Earlier this year, a cyberattack forced Colonial Pipeline to shut down its entire IT network. Colonial Pipeline transports 2.5 million barrels per day of gasoline, diesel, jet fuel and other refined products through 5,500 miles of pipelines.
This breach created a gasoline shortage and drove up prices across the eastern and southern United States, and ranks as the largest cyberattack on an oil infrastructure target in the history of the United States – so far.
Because today’s supply chains are data-driven and tech-enabled, digital attacks like this have the potential to damage and disrupt physical supply chains around the globe, causing delays, shortages and devastating financial losses.
Hacking and cyberattacks are a huge, multibillion-dollar business. Hacker organizations, just like any other multibillion-dollar business, are searching for the best way to make money. That’s why so many have shifted their focus from single targets – a specific company, for example – to supply chains.
Large attack surfaces
Though the cyberattack on Colonial Pipeline impacted the company’s billing system and not its pipeline infrastructure, the company halted all physical operations to avoid risking further damage from the attack, according to reports. It ended up paying a ransom of $4.4 million (in bitcoin).
While many folks still imagine that cyberattacks are carried out by a lone hacker sitting in a dark basement looking to create mayhem, cyberattacks have evolved over the last decade, and most notably over the past five years.
Sophisticated organizations involved in cyberattacks range from nation states – think China, Russia, and North Korea, for example – to private organizations employing dozens of hackers.
Today’s cyberattacks can quickly move beyond the digital realm and into the physical realm. A supply chain attack, also referred to as a third-party attack, occurs when an unauthorized user infiltrates a private company network system and gains access to sensitive data, most commonly through an outside partner or provider.
Hackers love large “attack surfaces,” a term used to describe the potential points, or vectors, where a network can be entered. Large attack surfaces offer more vectors that can be exploited to gain access to sensitive data and systems. Smaller attack surfaces are easier to protect from hackers.
Since supply chains often link together hundreds, if not thousands, of organizations, they provide massive attack surfaces. Simply put, they’re too tempting, and potentially vulnerable, for hackers to ignore.
Supply chain service providers are doubly vulnerable to cyberattacks because they have access to data from a multitude of organizations – more access points equal more vulnerability. And, because supply chains are entirely systems-dependent, not to mention hugely complex, it’s easier for hackers to gain access.
To that point, ENISA expects four times as many attacks on supply chains this year as in 2020. Instead of wasting time and resources trying to infiltrate a specific target or organization, cyber criminals are now focused on exploiting weakness wherever they can find it.
Sophisticated hackers are scheming. When they implement their attacks, they don’t know who their victims will ultimately be, but they know those victims will be valuable.
Ultimately, cybercrime comes down to a numbers game – basic return on investment. Cybercriminals are interested in uncovering the biggest opportunity for successful infiltration with the least amount of effort, and that’s driving them to target supply chains.
Consider the NotPetya cyberattack that occurred in 2017. Instead of targeting a specific company, hackers targeted accounting software used by government agencies, corporations, hospitals and schools. The accounting software provided the vector to expose tens of thousands of computers in a single attack.
The effects of the NotPetya cyberattack rippled outward like a boulder dropped into a pond, devastating thousands of organizations and immobilizing supply chains worldwide. When NotPetya’s malware reached Maersk, the digital supply chain attack turned into a serious physical supply chain disruption.
Prevalence of cybersecurity breaches
Further proving that supply chains are increasingly enticing cyberattack targets, 93% of respondents admitted they have suffered a direct cybersecurity breach because of weaknesses in their digital supply chain security. Nearly 38% of respondents said they had no way of knowing when or if an issue arises with a third-party supplier’s cybersecurity, compared to 31% last year.
Notably, BlueVoyant’s survey found that the average number of breaches experienced in the last 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-over-year increase.
Only 13% of companies said third-party cyber risk was not a priority. That’s a fairly significant change compared to last year when 31% of companies said supply chain and third-party cyber risk was not on their radar.
The biggest cybersecurity risk for an organization’s supply chain is the lack of control of its data after leaving its network and being transmitted to a third-party vendor, according to the survey. Even the most sophisticated organizations struggle to manage control, given the number of business partners.
Specific to the supply chain industry, manufacturing respondents were least likely to identify supply chain/third-party cybersecurity risk as a key priority and were most likely to be reporting on an annual basis only.
Operating with a “zero-trust” mentality
Because organizations are trying to be more proactive than reactive when it comes to cybersecurity, they’re spending more money to manage cyber risk and combat cyberattacks, according to BlueVoyant’s survey. Nine out of 10 respondents say their budget for third-party cyber risk management is increasing in 2021.
Many organizations are building in-house cybersecurity departments or bringing in external cybersecurity experts to establish preventative measures and to protect themselves from possible incidents.
The emerging trend across the industry is to adopt a zero-trust architecture (ZTA) strategy. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks vs. the internet) or based on asset ownership (enterprise or personally owned).
A common and effective defensive philosophy is to approach your cybersecurity program with an assumption that you’ve already been breached and focus on putting controls in place that verify identity and authorization before providing access. Enabling these types of controls will go a long way toward protecting network resources and mitigating infiltration.
Continuous innovation and investment
When it comes to cybersecurity, organizations must play both defense and offense. While they must shore up their defenses so they can withstand digital threats, it’s impossible to prepare for every possibility. That’s why they must go on the offense by establishing a robust internal security program and reviewing supplier and customer security standards.
A good place to start is with recognized industry certification programs. Organizations that have achieved SOC 2 Type 2 or ISO 27001 certification have proven, through external audits and independent review, that they have robust and effective information systems controls and processes that support a sufficient level of security measures relative to the industry.
Cyber insurance is another increasingly common trend within the industry, with many providers, both traditional carriers and newcomers, moving into the space. While cyber insurance does not directly protect organizations from cyberattacks, it does help mitigate many of the aftereffects, which could be devastating to their business. In addition, many insurance providers provide access to cybersecurity consulting services and resources as part of their coverage.
Unfortunately, there is no one solution that fully protects against cyber threats. Even if an organization has the newest and greatest cybersecurity technology, it won’t be long until hackers obtain that same technology and render it useless.
Every organization, regardless of size or industry, is a potential target for cybercrime through its extended supply chain network. Diligence and vigilance are the foundation of every effective cybersecurity strategy. To stay ahead of cybercriminals and protect the global supply chain, all organizations must continuously innovate and invest in people, processes and protective technology.