The European Union Agency for Cybersecurity (ENISA) has found that 66 percent of supply chain attacks focus on the supplier’s code.
Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers.
Malware is the attack technique used in 62% of attacks, according to the new ENISA report Threat Landscape for Supply Chain Attacks, which analyzed 24 recent attacks.
ENISA says strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.
Supply chain attacks are expected to quadruple in 2021 compared to last year, requiring an urgent introduction of novel protective measures. Such attacks often go undetected for a long time, and, like Advanced Persistence Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly with attackers probably planning them well in advance.
Supply chain attackers are exploring new potential highways to infiltrate organizations by targeting their suppliers. In order to compromise the targeted customers, attackers focus on the suppliers’ code in about 66% of the reported incidents. This shows that organizations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated.
For about 58% of the supply chain incidents analyzed in the report, the assets targeted were predominantly customer data, including Personally Identifiable Information (PII) data and intellectual property.
For 66% of the supply chain attacks analyzed, suppliers did not know, or failed to report on how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users.
The impact of attacks on suppliers may have far reaching consequences because of the increased interdependencies and complexities of the techniques used. Beyond the damages on affected organizations and third parties, there is a deeper cause for concern when classified information is exfiltrated and national security is at stake or when consequences of a geopolitical nature could emerge as a result.
In this complex environment for supply chains, ENISA says establishing good practices and getting involved in coordinated actions at EU level are both important to support all Member States in developing similar capabilities – to reach a common level of security.
The report issues an extensive number of recommendations for customers to manage the supply chain cybersecurity risk and to manage the relationship with the suppliers. The report also suggests possible actions to ensure that the development of products and services complies with security practices. Suppliers are advised to implement good practices for vulnerability and patch management for instance.