Your Supply Chain is Attacking – How Will You Stop Them?

Extended supply chains can represent cybersecurity risks that increase significantly with each and every new supplier. Too often, hardware component manufacturers and software component developers who are not household names feel that they are not a target, and they are less diligent about their security procedures. Or they are simply moving too fast due to business pressures. But once they are compromised, an attacker has an open channel into their customers further up the supply chain.

In this blog, we explore the supply chain as a point of vulnerability, how attacks on the supply chain – be it pieces and parts, software, or even the technology suppliers use as part of their own development or manufacturing process – can affect businesses, and what can be done to mitigate the risk.

Business Pressures Increase Risk

Across industry sectors, the supply networks are large, complex, diverse, and continually evolving. Massive upstream clients can oversee an interconnected supply chain consisting of businesses of all sizes and locations around the world.

In the automotive sector, for example, just-in-time (JIT) manufacturing is essential to keep production moving while keeping on-hand parts inventories low. JIT, however, requires multiple specialist partners to work seamlessly together on short time scales requiring them to share vast amounts of information in near real-time, across multiple connected systems and networks.

Consumer electronics is another area where companies collaborate across networks during manufacture. Today’s smart appliances, media systems, and entertainment devices are complicated pieces of equipment that require specialist components, software, packaging, and logistics suppliers to be deeply embedded into the production process, again requiring close communication and coordination.

Due to the competition these businesses face, there is a constant emphasis on speed and collaboration that can lead to cybersecurity vulnerabilities and breaches, leaving companies higher up the chain exposed to attacks.

The Nature of Supply Chain Attacks

If an attacker infiltrates one of your supply chain partners which is connected to one or more of your networks, your operation could be at risk. Infiltration of a third-party supplier that ends up damaging your business is often known as a supply chain attack, third-party attack, or value chain attack.

There are many examples of these attacks, including:

The 2014 Target hack – In one of the most high-profile supply chain attacks, it is estimated that the attackers accessed data on 40 million credit and debit cards along with the Personally Identifiable Information (PII) of 70 million customers. This attack began with a sophisticated phishing campaign aimed at one of Target’s supplier companies, Fazio Mechanical, a heating, ventilation, and air conditioning (HVAC) business.

Energy sector cyber espionage – In 2014 it was reported that a group of attackers known as Dragonfly had infiltrated a number of industrial control system (ICS) programs. Downstream equipment providers who supplied major energy companies and power grid operators created the software. If it hadn’t been caught, it is feared that the resulting infiltration could have led to spying or even sabotage of the attacked companies.

The Panama and Paradise Papers – These two well-publicized hacks led to the release of millions of third-party client documents. Although praised by many (as they showed evidence of widespread tax avoidance and dubious offshore accounting practices by thousands of companies, celebrities, and politicians), these two attacks also serve as examples of serious supply chain attacks where the vulnerabilities of downstream suppliers left upstream clients exposed.

Lenovo’s supplier software vulnerabilities – For manufacturers of products containing third-party software, cyberthreats extend to these programs as well as to the systems and networks used in their production. As an example, in 2014 laptop manufacturer Lenovo shipped laptops with a piece of software called ‘Visual Discovery’ made by the Chinese company SuperFish pre-installed. It was subsequently found that the program had a critical vulnerability, a so-called keybridging or Man-in-the-Middle (MitM) weakness that could expose private user data. Lenovo had to spend a significant amount of time and resources to fix the software.

Surveys have shown that as many as 56% of businesses in some sectors have suffered some form of third-party data breach and there are reasons to believe that this number could be on the rise as new technology comes online.

The Threats of Innovation

Innovation brings businesses a competitive edge but it can also present new challenges that companies need to solve quickly in order to realize the benefits before their competitors catch up. This view was put forward in 2016 by Unipart Chairman and Group Chief Executive John Neill, who stated:

“… one of the greatest challenges that companies face today is the disruptive and dislocating pace of change that will come from the integration of intelligent technologies such as robotics, artificial intelligence, billions of sensors and massive low cost computing power.”

As industry supply chains further modernize and digitalize, each new technology that is integrated requires more stakeholders to set up, manage, and service the specialized technology, such as:

  • The original equipment manufacturer (OEM)
  • Maintenance personnel
  • Tech support for software upgrades
  • Experts to handle data analysis
  • Third-party IT providers for servers and data storage

The addition of a single new partner to the supply chain, or of new technology or system by an existing supplier, might also result in a large number of extra devices being integrated through cloud-based services and Web-enabled equipment. Each device can represent a vulnerability to be exploited through a malware attack, data hacks, or even botnet attacks.

The pressure to innovate in order to maintain a competitive edge and increase efficiency means that new technologies can often be introduced without being fully tested or certified. In addition, each of the external partners added to a supply ecosystem may connect their own networks of suppliers, partners, and contractors, which can add even more risk and points of vulnerability.

The Multiplying Risk Vector

As explained above, every supplier business that connects to your network represents a risk. If login credentials are stolen through phishing, or if an attacker perpetrates a successful watering hole attack against a supplier business, your network could be subsequently infiltrated.

However, protecting your systems and data from an attack takes more than simply securing the first-level connections with your suppliers. You also need to consider the array of external contractors and businesses with which each of them may collaborate. In some cases, the attack surface can grow exponentially with every new company joining the supply chain.

Today, the scale of this problem is significant. In 2017 breach security company Opus found that only 17% of respondents felt they were highly effective at mitigating third-party risks. In addition, 57% of companies said they didn’t even know exactly who in their supply chain had access to sensitive data, or whether the security policies suppliers had in place were effective.

Now is the time to take a look at the security of your own supply network.

Protecting Your Supply Chain

Every supply chain is different, and there is no one-size-fits-all approach to its security. However, the following steps are designed to apply to the vast majority of companies ready to get a handle on these issues:

  1. Conduct a detailed risk assessment and create an inventory of internal departments and external suppliers who have access to sensitive information or even just your network, and how.
  2. Wherever possible, disconnect the most critical devices (e.g. servers storing sensitive data) from networks that are accessed by third parties. This will significantly limit the impact of any supply chain attack.
  3. Review the internal procedures in place across all relevant departments and business units. Ensure everyone has adequate training, up-to-date devices, clear recommendations on connecting new systems to the network, and the right credentials (with strong passwords) in place to ensure security.
  4. Include security in your standard vetting procedure for new suppliers and insist that they have the same level of security capabilities that you have implemented. And be sure to ask about the security practices of their suppliers.
  5. Develop clear and consistent security guidelines for third parties and roll them out to the entire supply chain, including your suppliers’ suppliers, on down the line. Ensure there are mechanisms both to keep tier 1 suppliers up to date and to ensure they enforce equivalent provisions on tier 2 and beyond. This could involve ensuring they achieve a security certification for example, such as Cyber Essentials or ISO 27001.
  6. Ensure you can detect and contain what appear to be insider threats. Develop your security strategy under the expectation that your perimeter defenses will get breached, such as by someone who has compromised a supplier’s credentials so they can simply log into your network. Implement network security technology that monitors and analyzes network traffic, identifies anomalies and can discern between benign anomalies that generate false positives and the malicious anomalies that represent high-risk threats.
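As an added illustration of how steps 1, 2 and 6 fit together (example code written for this post, not a Lastline product feature), the script below checks constructed access-log lines for third-party supplier accounts against an inventory of what each supplier is approved to reach and a list of hosts that should be isolated from all third parties. The log format, host names, account names and addresses are all assumptions made up for the example.

```python
"""Flag supplier-account activity that falls outside its inventoried scope
(step 1) or touches hosts meant to be isolated from third parties (step 2).
All inventory data and log lines below are constructed for this example."""
import re
from collections import defaultdict

# Constructed inventory: supplier account -> hosts it is approved to reach
SUPPLIER_ACCESS = {
    "hvac-vendor": {"bms-01"},
    "logistics-api": {"edi-gw-01", "edi-gw-02"},
}
# Constructed: hosts no third-party account should ever touch (step 2)
ISOLATED_HOSTS = {"db-cardholder-01", "fileserver-hr"}

# Assumed log line format: "<timestamp> user=<u> src=<ip> dst=<host> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\w+)$"
)

SAMPLE_LOGS = """\
2024-01-10T02:13:00Z user=hvac-vendor src=203.0.113.7 dst=bms-01 result=ok
2024-01-10T02:14:10Z user=hvac-vendor src=203.0.113.7 dst=db-cardholder-01 result=ok
2024-01-10T09:01:00Z user=logistics-api src=198.51.100.9 dst=edi-gw-01 result=ok
2024-01-10T09:05:00Z user=logistics-api src=198.51.100.9 dst=fileserver-hr result=denied
2024-01-10T10:00:00Z user=logistics-api src=198.51.100.9 dst=build-srv-03 result=ok
""".splitlines()

def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(event):
    """Return a finding label, or None when the activity is within scope.
    Denied attempts on isolated hosts are still flagged: the attempt itself
    is the signal that a supplier credential may be misused."""
    user, dst = event["user"], event["dst"]
    if user not in SUPPLIER_ACCESS:
        return None  # internal account; not covered by this check
    if dst in ISOLATED_HOSTS:
        return "critical: third-party account targeted an isolated host"
    if dst not in SUPPLIER_ACCESS[user]:
        return "warning: access outside inventoried scope"
    return None

def review(lines):
    """Group findings by supplier account: {user: [(ts, dst, result, label)]}."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            findings[ev["user"]].append((ev["ts"], ev["dst"], ev["result"], label))
    return dict(findings)
```

Running `review(SAMPLE_LOGS)` reports the hvac-vendor reaching the cardholder database and the logistics account both probing the HR file server and wandering onto a build server; the in-scope logins produce nothing, which is the false-positive discipline step 6 asks for.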

Your supply chain is your business. Ensure yours is protected today.

Most organizations struggle to see and recognize sophisticated cyber threats. Lastline gives you the network visibility and detection to contain these threats before they disrupt your business. Learn more about our network security solutions that security professionals use to ensure they are in control and ready for any attack.

John Love

John Love has been in hi-tech marketing for over 30 years. After spending his first 18 years at Apple, he worked at Logitech and several startups, and has been in security since 2010.