What if the legitimate hardware or software procured from or developed by trusted vendors has been compromised at the source itself? Cyber-attacks that target vendors and partners to gain access to the systems and data of organizations are better known as supply chain attacks.
The infamous incidents of the recent past indicate that organizations are at an increased risk of IT/ICT supply chain compromise and that most of them are ill-prepared to prevent and detect such threats. The deployment of a malware payload masquerading as an update in ‘Orion’, the network management platform of SolarWinds, put around 18,000 networks at risk.
In April 2021, Codecov, a DevOps tool provider, found that its software platform, which was used by around 29,000 customers globally to test their software code, had been compromised. Software firm Kaseya revealed in July 2021 that its network management package was used to spread ransomware across Kaseya’s customers, affecting close to 1,500 companies globally. Cyber supply chain breaches have surfaced time and again. KingSlayer, Operation ShadowHammer, Operation Cloud Hopper and NotPetya are the indelible ones, while Target, Asus and SITA have been some of the victims of other significant supply chain attacks. Stuxnet is a classic case of a supply chain attack.
Supply chain attacks exploit the inherently trusted relationship between vendors and customers or machine-to-machine communication channels, and therefore detecting a malware payload or an exploit hidden in the software/hardware ‘supply chain’ could be a daunting task.
With an elevated state of cyber defences and increased cybersecurity awareness, threat actors are strategically targeting companies intertwined with the supply chains of large enterprises or government entities as the common attack vectors are rendered ineffective.
The key factor stoking cyber supply chain attacks is the prospect of gaining access to a great number of targets, since a vendor generally supplies software and hardware, or maintains them, for hundreds or even thousands of companies. The motive behind such an attack could be financial gain, or sabotage or espionage by competitors or, for that matter, by (or at the behest of) a foreign government, targeting sensitive information, intellectual property, personal data, software and processes.
The spectrum of supply chain attack vectors is also quite broad, ranging from build systems and development/testing environments to open-source software or open-source platforms, and third-party software to cloud services.
Software updates have infamously been a prominent attack vector in recent times, exploiting the inevitable dependence of enterprises and government agencies on a host of third-party software solutions and, consequently, the recurrent need to patch vulnerabilities. Another avenue is physical devices, which are a lucrative yet arduous attack vector. There have been instances of hardware tampering where computing devices or networking equipment were shipped with embedded physical implants or manipulated firmware to create backdoors.
Given the global expanse of supply chains and their exposure to risks from a wide spectrum of threat actors, preventing supply chain attacks is no cakewalk. Simply securing one's own infrastructure is not sufficient, as the security perimeter now extends to hardware and software suppliers, managed services providers and vendors as well, and threat actors are constantly vying to find new pathways through the supply chain to gain access.
This is further compounded by the fact that IT/ICT systems are often found to be a patchwork of many technology solutions sourced from different entities and deployed at different points in time.
Lying at the intersection of information security and supply chain management, the discipline of cyber supply chain risk management strives to ensure the integrity, security, and resilience of globally spread supply chains underpinning IT/ICT products and services.
Its scope encompasses the entire life cycle of a system, which includes design, development, deployment, maintenance and decommissioning, and extends well beyond the organizational perimeter to the vendors, partners and entities having access to data. The risks mainly emanate from the lack of visibility into, and control over, the processes involved in the manufacturing/development and delivery of IT/ICT products and services. With better visibility, each of the components could be tracked down to its source and a vulnerability could be patched swiftly as and when it is discovered.
It also paves the way for effective implementation of other technical measures such as security audits of vendors and open-source software and deployment of Zero Trust Architecture adopting stringent access policies.
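The component tracking described above, as an added example that is not part of the original article: a constructed inventory (every component, supplier and host name here is hypothetical) is walked to find which deployed systems pull in a newly disclosed vulnerable component, directly or transitively, and which dependencies have no recorded source.

```python
from collections import deque

# Constructed inventory: component -> (supplier, components it is built from).
COMPONENTS = {
    "billing-app":   ("in-house",    ["web-framework", "pdf-lib"]),
    "hr-portal":     ("in-house",    ["web-framework"]),
    "net-monitor":   ("Vendor A",    ["update-agent"]),
    "web-framework": ("open source", ["json-parser"]),
    "pdf-lib":       ("Vendor B",    ["legacy-codec"]),  # legacy-codec is untracked
    "update-agent":  ("Vendor A",    ["json-parser"]),
    "json-parser":   ("open source", []),
}
# Constructed deployment map: host -> top-level components installed on it.
DEPLOYED = {
    "finance-srv-01": ["billing-app"],
    "hr-srv-01":      ["hr-portal"],
    "noc-01":         ["net-monitor"],
    "print-srv-01":   ["pdf-lib"],
}

def dependency_chain(root, target):
    """Shortest chain root -> ... -> target (breadth-first), or None."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for dep in COMPONENTS.get(path[-1], ("unknown", []))[1]:
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None

def affected_systems(target):
    """Map each host that includes `target` to the chain that pulls it in."""
    hits = {}
    for host, tops in DEPLOYED.items():
        chains = [c for c in (dependency_chain(t, target) for t in tops) if c]
        if chains:
            hits[host] = chains[0]
    return hits

def visibility_gaps():
    """Dependencies referenced by some component but absent from the inventory."""
    referenced = {d for _, deps in COMPONENTS.values() for d in deps}
    return sorted(referenced - COMPONENTS.keys())

if __name__ == "__main__":
    for host, chain in affected_systems("json-parser").items():
        print(host, " -> ".join(chain), "| supplier:", COMPONENTS[chain[-1]][0])
    print("no recorded source:", visibility_gaps())
```

The untracked `legacy-codec` entry shows the failure mode the paragraph names: a host that depends on it cannot be assessed until the inventory records where that component comes from.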
There exist quite a few resources in the form of tools, services, best practices, guidelines and security assurance frameworks to aid the understanding and management of cyber-related supply chain risks. In general terms, managing such risks requires identifying and mapping the cyber supply chain, understanding the risks, aligning cybersecurity expectations with vendors, and auditing for compliance. It is vital to integrate this practice across all the organizational functions and verticals in order to build a strong defence in the face of looming threats targeting cyber supply chains.
Munish Sharma is Senior Consultant at Data Security Council of India