Understanding Supply Chain Attacks: An Emerging Cybersecurity Challenge

Reading Time: 4 minutes

Authors:  

Claudia Martorelli | Data Protection Advisor

Date: 24 June 2024

The European Union Agency for Cybersecurity (ENISA) has identified supply chain attacks, particularly those targeting software dependencies, as the foremost emerging cybersecurity threat for the coming decade. The web of dependencies among businesses within the software/IT sector creates a host of opportunities for cybercriminals to exploit. Vulnerabilities within the supply chain can be harnessed to execute attacks causing extensive harm across multiple organisations, as illustrated by recent incidents like the attack on Snowflake cloud services. Impact ranges from large scale data breaches, financial loss, disruption to services, as well as significant damage to reputation. As these attacks become more frequent and severe, addressing supply chain risk is essential for robust organisational security strategies. This article explores the nature of supply chain attacks, the implications of the NIS2 Directive (Directive (EU) 2022/2555), and essential practices to enhance supply chain cybersecurity. 

Understanding Supply Chain Attacks 

Supply chain attacks are typically sophisticated, costly, and meticulously planned as they involve a multi-stage strategy where an attacker first compromises a supplier, using this initial breach to infiltrate a primary target. For an incident to qualify as a supply chain attack, both the supplier and the target must be affected.  

Key techniques used in supply chain attacks include: 

  • Software Attacks: Malicious code is injected into software updates or popular applications. A prominent example is the SolarWinds incident, where attackers embedded malware in a legitimate software update, affecting thousands of clients, including major corporations and government agencies. 
  • Hardware Attacks: Threat actors tamper with components such as circuit boards used to build servers, routers, or other network devices. They may install malicious microchips or modify existing ones. This type of attack is less common than software supply chain attacks, but their impact can be just as significant. An example is the Micro-Star International (MSI) attack, where the hardware manufacturer’s private keys (used for digitally signing firmware for motherboards) were leaked. This allowed attackers to install and execute malicious firmware, allowing them to bypass security measures and providing far-greater reach of the compromised systems, in a manner that regular malware would not. 
  • Targeting IT Suppliers and Managed Service Providers (MSPs): Many attackers focus on regional MSPs, which support numerous small and medium-sized businesses (SMBs) but often lack robust security resources for themselves. For instance, in the Kaseya attack, a vulnerability in the software’s update mechanism was exploited to deploy ransomware to Kaseya’s MSP customers, which in turn spread downstream to their clients.  

By compromising multiple organizations’ intellectual property, financial data, customer information, and other sensitive data, supply chain attacks provide significant returns to threat actors, enhancing their popularity.  

NIS 2 Directive and Supply Chain Cybersecurity 

NIS 2 Directive provides a regulatory framework to enhance the level of cybersecurity in the European Union. It requires Member States to strengthen cybersecurity in critical sectors by requiring “essential” and “important” (public and private) entities to adopt specific measures. EU Member States have until 17 October 2024 to transpose the directive into national law, with some rules taking immediate effect. 

Supply chain cybersecurity is an important aspect of the cybersecurity risk management measures dictated by NIS 2, specifically addressed under Article 21.  

Essential and important entities are required to implement appropriate technical, operational, and organizational measures to secure their supply chains with measures needing to be proportionate to their size, exposure to risk as well as the likelihood and severity of an incident.  

Article 21 mandates that, when assessing the controls to be applied, entities should consider the following aspects of the supplier/service provider:  

  • their specific vulnerabilities,  
  • the overall quality of their products,  
  • their cybersecurity practices, including their secure development procedures.  

Compliance with NIS 2 supply chain security obligations involves not only fulfilling the requirements outlined in Article 21, but also taking into account the results of any coordinated risk assessments (carried out at Union level in accordance with the Article 22.1).  

Coordinated risk assessments can be performed by the Cooperation Group, in cooperation with the Commission and ENISA on specific critical ICT services, systems or products supply chains. Such assessments will evaluate technical and, where relevant, non-technical risk factors (such as undue influence of a third country on a supplier/service provider). Failure to address these coordinated assessments could result in non-compliance, even where the requirements of the NIS 2 Directive are met. 

Finally, essential and important entities should also consider the specific policies adopted at national level. According to Article 7(2)(a), as part of the national cybersecurity strategy, each Member State shall adopt policies addressing supply chain security for ICT products/services used by entities.  

Best Practices for Enhancing Supply Chain Security 

Effective supply chain security requires a multifaceted approach involving various corporate functions such as information security, risk, legal as well as procurement and supplier relationship management. Key practices include: 

  • Supplier and Service Provider Management: Identify and document all suppliers and service providers. Define a risk criteria based on the criticality/sensitivity of systems and data and map out all dependencies as well as potential single points of failure. 
  • Risk Assessment and Treatment: Assess and consider supply chain risks as part of business continuity and disaster recovery assessments and policies. Implement measures for risk treatment based on best practices (e.g. ISO/IEC 27001/2). 
  • Ongoing Monitoring and Awareness: Continuously monitor supply chain risks using internal and external information sources. Conduct regular reviews of suppliers’ performance. Ensure personnel are aware of supply chain risks. 
  • Patch Management and Testing: Only accept patches from legitimate sources, and thoroughly test them before deployment. Implement rollback procedures and maintain effective backup and restore processes. 
  • Asset and Information Classification: Classify assets and information accessible to suppliers and establish procedures for their secure access and handling. 

By adopting these practices, organisations can better manage and mitigate the supply chain risk, thereby significantly enhancing their overall security posture. 

Whilst ensuring supply chain security and complying with the requirements of NIS2 may seem challenging, our data protection and cyber-risk service have a wealth of experience in assisting organisations in improving their security posture and preparing for regulatory change. We can design and implement a robust supply chain security framework, as well as support your organisation with the implementation of any other NIS2 requirements. If you would like to discuss our services, please contact our advisors. 

Related posts

Let's discuss your career