Supply Chain Attacks Are Increasing – Organizations Must Evolve

If the past year is any indication, cyber-attacks are on the rise. Third-party connections continue to be exploited, entities like supply chains and critical infrastructure are growing as high-value targets and the cybersecurity protocols that organizations need to stay safe are shifting. The old ways of protecting your most valuable assets aren’t working anymore, and it’s time to evolve.

What 2021 Showed Us About Supply Chain Security

The SolarWinds hack was the largest supply chain attack of 2021. The breach exposed 18,000 customers to malware, including large government agencies (SolarWinds announced that the actual number of customers hacked through SUNBURST was fewer than 100). If the hack hadn’t been detected in time, many of SolarWinds’ third-party clients, including the Department of Homeland Security and the Treasury Department, could’ve been compromised. The Kaseya attack in 2021, another supply chain breach, affected 1,500 businesses globally, disrupting supply chains in various countries.

When supply chain organizations are attacked, the consequences go far beyond OT downtime and software issues. Take the Oldsmar Water hack in 2021, where attackers targeted the water plant’s software and raised the level of lye in the water. If it hadn’t been caught, it could’ve resulted in a boil-water notice, water shortages or poisonings.

Unfortunately, last year just set the stage for what the future holds.

Hack One, Breach Many is the Mentality for Hackers

Supply chain organizations contain many third-party connections, often to critical infrastructure organizations – like how SolarWinds is connected to the Department of Homeland Security. That makes these organizations a bullseye for hackers: by breaching one organization, they can access dozens, or hundreds, of others. The Kaseya attack resulted in 1,500 businesses being held for ransom at once. In terms of efficiency and possible payout, that is an incredibly lucrative opportunity for hackers. In addition, because the stakes are so high for these critical infrastructure organizations, they are more likely to pay if hit by ransomware in order to prevent devastating effects.

Because all of these organizations are connected, their cybersecurity is connected. If even one Kaseya-like organization isn’t properly protected, the ramifications can extend to its entire network. That complacency has consequences. If a third party causes a breach, the cost is estimated to rise by almost $400,000. That’s a hefty price to pay for not being proactive about high-risk third parties.

Hackers understand how these organizations play into each other and will look for the most vulnerable access point across connected businesses – not just their endpoint – to start a massive attack. That means the way these organizations approach cybersecurity needs to change.

How Organizations Can Stay Protected

It all comes down to access: what access points exist, who has access and how well those individual, decentralized points are protected – especially when they connect to third parties.

Employing a castle-and-moat defense won’t work anymore, especially because a hacker who breaches those defenses can not only move laterally but also jump to another organization once inside the castle walls. By evaluating individual access points, an organization can start protecting each one, limiting the attack surface and any movement by the attacker.

There are new, better ways to stay safe.

  1. Properly identify and inventory access points: An important starting point for securing systems and data is by identifying all points of access. To understand which of those represent the highest risk, you need to determine whether a breach of an access point would have expansive consequences, such as a threat to the health and safety of personnel or the public, inability of the business to fulfill its core mission or material loss of revenue.
  2. Establish zero trust policies: When assigning access rights and privileges to users, embrace the principle of zero trust, which grants users access only to the information and applications required to do their job and nothing more. This applies to both internal and third-party users.
  3. Restrict access through fine-grained controls: Controlling who can access your critical assets, data and systems is the best way to keep any access point safe. Whether it’s through multi-factor authentication, time-based controls or other methods, restricting who can walk through that metaphorical door keeps the assets behind that door safe.
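As an added illustration of the three steps above (example code, not part of the original article), the following Python sketch classifies a constructed inventory of access points by the consequence categories named in step 1, then flags where least privilege (step 2) or fine-grained controls such as MFA and time-bound access (step 3) are missing. The field names, sample entries and tier thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Consequence categories the article names for a high-impact access point.
HIGH_IMPACT = {"safety", "core_mission", "material_revenue"}


@dataclass
class AccessPoint:
    name: str
    third_party: bool            # does a third party hold this access?
    impacts: set                 # subset of HIGH_IMPACT; empty if a breach stays contained
    mfa: bool = False
    time_bound: bool = False     # access expires / is limited to a window
    granted_scopes: set = field(default_factory=set)
    required_scopes: set = field(default_factory=set)


def risk_tier(ap: AccessPoint) -> str:
    """Step 1: high if a breach has expansive consequences; third-party access raises the tier."""
    if ap.impacts & HIGH_IMPACT:
        return "critical" if ap.third_party else "high"
    return "medium" if ap.third_party else "low"


def findings(ap: AccessPoint) -> list:
    """Steps 2 and 3: report where least privilege or fine-grained controls are missing."""
    issues = []
    excess = ap.granted_scopes - ap.required_scopes
    if excess:                                   # zero trust: nothing beyond the job's needs
        issues.append(f"over-privileged: {sorted(excess)}")
    tier = risk_tier(ap)
    if tier in ("critical", "high") and not ap.mfa:
        issues.append(f"mfa required for {tier} access point")
    if tier == "critical" and not ap.time_bound:
        issues.append("third-party access to a high-impact asset must be time-bound")
    return issues


def review(inventory: list) -> dict:
    """Map each access point name to (risk tier, list of findings)."""
    return {ap.name: (risk_tier(ap), findings(ap)) for ap in inventory}


# Constructed sample inventory (hypothetical names, not from the article).
SAMPLE = [
    AccessPoint("msp-rmm-agent", True, {"core_mission"},
                granted_scopes={"admin", "deploy"}, required_scopes={"deploy"}),
    AccessPoint("plant-hmi-remote", True, {"safety"}, mfa=True, time_bound=True,
                granted_scopes={"view", "setpoint"}, required_scopes={"view", "setpoint"}),
    AccessPoint("intranet-wiki", False, set(), granted_scopes={"read"}, required_scopes={"read"}),
]
```

Running `review(SAMPLE)` ranks the remote-management agent as critical with three findings, while the two properly controlled entries report none.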
