March 14, 2022
Cyber security trends in 2022 - Supply chain attacks are rapidly increasing
In the third blog of this series we discuss the rapid increase in the number of supply chain attacks. In 2022, businesses should consider supply chain security a boardroom priority, and a critical part of every cyber security strategy.

Over the last two years we have seen a steady increase in the number of orchestrated supply chain attacks, with ENISA, the European Union Agency for Cybersecurity, reporting that attacks were expected to rise fourfold from 2020 to 2021. Simultaneously, supply chains are going through a period of digital transformation, with automation increasing efficiencies while also introducing new vulnerabilities to businesses.

The 2020 SolarWinds attack demonstrated the catastrophic, rippling effect of a supply chain attack in full force. SolarWinds is regarded as one of the most significant supply chain attacks in recent years, especially considering the number of affected organisations, which included government agencies and large enterprises. It drew a lot of media attention and prompted a reaction from governments across the world. Unfortunately, this incident is far from unique, and the frequency of supply chain attacks has been progressively rising over previous years. This trend emphasises the necessity for policymakers and the security sector to work together to create, and implement, dedicated preventive measures to combat and minimise the effect of supply chain threats.

In 2022, businesses should consider supply chain security a boardroom priority, and a critical part of every cyber security strategy. Whether you are a business that ships products across the globe, or a professional services firm storing confidential client data, a review of your supply chain risk should be considered a high priority, with a strategic plan put in place to mitigate that risk and to respond to a possible breach.

Impact of supply chain attacks

Supply chain attacks result in disruption to operations, loss of revenue, regulatory fines, and reputational damage, to name a few, but perhaps most significant is the far-reaching effect on most, if not all, customers of the impacted supplier. One attack can leave many organisations vulnerable, which is what makes these attacks so powerful and dangerous to businesses. Supply chain attacks take advantage of highly connected global markets, and the cascading repercussions of a single attack can spread widely. When multiple consumers rely on the same supplier, the implications of a cyber-attack are multiplied, and a large-scale national or even cross-border impact is possible.

What is a supply chain attack?

A supply chain attack typically comprises a series of attacks, in which a supplier is used as a route into a target company. There are four principal areas to consider:

  • Supplier: A company that sells a product or provides a service to another company.
  • Supplier assets: Important components that the Supplier uses to create the product or service.
  • Client (target): The entity that consumes the product or service produced by the supplier.
  • Client (target) assets: Valuable elements owned by the target.

At least two attacks are conducted in a supply chain attack. The attack begins with a supplier, which is then used to attack the client and gain access to its assets. The end client or another supplier might be the target. As a result, for an attack to be categorised as a supply chain attack, it must target both the supplier and the client.

Considering the 2020 SolarWinds attack, while the initial entry point through which attackers gained access to SolarWinds' network is unknown, it is believed that it could have been an exposed server, unpatched software, or a brute force attack. After gaining access, the attackers were able to insert malicious code into the SolarWinds Orion system. This malicious code was then sent out to customers in the form of a SolarWinds software update. Once the malicious code was on the client's machine, it created a backdoor through which the attackers could access and impersonate users of the target organisation.

How can the risk of a supply chain attack be reduced?

Vulnerabilities in the supply chain are notoriously hard to manage; however, recommendations can be broken down into three main categories: risk management, prevention, and mitigation.

Risk management

  • Identify your supplier relationships and measure the risk that each poses to gain a full understanding of your security posture. The NCSC provides a helpful list of scenarios to measure your supply chain against.
  • Keep track of your organisational assets, primarily software and hardware, and identify how each product is supported by its provider. For example, do they patch, and if so, for how long?
  • Have an incident response plan in place so that you can respond quickly if part of your supply chain becomes susceptible to a vulnerability. Make sure that you practice and run through this plan so everyone in the organisation understands their role in the response process.

Prevention

  • Conduct routine security assessments within your supply chain to identify any outstanding vulnerabilities.
  • Perform thorough due diligence on your suppliers during on-boarding. Do they follow and implement international standards for information security such as ISO 27001? Do they follow secure development lifecycle practices?
  • Apply security patches promptly.

Mitigation

  1. User training and awareness programs. Are your users aware of what is normal and what is not? Is there a procedure in place flagging anything suspicious to relevant parties?
  2. Monitor endpoints and traffic to and from your environment to look for unusual or suspicious behaviour. Though this is generic cyber hygiene, with strong monitoring you may be the first to alert your supplier to a possible supply chain compromise.
  3. Follow the principle of ‘least privilege’:
  • What access does this product require?
  • Can it be run in a virtual/docker environment?
  • Does it need administrative privileges?
  • Can the product be segmented off the network?
  • Can firewalls be put in place so that only the IP addresses and ports it requires to function are allowed?
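Mitigation items 2 and 3 above can share a single source of truth: the product's declared, least-privilege network policy. The following added example (not from the original post) assumes a hypothetical vendor agent whose policy and flow records are constructed here; it derives host firewall allow-list rules from that policy and, using the same policy, flags any observed connection the product was never expected to make.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AllowRule:
    """One permitted destination for the product: network, port and protocol."""
    network: object  # ipaddress.IPv4Network or IPv6Network
    port: int
    proto: str

# Constructed least-privilege policy for a hypothetical vendor agent: it is only
# expected to reach the vendor's update service and an internal licence server.
VENDOR_AGENT_POLICY = [
    AllowRule(ipaddress.ip_network("203.0.113.0/24"), 443, "tcp"),  # vendor updates (placeholder range)
    AllowRule(ipaddress.ip_network("10.0.5.10/32"), 8443, "tcp"),   # internal licence server
]

# Constructed flow records from the host running the agent: "src dst dport proto".
SAMPLE_FLOWS = """\
10.0.7.21 203.0.113.45 443 tcp
10.0.7.21 10.0.5.10 8443 tcp
10.0.7.21 198.51.100.9 443 tcp
10.0.7.21 10.0.5.10 22 tcp
10.0.7.21 203.0.113.45 443 udp
"""

def is_allowed(dst, dport, proto, policy):
    """True if the destination, port and protocol match any rule in the policy."""
    addr = ipaddress.ip_address(dst)
    return any(addr in r.network and dport == r.port and proto == r.proto
               for r in policy)

def find_violations(flow_text, policy):
    """Return (dst, dport, proto) for every flow the policy does not permit."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _src, dst, dport, proto = line.split()
        if not is_allowed(dst, int(dport), proto, policy):
            violations.append((dst, int(dport), proto))
    return violations

def render_iptables(policy, chain="VENDOR_AGENT"):
    """Derive host firewall rules from the same policy: explicit allows, then drop."""
    rules = [f"iptables -A {chain} -p {r.proto} -d {r.network} --dport {r.port} -j ACCEPT"
             for r in policy]
    rules.append(f"iptables -A {chain} -j DROP")
    return rules
```

Any connection returned by find_violations is either a policy gap to correct with the supplier or an early signal worth raising with them, as mitigation item 2 suggests.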

The above recommendations are broad and may not be suitable for all suppliers and/or environments. For a robust security strategy, it is recommended that you work with a third-party cyber security supplier to conduct due diligence into your supply chain to identify, and resolve, potential risks.

If you have any questions about this blog, or would like to discuss your supply chain, please contact our defensive services team.
