Software Supply Chain Attacks Are Ubiquitous


Posted by Robert Ackerman

A chain is only as strong as its weakest link. It’s an old security adage, and at many companies it holds true in multiple ways. It may hold most of all for corporate supply chains, which are inescapable, number well into the hundreds at most sizable companies and, sad to say, are highly vulnerable.

It’s no surprise supply chains are so common. Enormous numbers of manufacturers, suppliers, integrators and others attract vendors looking to build IT and communications technology products that are cost-effective and can be delivered quickly to business customers located virtually anywhere. But those same vendors also increase the number of companies with access to their products and, as a byproduct, the number of potentially weak links that cybercriminals can try to exploit.

Supply chain attacks started becoming relatively common roughly a decade ago, but they have since become far more pervasive. Last year, supply chain attacks surpassed the number of malware-based attacks by almost 40%, according to the Identity Theft Resource Center, a non-profit organization that provides identity crime victim assistance and annually tallies the number of publicly disclosed cyber breaches. And Astra Security, a cybersecurity software company, says 80 percent of organizations it surveyed last year experienced at least one data breach caused by a third-party vendor.

All kinds of companies are victims, but a huge group of similar government entities that have been attacked less often, yet could easily cause the most harm if victimized more, has begun moving further toward the danger zone. These are infrastructure companies, such as electric and gas utilities, whose faulty security is increasingly ruffling feathers.

“The supply chain is the area where the threats are growing the most for us, but the regulations aren’t targeted to those who are providing the products,” Curley Henry, the Deputy Chief Information Security Officer at Atlanta-based power utility Southern Company, recently told The Wall Street Journal.

The foundation for what is happening now in the supply chain world was laid by the Covid-19 pandemic. It disrupted supply chains around the globe, severely impacting business operations. Companies were forced to adapt and in so doing realized that supply chains need strong end-to-end visibility so that finished products can be delivered in a timely manner. Also increasingly apparent was the need to improve supply chain security: customers want to receive authentic products, free from tampering or counterfeiting.

Today, the pandemic has receded sharply and things have changed again.

Realizing the need to be more nimble, partly because of growing issues with China, corporate supply chain managers have begun focusing on regionalization, that is, production closer to where companies expect to sell their goods. This takes time to develop, however. In the interim, companies have more aggressively begun spreading their base of suppliers around the world, moving away from single-sourcing in an additional bid to make supply chains as resistant to disruption as possible.

Meanwhile, day to day, cybercriminals continue to aggressively attack software supply chains because doing so allows them to compromise hundreds, even thousands, of victims via a single breach, while simultaneously affording them extensive internal access to those victims’ systems. Any breach is damaging, but a supply chain attack is often far worse because it frequently comes with a higher level of access to the network.

Most often, IT supply chain attacks target smaller companies as a path to larger, more valuable targets because it’s more difficult to break directly into larger organizations with more robust security protection.

If successful, the prize is a ticket through the back door of a huge enterprise network and perhaps an entire supply chain. This means that a company’s security no longer depends solely on its own resilience, and that is disheartening. There is also often a cascading effect, as other customers who do business with the affected supplier are hit in turn.

An extraordinary supply chain attack occurred roughly two-and-a-half years ago: the SolarWinds attack in late 2020. The company provides software-as-a-service solutions for IT infrastructure and supply management. Its Orion framework software was breached, infecting more than 18,000 systems worldwide at a cost of billions of dollars. Among the notable victims were the U.S. Departments of Health, Treasury and State, as well as most Fortune 500 companies.

Lesser supply chain attacks continue to make headlines and detail the suffering inflicted on victims.

One attack from early last year that is still in the news, for instance, hit Expeditors International, a Seattle-based global logistics company. In February 2022, it discovered that hackers had penetrated its network, forcing the company to shut down most of its operating and accounting systems to protect its data and infrastructure. That limited its ability to ship freight, manage customs processing and distribute customers’ products for weeks. The headaches continue today: 15 months after the attack, Expeditors International is still fighting a court battle with longtime customer iRobot over shipping delays and lost business.

The lessons here? One is that supply chain breaches often wreak havoc for a surprisingly long time. The other is that hackers do not quit. This means that companies reliant on supply chains must make cybersecurity a significant determinant in conducting third-party transactions and begin demanding that vendors provide easy mechanisms to verify the end-to-end authenticity and integrity of their products. The health of their companies could depend on it.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital
