Supply chain privacy risk presents a new attack surface for organizations with complex supply chains. Cyber criminals, hackers and other threat actors play an ongoing game of cat and mouse with information security professionals whose job is to protect their organizations against unwanted intrusions, data breaches, IP theft, ransomware and other malicious attacks. In recent times, the criminals have zeroed in on a new strategy for slipping past the best laid defenses of their targets – supply chain attacks. The clever new strategy exploits the supply chain relationships a target organization has with its numerous suppliers.
With today’s highly integrated digital supply chains, the potential for successful intrusion by hackers has never been greater. Unfortunately, many CSCOs are only now realizing the risks about which CISOs and other InfoSec leaders are already aware. This paper defines the risk, explores the many avenues available for bad actors to infiltrate systems via supply chains and offers solutions to this emerging threat.
Defining the Threat of Supply Chain Attacks
Always seeking the path of least resistance, cyber criminals look for novel vulnerabilities they can exploit within a target organization’s information security. The criminals know that network and cloud security has grown very robust and takes too much time and effort to defeat. This explains the explosion of social engineering attacks. Social engineering exploits weak external data privacy policies exhibited by too many organizations today. Even as industries begin to address privacy governance and make headway in protecting external data, criminals are keeping one step ahead, seeking vulnerabilities further removed from the center of an operation.
Market research produced by application security firm, Checkmarx revealed supply chain attacks growing in frequency and scope over the last 12 months. Nearly nine in ten CISOs of the 1500 application security and developers polled by Checkmarx for the study reported at least one breach in the trailing year as a direct result of applications they built. Forty-one percent shared that it was open-source software supply chain attacks that enabled these breaches.
Following a brief hiatus during the pandemic, the number of supply chain cyber attacks in the US reverted to its upward vector.
ANNUAL NUMBER OF SUPPLY CHAIN CYBER ATTACKS N THE UNITED STATES FROM 2017 T0 2022
Chart via Statista, data from Survey by Identity Theft Resource Center
In its 2022 Data Breach Report, the Identity Theft Resource Center reports supply chain attacks “leapt past malware-based compromises in 2022”.
The Two Kinds of Supply Chain Attacks
Attacks Against the Physical Supply Chain
First, let’s examine the threat of unwanted intrusion via traditional, brick and mortar supply chain channels. If one thinks about it, supply chains are naturally vulnerable points in any organization. For any organization reliant upon suppliers to deliver goods and services the risk is present. For manufacturers particularly, the threat is multifaceted.
McKinsey says, “The complexity of global industrial supply chains exponentially increases their risk.” According to McKinsey research:
The average, an auto manufacturer has:
- 250 tier-one suppliers
- 18,000 suppliers across the full value chain.
The average aerospace manufacturer has:
- 200 tier-one suppliers
- 12,000 across all tiers.
Each of these thousands of suppliers delivers individual components a manufacturer uses to build its product. For electronics, durable goods, automotive, aerospace or other complex product manufacturers, each product can require thousands of individually sourced components to build.
Consider all the varied parts needed to manufacture an automobile. Sheet metal, electronics/computer components, glass/windows, interior seating, upholstery and trim, thousands of engine and transmission parts, suspension elements, lighting and hundreds of other parts are typically sourced from individual suppliers and must be shipped into manufacturing facilities according to strict production schedules and timelines.
Manufacturing organizations commonly employ several discrete software applications to manage their complex supply chains. They typically employ Enterprise Resource Planning (ERP) software like Oracle, SAP and others to manage purchasing and procurement. They leverage Transportation Management Systems (TMS) such as BluJay, MercuryGate and others to automate scheduling and routing of logistics of the many suppliers bringing raw materials into facilities and delivering finished product to their customers. They use Warehouse Management Systems (WMS) and Yard Management Systems (YMS) to keep track of millions of dollars of raw material inventories on their premises as they move materials into plants in accordance with complex production schedules. There is an expanding array of enterprise automation software providers entering this competitive and in-demand market which only increases the risk.
It is common practice for a large enterprise to build its so-called “tech stack”, selecting its favored software application from disparate providers. They then work to integrate these disparate systems with one another for purposes of flowing data upstream and downstream. The goal is to provide supply chain visibility end-to-end – from purchase order, through logistics, production, sales and final product delivery.
The vulnerability lies in the fact that many of these systems, ERP, TMS, YMS and others routinely provide remote, third-party access to external resources – typically the employees of the suppliers who access the manufacturers’ information systems to input sales/purchase orders, manage materials handling and logistics scheduling, or to perform a host of other functions. Today’s cyber criminals know that it is far easier to spoof their way past hardened information systems by mounting phishing, spear phishing, smishing and other social engineering attacks against lower-level employees within the extended supply chain. If they can trick a supplier into revealing their credentials for external access to ERP, TMS, WMS and other systems, they can gain access to the manufacturer’s internal systems without any brute force entry needed.
Security Magazine recently made the following bold statement:
Cyber threat assessment firm, NCC Group’s research revealed that forty nine percent of organizations surveyed reported they did not stipulate security standards to which their prospective suppliers must adhere as part of their procurement and contracting process.
Worse yet, thirty-four percent said they did not regularly monitor or perform risk assessments of their suppliers’ cybersecurity practices.
The NCC Group researchers concluded that cyberattacks on supply chains grew by fifty-one percent between July and December of 2021 and fewer than one in three organizations were “very confident” they could effectively and quickly respond to a supply chain attack.
Privacy Bee views the challenge posed by protecting the physical supply chain as a Vendor Risk Management (VRM) project. The task requires active and effective management of all the external data privacy of an organization’s third-party relationships like supply chain vendors. More on the nature of the VRM solution from Privacy later in this paper.
Attacks Against the “Software Supply Chain”
There is another type of supply chain representing a risk to information security. Nearly all organizations have grown Increasingly reliant on software to automate and manage a broad array of internal business processes. HR management, financial management, procurement, supply chain logistics management and many other business processes are leveraging software solutions which expose a new and dangerous attack vector.
The “software supply chain” is perhaps the most potentially dangerous segment of the supply chain when it comes to cyber-attack. What is the “software supply chain”?
Definition: The software supply chain is anything and everything that touches an application or plays a role, in any way, in its development throughout the entire software development life cycle (SDLC). The software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact.
Most software today is not written from scratch. Software vendors and in-house software development teams often create applications and other tech solutions by assembling code/artifacts acquired through both open-source and commercial software channels. The problem is that these artifacts increase vulnerability because developers have little control over the source code. Many times, they aren’t even aware of any changes made to the code by third parties before they acquire it. Because cyber criminals know this is a weak spot, they have begun inserting malicious code into software artifacts they can then exploit later once the artifacts have been written into larger software systems within target organizations. Attacks via software supply chains are trending.
In their glossary definition of “Software Supply Chain”, Application security firm, Synopsis writes, “The sharp and continuous rise of code reuse and cloud-native approaches have provided them [cyber attackers] with additional angles to mount attacks several degrees of separation away from their intended targets. Exploiting just one weakness opens the door for a threat actor traverse down the supply chain where they can steal sensitive data, plant malware, and take control of systems – something we’ve seen plenty of examples of in recent times.”
As noted above in the discussion of attacks against the physical supply chain, organizations regularly build their own “tech stack” for supply chain and supply chain logistics management using a number of commercially available software products. The integration points between these disparate systems represent a weak spot for security.
At the same time, many other organizations use internal software development resources to build their own, proprietary automation systems for managing business processes like HR, finance and others. Building one’s own applications presents its own set of challenges and risks. In-house development teams regularly source existing code via open-source channels or even through reputable software development companies (as opposed to writing every single line of code from scratch). However, development teams are not typically focused on or required to investigate the cybersecurity practices of the sources they utilize. In the absence of a clear CISO mandate to examine the provenance of all third-party code, developers tend to focus mostly on meeting tight timelines for deliverables.
The push to complete software development projects at a rapid pace is even more the case when it involves project workers or SOW development companies to which many organizations outsource software development projects.
YoY GROWTH IN OPEN-SOURCE SUPPLY CHAIN ATTACKS WORLDWIDE FROM 2020 TO 2022
Chart via Statista
Recent Examples of Supply Chain Attacks
2023 3CX Attack
In 2023, Voice Over Internet Protocol (VOIP) telephony company, 3CX was victimized by a software supply chain attack. The 3CX internet-based phone system is used by more than 600,000 companies worldwide and has more than 12 million daily users. The company’s customer list contains dozens of industry leading companies that represent perfect targets for threat actors. The data and information systems of top brand names like American Express, Mercedes-Benz, IKEA, McDonald’s, BMW, Air France and many others have been compromised by this attack.
Cybersecurity firm Crowdstrike explains how the attack was perpetrated. Their threat intel team says, “The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” In plain English, this means that threat actors – in this case suspected to be North Korean hackers – were able to inject malicious code into software licensed by 3CX for use in corporate internet telephony software artifacts which then provide the threat actors unauthorized access to internal systems of all organizations that have employed the code in their communications tech stack. The injected malware is capable of harvesting system info and stealing data and stored credentials from Chrome, Edge, Brave, and Firefox browser user profiles.
In a blog post, 3CX CISO, Pierre Jourdan explained that 3CX’s desktop applications were compromised via injection into an upstream library. The consequences and losses associated with this breach are still not fully tallied and new damage is being discovered daily as the investigation continues.
2019-2020 SolarWinds Attack
SolarWinds is a large software company based in Tulsa, Okla. The company provides system management tools for network and infrastructure monitoring, and other technical services to hundreds of thousands of organizations around the world. Among the company’s products is an IT performance monitoring system called Orion.
TechTarget reports the 2020 attack was perpetrated by hackers in Russia, who gained access to the networks, systems and data of thousands of SolarWinds customers in what is described as one of the largest such attack recorded to date. This was accomplished by hackers inserting malicious code into the Orion system creating a back door through which threat actors then accessed and impersonated users and accounts of victim organizations. Since the Orion system is used by numerous multinational organizations and government agencies, it was a high value target for cyber criminals.
US Homeland Security, Departments of State, Commerce and Treasury were affected, as were private companies such as FireEye, Microsoft, Intel, Cisco and Deloitte. The potential damage and other ramifications of this hack will continue to be felt for years.
Who is Responsible for Managing & Mitigating Supply Chain Privacy Risk?
Because these novel attack vectors straddle several functional areas of an organization – IT, procurement, logistics – there is no historical roadmap to follow when it comes to determining who drives mitigation efforts. Of course, CISO and IT security leadership must always be involved in cyber security. CSCOs and CEOs also have a vested interest in guiding best practices in protecting supply chains. Cross-functional focus on developing supply chain data privacy policies is essential and requires collaboration between all key stakeholders in order to develop, deploy and enforce effective external data management and vendor risk management governance. Next, let’s examine what this looks like in practical terms.
What Can Be Done to Prevent Supply Chain Attacks?
The two primary tools to fight supply chain attacks are the DevSecOps (including the use of Software Bill of Materials or SBOM) and strong Vendor Risk Mitigation tools to ensure healthy external data privacy hygiene amongst all vendors (software and materials providers). DevSecOps is a security methodology focusing on culture, automation and software design requiring shared responsibility for privacy and security throughout the entire IT lifecycle. However, DevSecOps and SBOMs alone, in the absence of VRM tools represent an incomplete approach. Let’s define both SBOM and VRM and examine the critical nexus between both strategies which necessitates the application of both.
A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components. The US Cybersecurity and Infrastructure Agency (CISA) has issued guidance on how to guard against software supply chain attacks. In 2021, the Biden Administration issued an executive order calling for SBOM to be implemented across the entire tech industry.
The National Telecommunications and Information Administration recently published this definition of SBOM. “A Software Bill of Materials (SBOM) is a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. These components can be open source or proprietary, free or paid, and widely available or restricted access.”
Implementing DevSecOps and enforcing the requirement that all code, regardless of its source, be validated using SBOMs is only effective if the sources providing the bill of materials are at least as secure as your organization. The critical success factor for lowering risk of supply chain attacks – whether physical or via the software supply chain – is strong external data privacy. Organizations must have unfettered visibility into the privacy risk profiles of every one of their employees as well as every employee of every vendor, software supplier, contractor/SOW worker with any level of access to their internal information systems.
With Privacy Bee for Business, this seemingly towering challenge is made manageable. Vendor Risk Management tools from Privacy Bee allow organizations to achieve a baseline view of their risk exposure – both internally and externally. They also enable the controls to establish tolerances and thresholds they can set and enforce. Built into procurement policies, the data privacy thresholds a company sets can then be enforced across all third party vendor relationships and those vendors unable or unwilling to meet or exceed privacy requirements can be precluded from participating.
Privacy Bee VRM gives InfoSec leaders real-time scan capabilities so they can analyze prospective and incumbent vendor companies, their employees, attack vectors commonly exploited by bad actors, and isolate all privacy-centric paths attackers might use to compromise a vendor organization, and in turn, your organization.
Then after a vendor has been configured within your Privacy Bee VRM application, the Privacy Bee solution continues to monitor their risk score 24/7/365. Any major change, such as a data breach, influx of high-risk contractors, or any other alarming event prompts warning notifications so that the vendor is provided the opportunity to restore compliance with the privacy tolerances your organization established. Privacy Bee works direct with vendors on your behalf, guiding them on ways to improve their privacy practices and effectively de-risk your organization via a safer supply chain. What’s more, this service is offered completely free of charge. The cleansing of unsecured data uncovered by the privacy risk assessment scans is managed by Privacy Bee for modest costs based on the number of seats licensed by a client organization. The cost benefit of engaging this service is significant and can be reviewed in great detail in our sister white paper, Cost Benefit Analysis Proves the Necessity of Business Privacy Management.
To learn more about protecting your organization from Supply Chain attacks or to request an assessment and quote, contact Privacy Bee today.