The digitalization of information processes has facilitated the integration of supply chains and has promoted supply-chain visibility. The advent of modern technologies like cloud computing has increased the agility of supply-chain organizations, enabled more reliable planning and speedier collaboration, and lowered operational costs.
The same connectivity that drew supply-chain organizations into these complex digital environments has also spawned many cyber security risks for them. As supply chains have become more connected and more global, supply-chain disruption from a cyber event has become more likely and its implications more severe and widespread. It has also become more challenging to secure the many supply-chain and computing components that represent points of vulnerability.
The integrity of supply-chain systems and data is becoming an increasingly important business consideration when it comes to choosing supply-chain partners. A recent study from Gartner indicated that cyber security risk has become a primary buying consideration for supply-chain executives and that 60% of supply-chain organizations will gauge cyber security risk as a significant factor in conducting transactions and business engagements by 2025. Regulators are also increasingly focusing on cyber security, and companies without robust cyber risk management strategies may face penalties should incidents occur.
“There is an imperative both from a policy landscape, a regulatory landscape and also from a business landscape to do a better job at understanding risks and managing those risks,” said Bob Kolasky, former assistant director at the U.S. Department of Homeland Security’s Cyber and Infrastructure Security Agency and currently a senior vice president at Exiger, a supply-chain software company.
Over two-thirds of business leaders feel that their cyber security risks are increasing, according to a recent survey conducted by Exiger and Stax Consulting, and cyber vulnerabilities now represent the top risk concern for supply-chain managers. Eighty-six percent of supply-chain cyber breaches are financially driven, the Exiger research showed, while 10% represented some form of espionage.
There have been several examples of supply-chain cyber attacks in recent years, including last year, when Microsoft Exchange Server, an email, scheduling, and collaboration platform, was found to have unpatched vulnerabilities, impacting thousands of enterprises directly and millions indirectly and allowing attackers to infiltrate servers and steal data. A similarly unpatched vulnerability in Log4j, a widely used Java logging framework, was discovered in 2021, affecting 93% of enterprise cloud environments. The vulnerability allowed attackers to craft malicious input data that resulted in information leaks.
In December 2020, SolarWinds, a major supplier of enterprise software, was compromised when attackers inserted malicious code into software updates, which were pushed out to users, allowing the attackers to gain access to customer information. That same month, a cyber attack compromised Accellion’s file-sharing software, also allowing the attackers to access sensitive user information.
According to Kolasky, the key first step that organizations can take to protect their supply chains from cyber security threats is to understand the types of risks that adversaries are targeting. “One of the main ways that adversaries can gain access to networks and information is by exploiting vulnerabilities in the attack surface,” he said. An “attack surface,” according to the Computer Security Resource Center, is “the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from.”
“Minimizing the attack surface is crucial to protecting organizations from cyber supply-chain attacks,” said Kolasky. “By understanding the attack surface, organizations can work to patch vulnerabilities that an attacker could exploit which present an undue risk to the system, making it more difficult for adversaries to find a way in.”
Several techniques can be put to use to reduce a system’s attack surface. One is to examine network usage reports and lock down areas where unauthorized or unusual traffic is found. Another is to enforce password best practices, including, crucially, ensuring that employees who have left an organization no longer hold working access credentials.
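The offboarding check described above, written out as an added example that is not code from the article or from Exiger: it cross-references an identity-provider account export against an HR departure list and flags accounts that are still enabled after a person has left, as well as enabled accounts that nobody has used for a long time (a second kind of stale credential that widens the attack surface). The record formats, field names and sample data are assumptions made for this illustration, not any vendor's export format.

```python
"""Offboarding and dormant-account review (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    """One row of an assumed identity-provider export."""
    username: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never been used


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def review_accounts(accounts: List[Account],
                    departures: Dict[str, date],
                    today: date,
                    dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return stale-credential findings, sorted by username.

    departures maps a username to the date the person left the organization.
    An account is flagged when it is still enabled after that date, when it is
    enabled but has never been used, or when it is enabled and its last login
    is older than dormant_after.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already off the attack surface
        left_on = departures.get(acct.username)
        if left_on is not None:
            days = (today - left_on).days
            findings.append(Finding(
                acct.username,
                f"still enabled {days} days after departure on {left_on.isoformat()}"))
        elif acct.last_login is None:
            findings.append(Finding(acct.username, "enabled but never used"))
        elif today - acct.last_login > dormant_after:
            idle = (today - acct.last_login).days
            findings.append(Finding(acct.username, f"dormant for {idle} days"))
    return sorted(findings, key=lambda f: f.username)


def sample_review() -> List[Finding]:
    """Run the review over constructed sample data (not real accounts)."""
    today = date(2024, 5, 10)
    accounts = [
        Account("alice", True, date(2024, 5, 1)),    # active, current employee
        Account("bob", True, date(2024, 1, 2)),      # left in February, still enabled
        Account("carol", False, date(2024, 2, 28)),  # left in March, correctly disabled
        Account("dave", True, date(2023, 12, 20)),   # current employee, account dormant
        Account("erin", True, None),                 # provisioned but never used
    ]
    departures = {"bob": date(2024, 2, 15), "carol": date(2024, 3, 1)}
    return review_accounts(accounts, departures, today)


if __name__ == "__main__":
    for finding in sample_review():
        print(f"{finding.username}: {finding.reason}")
```

In practice the account list would come from the directory or identity provider and the departure list from HR; the value of the check lies in running it on a schedule and treating every finding as a ticket, since a departed employee's working credential is exactly the kind of overlooked entry point the article describes.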
A vulnerability that is often overlooked involves the hosting on systems of excessive and unneeded third-party apps, which are often risky and represent a potential entry point for bad actors because their source code is widely available. It’s also worth noting that attack surfaces can include physical access points, such as server rooms and data centers, and human vulnerabilities—such as when hackers convince users to share their credentials using social engineering techniques.
Supply-chain organizations should also be aware that attackers, who include criminal gangs as well as adversarial governments, often seek to threaten industrial control systems and related operational technology. Addressing threats to control systems became a priority for the White House in 2021 when President Joe Biden declared that “the degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.”
Those kinds of attacks, Kolasky agreed, “can cause some real harm. Understanding risks introduced into supply chains through industrial control systems in suppliers and service providers is crucial in achieving enhanced cyber security.”
That’s why, he says, it’s important to stay several steps ahead of malicious actors. “Closing vulnerable gaps requires tools that go deep into multiple tiers of suppliers—not just to the third party but also to the fourth, fifth, and further to the end tier, to gauge cyber security risks exposed in vendors and service providers,” Kolasky explained. “This insight, coupled with security controls, incident responses, and security practices, helps to identify and mitigate any issues before they cause too much damage.”