Supply Chain Security Holes: What You Should Know

April 28, 2020


Global supply chains are taking a beating as a result of tensions between the U.S. and China, not to mention the global Covid-19 coronavirus pandemic. But there’s an older supply chain headache that still exists, one that will outlive the two current disruptions that businesses face: supply chain security issues.

There are 3.1 security attacks on global supply chains each week, according to a recent 10-year study by British standards group BSI. Much of this risk comes from IT security issues.

“Supply chains present a weak link for IT security because organizations can’t always control the security measures taken by supply chain partners,” says Saumitra Das, chief technology officer for threat detection platform Blue Hexagon.

Supply chains are vulnerable in many ways; the complexity of supply chain operations extends to the variety of ways that supply chains can be attacked digitally. But there are several areas that are particularly vulnerable for global businesses today.

APIs: A Blessing and a Curse

One of the enablers for global commerce is interconnection among various computing systems along the supply chain. Historically this has been a tricky and incomplete integration on account of the variety of systems, processes and standards used throughout the world.

The cloud, and specifically application programming interfaces (APIs), has considerably improved the situation: businesses can share data through APIs without having to fully connect their systems with the larger ecosystem.

APIs also present a tempting target for attack, however: flaws in how APIs are coded and designed can expose data.

“Many supply chain vendors have systems that connect to organizations via API,” notes Das. “By 2022, Gartner predicts that API abuses will become the most common type of web application attack resulting in a data breach.”

Niche Managed Service Providers: Weak Links in the Chain

Many industries with global supply chains have managed service providers that provide technology services that are niche to the industry they serve. While these MSPs perform a valuable role for the industries they serve by supplying digital tools and services, they also often are smaller organizations that don’t have the resources for deep security practices.

As with many smaller businesses, these industry MSPs often have weaker security than the larger organizations they serve. The problem is that in a global supply chain, these MSPs become a weak link.

“Many of these providers are small businesses without the resources or experience to properly secure their customers’ data,” suggests Chris Linklater, consulting manager at enterprise security firm FireEye Mandiant. “Recently there have been several examples of MSPs that have been victimized by ransomware that has crippled the business operations of their customers.”

Industry Software: Specialization Has Its Costs

The same issue affects smaller third-party software often used along a supply chain. Large enterprise software vendors such as SAP and Oracle invest great sums in security technology and best practices, and generally they are as secure as anything on the market. Industry software from smaller providers doesn’t come with the same level of security, though.

Because global businesses rely on partners all along the supply chain, the use of less secure software developed by small third-party providers may not even be immediately evident to them. But it still poses a risk to businesses and their operations.

“While large software vendors have resources to ensure that their products undergo rigorous security testing, many small software vendors don’t have this luxury,” says Linklater. “There have been numerous examples of small to medium software products having unpatched vulnerabilities or being utilized by a threat actor to deliver malicious code to a victim organization.”

IoT Devices: A Security Issue Waiting to Happen

The use of internet-enabled devices, collectively known as the Internet-of-Things (IoT), has exploded in recent years. In 2019, IoT adoption among businesses grew by 21.5 percent according to Gartner research, reaching a total of 4.8 billion IoT devices in the field.

IoT security currently is a huge problem, however. Roughly 57 percent of all IoT devices currently in the field are vulnerable to medium- or high-severity attack, according to research by Unit 42, the threat intelligence team at network security firm Palo Alto Networks.

“The challenge with these IoT devices is that they are designed with cost and reliability as priorities, while security is often overlooked,” notes Linklater. “These IoT devices present risk, as security controls are often difficult to implement during their deployment.”

While there are steps that businesses can take to minimize the risk from IoT, firms cannot enforce proper IoT security precautions on all links in the supply chain. That makes IoT a huge risk.

Third-Party Systems Access: Unavoidable and Unmonitored

Not only are many software solutions and IoT devices in play along a company’s supply chain; many employees and contractors are involved as well. Frequently, these workers are given access to part of a company’s network or computing systems out of logistical necessity.

While systems access by third parties may be required, it also is a huge security risk, on par with or greater than IoT device security. Humans are typically the weakest link in the security chain, and workers involved in the supply chain but not directly monitored by a company are an ever-present security danger.

“Suppliers that have third-party access to an organization’s network may inadvertently be compromised and enable infiltration,” warns Das. “One of the biggest examples of this was the Target attack where the attacker managed to infiltrate Target’s Point of Sale (PoS) machines via an HVAC supplier.”

Businesses benefit greatly from global commerce and their increasingly complex supply chains. But as the above risk factors show, supply chains also bring a fair amount of added security risk.

Peter Kowalke

Tech Writer

Peter is a journalist and editor who has been covering business, technology and lifestyle trends for more than 20 years. When not writing, he runs Kowalke Relationship Coaching. You can contact him at PeterKowalke.com.