Organisations must develop strong programs to manage supply chain risks, both known and unknown, and prioritise their most critical assets. Often referred to as the ‘crown jewels’, these are the assets that are the most valuable and vital to business success.
Supply chain attacks exploit vulnerabilities in the network of suppliers, distributors, and other third-party partners to gain unauthorised access to sensitive data and systems. The complexity and opacity of modern supply chains often leaves businesses exposed to significant risks, ranging from operational disruptions to data breaches.
Including supply chain security as a key component of an organisation’s overall security strategy is crucial. This ensures that the most important parts of the organisation are protected, supporting the enterprise’s long-term stability and success.
Supply chain attacks target less secure elements in the supply network of an organisation. In software supply chains, for example, attackers can compromise software distributed by a legitimate vendor, impacting end users of that software. This approach has been observed in various high-profile incidents, such as the SolarWinds attack discovered in December 2020, where malicious code was inserted into the company’s software updates, affecting thousands of customers, including government agencies and large corporations.
The nature and methods of supply chain attacks are constantly changing, becoming more sophisticated over time. As attackers innovate, the methods to infiltrate supply chains become more accessible, lowering the barriers for potential attackers to execute such operations. The proliferation of malicious packages in open-source software repositories has made it easier for attackers to exploit vulnerabilities in widely used software components. This trend is exacerbated by the growing reliance on open-source software, which, while fostering innovation and collaboration, also introduces new risks.
Organisations face a number of concentration risks within their supply chains, particularly in extended networks that include fourth-party and systemic dependencies. These risks are amplified in sectors critical to national infrastructure—for example, healthcare, telecommunication, financial services, transportation, and energy—where a breach in a single supplier can have far-reaching impacts on operational resilience and systemic stability. This means it’s crucial for organisations to gain visibility into their entire supply chain and collaborate with industry peers and regulators to mitigate these risks.
State-sponsored cyberattacks have evolved into a formidable threat, with the capacity to destabilise sectors and entire economies. These actors, backed by national interests, deploy increasingly advanced tactics. Their strategies extend beyond targeting critical infrastructure; they now exploit human vulnerabilities through sophisticated social engineering. The current global geopolitical situation indicates a probable escalation in such attacks.
For example, the Australian Cyber Security Centre (ACSC) acted against a series of state-sponsored cyber activities that targeted Australian institutions in 2020. These attacks were aimed at government agencies, industry, political organisations, educational institutions, health services, essential service providers, and operators of other critical infrastructure. The ACSC identified the tactics, techniques, and procedures (TTPs) used in these attacks. These included spear-phishing to exploit human vulnerabilities and the deployment of sophisticated malware to infiltrate systems.
To combat these evolving threats, and protect their supply chains, organisations must:
- Implement comprehensive security measures, including secure coding practices, thorough vetting of third-party vendors, and deploying endpoint detection and response (EDR) solutions to protect against cyber threats;
- Enhance supply chain transparency and security by leveraging technologies like blockchain for immutable transaction records and investing in artificial intelligence (AI) for improved predictive capabilities and operational efficiency;
- Cultivate a strong security culture within the organisation and among supply chain partners through regular security awareness training, sharing of best practices, and collaborative security initiatives, making security a shared responsibility to reduce vulnerability to attacks.
The security of supply chains is a complex issue that requires concerted efforts from all stakeholders. By understanding the latest trends and threats, and implementing best practices for supply chain security, organisations can better protect themselves against the potentially devastating impacts of a breach.
Craig Searle is director of consulting and professional services (Pacific) at Trustwave.