{"id":14665,"date":"2023-11-17T10:00:00","date_gmt":"2023-11-17T10:00:00","guid":{"rendered":"https:\/\/businessyield.com\/tech\/?p=14665"},"modified":"2023-11-17T11:18:12","modified_gmt":"2023-11-17T11:18:12","slug":"supply-chain-attack-what-it-is-how-to-detect-it","status":"publish","type":"post","link":"https:\/\/businessyield.com\/tech\/cyber-security\/supply-chain-attack-what-it-is-how-to-detect-it\/","title":{"rendered":"Supply Chain Attack: What It Is & How To Detect It","gt_translate_keys":[{"key":"rendered","format":"text"}]},"content":{"rendered":"\n
A\u00a0supply chain attack\u00a0is a\u00a0cyber-attack\u00a0that seeks to damage an organization by targeting less secure elements in the\u00a0supply chain.\u00a0It can occur in any industry, from the financial sector and the oil industry to the government sector.\u00a0It can also happen in software or hardware.<\/p>\n\n\n\n
Cybercriminals typically tamper with the manufacturing or distribution of a product by installing\u00a0malware\u00a0or hardware-based spying components.\u00a0Symantec’s 2019 Internet Security Threat Report states that supply chain attacks increased by 78% in 2018.\u00a0<\/p>\n\n\n\n
A supply chain is a network of individuals and companies who are involved in creating a product and delivering it to the consumer. Links on the chain begin with the producers of the raw materials and end when the van delivers the finished product to the end user. It includes every step that is involved in getting a finished product or service to the customer. <\/p>\n\n\n\n
The steps may include sourcing raw materials, moving them to production, then transporting the finished products to a distribution center or retail store where they may be delivered to the consumer. Entities involved in the supply chain include producers, vendors, warehouses, transportation companies, distribution centers, and retailers.<\/p>\n\n\n\n
The supply chain begins operating when a business receives an order from a customer. Thus, its essential functions include product development, marketing, operations,\u00a0distribution networks, finance, and customer service.<\/p>\n\n\n\n
When supply chain management is effective, it can lower a company’s overall costs and boost its profitability. If one link breaks, it can affect the rest of the chain and can be costly.<\/p>\n\n\n\n
Supply chain management is a crucial process because an optimized supply chain results in lower costs and a more efficient production cycle. Companies seek to improve their supply chains so they can reduce their costs and remain competitive.<\/p>\n\n\n\n
A supply chain attack is a type of cyber attack that targets organizations by focusing on weaker links in an organization’s supply chain. By targeting a weak point in a supply chain, a cyber attack may be more likely to succeed — with attackers taking advantage of the trust that organizations may have in third-party vendors. <\/p>\n\n\n\n
Supply chain attacks could occur in any industry that has contracts with third-party vendors, such as in financial or government sectors. They have been rising in relevance due to new types of attacks and the high status of the targets hit. Because weak links in a supply chain are an easier target for cybercriminals, organizations should be more aware of the security implemented within each step of their supply chain.<\/p>\n\n\n\n
Cybercriminals will use supply chain attacks to tamper with the manufacturing processes of a company either by hardware or software. Malware could be installed at any stage of the supply chain. This cyber attack can also cause either disruptions or outages of an organization’s services.<\/p>\n\n\n\n
Supply chain attacks allow for specific targeting, and the number of victims can grow quickly if the attacked vendor has a lot of customers. They are difficult to detect, as they rely on software that has already been trusted and can be widely distributed. In addition, there is not one dedicated part of an organization that manages third-party vendors, so if a risk comes to one, it’ll get pushed from one team to another.<\/p>\n\n\n\n
The goal is to infiltrate and disrupt a weak point of a system within an organization’s supply chain with the intent to cause harm. One typical way of doing this is by attacking a third-party supplier or vendor connected to the actual target. Attacks are typically made on third parties that are considered to have the weakest\u00a0cybersecurity\u00a0measures by the attacker. <\/p>\n\n\n\n
When the weakest point in the supply chain is identified, the hackers can focus on attacking the main target.<\/p>\n\n\n\n
Supply chain attacks can be either hardware- or software-based attacks. More specifically, they can occur by compromising software build tools, stealing code-signing certificates, shipping specialized code in hardware components or installing malware on a third party’s devices.<\/p>\n\n\n\n
A supply chain attack may begin with an advanced persistent threat (APT) that is used to determine the weakest point in an organization’s supply chain — generally, a third-party vendor or application. Once that weak point is discovered — in a software supply chain attack, for example — malware in the form of\u00a0worms, viruses,\u00a0spyware\u00a0or a\u00a0Trojan horse\u00a0is injected into the system. <\/p>\n\n\n\n
The malware could be used to modify code sources the third party uses and to then gain access to the target’s data.<\/p>\n\n\n\n
These cyber-attacks could occur at any location in the supply chain.<\/p>\n\n\n\n
Supply chain attacks can pose a large risk to organizations today. Organizations affected can include financial and government systems, as well as other industries, such as retail, pharmaceutical, and information technology (IT) systems.<\/p>\n\n\n\n
A large risk that will open an organization up to supply chain attacks is sharing data with third parties, vendors or suppliers. Even though sharing that data in a supply chain may be essential for operation, it also comes with an inherent risk. Likewise, increasing the number of vendors an organization includes in its supply chain increases the number of attack vectors.<\/p>\n\n\n\n
To effectively detect supply chain attacks, an organization should first have a systematic verification process in place for all the possible pathways into a system. An inventory of all the assets and data pathways within a supply chain should be made, which should help in detecting potential security gaps within a system.<\/p>\n\n\n\n
The next step would be to create a threat model of the organization’s environment. The threat models can include assigning assets to adversary categories. The categories can then be rated, which will help in determining how severe a threat of an attack could be. These scores should be continually updated. Assets should be classified from most at risk to least at risk.<\/p>\n\n\n\n
All new updates should be tested as they come out. Tests to detect supply chain attacks should be able to find malware file activity,\u00a0registry keys,\u00a0and mutual exclusion (mutex) files. This process should also be done with automated tools.<\/p>\n\n\n\n
There are several ways a supply chain can be attacked. Theft of a vendor\u2019s credentials can lead to the infiltration of the companies affiliated with the vendor. <\/p>\n\n\n\n
For example, Target was the victim of an attack in 2013. Its\u00a0security measures were breached when one of its third parties’ security credentials was compromised. The credentials typically included login, passwords, and network access to Target\u2019s computer. The vendor\u2019s questionable security practices allowed hackers to gain entry into Target\u2019s system resulting in the theft of 70 million customers\u2019 personally identifiable information.<\/p>\n\n\n\n
The aftermath of the breach led to the CEO\u2019s resignation and enormous costs for the company which topped $200 million.<\/p>\n\n\n\n
The U.S. passed the Comprehensive National Cybersecurity Initiative (CNCI) and the Cyberspace Policy Review, which provide federal funding for the development of multipronged approaches for supply chain risk management (SCRM). Likewise, the U.K. Department for Business, Innovation & Skills (BIS) outlined an effort to protect small and medium-sized enterprises (SMEs) from cyber attacks like supply chain attacks.<\/p>\n\n\n\n
There are also several ways to help prevent supply chain attacks. Some of these processes include the following:<\/p>\n\n\n\n
In addition, one could use the\u00a0Mitre ATT&CK framework, which provides up-to-date cyber threat information to organizations that want stronger cybersecurity strategies.<\/p>\n\n\n\n