered layers, though usually no more than four critical ones. An example of a critical layer might be where a major trucking or shipping company uses particular software for logistics, control or navigation, and a key component of that software is provided by a different supplier. It could be the GPS software, or the artificial intelligence determining the best route to take. This supplier may be in the second or third tier relative to the application provider, and will be one tier further away from the actual customer. Other examples of lower-tier suppliers include providers of code libraries for Application Programming Interfaces (APIs), Wi-Fi libraries for specific platforms, or Bluetooth connection libraries.
As applications make it simpler for customers to connect using many different technologies (Wi-Fi, Wi-Fi Direct, Bluetooth, Near Field Communication (NFC), Zigbee, etc.), and as each of these expands and improves, these and all the other specialist API library providers will be essential and will grow in number. Each of these suppliers is undergoing its own digital transformation to make it easier for customers to use their services through the cloud.
The end result is that a single solution could have tens, if not hundreds, of suppliers of specialist services, some of which will be critical, and a compromise of any of their code could compromise the whole end service. Attacks on these critical supporting suppliers are not as well documented, but around 2015 one wireless networking library provider for the iOS platform had three separate vulnerabilities over a three-month period, each affecting between 1,500 and 5,000 applications and impacting several tens of millions of iOS users.
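The tiers described above can be made concrete by walking an application's lockfile, since each transitive dependency is a supplier one tier further from the customer. The following is an added example, not code from the original article: it parses an npm package-lock.json (lockfileVersion 3, a format the article does not mention and is assumed here for illustration), assigns every package a tier by breadth-first search from the application, follows npm's nearest-node_modules lookup so nested duplicate versions are resolved correctly, and flags entries with weak provenance (fetched from outside the registry, missing an integrity hash, or present in more than one version). The lockfile, package names, versions, URLs and hashes are all constructed for the example.

```python
"""Tier the suppliers behind an application by walking its lockfile."""
import json
from collections import deque
from typing import Dict, List, Optional, Tuple

REGISTRY = "https://registry.npmjs.org/"

# Constructed package-lock.json (lockfileVersion 3) for a hypothetical
# logistics app. Every name, version, URL and hash below is invented.
SAMPLE_LOCK = json.dumps({
    "name": "logistics-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "logistics-app", "version": "1.0.0",
             "dependencies": {"gps-routing": "^2.1.0", "wifi-direct": "~1.4.0"}},
        "node_modules/gps-routing": {
            "version": "2.1.3", "integrity": "sha512-AAAA",
            "resolved": REGISTRY + "gps-routing/-/gps-routing-2.1.3.tgz",
            "dependencies": {"geo-math": "^0.9.0", "ble-link": "^3.0.0"}},
        "node_modules/wifi-direct": {
            "version": "1.4.2", "integrity": "sha512-BBBB",
            "resolved": REGISTRY + "wifi-direct/-/wifi-direct-1.4.2.tgz",
            "dependencies": {"ble-link": "^2.0.0"}},
        "node_modules/ble-link": {
            "version": "3.0.1", "integrity": "sha512-CCCC",
            "resolved": REGISTRY + "ble-link/-/ble-link-3.0.1.tgz"},
        # nested copy: pulled from a git URL with no integrity hash
        "node_modules/wifi-direct/node_modules/ble-link": {
            "version": "2.7.0",
            "resolved": "git+https://git.example.invalid/ble-link.git#deadbeef"},
        "node_modules/geo-math": {
            "version": "0.9.4",
            "resolved": REGISTRY + "geo-math/-/geo-math-0.9.4.tgz"},
    },
})


def resolve(packages: Dict[str, dict], parent: str, dep: str) -> Optional[str]:
    """Lockfile entry npm loads for `dep` required by `parent`.

    npm checks parent/node_modules/<dep> first, then walks up one
    node_modules level at a time until it reaches the top-level tree.
    """
    path = parent
    while True:
        candidate = f"{path}/node_modules/{dep}" if path else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        cut = path.rfind("/node_modules/")
        path = path[:cut] if cut != -1 else ""


def tier_suppliers(lock_json: str) -> Dict[str, int]:
    """Breadth-first walk from the root: tier = shortest hop count to the app."""
    packages = json.loads(lock_json)["packages"]
    tiers = {"": 0}
    queue = deque([""])
    while queue:
        parent = queue.popleft()
        for dep in packages[parent].get("dependencies", {}):
            target = resolve(packages, parent, dep)
            if target is None:
                raise ValueError(f"{dep!r} needed by {parent or 'root'} is not in the lockfile")
            if target not in tiers:
                tiers[target] = tiers[parent] + 1
                queue.append(target)
    return tiers


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; the root path '' stays ''."""
    return path.rsplit("node_modules/", 1)[-1]


def audit(lock_json: str) -> Tuple[Dict[str, int], List[Tuple[str, int, str]]]:
    """Return (tiers, findings); each finding is (package, tier, reason)."""
    packages = json.loads(lock_json)["packages"]
    tiers = tier_suppliers(lock_json)
    findings: List[Tuple[str, int, str]] = []
    versions: Dict[str, set] = {}
    for path, tier in tiers.items():
        if path == "":
            continue
        entry, name = packages[path], package_name(path)
        versions.setdefault(name, set()).add(entry.get("version", "?"))
        resolved = entry.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            findings.append((name, tier, f"fetched outside the expected registry: {resolved or '<none>'}"))
        if "integrity" not in entry:
            findings.append((name, tier, "no integrity hash, so a swapped tarball would go unnoticed"))
    for name, seen in versions.items():
        if len(seen) > 1:  # two copies means two suppliers' code paths to track
            tier = min(t for p, t in tiers.items() if p and package_name(p) == name)
            findings.append((name, tier, f"multiple copies in the tree: {', '.join(sorted(seen))}"))
    return tiers, findings


def tier_counts(tiers: Dict[str, int]) -> Dict[int, int]:
    """How many packages sit at each tier (tier 0 is the application itself)."""
    counts: Dict[int, int] = {}
    for tier in tiers.values():
        counts[tier] = counts.get(tier, 0) + 1
    return counts


if __name__ == "__main__":
    tiers, findings = audit(SAMPLE_LOCK)
    for path, tier in sorted(tiers.items(), key=lambda kv: kv[1]):
        print(f"tier {tier}: {package_name(path) or 'logistics-app (root)'}")
    for name, tier, reason in findings:
        print(f"FINDING tier {tier} {name}: {reason}")
```

On the constructed lockfile the walk finds two tier-1 and three tier-2 suppliers, and the only findings sit at tier 2, which is exactly the layer the article says is least visible to the customer: a second copy of ble-link pulled from a git URL with no hash, and geo-math with no hash at all. Run against a real lockfile, the same script gives the supplier count and tier depth that a procurement or assurance review would ask for.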
Threats common to all users, but where the supply chain is an attractive target
Some threats are common to all users, but when attackers have too big a choice of whom to target, they will often go for the sectors they believe are most likely to pay out, whatever the reasons may be. The types of threats in this category include particular ransomware families targeting particular versions of software and operating systems.
These types of attacks arise from events that affect many organisations at the same time, leaving the attackers to pick and choose whom they target. They may sometimes result from what are called “zero-day” vulnerabilities: flaws so new that the vendor is not yet aware of them, so the time it takes the vendor to produce a security patch gives attackers free rein to exploit them.
Although it is often difficult to be strategic about these types of attacks from a resilience perspective, keeping all your technology up to date with the latest security updates and patches goes a long way to reduce their impact. Further, keeping up with the latest vulnerabilities, regardless of whether a patch is available, is important so that your organisation can at least put other controls in place to limit the impact of such attacks until a patch is available.
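The two decisions in the paragraph above, whether an installed version is inside an advisory's affected range and what to do when no patch exists yet, are easy to get wrong by hand. The following is an added example, not code from the original article: it matches a constructed asset inventory against constructed advisories (the identifiers ADV-0001 and so on are placeholders, not real CVE numbers, and the products and hosts are invented), treats a version below the fixed release as affected, and orders the resulting actions so that assets with no possible vendor fix come first. The `supported` flag on an asset is an assumption standing in for vendor end-of-support, to cover the case of platforms that no longer receive patches.

```python
"""Triage advisories against an asset inventory, including ones without a patch."""
from typing import Dict, List, Optional, Tuple

Advisory = Dict[str, Optional[str]]
Asset = Dict[str, object]


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.2' -> (10, 2, 0): pad to three parts so that 2.1 compares equal to 2.1.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# Constructed advisories. Identifiers are placeholders, not real CVE numbers.
# fixed_in None means the vendor has not yet shipped a patch.
ADVISORIES: List[Advisory] = [
    {"id": "ADV-0001", "product": "fileshare-server", "affected_from": "3.0",
     "fixed_in": "3.4.2", "workaround": "disable the legacy SMBv1 listener"},
    {"id": "ADV-0002", "product": "fileshare-server", "affected_from": "3.0",
     "fixed_in": None, "workaround": "block inbound TCP/445 from untrusted networks"},
    {"id": "ADV-0003", "product": "logistics-client", "affected_from": "2.1",
     "fixed_in": "2.1.9", "workaround": "none known"},
]

# Constructed inventory. `supported` stands in for vendor end-of-support.
INVENTORY: List[Asset] = [
    {"host": "fs01", "product": "fileshare-server", "version": "3.4.2", "supported": True},
    {"host": "fs02", "product": "fileshare-server", "version": "3.2.0", "supported": True},
    {"host": "wh-xp-01", "product": "fileshare-server", "version": "3.1", "supported": False},
    {"host": "lc07", "product": "logistics-client", "version": "2.1.4", "supported": True},
]


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected if affected_from <= version and (no fix yet or version < fixed_in)."""
    v = parse_version(version)
    if v < parse_version(adv["affected_from"]):
        return False
    return adv["fixed_in"] is None or v < parse_version(adv["fixed_in"])


def triage(inventory: List[Asset], advisories: List[Advisory]) -> List[Tuple[int, str, str, str]]:
    """One (priority, host, advisory id, action) per match, most urgent first.

    priority 0: product out of support, a vendor patch will never arrive
    priority 1: patch not yet available, apply the compensating control
    priority 2: patch available, upgrade
    """
    actions = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"] or not is_affected(str(asset["version"]), adv):
                continue
            if not asset["supported"]:
                actions.append((0, str(asset["host"]), adv["id"],
                                "out of support: isolate from untrusted networks and plan replacement"))
            elif adv["fixed_in"] is None:
                actions.append((1, str(asset["host"]), adv["id"], f"no patch yet: {adv['workaround']}"))
            else:
                actions.append((2, str(asset["host"]), adv["id"], f"upgrade to {adv['fixed_in']}"))
    actions.sort()
    return actions


if __name__ == "__main__":
    for priority, host, adv_id, action in triage(INVENTORY, ADVISORIES):
        print(f"P{priority} {host:9} {adv_id}: {action}")
```

Note that fs01 is already on the fixed release for ADV-0001 and so is correctly left alone for it, yet still appears for ADV-0002, where the only option is the compensating control; that second line is the "other controls until a patch is available" case from the paragraph above. The unsupported host is listed first because for it the question is not when to patch but how to contain.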
Threats from common untargeted opportunistic attacks
In the same way that old-style advertising worked, where everyone is a prospective target, there are always many untargeted attacks under way, whether an untargeted phishing email, a probe of your network IP address, a probe of your web server, or a probe of a vulnerable Wi-Fi network. The success rate such attackers work on is anything from less than 1% to maybe 3-4%; they do not know much about who or what they will find, and only have enough information to fit their preferred mode of operation, be it email, internet spiders, or anything else.
Many of these attacks also rely on systems not being updated. Systems without the latest security patches will always present a security issue. However, there are organisations which are still running systems on Windows XP, which stopped receiving mainstream security patches when its extended support ended in 2014. Such systems are often protected by several layers of controls, but despite best intentions a change in network settings can make them reachable from the internet, even when they were never meant to be connected to any internet-connected device.
The best strategy for maintaining resilience against such attacks is not just to follow industry best practices, but also to test and undertake assurance activities, such as vulnerability scanning and penetration testing, that confirm those practices are actually in place.
Resilience practices against supply chain cyber security threats
There are many recommendations in the ENISA report, which also provides detailed analysis of the most significant supply chain attacks in recent years. Overall, if organisations follow risk management best practice, using standards and frameworks with clear business outcomes to be achieved through each project, they should be in a good position to know:
• What assets they have
• What they should protect
• What they should be detecting, and where
• Their response capabilities for different types of attack
• Their recovery capabilities
Having a threat intelligence function in the organisation, as many enterprises are beginning to do, will help ensure that the right teams are prepared before anything hits the fan.