A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry or government sector. Cybercriminals typically tamper with the manufacturing process of a product by installing a rootkit or hardware based spying components. In an Internet Security Threat Report, powered by Symantec, it is stated that supply chain attacks still continue to be a feature of the threat landscape, with an increase by 78 percent in 2018.
In a more general sense a supply chain attack may not necessarily involve electronics. In 2010 when burglars gained access to the pharmaceutical giant Eli Lilly’s supply warehouse. By drilling a hole in the roof and loading $80 million worth of prescription drugs into a truck. They could also have been said to carry out a supply chain attack.
In cybersecurity terms, the Target security breach, Eastern European ATM malware, as well as the Stuxnet computer worm are examples of supply chain attacks. A supply chain attack involves tampering with electronics or software in order to install undetectable malware for the purpose of bringing harm to a player further down the supply chain network.
Generally, supply chain attacks on information systems begin with an advanced persistent threat that determines a member of the supply network with the weakest cybersecurity to affect the target organization. According to an investigation produced by Verizon Enterprise, 92% of the cybersecurity incidents analyzed in their survey occurred among small firms.
APT’s can often gain access to sensitive information by physically tampering with the production of the product. In October 2008, European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that stole a customer’s account details by using untraceable devices inserted into credit-card readers made in China. This help criminals to gain access to account information and make repeated bank withdrawals and Internet purchases, amounting to an estimated $100 million in losses.
The threat of a supply chain attack poses a significant risk to modern day organizations. The attacks are not solely limited to the information technology sector but also supply chain attacks affect the oil industry, large retailers, the pharmaceutical sector and virtually any industry with a complex supply network.
The Information Security Forum explains that the risk derived from supply chain attacks is due to information sharing with suppliers. It states that “sharing information with suppliers is essential for the supply chain to function, yet it can also lead to Information compromised in the supply chain and can be just as damaging as compromised from within the organization”.
Poorly managed supply chain management systems can become significant hazards for cyberattacks, which can lead to a loss of sensitive customer information, disruption of the manufacturing process, and could damage a company’s reputation.
Wikipedia
