Vulnerabilities lead to supply chain hacking

When it comes to supply chain hacks, it’s not a matter of if, it’s a matter of when your organization will be hacked. Attacks on critical infrastructure and systems are on the rise, and with hackers gaining skill and in some cases getting paid out through ransomware attacks, that trajectory of supply chain hacking is only headed upwards.

What is the definition of a supply chain hack?

When infrastructure is attacked, it is known as a supply chain hack. This attack happens when a bad actor infiltrates a vulnerable supply chain system through an outside vendor or provider that has access to systems and networks. In other words, a bad actor gains access to a third-party vendor’s access point and then has the ability to get in and wreak havoc on critical infrastructure. The SolarWinds hack in 2020 was a prime example of supply chain vulnerabilities -- hackers got inside the development operations of SolarWinds and managed to insert malware inside a software update that was distributed by the company in March. SolarWinds is a third-party vendor to a variety of government organizations, so the malware disrupted the Treasury Department, the Pentagon, the Commerce Department, and more. According to a 2019 Ponemon Institute report, 90% of the companies that help provide critical national infrastructures had at least one cyberattack between 2017 and 2019. These recent supply chain hacks have resulted (and could in the future result) in gas shortages, higher meat prices, sensitive information exposed, and endless other worst-case scenarios. The term critical access is often employed when speaking about these systems because the supply chain, and the information therein, is nothing short of critical.

Why are supply chains so vulnerable to hacking?

1. Supply chains and infrastructure organizations contain a vast amount of third-party connections. Look back at the SolarWinds supply chain hack. That software was connected to three major government components (at least), and the company stated that 18,000 customers downloaded the affected version of the software. That means there were 18,000-plus points of entry for a potential bad actor. It can be difficult to keep track of third-party suppliers, and according to the 2020 Ponemon report, too few organizations are keeping track diligently. The supply chain attack statistics show:

  • 49% of respondents say their organization does not assess the security and privacy practices of all third parties before granting them access to sensitive information.
  • 53% of industrial and manufacturing respondents say their organizations do not have a comprehensive inventory of all third parties with access to their network.
  • 74% of respondents who’ve experienced a hack said it was the result of giving too much privilege to third parties.

All those numbers add up to trouble. As these supply chain attack statistics show, there are a lot of doors for bad actors to walk through, and, at least based on the Ponemon report, far too many remain unlocked.

2. The information that exists within these networks and organizations is highly valuable. When we talk about vulnerable supply chains, we mean government, manufacturing, and energy: the kind of organizations that, if attacked, could lose more than just their hard drives. The ransomware that took over Colonial Pipeline not only spurred gas shortages and international headlines; it cost the company millions to regain control. If the bad actors wanted, they easily could’ve started attacking all the smaller entities connected to the Colonial Pipeline. Think of a supply chain network like a series of air ducts across a building. Once you get the vent cover off, there are infinite places you could go and a treasure trove of valuable information you could discover.

3. These organizations rely on reputation, not Zero Trust architecture. That same Ponemon report states that 63% of respondents cite reliance on reputation as their main reason for not evaluating the security and privacy practices of the third parties they work with. SolarWinds is a trusted name, and so is Colonial Pipeline. Both are now victims of supply chain hacking. At what point is reputation no longer reliable? To paraphrase many spy movies: don’t trust anyone.

4. Many supply chain organizations lack critical access protection software. It can be overwhelming, time-consuming, and costly for an organization to track and control access to its network, especially when those connections add up to thousands. So, many organizations take shortcuts or simply don’t do it. Look at the stats referenced above; almost every question drew concerning answers from more than half of respondents, meaning most aren’t taking supply chain hacking or critical access security seriously.
The solution doesn’t have to be overwhelming. There’s a variety of resources available and even more solutions for critical access protection. As for cost, the fallout from the SolarWinds supply chain hack cost the company $18 million so far. Better to pay for protection than pay the price for a data breach.

Supply chain hacks and the financial industry

Like any business, financial companies are only as secure as the weakest link in their supply chain. If a supply chain is vulnerable, so is your company. Banks, credit unions, investment companies, and others in the financial sector must remain compliant with Sarbanes-Oxley, Gramm-Leach-Bliley, and other regulatory guidelines. In the United States and around the world, network connections that are not secure and inadequate IT protection tools can lead to lost data through supply chain hacking, as well as regulatory non-compliance. As disruptive new technology and business interests unsettle the traditional financial sector, network security gaps occur through inattention, legacy IT systems, and unmonitored third-party IT support. Finance IT tech support, operating independently of its clients, can easily introduce unintended vulnerabilities that leave open windows for hackers.

How can an organization reduce supply chain vulnerabilities?

Preventing supply chain hacking comes down to protecting your entryways. The best way for an organization to secure itself against supply chain hacks is to examine all relationships with third parties and make sure that both sides are doing everything they can to reduce the risk of hacks. If you don’t already have a vendor or third-party risk management program set up, do so. Learning more about Zero Trust Architecture, access management, and third-party security is a great start.
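One way to turn the three Ponemon gaps quoted earlier (unassessed third parties, no complete inventory, too much privilege) into a routine access review, as an added example that is not from the original article or any vendor product. The vendor records, the remote-access log lines and the review date are all constructed sample data.

```python
# Added example (not from the original article): a third-party access review
# that flags the gaps the Ponemon figures describe. All records below are
# constructed sample data, not from any real organization.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class VendorAccess:
    vendor: str
    assessed: bool        # security/privacy practices reviewed before access?
    granted: frozenset    # privileges actually provisioned
    justified: frozenset  # privileges the contract or change ticket justifies
    last_used: Optional[date]


# Constructed inventory: what the organization *believes* has access.
INVENTORY = [
    VendorAccess("monitoring-vendor", True, frozenset({"read_metrics"}), frozenset({"read_metrics"}), date(2021, 6, 1)),
    VendorAccess("hvac-contractor", False, frozenset({"vpn", "domain_admin"}), frozenset({"vpn"}), date(2021, 5, 20)),
    VendorAccess("old-payroll-co", True, frozenset({"vpn"}), frozenset({"vpn"}), date(2020, 11, 3)),
]

# Constructed remote-access log, one vendor login per line.
ACCESS_LOG = """\
2021-06-02 vendor=monitoring-vendor src=203.0.113.10 action=login
2021-06-02 vendor=hvac-contractor src=198.51.100.7 action=login
2021-06-03 vendor=unknown-msp src=192.0.2.44 action=login
"""

TODAY = date(2021, 6, 10)  # constructed review date


def review(inventory, access_log, today, stale_days=90):
    """Return (vendor, finding) pairs; an empty list means no gaps were found."""
    findings = []
    known = {v.vendor for v in inventory}
    for v in inventory:
        if not v.assessed:                       # the 49% gap
            findings.append((v.vendor, "unassessed-before-access"))
        excess = v.granted - v.justified         # the 74% gap
        if excess:
            findings.append((v.vendor, "over-privileged:" + ",".join(sorted(excess))))
        if v.last_used is None or today - v.last_used > timedelta(days=stale_days):
            findings.append((v.vendor, "stale-access"))
    # Accounts seen logging in but absent from the inventory: the 53% gap.
    for line in access_log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("vendor") not in known:
            findings.append((fields["vendor"], "not-in-inventory"))
    return findings
```

Run on a real inventory export and VPN or remote-support log, each finding is a vendor relationship to re-examine before the next renewal, not after a breach.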