When most people think of supply chain risks, they picture ships stuck in port, factories closed due to COVID lockdowns, or empty shelves where component parts once sat. But these physical obstacles are not the only risks that manufacturers face. Cyberthreats have been growing steadily over the last few years, and during the pandemic, these supply chain security risks escalated.
You might think that digital attacks are a threat only from your third-party software vendors. In the SolarWinds hack, for example, more than 18,000 customers of the IT management company installed a malicious update, compromising their systems. But the attack didn’t stop there. Once cybercriminals infiltrated a company’s network, linked systems gave them access to that company’s partners and customers as well. The fact is, any vendor whose software talks to yours—such as billing and payment systems—can compromise your company’s security.
Linked Systems: A Benefit and a Risk
Just-in-time manufacturing has always required constant communication and a high degree of collaboration between manufacturers and their suppliers. During the pandemic, this collaboration increased, as manufacturers sought more efficient ways to source raw materials and component parts. Timely data-sharing became even more critical, and many companies increased their internet-enabled connections to suppliers.
While tighter collaboration allowed companies to improve the predictability of their supply chain, it also created new entry points for cybercriminals to try to exploit. In short, by connecting more closely with suppliers, these companies increased their own attack surface.
And cybercriminals were quick to take advantage of this broader target. According to the National Association of Manufacturers, in 2020, the number of cyberattacks on manufacturers spiked by more than 300% from the previous year, accounting for 22% of all attacks across all sectors, up from 7% in 2019.
A New Twist on an Old Supply Chain Security Risk: Phishing
The surge in cybercrime isn’t driven solely by direct attacks like SolarWinds. Phishing is also a growing problem, as criminals employ new technologies to take this old hacking technique to a new level.
The Anti-Phishing Working Group (APWG) reported that in the first quarter of 2022, there were 1,025,968 total phishing attacks—the first time the three-month total has exceeded one million. Given that email users are more savvy than they used to be, how is this possible?
It’s simple: Today’s cybercriminals have gone way beyond simply faking emails. Some use sophisticated social engineering techniques like AI-generated voicemails and deepfake video recordings. People know to be wary about email, but how many people think to question the authenticity of the voice at the other end of a phone call?
Even the relatively low-tech business email compromise (BEC) attacks have gotten better. Fake websites are much harder to differentiate from the legitimate versions, and cybercriminals now clone emails from legitimate employees to create urgent requests that sound authentic.
Today’s criminals are also more patient than ever, and they do their homework on both the person they’re targeting and the person they’re mimicking, in order to create an email or a call that’s highly realistic. And with people posting their personal details on multiple social media sites—including LinkedIn—it’s easier than ever for hackers to glean the information they need to successfully impersonate someone.
A One-Two Punch: Combining Hacking Techniques
Hackers are patient. They’re careful. And they think long term. They know that by working through suppliers, their attack may take months to execute, and they’re willing to wait. This is why, more and more, malicious actors are switching from attacking a company directly to infiltrating its suppliers. Once inside a supplier’s system, undetected, they have time to plan an attack against your company.
In this situation, more often than not, the malicious actor will assume the identity of a trusted contact at the supplier, and then reach out to your company. This technique, called spoofing, allows criminals to create highly credible phishing emails, calls, and even videos. Many companies with excellent security have nevertheless been infiltrated through their suppliers’ systems.
Digital Supply Chain Security: A Growing Concern
Digital threats to supply chain security are a growing problem. That’s why five years ago, the National Counterintelligence and Security Center (NCSC) designated April as “National Supply Chain Integrity Month.” The goal of this annual awareness campaign is to encourage companies—especially providers of information and communications technology—to fortify their digital security.
And businesses are indeed becoming more aware of the issue. Many companies, manufacturers included, are taking action. According to a survey conducted by PwC last year, nearly half of all manufacturers provided information or assistance to third parties—including suppliers—to help them improve their own cybersecurity. Nearly four in ten survey respondents (36%) said they’d rewritten contracts with third parties to mitigate risk, and 30% went as far as terminating partnerships with third-party vendors because of unacceptable security practices.
Cybersecurity Risk Management
There are several steps you can take to make your company a hard target for cybercriminals. Strong data encryption may be the most important. The ideal standard for encryption is the Advanced Encryption Standard (AES), a symmetric block cipher used by federal agencies to safeguard classified information. AES has been available for commercial use for more than 20 years, and provides excellent protection against cyberattacks.
AES encryption can be found in many of today’s frequently used devices, applications, and networks. WhatsApp messages, for example, are encrypted using 256-bit AES encryption. Google Cloud uses this standard as well. If your system isn’t making use of AES, it’s time for an upgrade.
However, even great encryption can’t prevent attacks that come from security flaws in software, which is why it’s important to monitor your systems for unusual activity. Zero-day attacks, in which cybercriminals exploit a security flaw before the software maker has issued a patch, are impossible to predict—you can’t fix what you don’t know is broken. But unusual activity can be your first signal that something is wrong.
Monitor Your Suppliers
Even if your company’s data is strongly encrypted, and you’re vigilant about software and system monitoring, you can still be vulnerable to attack through your suppliers. Any vendor software that interacts with your own is open to exploitation, putting your own systems at risk. This is why it’s critical to monitor those connected systems for unusual activity.
And to repel phishing attacks, it’s important to have protocols in place that require staff to double-check sensitive requests, and to conduct regular training in spotting fake communications. Here again, it’s just as important that your suppliers have these security protocols in place as well. Your vendor risk management program should include a yearly review of your suppliers’ security protocols.
And because even the most secure systems still face some risk, make sure your company has an up-to-date incident response plan. Your company should have backup systems and emergency protocols in place, so that no time is wasted in assessing and repairing the damage from a successful hack. Last year, when Accenture fell victim to the LockBit ransomware attack, it was able to contain the threat right away by implementing a plan it had prepared well in advance.
The Accenture incident exemplifies what has become a truism in the business world: When it comes to system security, the companies that fare the best are the ones that plan for the worst.
A Secure Manufacturing Partner
The European Union Agency for Cybersecurity (ENISA) has several recommendations to help companies reduce the risk of supplier-enabled cyberthreats:
- identify and document all suppliers and service providers;
- define risk criteria for different types of suppliers and services (such as supplier and customer dependencies, critical software dependencies, and single points of failure);
- monitor supply chain risks and threats;
- manage suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products and components;
- classify assets and information shared with or accessible to suppliers and define relevant procedures for accessing and handling them.