According to the new ENISA report – Threat Landscape for Supply Chain Attacks, which analysed 24 recent attacks, strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers.
This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.
Supply chain attacks are expected to be four times as frequent in 2021 as in 2020. This trend stresses the need for policymakers and the cybersecurity community to act now, which is why novel protective measures to prevent and respond to potential supply chain attacks, while mitigating their impact, need to be introduced urgently.
In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. This shows that organisations should focus their efforts on validating third-party code and software before using it, to ensure it has not been tampered with or manipulated.
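One concrete form of the validation the report calls for is checking every supplier artifact against a digest pinned at the time it was reviewed, and refusing to use a delivery in which anything is modified, absent or unexpectedly present. The example below is added here and is not code from the ENISA report; the manifest, file names and contents are constructed for illustration, and the function names are this example's own.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Categories a verification run sorts artifacts into.
REPORT_CATEGORIES = ("ok", "tampered", "missing", "unexpected")


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large artifacts fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: dict, actual: dict) -> dict:
    """Compare pinned digests with the digests of what was actually received.

    manifest: artifact name -> SHA-256 hex pinned when the artifact was reviewed
    actual:   artifact name -> SHA-256 hex of what the supplier delivered
    Returns a report mapping each category to a sorted list of artifact names.
    """
    report = {k: [] for k in REPORT_CATEGORIES}
    for name, expected in manifest.items():
        if name not in actual:
            report["missing"].append(name)
        # compare_digest keeps the comparison constant-time; .lower() tolerates hex case.
        elif hmac.compare_digest(expected.lower(), actual[name].lower()):
            report["ok"].append(name)
        else:
            report["tampered"].append(name)
    for name in actual:
        if name not in manifest:
            report["unexpected"].append(name)
    return {k: sorted(v) for k, v in report.items()}


def verify_directory(directory: Path, manifest: dict) -> dict:
    """Hash every regular file in a delivery directory and check it against the manifest."""
    actual = {p.name: sha256_file(p) for p in directory.iterdir() if p.is_file()}
    return verify_manifest(manifest, actual)


def is_trusted(report: dict) -> bool:
    """A delivery is usable only if nothing is tampered, missing or unexpected."""
    return not (report["tampered"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Constructed scenario (not a real incident): three artifacts were pinned; the
    delivery has one intact, one modified, one absent and one file nobody asked for."""
    pinned_contents = {
        "vendor-lib-1.4.2.tar.gz": b"original vendor library bytes",
        "install.sh": b"#!/bin/sh\necho install\n",
        "firmware.bin": b"\x00\x01\x02\x03",
    }
    manifest = {name: sha256_bytes(data) for name, data in pinned_contents.items()}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "vendor-lib-1.4.2.tar.gz").write_bytes(b"original vendor library bytes")
        # install.sh arrives with an extra line appended: a tampered artifact.
        (d / "install.sh").write_bytes(b"#!/bin/sh\necho install\n# appended line\n")
        # README.txt is not in the manifest: an unexpected artifact.
        (d / "README.txt").write_bytes(b"extra file")
        # firmware.bin is deliberately not delivered: a missing artifact.
        return verify_directory(d, manifest)


if __name__ == "__main__":
    result = demo()
    print(result)
    print("trusted:", is_trusted(result))
```

Pinned digests only detect divergence from what was reviewed. If the supplier's own build was compromised before the digest was pinned, the pinned value matches the malicious artifact, so this check complements, and does not replace, signed releases from the supplier and, where available, reproducible builds that let the customer rebuild and compare.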
For about 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) data and intellectual property.
For 66% of the supply chain attacks analysed, suppliers did not know, or failed to report on how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users.
The report includes an extensive set of recommendations for customers on managing supply chain cyber security risk and their relationships with suppliers.
Recommendations for customers include:
• Identifying and documenting suppliers and service providers;
• Defining risk criteria for different types of suppliers and services such as supplier and customer dependencies, critical software dependencies, single points of failure;
• Monitoring supply chain risks and threats;
• Managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components;
• Classifying assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.
The report also suggests possible actions to ensure that the development of products and services complies with security practices; for instance, suppliers are advised to implement good practices for vulnerability and patch management.
Recommendations for suppliers include:
• Ensuring that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cyber security practices;
• Implementing a product development, maintenance and support process that is consistent with commonly accepted product development processes;
• Monitoring security vulnerabilities reported by internal and external sources, including vulnerabilities in the third-party components they use;
• Maintaining an inventory of assets that includes patch-relevant information.