2021 saw many vulnerabilities and cyberattacks shift to affect supply chains, heavily impacting both organizations and the general population. This year, supply chain attacks are set to become even more widespread. Our in-house chartered psychologist and Director of Human Science, Bec McKeown, believes that the very nature of supply chain attacks introduces a high level of complexity to the decisions you make when responding. Not only are there multiple actors involved, there will be competing priorities and outcomes, making it essential to prepare your people and systems well in advance.
Regulation across multiple industry sectors is demanding increased attention on mitigating the impact of attacks on organizations’ supply chains. Trustwave emphasized that it’s “no longer enough” to secure your own company’s infrastructure; you must also evaluate the risk of third-party vendors and plan for breaches there too. ENISA’s 2021 report Threat Landscape for Supply Chain Attacks agrees, claiming 62% of attacks on customers in its survey “took advantage of their trust in their supplier”.
What is a supply chain attack?
A supply chain attack occurs when systems or services are impacted by a vulnerability or malicious code introduced by a third-party component. They’re more complex than other types of cyberattacks for several reasons, including oversight, visibility, responsibility, trust, ethics, and communications, plus the necessary complexity of supply chain management systems involving multiple up and downstream stakeholders.
Some types of crises are incorrectly termed as “black swan” events – rare and unlikely to affect you. The black swan principle no longer applies to supply chain attacks within the cyber realm. Forrester Analytics revealed that 30% of all hacks now focus on the supply chain; the interconnected nature of your organization more or less guarantees it.
Kev Breen, Director of Cyber Threat Research at Immersive Labs, says, “The trend will likely continue throughout 2022 as we enter a race between network defenders battling with the growing reliance on open-source components and the ever-expanding supply chain attack surfaces threat groups can exploit''.
In 2021 an attack on the IT management software company Kaseya crumbled supermarkets in Sweden, while 18,000 customers were affected by the vulnerable networking supplier SolarWinds. A zero-day vulnerability in Apache’s Log4j logging package (used by Microsoft, Amazon, and Twitter) meant attackers were able to steal AWS credentials and compromise critical business functions, deploy malware, and exfiltrate sensitive data. Supply chain attacks will continue to attract sophisticated attackers, Lindy Cameron noted at the Chatham House Cyber 2021 Conference, “especially as we anticipate technology supply chains will become increasingly complicated in the coming years”.
It’s therefore critical to have a “clear understanding of any risks associated with third-party vendors” and the know-how to “prioritize actions to reduce the risks of a breach”, according to Trustwave. This comes in three stages: preparation, response, and recovery.
Preparation
Executives and crisis management teams (CMTs) have less visibility, information, and control over cyberattacks on the supply chain than a direct hit, so these leaders must prepare in anticipation for such an attack – and there are certain actions that should be taken before a crisis occurs.
Firstly, you should understand your software and your supplier’s estate. This is basic situational awareness, critical to effective crisis management. Transparency on the full chain is crucial; does your supplier have critical suppliers, and does their supplier have further critical suppliers? You must also map these critical suppliers against your business services. Ensure you chart any tolerances, and test these under stress. How long can your organization withstand supplier disruption?
Failure to understand your supply chain brings risk in the form of unaccounted for environmental, social, and governance factors. Without proper comprehension of the other parts of the chain, how can you be sure you aren’t contributing to regulatory or reputational risks, such as criminality, slavery, or pollution? For more information, Immersive Labs’ Principal AppSec Engineer Sean Wright discusses why you shouldn’t blindly trust software supply chains in a recent blog.
The ENISA report found that 66% of suppliers did not know how they were compromised during an attack, so it’s also crucial to undertake robust vetting and monitoring across all tiers of suppliers. C-Suites must understand the visibility and control that the organization has over the supply chain’s cyber hygiene and how this is monitored and tested. Before a cyber crisis strikes, you must also recognize your place in the chain and how this impacts or complicates your cyber breach reporting responsibilities both up and down the chain. To practice this, run crisis exercises with the full chain.
Humans play the largest part in preparing for a cyberattack. Even the best-practiced teams can’t fully predict human error, and it’s even harder to track when that error comes from far up the supply chain. Executives need to know – in advance – who is part of the response team up and down the chain to be mobilized to make decisions quickly if required. There’s no use trying to make friends during a crisis; these relationships and links of trust should be established long before an attack. Further, good preparation will involve good communication with these key players. You can’t control how another organization (your supplier, or your supplier’s suppliers) conducts its business, but in creating good relationships and understanding their priorities and responsibilities, you can learn how to influence rather than mandate different teams when recommending the best way forward.
In addition, you must be comfortable with making decisions based on semi-facts. Obtaining and verifying accurate information will be difficult when multiple organizations within the chain are all trying to mitigate the impact of an attack on their part. But if you have prepared, then it will be easier to trust the cyber teams involved in all areas of the chain and manage the situation.
Previous attacks have taught us that areas of the supply chain that aren’t necessarily cyber related can still be affected by a cyber breach. The supply chain cascades over to non-supply chain collateral damage in the same way a ransomware attack might. For example, in May 2021 Colonial Pipeline (the largest pipeline for refined oil products in the US) was crippled by a cyberattack. Not only was the network compromised, but the physical oil distribution was affected too, impacting local businesses, domestic areas, and critical national infrastructures such as airports and factories. This attack emphasized the fragility of industrial infrastructure and forced the US government to reassess its cybersecurity policy.
Response
Once a crisis is declared, leaders need to be ready to respond at the speed of light. Using your incident response plan, CISA guidance, or knowledge of the CMT team around you, setting your priorities straight is key here. Urgent and important activities need to be actioned quickly.
To start with, it’s all about services. You need to first understand which of your services have been impacted and which are critical to your organization. You then need to assess how vulnerable those specific services are and what the risk is. Leaders should grasp that proactive actions like risk assessing the supply chain and identifying the next stages of an incident response plan land higher in the rank of urgency than requesting a budget to improve a firewall mid-crisis.
The next thing to do is understand if any personal data is affected – and fast. Keeping sensitive data out of the hands of attackers is one of the biggest worries when it comes to supply chain cyberattacks. A data breach on top of a ransomware hack could end up costing you much more, both financially and in terms of reputation.
Leaders need to protect shareholders and the downstream supply chain, but the order in which to tackle these is always a challenge for CMTs. The answer isn’t likely to be found in any business continuity plan (BCP) or response plans due to the unpredictable nature of cyberattacks. But having the correct personnel in place, thoroughly equipped with relevant skills and knowledge, will help you to tackle any incident.
Time after time it’s evident that good crisis response is about the people involved, so make sure you’re taking burnout into consideration. Crises can be long and stressful. It’s easy for teams to become fatigued, resulting in less effective decision making when you need excellence. Ensure top-level executives have high-quality deputies on standby that are trusted to manage incidents as well as their seniors. Build your people’s resilience as well as your systems.
Ultimately what’s best for your organization and what’s right for your supply chain may never fully align. This convergence of security exposure, ethical, and contractual considerations towards your up and downstream supply chain likely make for some wicked problems in the event of a supply chain attack, further highlighting their complexity.
Leaders must prepare for a secondary attack after an initial supply chain breach. Frequently, hackers will follow through on another attack in a different area, especially if the first is successful. It’s all too common for an initial supply chain breach to be followed up with a ransomware injection, resulting in a multi-pronged attack that could destroy an underprepared organization.
You can practice responding to a supply chain attack in our latest Crisis Simulator scenario, Supply Chain Pain, which features a device management software company with a vulnerable product. The scenario covers key decisions around transparency, ethics, and regulatory contracts, helping you to stress-test the decisions that need to be made during this type of crisis.
Recovery
Supply chain attacks are so complex that a guide on tackling them couldn’t ever be fully comprehensive. But here are some of the key takeaways to recovering well from a supply chain attack. The process can be condensed into three main points:
- Review the crisis itself
- Review the supply chain and critical risks within it
- Review your organization’s contracts – do they protect you and the chain appropriately, proportionately and transparently?
Once you’ve worked on the above, you must monitor every element better than before the crisis hit. If there’s a problem, you’ll know about it sooner. The best way to keep on top of this is by training and exercising teams. Our Crisis Simulator offers realistic and engaging scenarios that put you in the middle of real crises, testing your teams’ situational awareness and decision-making skills. Data-driven results mean managers can analyze employee responses, allowing assessment of strengths and areas to improve. With appropriate training and exercising, organizations will be better prepared to face cyberattacks wherever they hit on the supply chain – a vital part of cyber workforce resilience.
The likelihood of your organization or some part of its supply chain being attacked is high. So join our cybersecurity and crisis response experts to make critical decisions with a live playthrough of our latest Crisis Sim, Supply Chain Pain, during our webinar on February 17th.
Ben Hockman,
Principal, Crisis Management and Response,
Immersive Labs