Number one cyber threat: the supply chain

When world-renowned cryptography and computer security expert Bruce Schneier was asked by Computerworld Hong Kong magazine in 2012 whether we are more secure today than we were five years ago, he replied: "In short, no. It’s interesting that every year we have new technologies, new products, new ideas, companies and research, yet people continue to ask why things are so bad with security? And the answer is that fundamentally the problem is complexity."

Eleven years later, in March 2023, the European Union Agency for Cybersecurity, ENISA, identified highly complex supply chains and, in particular, their software dependencies as the number one threat in its forecast of cyber threats up to 2030.

Cyber attacks often start in the supply chain

In fact, supply chain attacks have increased significantly in recent years and are now one of the most common initial infection vectors. 

Why is this the case? On the one hand, companies have improved their own security, making it more difficult for cyber criminals. On the other hand, the use of service providers and cloud services is increasing. Distributed software development is also becoming increasingly complex. The firmware of major PC manufacturers alone now includes well over 4,000 suppliers for all the software components it contains. 

Largely ineffective basic protection

As supply chain attacks do not directly attack a company's own IT infrastructure, but are infiltrated via third-party IT services, the usual protective measures taken by user companies are largely ineffective against these attacks.

Recent examples show that even companies with a high level of IT security maturity can find themselves in a state of emergency for weeks when a new supply chain vulnerability makes the rounds. The operator simply lacks information about which hardware, operating systems, software libraries, etc. are used in the many products they use, or even which versions are currently in use and which newly discovered vulnerabilities are relevant to them. 

Multi-stage supply chain attacks

The situation is further complicated by the fact that both the supply chain and attacks on it can take place at many levels. Providers, as end users, aggregate and depend on elements and services from other providers, as users. An example of a multi-stage supply chain attack is the compromise of the 3CX desktop application, a popular VoIP software. In early 2023, it was announced that this desktop application had been compromised. The cyber criminals were able to inject malware into the official software updates of the 3CX desktop application and distribute them to end users' systems. Rather than infiltrating 3CX directly, the cyber criminals used a supplier called Trading Technologies, whose website could be used to host a malicious software component that used 3CX.
 

Looking beyond software

Of course, focussing on software is not enough to make supply chains more secure. It is only one dimension of the problem. The BOM principle can also be applied to other elements of the supply chain. In principle, the concept allows complete transparency of all components used. Examples include the hardware used (HBOM) as well as the cloud applications used (SaaSBOM). Security components (such as an EDR) themselves must also be considered, as these are often equipped with high privileges and are therefore attractive to criminals. In its paper "Threat Landscape for supply chain attacks", ENISA lists supplier assets that can become part of a supply chain attack. Consequently, it also mentions people with access to sensitive data and infrastructure, which closes the circle.

Anyone who comes to the conclusion that BOMs are patient due to the complexity of the topic should read on. After all, legislators have also recognised that supply chain issues must be taken very seriously. Missing the boat here, could put your business at risk - and not just because of a successful attack.

What is happening with legislation 

The EU-wide cyber security legislation, the "NIS2 Directive", came into force in January 2023 and must be transposed into national law by the EU member states by October 2024. It requires companies to address cyber security risks in supply chains and supply relationships. For the first time, the law also imposes obligations on companies in the supply chain. In Article 21(2), the cyber security of the supply chain is considered an integral part of the measures for managing cyber security risks. It also requires the use of SBOMs. Suppliers can prepare for such audits.

The draft of the EU Cyber Resilience Act (CRA) requires manufacturers of digital products to provide security updates for a defined period of time, among other things. These must be provided as quickly as possible in order to avoid delays caused by software components used by other manufacturers. A CE marking for products connected to the internet to indicate compliance with the new standards is being discussed. 

The White House has already issued an Executive Order in 2021 to improve the nation's cyber security. EO 14028 establishes new requirements to secure the federal government's software supply chain. In February 2022, the US NIST mandated the provision and use of SBOM by US government suppliers.

Things are also happening in Switzerland when it comes to supply chain risks: The final report on the effectiveness review of the National Strategy for the Protection of Switzerland against Cyber Risks (NCS) of 28 March 2022 mentions that respondents see problems in the fact that there is a lack of awareness of supply chain risks in connection with components or services for critical infrastructure and that these are not consistently addressed by the NCS.

Conclusion

Organisations that do not systematically address the risk of supply chain attacks not only run a high risk of becoming unprepared victims of such an attack. They also run the risk of regularly falling into an operational frenzy when vulnerabilities are reported and wasting valuable security and operational resources looking for a needle in a haystack. As criminals naturally do not wait for us, organisations should establish an incident handling and emergency management system that is appropriate to the risk and also takes supply chain-specific incidents into account. This should include analysing and documenting supply chain dependencies for key business processes and sensitive data. For suppliers, the impact of a temporary non-use of systems and services should be analysed. Finally, it is important to drive forward the stocktaking process, to familiarise yourself with the existing solution approaches and then to insist on these requirements from the suppliers.

Finally, it is clear that legislators and regulators have recognised the risk and are taking action. Those who fail to seize the opportunity risk severe penalties and, in the worst case, de facto exclusion from the market as a supplier. 

Translation

This insight was originally written in German and translated into English with DeepL.com.