Why have supply chain partners proven to be the weakest links in cyberattacks
NEW DELHI: In 2015, Amazon’s Web Services division reportedly found a hidden microchip in one of the servers of Elemental Technologies—a video streaming company during the acquisition process.
The servers were assembled by a California-based company Super Micro Computers, which was working with subcontractors who had manufacturing facilities in China, according to a Bloomberg report published in October 2018. Further investigations by US authorities revealed that neither Elemental Technologies nor Super Micro Computers had any knowledge of it, and that the microchip was planted at the manufacturing facilities in China for surveillance purposes.
A 2018 study by Ponemon Institute reveals that 56% of organizations faced a data breach caused by one of their vendors. According to a May data exfiltration report by security firm McAfee, internal actors including contractors and third-party suppliers were responsible for more than 40% of serious data breaches faced by enterprises worldwide in 2018. Carbon Black’s April report concurs that 50% of today’s attacks not only target big companies but all businesses on the supply chain. In software supply chain attacks, vendors do not know if their apps or updates are infected with malicious codes when they’re released, allowing them to run with the same trust and permissions as the app. Hackers look to exploit unsecure network protocols, unprotected server infrastructures and unsafe coding practices.
“Complexity in supply chains has been growing over the last few decades. The growth in complexity increases the number of partners. In turn, integration across such partners exposes organizations to a variety of risks that can come from the exploitation of the weakest link in a global network, which could be several tiers down the supply chain," cautions Rajpreet Kaur, principal analyst, Gartner.
The emphasis on supply chain management is higher than before. However, according to a 2019 Gartner survey, while supply chain leaders rank cyber attack risks as a top concern, only 10% of them characterize the relationship between their function and IT as strategic. “As industries move towards digitization, the technology adoption and development plans of different partners may not be in sync, exposing modern digital supply chains to new vulnerabilities," points out Venkat Krishnapur, vice president of engineering and managing director, McAfee India.
How third-party vendors procure or assemble products not only affects them but everyone using their products. Supply chains are an easy target for the hackers merely due to their negligence in complying with security measures, says Sanjay Gupta, vice president and India country manager, NXP Semiconductors. He adds, “it is a weak link for the organizations as they can’t control what security measures are being taken by their supply chain partners and as it is rightly said a chain is only as strong as its weakest link."
Most companies on supply chain network may also not have the same resources or security mechanism to deal with cyberattacks as their bigger partners. Burgess Cooper, partner, information and cyber security at EY, believes, “Organizations with different low cost supply chain manufacturers or suppliers with feeble security frameworks are most prone to cyber risks. Attackers are known to target an organization through its third party networks as they are crippled by margin pressure to deliver quick service at low costs, where security is often compromised. This is one of the key factors that can put an organization at risk."
Such cases have been reported in India too, like the ATM card fraud in 2016 where hackers stole the PIN of customers while they were withdrawing money. The breach wasn’t at the end of card companies but in ATM systems procured from Hitachi. The good thing is that growing concerns about increasing supply chain complexity and attacks are driving a number of new laws, regulations and frameworks globally, but India is yet to catch up. Big companies that can invest in security, for instance, are increasingly mandating a minimum a security on-boarding process with five to seven norms that suppliers have to fulfil. Auditing suppliers at regular intervals is also important, as it allows the company to know that their suppliers have the right controls in place.
Krishnapur adds, “Tools such as ISO/IEC 27036 are available in the market that can help define a solid baseline. This should be followed by a regular analysis of security and privacy controls."
Burgess insists on a new model called ‘Zero Trust’, where a company assumes that its network , contractors and supplier connections have been compromised and works towards air-gapping the system, so the infection doesn’t reach them through any of the common points.
Gloss