A supply chain attack is a cybersecurity threat in which attackers target a vulnerable or less secure element of the supply chain rather than the victim directly. The "weak link in the chain" is often a hardware supplier, software vendor, partner, or another third party that has a trusted relationship with the victim.
For example, instead of trying to break into a target's network directly, attackers might inject malware into a software update for an application used by many organizations. Or firmware might be tampered with at the manufacturer's factory or while a device sits with a distributor or retailer, so that it is already compromised when the customer takes delivery.
Most people expect new hardware and software coming directly from the vendor to be free of malware, and service providers are routinely trusted with elevated physical access and network permissions.
Because of these established relationships, vendor connections frequently bypass the defensive measures applied to outsiders, which makes supply chain attacks hard to defend against.
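As an added example (not from the original article), the following Python script shows the check an installer can apply to a downloaded update before trusting it: compare every delivered file against a manifest of digests pinned from the vendor, and refuse to install on any digest mismatch, unlisted file, or missing file. The vendor name, file names, file contents and manifest format are all constructed for illustration; only the Python standard library is used.

```python
"""Check a downloaded update bundle against a pinned manifest before installing.

Added example (not from the article): the manifest format, vendor name, file
names and contents below are all constructed for illustration. Only the
Python standard library is used.
"""
import hashlib
import hmac
from typing import Dict, List

# Assumption: the operator pinned the vendor's identity when the relationship
# was set up, and fetches the manifest over a channel separate from the bundle.
EXPECTED_PUBLISHER = "example-vendor"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_bundle(manifest: dict, files: Dict[str, bytes], publisher: str) -> List[str]:
    """Return a list of problems; an empty list means the bundle may be installed.

    Three checks, in the order an installer should apply them:
    1. the manifest names the publisher we expect;
    2. every delivered file is listed and its digest matches (constant-time compare);
    3. every listed file was actually delivered.
    """
    problems: List[str] = []
    if manifest.get("publisher") != publisher:
        problems.append(f"unexpected publisher {manifest.get('publisher')!r}")
    expected = manifest.get("files", {})
    for name, data in files.items():
        if name not in expected:
            # An extra file is how a dropper rides along with a legitimate update.
            problems.append(f"{name}: not listed in manifest")
        elif not hmac.compare_digest(sha256_hex(data), expected[name]):
            problems.append(f"{name}: digest mismatch")
    for name in expected:
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing from bundle")
    return problems


# Constructed sample data: the bundle the vendor actually published ...
CLEAN_BUNDLE: Dict[str, bytes] = {
    "agent.exe": b"MZ...legitimate agent build 4.2.1...",
    "config.ini": b"[agent]\nupdate_host=updates.example-vendor.test\n",
}
# ... and the manifest pinned from it. In real use the digests come from the
# vendor's out-of-band manifest, not from the bundle being checked.
MANIFEST = {
    "publisher": EXPECTED_PUBLISHER,
    "files": {name: sha256_hex(data) for name, data in CLEAN_BUNDLE.items()},
}

# Constructed: the same bundle after tampering in transit. One file has had a
# payload appended and an unlisted loader has been added alongside it.
TAMPERED_BUNDLE: Dict[str, bytes] = dict(CLEAN_BUNDLE)
TAMPERED_BUNDLE["agent.exe"] = CLEAN_BUNDLE["agent.exe"] + b"<injected stage-1 loader>"
TAMPERED_BUNDLE["helper.dll"] = b"MZ...unlisted dropper..."


if __name__ == "__main__":
    for label, bundle in (("clean", CLEAN_BUNDLE), ("tampered", TAMPERED_BUNDLE)):
        problems = verify_bundle(MANIFEST, bundle, EXPECTED_PUBLISHER)
        print(f"{label}: {'OK to install' if not problems else 'REJECT'}")
        for p in problems:
            print("  -", p)
```

The caveat a practitioner should keep in mind: a digest or signature check only proves that the bundle is the one the publisher released. If the attacker has compromised the vendor's own build or signing pipeline, the malicious update will pass this check, so the manifest should come from a source the installer trusts independently of the download, and vendor assessment (covered below) remains necessary alongside the technical check.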
Supply Chain Attack Analogy
Imagine a supply chain for the delicious french fries you enjoy at your favorite fast-food restaurant. There are many steps involved between getting the raw food on the farm to finished product on the table.
- Farmers grow the potatoes
- A shipping company takes these potatoes to a factory
- After being cut up into a uniform shape, the fries are packaged
- A refrigerated truck delivers the fries to the restaurant
- The restaurant deep-fries the tasty treat for you to enjoy
Let’s say you notice that something has gone very wrong with your french fries. They taste terrible! It’s possible that at any stage in this fictional supply chain, your food could have been exposed to a foul-tasting substance that ended up in your mouth. The contamination might have occurred with a different ingredient as well. For example, the oil used to deep fry your food might have gone bad.
The same is true in IT. Your PC contains many components produced by different manufacturers, you rely on multiple vendors for IT services, and your smartphone or computer may carry dozens of preloaded applications and services before it is delivered to you. If any of these is compromised at any stage of the supply chain, you can fall victim to a supply chain attack.
Supply Chain Attack Examples
The following are prominent examples of supply chain attacks:
- NotPetya: in June 2017, attackers planted a backdoored update for the Ukrainian accounting software M.E.Doc (MeDoc) in the vendor's update channel. When the update rolled out, it launched the NotPetya outbreak, which spread from Ukrainian networks to multinational companies around the world.
- Phones shipped with pre-installed malware: roughly 5 million Android smartphones in Asia were found carrying the RottenSys malware, implanted somewhere in the supply chain between 2016 and 2018.
- CCleaner update backdoor: in 2017, researchers found that attackers had inserted a backdoor into a release of the popular CCleaner utility and shipped it through the vendor's normal update channel. The tainted build carried a valid code-signing signature, so a signature check alone would not have flagged it; the backdoor was discovered and the release withdrawn before the attackers could do more damage.
- Target breached through its HVAC vendor: Target stores were compromised in 2013 after network credentials were stolen from a heating and air-conditioning vendor that had been granted access to Target's network.
- Home Depot breach: the 2014 compromise of the home improvement retailer's self-checkout systems was traced to network credentials stolen from a trusted supplier.
- [24]7.ai chat service malware hits Delta, Sears, Best Buy: some of the biggest brands in America had customer data compromised through a third-party chat service provider that had access to the companies' websites, exposing the details of more than 100K customer payment cards.
Mitigating The Risk Of Supply Chain Attacks
In a 2019 survey, IT professionals cited the misuse or unauthorized sharing of confidential data by third parties as their second-biggest concern. Here are six ways to reduce the risk of supply chain attacks.
1. Evaluate The Risk Of Third Parties
Organizations should require suppliers to comply with the cybersecurity regulations and standards that apply to the data they handle, asking vendors for self-assessments or independent audits and, where appropriate, making cyber insurance compulsory. Evaluating every third party that has access to sensitive data, not just the largest ones, significantly reduces the likelihood of a breach originating upstream.
2. Limit Users’ Ability to Install Shadow IT (Unapproved Software)
IT departments usually maintain a list of approved software, but individual employees often install unapproved programs such as file-sharing tools to help them do their jobs. This is known as shadow IT.
By reducing the number of users who are authorized to install third-party software on company devices, organizations shrink their attack surface: every unvetted application or component embedded in a device or product is another supplier whose security the organization has never checked.
3. Include Appropriate Termination Clauses In Vendor Contracts
Organizations should decide in advance what happens to sensitive data held by a supplier when the contract ends, whether it is returned, deleted, or retained under specific conditions, and write that requirement into every vendor contract.
4. Review Access To Sensitive Data
An organization needs to know exactly who has access to its sensitive data so that access can be limited to named users for specific purposes. Third parties should be required to disclose the same information for their own staff and systems.
5. Secure IoT Devices
IoT devices frequently ship with weak default security and are slow to receive patches, so extra precautions are needed to secure them. For example, a smart manufacturing tool may automatically send diagnostics to its manufacturer for predictive maintenance. That can be a valuable service, but it creates a standing connection to a third party that must be inventoried, segmented from the rest of the network, and monitored.
6. Continually Monitor And Review Cybersecurity
Attackers continually adapt their techniques to exploit new weaknesses in organizations. To reduce the chances of a supply chain attack, the cybersecurity policies of both the organization and its vendors must be assessed and refreshed on an ongoing basis.