Supply Chain Threats and Vulnerabilities

Supply chain attacks: what are they, and why do they matter to an SME?  Lots of larger companies rely on smaller ones to provide key components that they require in their manufacturing or other processes.  That supply chain is critical to their operations and is therefore required to be robust and secure.  An attacker is constantly looking for weak links in cyber defences that can be exploited for financial gain.  They will look at an SME as such a weak link, expecting the SME to have a lower understanding of the threat and lower expenditure on defence.  They will be looking to piggyback on loopholes in the supplier’s defences to attack their main target.

Manufacturers often use what is known as ‘just in time supply’, i.e. they have an electronic connection to their key suppliers, who are connected up to the company’s inventory and automatically resupply when an item runs low.  It’s efficient and prevents the holding of unnecessary stock.  But it can, if not done correctly, drive a coach and horses through your security.

Cybersecurity, IT governance, and data security will be the number one risks in 2023. Ransomware has been a significant threat in 2022, but the nature of cyberattacks is constantly evolving.

The goal of such attacks is to grab whatever the target has that is of value to the attacker, so it can include infecting legitimate applications in order to distribute malware, accessing IPR (designs, plans, source code, build processes, etc.), stealing inventory, or inserting false invoicing into your system.  In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

An example of such an attack was published by NCSC, which points out that many modern businesses outsource their data to third-party companies which aggregate, store, process, and broker the information, sometimes on behalf of clients in direct competition with one another.

Such sensitive data is not necessarily just about customers, but could also cover business structure, financial health, strategy, and exposure to risk. In the past, firms dealing with high profile mergers and acquisitions have been targeted. In September 2013, several networks belonging to large data aggregators were reported as having been compromised.

A small botnet was observed exfiltrating information from the internal systems of numerous data stores, through an encrypted channel, to a botnet controller on the public Internet. The highest profile victim was a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing, and supply chain management. While the attackers may have been after consumer and business data, fraud experts suggested that information on consumer and business habits and practices was the most valuable.

The victim was a credit bureau for numerous businesses, providing “knowledge-based authentication” for financial transaction requests. This supply chain compromise enabled attackers to access valuable information stored via a third party and potentially commit large scale fraud.

NCSC also cited what is known as a watering hole attack, which works by identifying a website that’s frequented by users within a targeted organisation, or even an entire sector, such as defence, government, or healthcare. That website is then compromised to enable the distribution of malware.

The attacker identifies weaknesses in the main target’s cyber security, then manipulates the watering hole site to deliver malware that will exploit these weaknesses.

The malware may be delivered and installed without the target realising (called a ‘drive-by’ attack), but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains. Typically, the malware will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

Steven A. Melnyk, Professor of Supply Chain Management at Michigan State University said, “The problem with small to medium sized enterprises is that they are in the unique position of having disproportionate access to important information. They are often mission critical suppliers that produce niche products. They are protected by governmental regulations and requirements. However, they generally have the weakest cybersecurity arrangements in terms of size, resources, and expertise. They open up large clients to leapfrog cyber security attacks.”

Melnyk cited the example of a well-respected American chemical company that was hacked through its supply chain. The hackers obtained information about customers and orders, including quotes. They saw details of items that the company – which was renowned for innovation – was getting ready to patent, he revealed. “The hackers altered the master production schedule; they changed due dates, order quantities and order quality levels. Deliveries were compromised. A new supplier then entered the market, with the precise items that the customers wanted, at prices under the current variable costs. This supplier also patented the firm’s innovations.”

The growth of the digital economy and digital supply chain is contributing to the growing cyber security threat, with four billion people predicted to be connected to the Internet daily in 2020.  In 2021 it is estimated that, so far, attacks of this nature have increased globally by around 42%.

There are of course things that you can do to protect yourself and your clients.  There are several technical defences that you can implement.  The problem generally remains that SMEs have a tight budget and no internal resource to combat this issue.

The first thing cyberattackers do after breaching a defence is move laterally throughout the ecosystem in search of privileged accounts.  This is because privileged accounts are the only accounts that can access sensitive resources. When a privileged account is found, sensitive data access is attempted. This predictable attack sequence is known as the Privileged Pathway – it’s the common attack trajectory followed by most cybercriminals.  The trick is to disrupt an attacker’s progression along this pathway so that breach attempts, and therefore supply chain attacks, can be prevented.

An effective Privileged Access Management (PAM) framework will disrupt this common attack trajectory and is highly recommended.

That said, I have always been a great advocate that the biggest ‘quick win’ any company can achieve, at minimum cost, is staff awareness.  Staff are the primary gateways to malicious code injections because they’re usually tricked into permitting cybercriminals access into an ecosystem.

The most common form of trickery is scam emails (or phishing attacks), which I have discussed in previous posts. These emails seem like they’re sent from trustworthy colleagues, but upon interacting with them, malicious code is activated and internal login details are stolen, which in turn could grant criminals access to a system, initiating the hunt for higher privileged accounts.

To prevent such incidents, all staff need to be educated about common cyberattack methods so that they can identify and report breach attempts, rather than falling victim to them.

There is so much more to this subject, and it is a matter for each company to assess how much of a problem they think this is to them.  Understanding the threats to the business, how vulnerable you are to those threats, and therefore what risks you are taking and how severe they are, is key to every element of Cyber Security.  SMEs remain vulnerable because they rarely have any in-house resource to understand those risks and take the right actions to mitigate them.
