With escalating numbers of supply chain attacks, increasingly higher reputational and financial stakes, and closer regulatory scrutiny on third party assurance, businesses will soon find it difficult to operate if they can’t prove they have appropriate supply chain cybersecurity checks in place, writes Laura Greenwood.
It’s time to increase cyber resilience in supply chains. Now. We’re going to be saying this over and over in the coming months, and here’s why: conducting robust cybersecurity checks and measures that cover an organisation’s complete supply chain is going to become the new normal. And it’s going to be impossible to operate without it.
How do we know this?
Well, supply chain attacks (cyber-attacks on, and via, suppliers) are increasing in frequency and in business impact, causing far-reaching and costly disruption. Yet the latest government data shows that currently only 13 per cent of businesses review the risks posed by their immediate suppliers, and the proportion for the wider supply chain is just 7 per cent.
And as Ian McCormack, NCSC Deputy Director for Government Cyber Resilience, says:
“Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. [So] with incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.”
In response, governments and industry regulators are paying more attention to the way companies assess supply chain risk. The EU’s NIS 2 Directive, for example, aims to improve cybersecurity risk management and introduce reporting obligations across sectors such as energy, transport, health and digital infrastructure.
Likewise, the Prudential Regulation Authority (PRA)’s Supervisory Statement SS2/21 on outsourcing and third party risk management, together with its supervisory statements on operational resilience, seeks to strengthen and modernise the framework for outsourcing and third party risk management within financial services.
Whatever the sector, it stands to reason it will become increasingly difficult to do business with organisations which do not have robust cyber policies in place.
We’ll dive deeper into these points in another blog, but for now let’s take a look at some recent high-profile supply chain attacks and gain an understanding of what happened.
Critical National Infrastructure (CNI) is a big target for cyber criminals. From transport systems to financial services, health systems and energy suppliers, taking down just one small part of these critical systems can bring a nation to a standstill. And it only takes one small supplier to be hacked.
DSB Trains – Denmark (November 2022)
An attack on the supply chain of Denmark’s largest rail operator, DSB Trains, brought trains to a standstill for four hours in November 2022. DSB was not hit directly: the disruption was caused by a cyber-attack on Supeo, a Danish company that provides enterprise asset management solutions to railway companies, transportation infrastructure operators and public passenger authorities.
Supeo provides a mobile application that train drivers use to access critical operational information, such as speed limits and information on work being done to the railroad. When the subcontractor decided to shut down its servers, following the hacker attack, the application stopped working and drivers were forced to stop their trains, according to the media reports.
SolarWinds – USA (March 2020)
This is THE largest supply chain attack ever. Suspected nation-state hackers, identified by Microsoft as a group known as Nobelium, attacked the SolarWinds Orion platform. They initially gained access to the SolarWinds network in September 2019 and added the malicious ‘Sunburst’ code in the early part of 2020, but it wasn’t until March 2020 that SolarWinds started sending out the compromised code to its users. And it wasn’t until later that summer that the cybersecurity firm FireEye detected the breach.
All in all, the threat actors had free access to more than 30,000 public and private organisations for a period of 14 months. This included every department of the US government, including the Treasury, Homeland Security and the Department of Defense. At the time the average dwell time for a hacker was around 95 days, and to this day the true impact of SolarWinds is not fully understood.
Interestingly, nobody fully understands why Nobelium launched the SolarWinds attack. Nobody fully understands who they were attempting to attack. And nobody fully understands whether any information was actually stolen from government agencies. But it does highlight the fragility of supply chains and the huge scale of cyber-attacks conducted at a national and international level.
Target – USA (2014)
US retailer Target’s systems were first attacked in November 2013 using network credentials stolen from a third party provider of refrigeration and HVAC systems. Once the hackers gained access to the network, they were able to gain a foothold on the company’s payment system and the attack resulted in the breach of 40 million credit and debit cards.
At the time it was estimated that Target could face losses of up to $420 million as a result of the breach, including reimbursement to banks for the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for the tens of millions of customers affected by the breach.
We should also note that supply chain risk management and supplier assurance are not solely about cybersecurity – they include due diligence checks on other topics such as anti-bribery and corruption, and modern slavery too.
It’s clear that any organisation is only as secure as its entire supply chain – and the only way to reduce risk is for all organisations to collaborate with robust cybersecurity processes to ensure they are not the weakest link in the chain.
For further information on how Crossword can support you in making sure your supply chain is cyber-secure, click here.