Every business has a supply chain upon which it relies. Any disruption to that a supply chain has a knock-on effect on all the businesses that depend on it. Most organizations are well versed in securing physical supply chains, but the world has changed, and now there is a cyber component to just about every supply chain.
Supply chains are no longer purely analog. Many now are entirely digital, and virtually all the rest are hybrid. Even if goods and services are physical, the planning, design, sorting, logistics and transport systems around them rely on IT software and services for their production and delivery. In the modern, digital world, therefore, it is crucial for all organizations to be aware of this cyber component and to take steps to manage the risk.
Cyber Supply Chain Risk Management (C-SCRM) should be a high priority for every modern organization to minimize the impact of a growing number of threats. These threats are not only of disruption to supply chains, but also of subversion. C-SCRM, therefore, has become an essential component of Third-Party Risk Management.
While power failures and cyber attacks can impact digital services and freeze or destroy information systems to disrupt digital, analog and hybrid supply chains, malicious actors can also infiltrate suppliers of IT and digital services and software to infect them with malware.
This subversion of cyber supply chains by exploiting trust in suppliers can enable malicious actors to introduce malware into thousands of organizations who rely on the compromised suppliers to either disrupt business operations or covertly spy on them and gain access to commercially sensitive information.
The best-known example of this is the SolarWinds supply chain attack that came to light in December 2020, which enabled those behind the operation to insert backdoor malware in the Orion network management system code that was delivered to Orion customers in an update to the Orion software. The backdoor was designed to enable the attackers to impersonate users and accounts, affecting around 30,000 victim organizations.
According to a 2021 report from ENISA, supply chain attacks are typically made up of four components:
- Attack techniques used to compromise a supplier’s supply chain, which include malware infections, social engineering, brute force attacks, and software exploits.
- Supplier assets that are targeted, which include pre-existing software, software libraries, code, configurations, data, processes, hardware, people, and suppliers.
- Attack techniques used to compromise suppliers’ customers, including exploitation of trusted relationships, drive by compromises, phishing, and malware infection.
- Customer assets targeted, which include commercial data, personal data, intellectual property, software, processes, bandwidth, financial, and people.
The ENISA report warns that supply chain attacks are increasing, with 66% of attacks focusing on source code and 62% exploiting customer trust in suppliers. This is a risk that organizations can’t afford to ignore.
The SolarWinds incident and subsequent Kaseya and Log4j breaches have served to highlight the very real risks of software supply chain compromises, but these form just part of the wider set of risks to digital and hybrid supply chains.
Modern organizations, therefore, need to adopt wider risk management strategies to deal with all the supply chain risks they are facing if they are to avoid or minimize the impact of disruption to business operations, loss of intellectual property, and failure to comply with regulations on data protection and, in some cases, regulation for suppliers of critical national infrastructure.
All organisations now depend upon vendor and partner-supplied products and services to function in today’s interconnected world. This interdependence introduces new risks that attacks on suppliers can spread rapidly across all their customers. This is a major challenge that CISOs must address.
— Mike Small, Senior Analyst, KuppingerCole.
Because we understand the importance of securing digital and hybrid supply chains, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.
This includes live events such as the Cybersecurity Leadership Summit taking place in Berlin and online from 8-10 November 2022. The agenda covers a wide range of security leadership topics including presentations on Successfully tackling your Digital Supply Chain Risk and UNECE R 155: Security-by-Design for the Automotive Supply Chain and In-Vehicle Cybersecurity.
There is also a workshop entitled: Strategy, Risk, and Security: Building Business Resilience for Your Organization, which will highlight the most important steps of an organization's journey to prepare for and even embrace disruptive events and circumstances as part of a holistic, sustainable business approach.
Research
One way of tackling supply chain risk is using a risk management platform to manage all kinds of risk within an organization, including supply chain interruptions. Find out more by having a look at this Leadership Compass on Integrated Risk Management Platforms and this Market Compass on Cybersecurity for Industrial Control Systems.
The case of software supply chain risks in application source code is addressed in this Leadership Compass on Container Security.
Advisories
Coming European legislation requires that supply chain security risks are adequately addressed, as explained in this Leadership Brief on the EU NIS2 Directive. For a German perspective, have a look at this article on KRITIS – Understanding and protecting critical infrastructure. There are similar requirements by legislation in the US. To find out more, have a look at this Advisory Note on Federal Regulations on Cybersecurity.
The link between supply chain security and resilience is touched on in this Advisory Note on Business Continuity in the age of Cyber Attacks and this Leadership Brief entitled: Cyber Hygiene: The Foundation for Cyber Resilience.
Centralizing delivery of digital workplaces can bring cost, efficiency and productivity rewards but security and risk management must be baked in, as discussed in this Leadership Brief on Mitigating Availability & Security Risks in Centralized Digital Workplace Delivery.
Insight
Cyber supply chain resilience management (C-SCRM) is an important part of business resilience management. For more information on these two topics and how they are related, have a look at this KuppingCole insight on Business Resilience.
Audio/video
Ransomware attacks remain a top concern for organizations and are a common cause of supply chain disruption. Find out about the impact of ransomware on supply chains how to defend against these attacks by watching this workshop conducted at last year’s CSLS entitled: Your Path to Ransomware Resilience, this presentation entitled: Ransomware: What happens when the tech stops, and this panel discussion on Cybersecurity Trends 2022.
For a discussion on supply chain disruption in the context of the changing cyber threat landscape, watch this presentation on How to win the war against cybercriminals.
Learn about the importance of cyber supply chain risk management (C-SCRM) and its effect on the resilience of a digital business in this panel discussion entitled: Managing Cyber Supply Chain Risks and Achieving Digital Business Resilience and this presentation on Effective Cyber Supply Chain Risk Management (C-SCRM).
Find out how the application of Zero Trust security principles can help improve supply chain security by having a look at these presentations entitled: Zero Trust and Software Supply Chain Security: Must-do’s for Every Organization and Why ‘Zero Trust’ is Driving an Identity Centric Security Strategy.
Listen to this Analyst Chat on Applying The Zero Trust Principle To The Software Supply Chain to cover security for software in any form, whether it is developed in-house or externally procured.
To hear some of the comments, observations and recommendations by our analysts regarding the SolarWinds hack, listen to this analyst chat on Understanding the SolarWinds Incident and Recommended First Steps and on Post-SolarWinds Software Security Strategies.
Blogs
Consider if your digital supply chain is your weakest link and find out how to protect your organization against these risks in this Blog Post entitled: Prepare, Prevent and Protect.
Picking up the theme of Zero Trust in the context of cyber supply chain security, have a look at this blog post on The Next Level of Zero Trust: Software Security and Cyber Supply Chain Risk Management and this blog post entitled The Non-Zero Elements of Zero Trust, which discusses the zero trust approach to security in the context of the SolarWinds supply chain attack.
For some keen observations on the importance of C-SCRM, have a look at this blog post on Why C-SCRM Is Becoming so Essential for Your Digital Business.
And for a perspective on supply chain security in the context of disaster planning, have a look at this blog post on the Elements of a Disaster Operations Plan.
Webinars
Zero Trust is the foundation for cyber supply chain risk management, as discussed in this Webinar entitled: Digital Trust: Critical to Digital Business Success.
Supply chain disruption is often the inevitable consequence of cyber-attacks. Being prepared is the single most effective action that those responsible for IT security can take. Find out more in this Webinar on Disaster Planning Made Simple.
For further discussion on supply chain security in the context of the European regulations, have a look at this Webinar on The Changing Scope of the NIS2 EU Directive.
According to a report from ENISA, supply chain attacks are increasing, with 66% of attacks focusing on source code and 62% exploiting customer trust in suppliers. This is a risk organizations can’t afford to ignore. Learn more by watching this Webinar on Protecting the Business from Software Supply Chain Threats.
The topic of the SolarWinds hack is further referenced in this webinar on Effective Endpoint Security With Automatic Detection and Response Solutions and in this discussion on How Can Privileged Access Management Help Securing the Enterprise?
For a range of perspectives on the broader topic of supply chain security, choose from the following webinars:
- Are You Ready for Security Automation?
- Techniques for Securing Transactions With Identity Verification and Verifiable Claims
- Recruiting Customers, Suppliers and Even Competitors to Help Reduce Risk
Whitepapers
Organizations not only have to consider the risks associated with their own IT systems, but also have to consider the risks that come via third-party systems. Find out how to manage these and other risks in this White Paper entitled: Getting Ahead of the Cybercriminals: Understanding the External Threat Landscape.
Avoiding code tampering by external attackers and internal parties is an essential part of supply chain security. Find out how to increase security throughout the software lifecycle and implement a multi-layered, defense-in-depth code tampering prevention and detection strategy by reading this White Paper on Software Supply Chain Security.
Software supply chain compromises typically involve the use of compromised credentials, as discussed in this White Paper entitled: Identity & Security: Addressing the Modern Threat Landscape.
Tech Investment
Organizations investing in technologies to improve cyber supply chain security can have a look at some of the related technology solutions that we have evaluated, starting with the Veracode Application Security Platform, which is a cloud-based application security testing platform for providing insights into software security risks.
Other supply chain related solutions we have evaluated, include: