Supply Chain Security: Supply chains and the weakest link
The Covid-19 pandemic has shaped our everyday life over the past two years, but another risk is currently causing companies even more concern. The risk of a ransomware attack, data leak or IT failure is currently rated as more dangerous than the risk of business interruption, natural disasters or the Covid-19 pandemic.
Cyber risks are the biggest threat to companies in 2022, at least according to the 2,600 company representatives worldwide surveyed for the annual Allianz Risk Barometer. This is certainly connected to the rapid increase in successful cyber attacks in recent years.
The majority of these attacks are no longer aimed only at the targeted company itself, but increasingly reach it through the supply chain. The best-known recent examples of this type of indirect cyber attack were the hack of the software company Solarwinds in 2020 and the disclosure of the vulnerability in the log4j framework, which prompted the BSI to classify the cyber threat situation as extremely critical.
These supply chain attacks are a combination of at least two attacks: the first attack usually targets a supplier, which is then used as a springboard to penetrate the systems of the actual target. According to Accenture's State of Cybersecurity Report 2021, indirect attacks now dominate the threat landscape. For example, the share of successful indirect attacks increased by 17 percent to 61 percent from 2020 to 2021. One reason for the increase is the expansion of global supply chains in the course of globalization, which has enormously increased the attack surface and turned individual IT service providers into the gateway for thousands of organizations worldwide. Cybercriminals are increasingly taking advantage of this by launching organized attacks on suppliers in order to get from there into the systems of the target companies, some of which are much better protected.
In the attack on the network management software company Solarwinds in 2020, the attackers were able to inject malware into its software product "Orion" and thus enter the systems of potentially 18,000 Orion users, including American government agencies. This prospect of easy scaling is a further incentive that explains the growing attractiveness of this type of attack.
In principle, all sectors are affected, but especially industries that rely on a large supply chain or that have very high protection requirements, such as the defense sector or the financial industry. In a study, the European Union Agency for Network and Information Security (ENISA) showed how serious the gap in cybersecurity capabilities between suppliers and their customers is: in 66 percent of the analyzed supply chain attacks, the suppliers did not know how they had been attacked, while this was the case for only nine percent of the attacked customers.
To protect against indirect attacks, it is therefore no longer sufficient for companies to focus only on their own systems. To prevent attacks along the entire value chain, suppliers and other process participants across the whole ecosystem must now be considered as well. Companies should use a three-stage approach of transparency, specifications and testing.
In the first stage, companies should gain clarity about their own supply chain by identifying its individual components. This applies not only to suppliers in the classic sense, such as a brake manufacturer for an automotive company, but above all to IT providers. It is important to find out which connections exist with the suppliers: which IT assets and data can they access, and in which context? In addition, a company must get an overview of which IT is used internally and where, so that it can react quickly to a hack or a vulnerability. Log4j is a case in point: after the vulnerability was announced, many companies had difficulty determining quickly and comprehensively whether and where they were using technology that includes log4j.
In the second stage, the company must develop specifications covering the cybersecurity of its suppliers as well as the type of access and data exchange. For this, it needs risk criteria that are adapted to the different types of supplier relationships and that also take into account special categories such as critical software dependencies or single points of failure (SPoF). These requirements should be laid down in binding form in order to guarantee compliance with the required level of cybersecurity.
Finally, compliance with the standards must be verified. Here, a company should not rely solely on the self-assessment of its suppliers, but should obtain a reliable picture by means of its own audits or external auditors. In addition, when monitoring the risk and threat landscape, the company should broaden its view and always include potential risks to its supply chain.
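The three stages above can be backed by a simple supply-chain register. The following is an added example (not Accenture's or the author's code); the components, suppliers, audit dates and policy thresholds are constructed, and the "fixed version" passed to the inventory check is assumed rather than taken from the article.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory (stage 1, transparency): deployed components, their
# version, the supplier that ships them, and whether they are business-critical.
COMPONENTS = [
    {"name": "log4j-core", "version": "2.14.1", "supplier": "LibVendor", "critical": True},
    {"name": "log4j-core", "version": "2.17.1", "supplier": "LibVendor", "critical": True},
    {"name": "netmon-agent", "version": "5.3.0", "supplier": "NetMgmtCo", "critical": True},
    {"name": "tls-lib", "version": "3.0.2", "supplier": "CryptoA", "critical": True},
    {"name": "tls-lib", "version": "3.0.2", "supplier": "CryptoB", "critical": True},
    {"name": "pdf-tool", "version": "1.2.0", "supplier": "DocSoft", "critical": False},
]

# Constructed supplier register: the access each supplier holds into our IT
# and the date of its last audit.
SUPPLIERS = {
    "LibVendor": {"access": "none", "last_audit": date(2021, 11, 1)},
    "NetMgmtCo": {"access": "admin", "last_audit": date(2020, 3, 15)},
    "CryptoA": {"access": "read", "last_audit": date(2021, 6, 1)},
    "CryptoB": {"access": "read", "last_audit": date(2022, 1, 10)},
    "DocSoft": {"access": "read", "last_audit": date(2019, 1, 10)},
}

# Constructed policy (stage 2, specifications): maximum audit age in days,
# graded by the access level the supplier relationship involves.
MAX_AUDIT_AGE_DAYS = {"admin": 365, "read": 730, "none": 1095}

def version_key(v):
    """'2.14.1' -> (2, 14, 1); a '-suffix' such as '-beta9' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def affected_components(name, fixed_version):
    """Stage 1: every deployment of `name` older than the version that fixes a bug."""
    return [c for c in COMPONENTS
            if c["name"] == name and version_key(c["version"]) < version_key(fixed_version)]

def single_points_of_failure():
    """Stage 2: critical components that only one supplier can deliver."""
    sources = defaultdict(set)
    for c in COMPONENTS:
        if c["critical"]:
            sources[c["name"]].add(c["supplier"])
    return sorted(n for n, s in sources.items() if len(s) == 1)

def overdue_audits(today_iso):
    """Stage 3: suppliers whose last audit is older than their access level allows."""
    today = date.fromisoformat(today_iso)
    return sorted(s for s, r in SUPPLIERS.items()
                  if (today - r["last_audit"]).days > MAX_AUDIT_AGE_DAYS[r["access"]])
```

Running `affected_components("log4j-core", "2.15.0")` answers the "where do we run it?" question from the log4j case, while the other two functions surface the SPoF and overdue-audit findings the specification and testing stages are meant to produce.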
The fact that many companies still have some catching up to do when it comes to supply chain security is underlined by a survey by the company BlueVoyant: less than 25 percent of the companies surveyed stated that they monitor their entire supply chain, and only 32 percent check the cybersecurity level of their suppliers at regular intervals.
Industry standards and regulations can also raise the level of security in sectors that have not yet achieved a sufficient level on their own. An example of effective industry cooperation is the Trusted Information Security Assessment Exchange (TISAX) of the Association of the Automotive Industry, which serves as a mechanism for exchanging assessment results based on an industry-specific standard. Car manufacturers and their service providers can be assessed by a recognized TISAX assessor with regard to the secure handling of confidential information and data protection. The assessment result is then shared with other TISAX participants. The aim is to establish objective evaluation criteria in order to create transparency about the cybersecurity maturity of service providers and suppliers within the automotive industry.
Despite these initiatives, however, indirect attacks will continue to ensure that cyber risks do not disappear from everyday business. The reason is that, according to ENISA, a growing number of indirect attacks are classified as advanced persistent threats (APTs). APTs are complex, targeted and effective attacks that require considerable effort and resources. These attacks are therefore often attributed to state-sponsored or otherwise well-funded hacker groups. Such groups exploit the characteristics of indirect attacks described above in order to reach their heavily protected targets, such as nation states, public authorities or defense companies. They also do not shy away from possible collateral damage.
So when it comes to protecting the ecosystem, cooperation is the order of the day. Companies, service providers and suppliers must work closely together across industry boundaries to define a coordinated security strategy along the value chain. Because in supply chain security, too, the saying still applies: a chain is only as strong as its weakest link.
* Thomas Schumacher is Head of IT Security at Accenture.