ENISA: „strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers”

Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year says European Union Agency for Cibersecurity (ENISA).

Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers. Malware is the attack technique that attackers resort to in 62% of attacks.

According to the new ENISA report – Threat Landscape for Supply Chain Attacks, which analysed 24 recent attacks, strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers.

This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.

Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year. Such new trend stresses the need for policymakers and the cybersecurity community to act now. This is why novel protective measures to prevent and respond to potential supply chain attacks in the future while mitigating their impact need to be introduced urgently.

Juhan Lepassaar, EU Agency for Cybersecurity Executive Director said: “Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once. With good practices and coordinated actions at EU level, Member States will be able to reach a similar level of capabilities raising the common level of cybersecurity in the EU.”

Why is a good level of cybersecurity not good enough?

Composed of an attack on one or more suppliers with a later attack on the final target, namely the customer, supply chain attacks may take months to succeed. In many instances, such an attack may even go undetected for a long time.

Similarly to Advanced Persistence Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly with attackers probably planning them well in advance. All such aspects reveal the degree of sophistication of the adversaries and the persistence in seeking to succeed.

The report reveals that an organisation could be vulnerable to a supply chain attack even when its own defences are quite good. The attackers explore new potential highways to infiltrate organisations by targeting their suppliers. Moreover, with the almost limitless potential of the impact of supply chain attacks on numerous customers, these types of attacks are becoming increasingly common.

In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. This shows that organisations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated.

For about 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) data and intellectual property.

For 66% of the supply chain attacks analysed, suppliers did not know, or failed to report on how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users.

Download the report – Threat Landscape for Supply Chain Attacks

___________

A supply chain is the combination of the ecosystem of resources needed to design, manufacture and distribute a product. In cybersecurity, a supply chain includes hardware and software, cloud or local storage and distribution mechanisms.